z/OS Cryptographic Services ICSF Administrator's Guide


Reenciphering a disk copy of a CKDS and changing the master key

SA22-7521-17

This topic describes how to use the utility program to reencipher a disk copy of a CKDS and to change a master key.

Notes:
  1. Prior to performing any function that affects the current CKDS, such as reenciphering, refreshing, or changing the master key, consider temporarily disallowing dynamic CKDS update services. For more information, refer to Steps for disallowing dynamic CKDS updates during CKDS administration updates. If a CKDS reencipher is to be performed on a CKDS that is shared by members of a sysplex, dynamic CKDS updates should be disabled on all sysplex systems until the master key has been changed and the newly reenciphered CKDS is active on all systems sharing the CKDS.
  2. If the CKDS contains HMAC keys, it must be reenciphered on a system with a CEX3C and the Sept. 2010 or later licensed internal code.
  1. When you change a master key, you must first reencipher any disk copies of the CKDSs under the new master key in the new master key register.

    You can reencipher a CKDS either using the panels or the utility program.

    Notes:
    1. In compatibility or co-existence mode, you can use the utility program to reencipher a CKDS but not to change the master key. To change the master key using the utility program, you must be in noncompatibility mode.
    2. When invoking the master key reencipher you need access to the CSFMVR profile in the CSFSERV class.
  2. Invoke the program as a batch job or from another program.

    You pass the same parameters whether you call the program as a batch job or from another program.

  3. Pass the names of the CKDSs upon which to perform the task and the name of the task to perform.

    When you invoke the utility program from another program, General Register 1 must contain a pointer to the address of a data area whose structure is as follows:

       Bytes 0-1: Length of the parameter string in binary
       Bytes 2-n: The parameter string

    The parameter string is the same as that which you would specify using the PARM keyword on the EXEC JCL statement if you invoked the program as a batch job.

  4. To reencipher a disk copy of a CKDS, pass these parameters in this order:
    1. The name of the disk copy of the CKDS to reencipher.
    2. The name of an empty disk copy of the CKDS to contain the reenciphered keys.
    3. The name for the task: REENC.
    Note:
    The input CKDS and the output CKDS must have the same VSAM attributes.
  5. To reencipher the CKDS using JCL, use JCL like this example:
       //STEP EXEC PGM=CSFEUTIL,PARM='OLD.CKDS,NEW.CKDS,REENC'

    The first parameter passed, OLD.CKDS, is the name of the disk copy to reencipher. The second parameter, NEW.CKDS, is the name of an empty disk copy of the CKDS where you want ICSF to place the reenciphered keys.

  6. After you have reenciphered all the disk copies of the CKDSs under the new master key, make the new master key active by changing the master key.

    The utility program activates the new master key and reads a disk copy of a CKDS reenciphered under the new master key into storage.

  7. To change a master key, pass these parameters in this order:
    1. The name of the disk copy of the CKDS to read into storage.
    2. The name for the task: CHANGE.
  8. To change the master key using JCL, use JCL like this example:
       //STEP EXEC PGM=CSFEUTIL,PARM='NEW.CKDS,CHANGE'

    The utility program reads the new master key into the master key register to make that master key active. The program also reads into storage a disk copy of the CKDS that you specify. This CKDS should be reenciphered under the new master key that you are making the current master key. The first parameter passed, NEW.CKDS, is the name of the disk copy of the CKDS that you want ICSF to read into storage.
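    The parameter area described in step 3 (a halfword length followed by the parameter string) and the parameter orders required by steps 4 and 7 (three parameters ending in REENC, two ending in CHANGE), shown as an added C example that is not part of the ICSF documentation and is not IBM's code. It does not call CSFEUTIL; it builds and reads back the area a caller would point General Register 1 at, and checks a parameter string against the two shapes this page documents before a job is submitted. The function names, the PARM_MAX limit and the rule that the REENC input and output data set names must differ are assumptions made for this example; the halfword is stored high-order byte first, which is the z/OS byte order.

```c
#include <stdio.h>
#include <string.h>

/* Constructed limit for this example; the page states no maximum. */
#define PARM_MAX 256

/* Build the area CSFEUTIL expects when invoked from another program:
 * bytes 0-1 = length of the parameter string in binary (a halfword,
 * stored high-order byte first as on z/OS), bytes 2-n = the string.
 * Returns the total bytes written, or 0 if the input is empty or too long. */
size_t build_parm_area(const char *parm, unsigned char *buf, size_t buflen)
{
    size_t len = strlen(parm);
    if (len == 0 || len > PARM_MAX || buflen < len + 2)
        return 0;
    buf[0] = (unsigned char)(len >> 8);    /* high-order byte of the halfword */
    buf[1] = (unsigned char)(len & 0xFF);  /* low-order byte */
    memcpy(buf + 2, parm, len);            /* the string carries no terminator */
    return len + 2;
}

/* Copy the parameter string out of an area into out, NUL-terminated.
 * Returns the string length, or -1 if it does not fit in out. */
int read_parm_area(const unsigned char *buf, char *out, size_t outlen)
{
    size_t len = ((size_t)buf[0] << 8) | buf[1];
    if (len + 1 > outlen)
        return -1;
    memcpy(out, buf + 2, len);
    out[len] = '\0';
    return (int)len;
}

/* True when the first len bytes of p are exactly the string s. */
static int part_is(const char *p, size_t len, const char *s)
{
    return len == strlen(s) && memcmp(p, s, len) == 0;
}

/* Pre-submission sanity check (written for this example, not CSFEUTIL's own
 * validation) against the two parameter orders on this page:
 *   REENC  : input.ckds,output.ckds,REENC   (3 parts, names must differ)
 *   CHANGE : new.ckds,CHANGE                (2 parts)
 * Returns 1 if parm matches one of those shapes, 0 otherwise. */
int validate_parm(const char *parm)
{
    const char *parts[4];
    size_t lens[4];
    int n = 0;
    const char *p = parm;

    for (;;) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        if (n == 4 || len == 0)        /* too many parts, or an empty one */
            return 0;
        parts[n] = p;
        lens[n] = len;
        n++;
        if (!comma)
            break;
        p = comma + 1;
    }
    if (n == 3 && part_is(parts[2], lens[2], "REENC"))
        /* the output CKDS must be a different, empty data set */
        return !(lens[0] == lens[1] && memcmp(parts[0], parts[1], lens[0]) == 0);
    if (n == 2 && part_is(parts[1], lens[1], "CHANGE"))
        return 1;
    return 0;
}

/* Build the area for parm, read it back, and return the total area length
 * when the round trip reproduces parm exactly; 0 otherwise. */
size_t parm_roundtrip(const char *parm)
{
    unsigned char area[PARM_MAX + 2];
    char back[PARM_MAX + 1];
    size_t n = build_parm_area(parm, area, sizeof area);
    if (n == 0 || read_parm_area(area, back, sizeof back) < 0)
        return 0;
    return strcmp(back, parm) == 0 ? n : 0;
}

int main(void)
{
    /* Same parameter strings as the JCL examples on this page. */
    const char *reenc = "OLD.CKDS,NEW.CKDS,REENC";
    const char *change = "NEW.CKDS,CHANGE";
    printf("%s: area %zu bytes, valid=%d\n", reenc, parm_roundtrip(reenc), validate_parm(reenc));
    printf("%s: area %zu bytes, valid=%d\n", change, parm_roundtrip(change), validate_parm(change));
    return 0;
}
```

The area length is two bytes more than the string length, so the first JCL example's 23-character PARM value becomes a 25-byte area with the halfword 0x0017 in front of it.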

When you invoke the program as a batch job, you receive the return code in a message when the job completes. You do not receive a reason code with the return code. When the program is invoked from another program, the invoking program receives the reason code in General Register 0 along with the return code in General Register 15. The return codes and reason codes are explained in Return and reason codes for the CSFEUTIL program.





Copyright IBM Corporation 1990, 2014