Asymmetric master keys and the PKDS

You can reencipher a PKDS by using either the panels or the CSFPUTIL utility program.

  1. Invoke the program as a batch job or from another program.

    You pass the same parameters whether you call the program as a batch job or from another program.

  2. Pass the names of the PKDSs upon which to perform the task and the name of the task to perform.
    When you invoke the utility program from another program, General Register 1 must contain a pointer to the address of a data area whose structure is as follows:
       Bytes 0-1: Length of the parameter string in binary
       Bytes 2-n: The parameter string

    The parameter string is the same one that you would specify on the PARM keyword of the EXEC JCL statement if you invoked the program as a batch job.

  3. To reencipher a PKDS, pass these parameters in this order:
    1. The name of the PKDS to reencipher.
    2. The name of an empty PKDS to contain the reenciphered keys.
    3. The name for the task: RECIPHER.
  4. To reencipher the PKDS using JCL, use JCL like this example:
       //STEP EXEC PGM=CSFPUTIL,PARM='OLD.PKDS,NEW.PKDS,RECIPHER'

    The first parameter passed, OLD.PKDS, is the name of the PKDS to reencipher. The second parameter, NEW.PKDS, is the name of an empty PKDS where you want ICSF to place the reenciphered keys.

  5. After you have reenciphered all the PKDSs under the new master key, refresh the PKDS.
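
The data area from step 2, filled in for the RECIPHER task from step 3, as an added example that is not part of the original documentation or of ICSF. The function name `build_recipher_parm`, the 44-character data set name limit and the rejection of identical names are assumptions of this sketch; the string bytes are in the compiler's execution character set (EBCDIC when compiled on z/OS).

```c
#include <stdio.h>
#include <string.h>

#define DSN_MAX 44  /* assumption: z/OS data set names are at most 44 chars */

/* A name must be non-empty, within the limit, and free of the characters
 * that would break the comma-separated, quote-delimited PARM string. */
static int dsn_ok(const char *s) {
    size_t n = s ? strlen(s) : 0;
    return n > 0 && n <= DSN_MAX && strpbrk(s, ", '") == NULL;
}

/*
 * Build the data area described in step 2:
 *   bytes 0-1  length of the parameter string, binary (big-endian halfword)
 *   bytes 2-n  the parameter string "old,new,RECIPHER"
 * Returns the total number of bytes written, or -1 on bad input.
 */
int build_recipher_parm(const char *old_pkds, const char *new_pkds,
                        unsigned char *area, size_t area_len) {
    char parm[2 * DSN_MAX + 16];
    int n;

    if (!dsn_ok(old_pkds) || !dsn_ok(new_pkds)) return -1;
    /* The target must be a separate, empty PKDS, so reject identical names. */
    if (strcmp(old_pkds, new_pkds) == 0) return -1;

    n = snprintf(parm, sizeof parm, "%s,%s,RECIPHER", old_pkds, new_pkds);
    if (n < 0 || (size_t)n >= sizeof parm || (size_t)n + 2 > area_len)
        return -1;

    area[0] = (unsigned char)((n >> 8) & 0xFF);  /* high byte of the length */
    area[1] = (unsigned char)(n & 0xFF);         /* low byte of the length */
    memcpy(area + 2, parm, (size_t)n);           /* string only, no NUL */
    return n + 2;
}

int main(void) {
    unsigned char area[128];
    int len = build_recipher_parm("OLD.PKDS", "NEW.PKDS", area, sizeof area);
    if (len < 0) return 1;
    printf("length field = %d, parm = %.*s\n",
           (area[0] << 8) | area[1], len - 2, (const char *)(area + 2));
    return 0;
}
```

The length field counts only the parameter string, not the two length bytes themselves.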

When you invoke the program as a batch job, you receive the return code in a message when the job completes. You do not receive a reason code with the return code. The return codes are explained in Return and reason codes for the CSFPUTIL program.