Symmetric Master Keys and the CKDS

The procedure you need to follow for changing the symmetric master keys, reenciphering the CKDS, and activating the new master keys will differ depending on factors such as your system's compatibility mode. Although the details of the various procedures do differ, they are all guiding you through performing the same significant actions. Essentially, to change the symmetric keys, you need to:
  1. Enter the master key parts into the new master key registers (as described in Entering master key parts).
  2. Reencipher the CKDS under the new master key. This fills an empty VSAM data set you created earlier with the reenciphered keys, making the data set the new CKDS. This new reenciphered CKDS is a disk copy.
  3. Change the symmetric master keys and make the reenciphered CKDS the active CKDS.

Because this procedure branches into different instructions based on whether ICSF is running in noncompatibility, compatibility, or co-existence mode, you should first understand the following background information on these modes before referring to and performing the procedure.

ICSF runs in noncompatibility, compatibility, or co-existence mode with the IBM cryptographic products, and Programmed Cryptographic Facility (PCF). You specify which mode ICSF runs in by using an installation option. For a description of the modes and how to specify an installation option, see z/OS Cryptographic Services ICSF System Programmer's Guide.

In noncompatibility mode, ICSF allows you to change the master key with continuous operations. Therefore applications can continue to run without disruption. However, when ICSF is in compatibility mode or co-existence mode, you should use a different procedure to activate the changed master key. This is to ensure that no application is holding an internal token with the wrong master key.

In all three modes, you enter the new master key and reencipher the disk copy of the CKDS under the new master key using the master key panels. In noncompatibility mode, you then activate the new master key and refresh the in-storage copy of the CKDS with the disk copy using the master key panels or a utility program.

In compatibility mode and coexistence mode, however, activating the new master key and refreshing the in-storage copy of the CKDS does not reencipher internal key tokens under the new master key. ICSF applications that are holding internal key tokens which have been enciphered under the wrong master key will fail with a warning message. Applications that use the PCF macros, run with no warning message and produce erroneous results.

If you have a cryptographic feature installed, when you start ICSF, you must go to the CSFMKM30 — PKDS Management panel) and do a set master key (option 4, SET MK). This will change the master keys of all the cryptographic features.

A re-IPL ensures that a program does not access a cryptographic service that uses a key that is encrypted under a different master key. If a program is using an operational key, the program should either re-create or reimport the key, or generate a new key.

If a re-IPL is not practical in your installation, you can use this alternative method. Stop all cryptographic applications, especially those using PCF macros, when activating the new master key and refreshing the in-storage copy of the CKDS. This eliminates all operational keys that are encrypted under the current master key. When you start ICSF again, applications using an operational key can either re-create or reimport the key.

Parent topic: Changing the master keys