Master keys are used to protect all cryptographic keys that are
active on your system.
Because master key protection is essential to the security of the
other keys, ICSF stores the master keys within the secure hardware
of the cryptographic feature. This nonvolatile key storage area is
unaffected by system power outages, because it has a battery backup.
The values of the master keys never appear in the clear outside the
cryptographic feature.
Requirements: ICSF is required to complete
some operations initiated from TKE:
- For CCA host crypto modules, operations that require ICSF include
setting the master keys, loading operational keys into the CKDS, and
loading RSA keys from a host data set to the PKDS.
- For CCA host crypto modules, ICSF is also required for initializing
or refreshing the CKDS, disabling and enabling PKA services, PKDS
initialization, PKDS reencipher, and PKDS activate.
- For EP11 host crypto modules, operations that require ICSF include
first time setting of the P11 master key, any subsequent P11 master
key change, initializing or updating the TKDS, and reenciphering the
TKDS.
For more information about these ICSF procedures, see z/OS Cryptographic Services ICSF Administrator's Guide.
Attention: Be prepared to switch between your TKE workstation
and your ICSF host session.
Note: Under normal circumstances, set master keys using ICSF services
that coordinate setting the master key with initializing or re-enciphering
key storage. Failure to do this can cause the keys or tokens in key
storage to become unusable when accessed by ICSF. There are exceptions:
- ICSF prior to HCR7790 allows the RSA master key to be set from
TKE using the Set option, but PKA Callable
Services must be disabled first. If no online host crypto modules
are at the September 2011 LIC level or later, ICSF at HCR7790 or later
also allows the RSA master key to be set from TKE using the Set option.
- Beginning with TKE V7.30, the Set, immediate option
allows any master key to be set from TKE. Use this option only when
key storage does not need to be initialized or re-enciphered when
the master key is set. For example, this option can be used to reload
a previous master key value if a host crypto module has been inadvertently
zeroized.
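The coordination rule in the note above, shown as an added illustration that is not ICSF, CCA or TKE code: a toy key store whose tokens are enciphered under the active master key, with a coordinated change (re-encipher, then activate), an uncoordinated Set, immediate of a new value (tokens become unusable), and a Set, immediate that reloads the previous value (tokens usable again). The wrapping is a simplified nonce || ciphertext || tag construction, not the CCA key-token format, and the master key and operational key values are constructed.

```python
import hashlib
import hmac
import os

def wrap(master_key: bytes, clear_key: bytes) -> bytes:
    nonce = os.urandom(16)
    stream = hashlib.sha256(master_key + nonce).digest()[:len(clear_key)]
    ciphertext = bytes(a ^ b for a, b in zip(clear_key, stream))
    tag = hmac.new(master_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag          # toy token: nonce || ciphertext || tag

def unwrap(master_key: bytes, token: bytes) -> bytes:
    nonce, ciphertext, tag = token[:16], token[16:-32], token[-32:]
    expected = hmac.new(master_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # wrong MK is detected, not garbage
        raise ValueError("token not enciphered under the active master key")
    stream = hashlib.sha256(master_key + nonce).digest()[:len(ciphertext)]
    return bytes(a ^ b for a, b in zip(ciphertext, stream))

class KeyStore:
    # Model of key storage (CKDS/PKDS/TKDS): tokens enciphered under the active MK.
    def __init__(self, master_key: bytes):
        self.master_key, self.tokens = master_key, {}
    def add(self, label: str, clear_key: bytes) -> None:
        self.tokens[label] = wrap(self.master_key, clear_key)
    def all_usable(self) -> bool:
        # True only if every stored token still deciphers under the active MK.
        try:
            return all(unwrap(self.master_key, t) is not None for t in self.tokens.values())
        except ValueError:
            return False
    def set_master_key_coordinated(self, new_mk: bytes) -> None:
        # ICSF path: re-encipher every token under the new MK, then activate it.
        self.tokens = {lbl: wrap(new_mk, unwrap(self.master_key, tok))
                       for lbl, tok in self.tokens.items()}
        self.master_key = new_mk
    def set_master_key_immediate(self, new_mk: bytes) -> None:
        self.master_key = new_mk   # TKE "Set, immediate": key storage is untouched

def demo() -> dict:
    mk_a, mk_b = os.urandom(32), os.urandom(32)          # constructed master keys
    store = KeyStore(mk_a)
    store.add("OP.KEY.1", bytes(range(16)))             # constructed operational key
    out = {}
    store.set_master_key_coordinated(mk_b)
    out["coordinated_change"] = store.all_usable()      # True
    store.set_master_key_immediate(mk_a)                # new value, no re-encipher
    out["immediate_new_value"] = store.all_usable()     # False: storage unusable
    store.set_master_key_immediate(mk_b)                # reload the previous MK value
    out["immediate_reload_previous"] = store.all_usable()  # True
    return out
```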