Changing the RSA master key

The process to reencipher the PKDS and change the RSA master key is different for IBM zEnterprise 196 and newer servers. For these systems, RSA master key change will be processed in the same manner as master key change for the DES, AES and ECC master keys.

For systems without CEX3C or newer coprocessors and at least the Sep. 2011 LIC, this is the original procedure for changing the RSA master key; this procedure has not changed.

  1. Disable dynamic PKDS updates control (recommended)
  2. Disable PKA callable services control
  3. Load the new RSA master key
    • TKE: load and set RSA master key
    • ICSF panels: loading the final key part causes the current master key to be set
  4. Reencipher the PKDS (old to current master key)
  5. Refresh the reenciphered PKDS
  6. Enable PKA callable services control
  7. Enable dynamic PKDS updates control

For systems with CEX3C or newer coprocessors and at least the Sep. 2011 LIC with the RSA master key loaded, this is the procedure for changing the RSA master key. See z/OS Cryptographic Services ICSF Administrator's Guide for more information.

  1. Disable dynamic PKDS updates control (recommended)
  2. Load the new RSA master key (TKE or ICSF panels)
  3. Reencipher the PKDS (current to new master key)
  4. Change the RSA master key (the current master key is set and the reenciphered PKDS becomes active PKDS)
  5. Enable dynamic PKDS updates control

Note: When the new RSA master key change process is used:
  • The PKA callable services control will not appear on the Administrator Control Functions panel.
  • The availability of callable services that require the RSA master key is controlled by the state of the RSA master key. When the RSA master key is active (the master key verification pattern in the PKDS matches the verification pattern of the current RSA master key), RSA callable services are available. Message CSFM130I will be issued.
  • The RSA master key cannot be set from the TKE workstation.
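The five-step procedure above, as an added Python model that is not IBM or ICSF code: the MKVP computation, the XOR-with-HMAC wrapping, and the key labels are stand-ins for the coprocessor's real algorithms, chosen only to show the ordering constraints (dynamic updates blocked while the PKDS is reenciphered; callable services gated on the PKDS verification pattern matching the current master key, the CSFM130I state).

```python
import hashlib
import hmac

def mkvp(master_key: bytes) -> bytes:
    # Stand-in master key verification pattern (truncated hash); not ICSF's real MKVP algorithm.
    return hashlib.sha256(b"MKVP:" + master_key).digest()[:8]

def xor_wrap(master_key: bytes, label: str, data: bytes) -> bytes:
    # Stand-in for the coprocessor's key wrapping: XOR with an HMAC-derived keystream (also unwraps).
    stream = b"".join(hmac.new(master_key, label.encode() + bytes([i]), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

class PkdsModel:
    def __init__(self, current_mk: bytes):
        self.current_mk = current_mk     # current RSA master key register
        self.new_mk = None               # new master key register, filled by step 2
        self.pkds = {"mkvp": mkvp(current_mk), "records": {}}  # PKDS header stores its MKVP
        self.dynamic_updates = True      # dynamic PKDS updates control

    def services_available(self) -> bool:
        # RSA callable services are usable only while the PKDS MKVP matches the current master key.
        return hmac.compare_digest(self.pkds["mkvp"], mkvp(self.current_mk))

    def store_key(self, label: str, private_key: bytes) -> None:
        if not self.dynamic_updates:
            raise RuntimeError("dynamic PKDS updates are disabled")
        self.pkds["records"][label] = xor_wrap(self.current_mk, label, private_key)

    def retrieve_key(self, label: str) -> bytes:
        if not self.services_available():
            raise RuntimeError("RSA master key is not active for this PKDS")
        return xor_wrap(self.current_mk, label, self.pkds["records"][label])

    def reencipher_pkds(self) -> dict:
        # Step 3: rewrap every record from the current to the new master key into a separate copy.
        recs = {lbl: xor_wrap(self.new_mk, lbl, xor_wrap(self.current_mk, lbl, w))
                for lbl, w in self.pkds["records"].items()}
        return {"mkvp": mkvp(self.new_mk), "records": recs}

    def change_master_key(self, reenciphered: dict) -> None:
        # Step 4: the new register becomes current and the reenciphered copy becomes the active PKDS.
        self.current_mk, self.new_mk = self.new_mk, None
        self.pkds = reenciphered

def run_change_procedure(model: PkdsModel, new_mk: bytes) -> None:
    model.dynamic_updates = False                     # 1. disable dynamic PKDS updates
    model.new_mk = new_mk                             # 2. load the new RSA master key
    model.change_master_key(model.reencipher_pkds())  # 3 and 4. reencipher, then change
    model.dynamic_updates = True                      # 5. re-enable dynamic PKDS updates
```

Changing the master key without first reenciphering leaves the PKDS verification pattern mismatched, so the model refuses RSA services exactly as the note above describes.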