Coordinated Change Master Key and Coordinated Refresh

In ICSF FMID HCR7790, two functions were added that coordinate CKDS refreshes and CKDS master key changes across sysplex members sharing the same active CKDS. The coordinated administration functions simplify KDS management by automating the manual process for performing local refreshes and local master key changes. Although a sysplex environment is not required to use these functions, sysplex environments gain the maximum benefit from them when the changes are coordinated across all LPARs sharing the same active KDS.

In ICSF FMID HCR77A0, the coordinated refresh function has been extended to the PKDS and the coordinated change master key function has been extended to both the PKDS and TKDS.

Both functions are initiated from a single ICSF instance. This instance will drive the operation across the sysplex using sysplex messaging to other members sharing the same active KDS. Only one coordinated administration function may be performed at a time on one KDS type (CKDS, PKDS, or TKDS).

For coordinated refresh (either CKDS or PKDS), the initiating system sends sysplex messages to all sysplex members sharing the same active KDS, instructing them to either refresh their in-store KDS copy of the active KDS, or refresh their in-store KDS copy to a new KDS. Performing a coordinated refresh to a new KDS will result in the new KDS becoming the active KDS for all sysplex members in this KDS sysplex cluster.

Coordinated change master key will reencipher the active KDS (either CKDS, PKDS, or TKDS) disk-copy to a new KDS using the master key values that have been pre-loaded into the new master key register or registers. Before performing the coordinated change master key function, you must use either Master Key Entry (for CKDS and PKDS) or TKE (for CKDS, PKDS, and TKDS) to load the new master key register or registers.

For CKDS, the coordinated change master key function may be used to change both the DES and AES master keys, or just one or the other.

For PKDS, the coordinated change master key function may be used to change both the RSA and ECC master keys, or just one or the other.

For TKDS, the coordinated change master key function is the only function available for changing the P11 master key.

For more information on Master Key Entry (CKDS and PKDS) refer to Entering master key parts. For more information on loading the new master key registers from TKE (CKDS, PKDS, and TKDS), refer to the z/OS Cryptographic Services ICSF TKE Workstation User's Guide.

After reenciphering the active KDS disk-copy, the initiating system will send sysplex messages to the other members sharing the same active KDS, informing them to re-load their in-store KDS from the new reenciphered KDS.

Next, the initiating system will set the master key or keys for the new master key register or registers (DES, AES, RSA, ECC, P11) that have been pre-loaded for the KDS type being processed (CKDS, PKDS, or TKDS), and make the new KDS the active KDS.

Finally, the initiating system will send sysplex messages to the other members of the KDS sysplex cluster, informing them to set their master keys for the new master key registers (DES, AES, RSA, ECC, or P11) that have been pre-loaded for the KDS type being processed (CKDS, PKDS, or TKDS), and to make the new KDS their active KDS.

When performing a coordinated change master key on the CKDS or PKDS, you are not required to disable dynamic CKDS or PKDS updates within the sysplex. This is an enhancement over the local CKDS and PKDS master key change functions, for which disallowing the dynamic CKDS and PKDS update services is recommended. There is no option to disable dynamic TKDS updates and no local TKDS change master key function, so this does not apply to the TKDS.

During a coordinated change master key, dynamic KDS update requests are routed to, and processed by, the ICSF instance that initiated the coordinated change master key. The initiator processes these dynamic KDS updates against the active KDS while the change is in progress. After the initiating system has reenciphered the KDS, and before it coordinates the KDS master key change across the sysplex, there is a brief suspension of dynamic KDS update processing. During this brief suspension, the dynamic KDS updates that the initiator processed against the active KDS are applied to the new reenciphered KDS, so no update is lost.

If your workload cannot tolerate a temporary suspension of dynamic KDS update services while a coordinated CKDS or PKDS change master key is processed, and you would prefer that update requests fail instead, disallow dynamic KDS access before performing the coordinated change master key. There is no option to disable dynamic TKDS access, so this does not apply to a coordinated TKDS change master key.

During a coordinated TKDS change master key, all PKCS #11 session objects are reenciphered on all members of the TKDS sysplex cluster. The PKCS #11 session objects are reenciphered after the TKDS records have been reenciphered and immediately before the new P11 master key value is set, during the temporary suspension of dynamic TKDS update services.

The coordinated refresh function is only available for the CKDS and PKDS. Unlike the CKDS and PKDS, the TKDS has no utilities that allow the user to alter its contents outside of ICSF, so there is never a need to refresh the TKDS.

For a coordinated CKDS and PKDS refresh, dynamic KDS update processing is internally suspended by the initiator until the coordinated refresh completes. However, IBM still recommends that you disallow dynamic access prior to performing a coordinated refresh.

For more information on disabling dynamic CKDS and PKDS updates, refer to Displaying administrative control functions.

If a Key Store Policy is defined on the active CKDS and/or PKDS, it will continue to be used on the new CKDS and/or PKDS after a coordinated change master key or coordinated refresh completes. The TKDS does not have a Key Store Policy.

In order to perform coordinated CKDS change master key and coordinated CKDS refresh, all ICSF instances in the sysplex, regardless of their active CKDS, must be at the HCR7790 level or later. Coordinated CKDS administration functions will be unavailable if an instance of ICSF joins the sysplex that is running at a level lower than HCR7790. When an ICSF instance running at a level lower than HCR7790 joins the sysplex group, the manual local process must be used to perform CKDS refreshes and CKDS master key changes on each LPAR in the CKDS sysplex cluster.

In order to perform coordinated PKDS change master key, coordinated PKDS refresh, and coordinated TKDS change master key, all ICSF instances in the sysplex, regardless of their active PKDS and TKDS, must be at the HCR77A0 level or later. Coordinated PKDS and TKDS administration functions become unavailable if an instance of ICSF running at a level lower than HCR77A0 joins the sysplex. When such an instance joins the sysplex group, the manual local process must be used to perform local PKDS change master key and local PKDS refresh on each LPAR in the PKDS sysplex cluster. There is no local function for changing the P11 master key, so all ICSF instances in the sysplex group must be at the HCR77A0 level or later in order to change the P11 master key for the TKDS.
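The following Python model is an added illustration of the coordinated change master key sequence described above (reencipher the disk copy, route dynamic updates to the initiator, apply them to the new KDS during the brief suspension, reload the other members, then set the master keys and switch the active KDS) together with the level prerequisites stated for each KDS type. It is not IBM code and ICSF exposes no such Python interface; the class and function names, the master-key "generation" numbers that stand in for real key material, the FMID ordering list, and the sample data set names are all assumptions made for the illustration.

```python
"""Constructed model of ICSF coordinated change master key (not IBM code).

Master keys are abstracted to a generation number; "enciphering" a record
under a master key just tags the record with that number. The point shown
is sequencing: updates that arrive during the reencipher are not lost, and
every member finishes on the new KDS under the new master key.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Minimum ICSF level named on the page for each coordinated function.
REQUIRED_LEVEL = {"CKDS": "HCR7790", "PKDS": "HCR77A0", "TKDS": "HCR77A0"}
# Ordering of the FMIDs the page mentions, oldest first (constructed; any
# level not listed here is treated as older than both of them).
LEVEL_ORDER = ("HCR7790", "HCR77A0")


def meets_level(level: str, required: str) -> bool:
    """True if `level` is at or above `required` according to LEVEL_ORDER."""
    if level not in LEVEL_ORDER:
        return False
    return LEVEL_ORDER.index(level) >= LEVEL_ORDER.index(required)


@dataclass
class KDS:
    name: str
    mk_gen: int                                  # master key generation the records are under
    records: Dict[str, Tuple[int, str]] = field(default_factory=dict)

    def write(self, label: str, value: str) -> None:
        self.records[label] = (self.mk_gen, value)  # enciphered under this KDS's master key

    def reencipher_to(self, name: str, new_gen: int) -> "KDS":
        """Disk-copy reencipher: every record re-tagged under the new generation."""
        new = KDS(name, new_gen)
        for label, (_, value) in self.records.items():
            new.write(label, value)
        return new


@dataclass
class Member:
    sysname: str
    level: str                                   # ICSF FMID level of this instance
    active_kds: KDS
    in_store: Dict[str, Tuple[int, str]] = field(default_factory=dict)
    active_mk_gen: int = 1
    new_mk_register: Optional[int] = None        # pre-loaded via Master Key Entry or TKE

    def reload_in_store(self, kds: KDS) -> None:
        self.in_store = dict(kds.records)

    def set_master_key_and_activate(self, kds: KDS) -> None:
        self.active_mk_gen = self.new_mk_register
        self.new_mk_register = None
        self.active_kds = kds


def function_available(kds_type: str, members: List[Member]) -> bool:
    """Every instance in the sysplex, whatever KDS it uses, must meet the level."""
    return all(meets_level(m.level, REQUIRED_LEVEL[kds_type]) for m in members)


def coordinated_change_master_key(kds_type: str, initiator: Member, members: List[Member],
                                  new_kds_name: str,
                                  updates_during_reencipher: List[Tuple[str, str]]) -> KDS:
    """Drive the sequence from `initiator`; `updates_during_reencipher` is a
    constructed list of (label, value) dynamic updates arriving mid-flight."""
    others = [m for m in members if m is not initiator]
    if not function_available(kds_type, members):
        raise RuntimeError(f"coordinated {kds_type} functions unavailable: level below "
                           f"{REQUIRED_LEVEL[kds_type]} present in sysplex")
    if any(m.new_mk_register is None for m in members):
        raise RuntimeError("new master key register not loaded on every member")
    active = initiator.active_kds
    # 1. Initiator reenciphers the active disk copy to the new KDS. Dynamic
    #    updates during this phase are routed to the initiator and applied to
    #    the still-active KDS.
    new_kds = active.reencipher_to(new_kds_name, initiator.new_mk_register)
    pending = []
    for label, value in updates_during_reencipher:
        active.write(label, value)
        pending.append((label, value))
    # 2. Brief suspension: updates the initiator processed are carried forward.
    for label, value in pending:
        new_kds.write(label, value)
    # 3. Other members reload their in-store copy from the reenciphered KDS.
    for m in others:
        m.reload_in_store(new_kds)
    # 4. Initiator sets its master key and makes the new KDS active.
    initiator.reload_in_store(new_kds)
    initiator.set_master_key_and_activate(new_kds)
    # 5. Remaining members set their master keys and switch to the new KDS.
    for m in others:
        m.set_master_key_and_activate(new_kds)
    return new_kds
```

Running the model with one member at HCR7790 shows why the prerequisite is per function and not per member: a coordinated CKDS change succeeds, while a coordinated PKDS or TKDS change is reported unavailable even though the HCR7790 member might not even share that PKDS.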

To perform a coordinated CKDS or PKDS refresh, use the procedure described in Performing a coordinated refresh. To perform a local CKDS or PKDS refresh, use the procedure appropriate to your coprocessor type, described in Performing a Local CKDS Refresh or Performing a Local PKDS Refresh in Managing CCA Master Keys, on each member of the sysplex cluster. Whether performing a local refresh or a coordinated refresh, you should disable dynamic KDS updates on all sysplex members.

To change master keys, use the coordinated change master key function described in Performing a coordinated change master key. This capability is only available if your system and/or sysplex meets the necessary requirements. To review these requirements, refer to Symmetric Master Keys and the CKDS for CKDS, Asymmetric master keys and the PKDS for PKDS, and Changing the Master Key for TKDS.

If your environment does not meet the requirements for performing a coordinated CKDS or PKDS change master key, use the local change master key process. Perform the local process on an instance running the latest level of ICSF. Depending on your coprocessor type, see Changing the master keys in Managing CCA Master Keys for instructions on how to perform a local change master key. On the other sysplex cluster members, enter the master keys as described in Reentering master keys when they have been cleared in Managing CCA Master Keys. Reenciphering the CKDS or PKDS is not necessary on the other sysplex cluster members, because they share the KDS already reenciphered by the first instance.

There is no local change master key option for TKDS. The P11 master keys can only be changed using coordinated change master key.

When using the manual local change master key process for CKDS and PKDS, it is recommended to disable dynamic KDS updates on all sysplex members.