Because this procedure branches into different instructions based on whether ICSF is running in noncompatibility, compatibility, or co-existence mode, you should first understand the following background information on these modes before referring to and performing the procedure.
ICSF runs in noncompatibility, compatibility, or co-existence mode with the IBM cryptographic product Programmed Cryptographic Facility (PCF). You specify which mode ICSF runs in by using an installation option. For a description of the modes and how to specify an installation option, see z/OS Cryptographic Services ICSF System Programmer's Guide.
In noncompatibility mode, ICSF allows you to change the master key with continuous operations. Therefore, applications can continue to run without disruption. However, when ICSF is in compatibility mode or co-existence mode, you should use a different procedure to activate the changed master key. This ensures that no application is holding an internal token enciphered under the wrong master key.
In all three modes, you enter the new master key and reencipher the disk copy of the CKDS under the new master key using the master key panels. In noncompatibility mode, you then activate the new master key and refresh the in-storage copy of the CKDS with the disk copy using the master key panels or a utility program.
In compatibility mode and co-existence mode, however, activating the new master key and refreshing the in-storage copy of the CKDS does not reencipher internal key tokens under the new master key. ICSF applications that are holding internal key tokens enciphered under the wrong master key will fail with a warning message. Applications that use the PCF macros run with no warning message and produce erroneous results.
If you have a cryptographic feature installed, when you start ICSF, you must go to the CSFMKM30 — PKDS Management panel and do a set master key (option 4, SET MK). This will change the master keys of all the cryptographic features.
A re-IPL ensures that a program does not access a cryptographic service that uses a key that is encrypted under a different master key. If a program is using an operational key, the program should either re-create or reimport the key, or generate a new key.
If a re-IPL is not practical in your installation, you can use this alternative method. Stop all cryptographic applications, especially those using PCF macros, when activating the new master key and refreshing the in-storage copy of the CKDS. This eliminates all operational keys that are encrypted under the current master key. When you start ICSF again, applications using an operational key can either re-create or reimport the key.