Changing master keys

For security reasons, your installation should change the master keys periodically. In addition, if the master keys have been cleared and you have reentered them, you might want to change them rather than continue with the restored value.

For CCA host crypto modules, the DES and AES master keys protect the Cryptographic Key Data Set (CKDS). There are three main steps involved in changing the DES or AES master key:
  1. Load the DES or AES master key parts into the new master key register.
  2. Reencipher the CKDS under the new DES or AES master key.
  3. Change the DES or AES master key, which moves the value in the new master key register into the current master key register (the previous value moves to the old master key register), and activate the reenciphered CKDS.
The order matters: the CKDS must be reenciphered while the previous master key is still the current one. Changing the master key first leaves the active CKDS enciphered under a value that is no longer in the current register.

In the first step, DES and AES master key parts can be loaded using TKE or from ICSF panels. The second and third steps are performed using ICSF, or can be done using the Coordinated KDS Change Master Key utility (FMID HCR7790 or higher). For information about this utility, see z/OS Cryptographic Services ICSF Administrator's Guide.

For CCA host crypto modules, the RSA and ECC (APKA) master keys protect the Public Key Data Set (PKDS). There are six main steps involved in changing the RSA or ECC (APKA) master key:
  1. Disable PKA Services (required to load the RSA master key).
  2. Enter the RSA or ECC (APKA) master key parts into the new master key register.
  3. Reencipher the PKDS under the new RSA or ECC (APKA) master key.
  4. Change the RSA or ECC (APKA) master key (the value in the new master key register becomes the current master key) and activate the reenciphered PKDS.
  5. Enable PKA Services.
  6. Enable Dynamic PKDS Access.
In the second step, RSA and ECC (APKA) master key parts can be loaded using TKE or from ICSF panels. The other steps are performed using ICSF, or can be done using the Coordinated KDS Change Master Key utility (FMID HCR77A0 or higher). For information about this utility, see z/OS Cryptographic Services ICSF Administrator's Guide.
Notes:
  1. On older versions of ICSF, the RSA master key is called the asymmetric master key.
  2. ICSF uses the term 'ECC master key'. CCA calls it the 'APKA master key'. On TKE, it is referred to as the 'ECC (APKA) master key'.
  3. Steps 1, 5, and 6 are not required on IBM z196/z114 and newer systems.

For EP11 host crypto modules, the P11 master keys protect the PKCS #11 token key data set (TKDS).

If multiple instances of ICSF share the same TKDS in a sysplex environment, the P11 master key must be set to the same value for each instance. All instances must be at FMID HCR77A0 or higher, even if they do not use secure PKCS #11 services. A TKE domain group can be used to manage the multiple domains of the ICSF instances so that all receive the same new P11 master key value.

There are three main steps involved in changing the P11 master key:
  1. Load the P11 master key parts into the new master key register.
  2. Create a VSAM data set to hold the reenciphered keys.
  3. Do a coordinated TKDS master key change.
In the first step, P11 master key parts must be loaded using TKE; ICSF has no option for loading P11 master key parts. The second and third steps are performed using ICSF.
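The register sequence behind all three procedures above (load the parts into the new master key register, reencipher the key data set under the new value, then change the master key and activate the reenciphered data set) can be followed end to end in the following Python model. It is an added example written for this page, not ICSF, CCA or TKE code. It models the CCA case with new/current/old registers as used for the DES, AES, RSA and ECC (APKA) master keys; the P11 change loads its parts into the new register the same way but is driven by the coordinated TKDS change. The 32-byte register size, the XOR combination of key parts, the HMAC-based key wrapping standing in for the coprocessor's own wrapping, the verification-pattern derivation and the record layout are all assumptions made for illustration, and the key labels and key values are constructed. Besides the happy path, the example shows why the order matters: a data set that was not reenciphered before the change no longer matches the current master key and is rejected on activation, while the old register still opens it.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

MK_LEN = 32  # assumed 256-bit master key; real register sizes depend on the key type


def combine_parts(parts: list[bytes]) -> bytes:
    """Combine key parts as CCA does: the XOR of all parts, each of full length."""
    if not parts or any(len(p) != MK_LEN for p in parts):
        raise ValueError("every key part must be exactly MK_LEN bytes")
    out = bytes(MK_LEN)
    for p in parts:
        out = bytes(a ^ b for a, b in zip(out, p))
    return out


def verification_pattern(mk: bytes) -> str:
    return hashlib.sha256(b"MKVP:" + mk).hexdigest()[:16]  # kept in the KDS header, never the key


def _keystream(mk: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode, a stdlib stand-in for the HSM's AES key wrapping."""
    blocks = (hmac.new(mk, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def wrap(mk: bytes, label: str, key: bytes) -> bytes:
    """Encrypt-then-MAC an operational key under a master key; the label is authenticated."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(key, _keystream(mk, nonce, len(key))))
    return nonce + ct + hmac.new(mk, label.encode() + nonce + ct, hashlib.sha256).digest()


def unwrap(mk: bytes, label: str, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mk, label.encode() + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError(f"record {label}: not enciphered under this master key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(mk, nonce, len(ct))))


@dataclass
class MasterKeyRegisters:  # new / current / old, one set per master key type; b"" = empty
    new: bytes = b""
    current: bytes = b""
    old: bytes = b""

    def load_parts(self, parts: list[bytes]) -> None:
        self.new = combine_parts(parts)  # step 1: fill the new master key register

    def change(self) -> None:
        """Step 3: new -> current, current -> old, and the new register is cleared."""
        if not self.new:
            raise RuntimeError("new master key register is empty")
        self.old, self.current, self.new = self.current, self.new, b""


@dataclass
class KeyDataSet:  # CKDS/PKDS/TKDS model: header MKVP plus label -> wrapped key records
    mkvp: str
    records: dict[str, bytes] = field(default_factory=dict)


def reencipher(kds: KeyDataSet, regs: MasterKeyRegisters) -> KeyDataSet:
    """Step 2: unwrap each record under the current MK and rewrap it under the new MK."""
    if kds.mkvp != verification_pattern(regs.current):
        raise RuntimeError("KDS is not enciphered under the current master key")
    out = KeyDataSet(mkvp=verification_pattern(regs.new))
    for label, blob in kds.records.items():
        out.records[label] = wrap(regs.new, label, unwrap(regs.current, label, blob))
    return out


def activate(kds: KeyDataSet, regs: MasterKeyRegisters) -> KeyDataSet:
    """Only a KDS whose MKVP matches the current register may become the active one."""
    if kds.mkvp != verification_pattern(regs.current):
        raise RuntimeError("KDS MKVP does not match the current master key")
    return kds


def change_master_key(regs: MasterKeyRegisters, active: KeyDataSet,
                      new_parts: list[bytes]) -> KeyDataSet:
    regs.load_parts(new_parts)
    reenciphered = reencipher(active, regs)  # while the previous value is still current
    regs.change()
    return activate(reenciphered, regs)


def demo() -> dict[str, bool]:
    regs = MasterKeyRegisters()
    regs.load_parts([secrets.token_bytes(MK_LEN) for _ in range(2)])  # initial key, two officers
    regs.change()
    keys = {"PAYROLL.DATA.KEY": secrets.token_bytes(16), "MAC.GEN.KEY": secrets.token_bytes(32)}
    previous = KeyDataSet(verification_pattern(regs.current),
                          {l: wrap(regs.current, l, k) for l, k in keys.items()})
    active = change_master_key(regs, previous, [secrets.token_bytes(MK_LEN) for _ in range(3)])
    recovered = all(unwrap(regs.current, l, b) == keys[l] for l, b in active.records.items())
    try:  # the never-reenciphered copy is rejected now, but still opens under the old register
        activate(previous, regs)
        stale_rejected = False
    except RuntimeError:
        stale_rejected = True
    under_old = all(unwrap(regs.old, l, b) == keys[l] for l, b in previous.records.items())
    return {"mkvp_changed": active.mkvp != previous.mkvp, "all_keys_recovered": recovered,
            "stale_kds_rejected": stale_rejected, "old_register_opens_stale_kds": under_old,
            "new_register_cleared": regs.new == b""}
```

Calling demo() returns all five checks as True. The MKVP check in activate() is the model's version of the safeguard that keeps a key data set from being used with a master key it was not enciphered under; the old register is what makes a wrong-order change recoverable rather than fatal.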

For step-by-step ICSF procedures for changing master keys, see z/OS Cryptographic Services ICSF Administrator's Guide.