The procedure for changing the asymmetric master keys, reenciphering
the PKDS, and activating the new master keys differs depending on your
system's hardware and coprocessor licensed internal code. Although the
details of the procedures differ, they all guide you through the same
significant actions.
Essentially, to change the asymmetric master keys, you need to:
- Enter the master key parts into the new master key registers,
as described in Entering master key parts.
- Reencipher the PKDS under the new master key. This fills an empty
VSAM data set you created earlier with the reenciphered keys, making
the data set the new PKDS. This new reenciphered PKDS is a disk copy.
- Change the asymmetric master keys and make the reenciphered PKDS
the active PKDS.
The procedure for changing the RSA-MK depends on the cryptographic
coprocessors on your system.
- If your system has one or more coprocessors (CEX3 and later with
the Sep. 2011 or later LIC) online with the RSA-MK loaded, these are
the main steps involved in performing a local RSA master key change:
  - Enter the RSA-MK master key parts.
  - Reencipher the PKDS under the new RSA-MK.
  - Perform an asymmetric master key change.
- If your system doesn't have any coprocessors (CEX3 or later with
the Sep. 2011 or later LIC) online, these are the main steps involved
in performing a local RSA master key change:
  - Disable PKA callable services control.
  - Enter the RSA-MK master key parts. The RSA-MK is automatically
  set when the final key part is loaded.
  - Reencipher the PKDS under the current RSA-MK.
  - Perform an asymmetric master key change.
  - Enable PKA callable services control.