Initialize or Update the TKDS

At this point, the new P11 master key register on each EP11 coprocessor available to this ICSF instance must be in the FULL COMMITTED state. If running in a Sysplex, the new P11 master key register in each domain sharing the TKDS should also be FULL COMMITTED with the same master key parts. You must now initialize a new (or update the existing) TKDS, thus activating the P11-MK.

From the ICSF Primary Menu:
  1. Select option 2, MASTER KEY MGMT, on the ICSF Primary Menu panel.
  2. The Master Key Management panel appears. Select Option 3, TKDS MK MANAGEMENT.
    Figure 1. ICSF Master Key Management Panel
    CSFMKM10 --------------- ICSF - Master Key Management ------------------------
    OPTION ===> 
    Enter the number of the desired option.                                        
      1  CKDS MK MANAGEMENT -  Perform Cryptographic Key Data Set (CKDS)           
                               functions including master key management              
      2  PKDS MK MANAGEMENT -  Perform Public Key Data Set (PKDS)                  
                               functions including master key management   
      3  TKDS MK MANAGEMENT -  Perform PKCS #11 Token Data Set (TKDS)              
                               functions including master key management     
      4  SET MK             -  Set master keys                                                                                                
    Press ENTER to go to the selected option.                                      
    Press END   to exit to the previous menu.                                      
    OPTION ===> 3    
  3. The TKDS Master Key Management panel now appears.
    Figure 2. ICSF TKDS Master Key Management Panel
    CSFMKM40 ------------------- ICSF - TKDS Master Key Management ----------------------
    OPTION ===>                                                                    
    Enter the number of the desired option.                                        
      1  INIT/UPDATE TKDS - Initialize the active TKDS or update the header of     
                            the active TKDS                                        
      2  COORDINATED TKDS CHANGE MK - Perform a coordinated TKDS master key change 
      3  COORDINATED TKDS CONVERSION - Convert the TKDS to use KDSR record format  
    Press ENTER to go to the selected option.                                      
    Press END   to exit to the previous menu.                                      
    OPTION ===> 1
    Select Option 1, INIT/UPDATE TKDS. This causes ICSF to update the header record of the active TKDS and set the master key. No additional sub-panels are shown. When ICSF completes, the message INITIALIZATION COMPLETE appears. If a master key was not previously entered into the new master key register, the message NMK REGISTER NOT FULL COMMITTED appears and the initialization process ends.
    Note: If any part of option 1 fails, you may need to reload the new master key register before starting over.

After you complete the entire process, the P11-MK is activated for the ICSF host system from which you initiated it. You may now start using secure PKCS #11 services. If running in a Sysplex, all instances of ICSF on other systems sharing the TKDS must also perform TKDS initialization, or must be restarted, before they can start using secure PKCS #11 services.