Asymmetric master keys and the PKDS

The procedure you need to follow for changing the asymmetric master keys, reenciphering the PKDS, and activating the new master keys will differ depending your system's hardware and coprocessor licensed internal code. Although the details of the various procedures do differ, they are all guiding you through performing the same significant actions. Essentially, to change the symmetric keys, you need to:

1. Enter the master key parts into the new master key registers, as described in Entering master key parts.
2. Reencipher the PKDS under the new master key. This fills an empty VSAM data set you created earlier with the reenciphered keys, making the data set the new PKDS. This new reenciphered PKDS is a disk copy.
3. Change the asymmetric master keys and make the reenciphered PKDS the active PKDS.

The procedure for the changing the RSA-MK depends on the cryptographic coprocessors on your system.

• If your system has one or more coprocessors (CEX3 and later with the Sep. 2011 or later LIC) online with the RSA-MK loaded, these are the main steps involved in performing a local RSA master key change.
  1. 1.Enter the RSA-MK master key parts.
  2. Reencipher the PKDS under the new RSA-MK.
  3. Perform an asymmetric master key change.
• If your system doesn't have any coprocessors (CEX3 or later with the Sep. 2011 or later LIC) online, these are the main steps involved in performing a local RSA master key change:
  1. Disable PKA callable services control.
  2. Enter the RSA-MK master key parts. The RSA-MK is automatically set when the final key part is loaded.
  3. Reencipher the PKDS under the current RSA-MK.
  4. Perform an asymmetric master key change.
  5. Enable PKA callable services control.