The step-by-step procedure for changing the RSA-MK or
ECC-MK is documented in this topic.
Notes:
- Prior to reenciphering a PKDS, consider temporarily disallowing
dynamic PKDS update services. For more information, refer to Steps for enabling and disabling PKA callable services and
PKDS updates.
- The procedure for changing the RSA-MK depends on the cryptographic
coprocessors online on your system. When your system has CEX3C coprocessors
that are online and have the RSA-MK loaded, the steps involving the
PKA callable services control should be ignored. The control will
not be active.
- When the PKDS is shared by multiple images in a sysplex environment,
the asymmetric key master keys must also be changed on all the sharing
systems. See Running in a Sysplex Environment.
|