At this point, the new P11 master key register on each EP11 coprocessor available to this ICSF instance must be in the FULL COMMITTED state. If running in a Sysplex, the new P11 master key register in each domain sharing the TKDS should also be FULL COMMITTED with the same master key parts. You must now initialize a new (or update the existing) TKDS, thus activating the P11-MK.
CSFMKM10 --------------- ICSF - Master Key Management ------------------------
OPTION ===>
Enter the number of the desired option.
1 CKDS MK MANAGEMENT - Perform Cryptographic Key Data Set (CKDS)
functions including master key management
2 PKDS MK MANAGEMENT - Perform Public Key Data Set (PKDS)
functions including master key management
3 TKDS MK MANAGEMENT - Perform PKCS #11 Token Data Set (TKDS)
functions including master key management
4 SET MK - Set master keys
Press ENTER to go to the selected option.
Press END to exit to the previous menu.
OPTION ===> 3
CSFMKM40 ------------------- ICSF - TKDS Master Key Management ----------------------
OPTION ===>
Enter the number of the desired option.
1 INIT/UPDATE TKDS - Initialize the active TKDS or update the header of
the active TKDS
2 COORDINATED TKDS CHANGE MK - Perform a coordinated TKDS master key change
3 COORDINATED TKDS CONVERSION - Convert the TKDS to use KDSR record format
Press ENTER to go to the selected option.
Press END to exit to the previous menu.
OPTION ===> 1
After you complete the entire process, the P11-MK is activated for the ICSF host system that you initiated this from. You may now start using secure PKCS #11 services. If running in a Sysplex, all instances of ICSF on other systems sharing the TKDS must perform TKDS initialization as well or must be restarted before they can start using secure PKCS #11 services.