Changing PKCS #11 master keys when the TKDS is shared in a sysplex environment

ICSF coordinates TKDS master key changes across sysplex members sharing the same active TKDS. The master key change is initiated from a single ICSF instance. This instance will drive the operation across the sysplex using sysplex messaging to other members sharing the same active TKDS.

A Coordinated TKDS change master key will reencipher the active TKDS disk-copy to a new TKDS using the master key values that have been pre-loaded into the new master key registers. Before performing the coordinated TKDS change master key function, you must use the TKE to load the new P11 master key registers.

After reenciphering the active TKDS disk-copy, the initiating system will send sysplex messages to the other members sharing the same active TKDS, informing them to re-load their in-store TKDS from the new reenciphered TKDS. Next, the initiating system will set the PKCS #11 master key for the new master key registers that have been pre-loaded, and make the new TKDS the active TKDS. Finally, the initiating system will send sysplex messages to the other members of their TKDS sysplex cluster, informing them to set their PKCS #11 master key for the new master key registers that have been pre-loaded, and to make the new TKDS their active TKDS.

During a coordinated TKDS master key change, dynamic TKDS update requests will be routed to, and processed by, the ICSF instance that initiated the coordinated TKDS master key change. The initiator will process dynamic TKDS updates against the active TKDS during the coordinated TKDS change master key. When the initiating system has reenciphered the TKDS, and before it coordinates the TKDS master key change across the sysplex, there is a brief suspension to dynamic TKDS update processing. During this brief suspension, dynamic TKDS updates that were processed by the initiator are applied to the new reenciphered TKDS.
Note:
  1. It is not necessary to be in a sysplex to perform a coordinated TKDS change master key. In fact, the procedure to change the PKCS #11 master key on single system images is identical to that of a sysplex environment.
  2. In order to perform a coordinated TKDS change master key, all systems sharing the TKDS within the sysplex must be at HCR77A0 and all must have at least one active Enterprise PKCS #11 coprocessor.
See Managing Enterprise PKCS #11 Master Keys for information on how to perform a coordinated TKDS change master key.
Parent topic: TKDS management in a sysplex