z/OS Cryptographic Services ICSF System Programmer's Guide


Scheduling changes for cryptographic keys

SA22-7520-17

You should periodically change the value of cryptographic keys to reduce the possibility of exposing a key value. It is recommended that you change the DES or AES master key at least every 12 months.

The security administrator can use the key generator utility program (KGUP) to change the cryptographic keys. KGUP updates keys in the disk copy of the cryptographic key data set while the callable services access keys in the in-storage copy of the cryptographic key data set. Therefore, you can change the keys without affecting cryptographic operations. For more information on using KGUP, refer to z/OS Cryptographic Services ICSF Administrator’s Guide.





Copyright IBM Corporation 1990, 2014