Managing keys using TKE and ICSF

Master keys are used to protect all cryptographic keys that are active on your system.

Because master key protection is essential to the security of the other keys, ICSF stores the master keys within the secure hardware of the cryptographic feature. This nonvolatile key storage area is unaffected by system power outages, because it has a battery backup. The values of the master keys never appear in the clear outside the cryptographic feature.

Requirements: ICSF is required to complete some operations initiated from TKE:

For CCA host crypto modules, operations that require ICSF include setting the master keys, loading operational keys into the CKDS, and loading RSA keys from a host data set to the PKDS.
For CCA host crypto modules, ICSF is also required for initializing or refreshing the CKDS, disabling and enabling PKA services, PKDS initialization, PKDS reencipher, and PKDS activate.
For EP11 host crypto modules, operations that require ICSF include first time setting of the P11 master key, any subsequent P11 master key change, initializing or updating the TKDS, and reenciphering the TKDS.

For more information about these ICSF procedures, see z/OS Cryptographic Services ICSF Administrator's Guide.

Attention: Be prepared to switch between your TKE workstation and your ICSF host session.

Note: Under normal circumstances, set master keys using ICSF services that coordinate setting the master key with initializing or re-enciphering key storage. Failure to do this can cause the keys or tokens in key storage to become unusable when accessed by ICSF. There are some exceptions.

ICSF prior to HCR7790 allows the RSA master key to be set from TKE using the Set option, but PKA Callable Services must be disabled first. If no online host crypto modules are at the September 2011 LIC level or later, ICSF at HCR7790 or later also allows the RSA master key to be set from TKE using the Set option.
Beginning with TKE V7.30, the Set, immediate option allows any master key to be set from TKE. Use this option only when key storage does not need to be initialized or re-enciphered when the master key is set. For example, this option can be used to reload a previous master key value if a host crypto module has been inadvertently zeroized.