z/OS Cryptographic Services ICSF Administrator's Guide
Previous topic | Next topic | Contents | Index | Contact z/OS | Library | PDF


Steps for changing master keys

z/OS Cryptographic Services ICSF Administrator's Guide
SA22-7521-17

For security reasons your installation should change the master keys periodically. In addition, if the master keys have been cleared, you may also want to change the master keys when you reenter the cleared master keys.

There are three main steps involved in changing the DES master key:

  1. Enter the DES and SYM-MK master key parts.
  2. Reencipher the CKDS under the new DES master key.
  3. Change the new DES master key and activate the reenciphered CKDS.
Note:
When changing the master key, remember to change the name of the CKDS in the Installation Options Data Set.

There are six main steps involved in changing the PKA master keys:

  1. Disable PKA Services
  2. Enter the PKA master keys (SMK and KMMK, if equal to the SMK) and ASYM-MK.
  3. Reencipher the PKDS under the new PKA master keys.
  4. Refresh the PKDS.
  5. Enable PKA Services
  6. Enable PKDS read and write access.
Notes:
  1. PKA master keys should only be changed if there is a PCICC available on the system.
  2. When changing the master key, remember to change the name of the PKDS in the Installation Options Data Set.

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014