z/OS Cryptographic Services ICSF Administrator's Guide


Steps for changing master keys

SA22-7521-17

For security reasons your installation should change the master keys periodically. In addition, if the master keys have been cleared, you may also want to change the master keys when you reenter the cleared master keys.

There are three main steps involved in changing the DES-MK master key or AES-MK master key:

  1. Enter the DES-MK or AES-MK master key parts.
  2. Reencipher the CKDS under the new DES-MK or AES-MK master key.
  3. Change the new DES-MK or AES-MK master key and activate the reenciphered CKDS.

The procedure for changing the RSA-MK depends on the cryptographic coprocessors on your system.

  • If your system has one or more CEX3C coprocessors (with the Sep. 2011 or later LIC) online with the RSA-MK loaded, these are the main steps involved in changing the RSA-MK:
    1. Enter the RSA-MK master key parts.
    2. Reencipher the PKDS under the new RSA-MK.
    3. Change the new RSA-MK.
  • If your system doesn't have any CEX3C coprocessors (with the Sep. 2011 or later LIC) online, these are the main steps involved in changing the RSA-MK:
    1. Disable PKA callable services control.
    2. Enter the RSA-MK master key parts.
    3. Reencipher the PKDS under the new RSA-MK.
    4. Change the new RSA-MK.
    5. Enable PKA callable services control.
  • These are the main steps involved in changing the ECC-MK:
    1. Enter the ECC-MK master key parts.
    2. Reencipher the PKDS under the new ECC-MK.
    3. Change the new ECC-MK.
Notes:
  1. When changing a master key, remember to change the name of the CKDS and PKDS in the Installation Options Data Set.
  2. DES and AES master keys can be changed separately or together.
  3. RSA and ECC master keys can be changed separately or together.





Copyright IBM Corporation 1990, 2014