How To
Summary
Confirm the validity of your ICSF master key parts before migrating from the source to the target cryptographic coprocessors. Before you begin the hardware migration, ensure that you have access to the master key verification patterns (MKVPs) generated from your master key parts for each master key type (DES, AES, RSA, and ECC). The following procedure shows how to match those MKVPs to the values that were used to initialize your active CKDS and PKDS, so that you know the recorded key parts will reproduce the master keys under which the key data sets are enciphered. NOTE: Consider purchasing a Trusted Key Entry (TKE) workstation for more secure master key management.
Steps
1. Find the document that records the master key parts for each of your four master key types (DES, AES, RSA, and ECC). Ensure that this document also shows the MKVP of each complete (combined) master key: the header records hold the verification pattern of the full master key, not of any individual key part.
2. Issue the following commands to view your KDS header records. The CKDS header record holds the DES and AES MKVPs; the PKDS header record holds the RSA hash pattern and the ECC MKVP. Identify the MKVP values:
- TSO PRINT IDS('your-current-ckds') COUNT(1)
- View offsets +6C for the DES MKVP (8 bytes) and +7C for the AES MKVP (8 bytes)
- TSO PRINT IDS('your-current-pkds') COUNT(1)
- View offsets +7C for the RSA hash pattern (16 bytes) and +8C for the ECC MKVP (8 bytes)
Compare these values, byte for byte, with the MKVPs in the master key document from Step 1.
Use the following documentation links for more help identifying the MKVP of each master key type within the CKDS and PKDS header records.
- CKDS Header Record Format (DES and AES Master Key Verification Pattern):
- PKDS Header Record Format (RSA Hash Pattern and ECC Verification Pattern):
3. If any MKVP recorded in your document does NOT match the MKVP found in the CKDS or PKDS header record, do not proceed with the migration: the key part values recorded in your document do NOT reproduce the master keys that initialized your CKDS and PKDS, and loading them on the target coprocessors would leave the key data sets unusable.
RECOMMENDED ACTION: Perform a master key change to a new set of master key values from an LPAR that is still actively using these KDSes, and record the new key parts together with their MKVPs. Derive the new set of master key values by following the procedure outlined below.
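The comparison in Steps 2 and 3 is easy to get wrong by eye (mixed case, spacing, a transposed byte), so here is an added example, not part of the IBM procedure, that reads the MKVPs from a CKDS and a PKDS header record at the offsets given in Step 2 and compares them with the values in the master key document. The header records and the documented MKVPs below are constructed test data: only the bytes at the named offsets are meaningful, and the rest is filler rather than a real KDS header layout. If you have the PRINT output instead of the raw record, convert its hex column to a contiguous hex string and pass it through bytes.fromhex().

```python
"""
Added example (not IBM's code): extract master key verification patterns
(MKVPs) from CKDS/PKDS header records and compare them with the values
recorded in the master key document.

Offsets and lengths are the ones the procedure's Step 2 gives; verify them
against the CKDS/PKDS header record format documentation for your ICSF level.
"""
from typing import Dict, Mapping, NamedTuple, Tuple

# name -> (offset, length) within the header record, from Step 2
CKDS_FIELDS: Dict[str, Tuple[int, int]] = {"DES": (0x6C, 8), "AES": (0x7C, 8)}
PKDS_FIELDS: Dict[str, Tuple[int, int]] = {"RSA": (0x7C, 16), "ECC": (0x8C, 8)}


class Check(NamedTuple):
    found: str       # MKVP read from the header record, upper-case hex
    documented: str  # MKVP from the master key document, normalized
    ok: bool         # True only if the two are byte-for-byte identical


def normalize(hexstr: str) -> str:
    """Accept '0x', spaces, dashes and mixed case, as admins tend to write MKVPs."""
    s = hexstr.strip().replace(" ", "").replace("-", "")
    if s.lower().startswith("0x"):
        s = s[2:]
    if len(s) % 2 or any(c not in "0123456789abcdefABCDEF" for c in s):
        raise ValueError(f"not a hex string: {hexstr!r}")
    return s.upper()


def extract_mkvps(record: bytes, fields: Mapping[str, Tuple[int, int]]) -> Dict[str, str]:
    """Slice each MKVP out of the header record; refuse a truncated record."""
    out: Dict[str, str] = {}
    for name, (off, length) in fields.items():
        if off + length > len(record):
            raise ValueError(f"record is {len(record)} bytes, too short for {name} MKVP at +{off:X}")
        out[name] = record[off:off + length].hex().upper()
    return out


def check_kds(record: bytes, fields: Mapping[str, Tuple[int, int]],
              documented: Mapping[str, str]) -> Dict[str, Check]:
    """Compare every MKVP in the record with the documented value for that key type."""
    found = extract_mkvps(record, fields)
    results: Dict[str, Check] = {}
    for name in fields:
        if name not in documented:
            raise KeyError(f"master key document has no MKVP for {name}")
        doc = normalize(documented[name])
        # A length mismatch is most likely a transcription error in the document;
        # it still counts as a mismatch, because migration must not proceed on it.
        results[name] = Check(found[name], doc, found[name] == doc)
    return results


def migration_ok(*checks: Mapping[str, Check]) -> bool:
    """Step 3: proceed only if all four master key types match."""
    return all(c.ok for group in checks for c in group.values())


# --- constructed sample data (not real KDS records or MKVPs) -----------------
SAMPLE_CKDS = bytearray(0x100)
SAMPLE_CKDS[0x6C:0x74] = bytes.fromhex("A1B2C3D4E5F60718")   # DES MKVP
SAMPLE_CKDS[0x7C:0x84] = bytes.fromhex("0102030405060708")   # AES MKVP
SAMPLE_PKDS = bytearray(0x100)
SAMPLE_PKDS[0x7C:0x8C] = bytes.fromhex("11223344556677889900AABBCCDDEEFF")  # RSA hash pattern
SAMPLE_PKDS[0x8C:0x94] = bytes.fromhex("CAFEBABE00112233")   # ECC MKVP

DOCUMENTED = {
    "DES": "a1b2 c3d4 e5f6 0718",                  # matches, despite spacing/case
    "AES": "0102030405060799",                     # last byte differs: migration must stop
    "RSA": "0x11223344556677889900AABBCCDDEEFF",   # matches
    "ECC": "CAFEBABE00112233",                     # matches
}


def run_sample():
    ckds = check_kds(bytes(SAMPLE_CKDS), CKDS_FIELDS, DOCUMENTED)
    pkds = check_kds(bytes(SAMPLE_PKDS), PKDS_FIELDS, DOCUMENTED)
    return ckds, pkds, migration_ok(ckds, pkds)


if __name__ == "__main__":
    ckds, pkds, ok = run_sample()
    for name, c in {**ckds, **pkds}.items():
        print(f"{name:3} header={c.found} document={c.documented} {'match' if c.ok else 'MISMATCH'}")
    print("proceed with migration" if ok else "STOP: master key document does not match the active KDS")
```

Run it against the real records by replacing SAMPLE_CKDS and SAMPLE_PKDS with the first record of each data set and DOCUMENTED with the values from your master key document; a single MISMATCH line means the recorded key parts will not reproduce the active master keys, which is exactly the condition Step 3 tells you to stop on.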
Steps to perform a master key change with master key part load:
1. Allocate a new CKDS and PKDS.
- New CKDS: https://www.ibm.com/docs/en/zos/2.5.0?topic=ckds-steps-create
- New PKDS: https://www.ibm.com/docs/en/zos/2.5.0?topic=pkds-icsf-system-resource-planning
2. Review the “Entering Master Key Parts” section (and subsections) of the ICSF Administrator’s Guide to generate new master key parts for all 4 master key types (DES, AES, RSA, and ECC): https://www.ibm.com/docs/en/zos/2.5.0?topic=keys-entering-master-key-parts
3. Review the “Steps for reenciphering the CKDS and performing a local symmetric master key change” section of the ICSF Administrator’s Guide. Follow the instructions through step 5 within the link: https://www.ibm.com/docs/en/zos/2.5.0?topic=smkc-steps-reenciphering-ckds-performing-local-symmetric-master-key-change
4. Review the “Steps for reenciphering the PKDS and performing a local asymmetric master key change” section of the ICSF Administrator’s Guide. Follow the instructions through step 5 within the link: https://www.ibm.com/docs/en/zos/2.5.0?topic=amkp-steps-reenciphering-pkds-performing-local-asymmetric-master-key-change
5. Move the newly reenciphered data sets to the new LPAR, point to them from the ICSF options data set (CKDSN and PKDSN), and start ICSF. Ignore CSFM137E messages on ICSF startup; they are expected, because the matching master key parts have not yet been entered on the new LPAR.
6. On the new LPAR, enter the DES, AES, RSA, and ECC master key parts from Step 2.
7. Use ICSF panel option 2 "KDS Management", then option 4 "Set MK", to activate your master keys.
8. Confirm in the ICSF Coprocessor Management panel (option 1) that all four master key types now show an "A" for ACTIVE.
Document Information
Modified date:
29 July 2022
UID
ibm16608928