z/OS Cryptographic Services ICSF Administrator's Guide


Changing symmetric master keys and refreshing the CKDS when the CKDS is shared in a sysplex environment

SA22-7521-17

In ICSF FMID HCR7790, two functions have been added that coordinate CKDS refreshes and CKDS master key changes across sysplex members sharing the same active CKDS. The coordinated CKDS administration functions simplify CKDS management by automating the manual process for performing single-system CKDS refreshes and single-system CKDS master key changes. Although a sysplex environment is not required to use these functions, sysplex environments gain the maximum benefit from them when the changes are coordinated across all LPARs sharing the same active CKDS.

Both functions are initiated from a single ICSF instance. This instance will drive the operation across the sysplex using sysplex messaging to other members sharing the same active CKDS.

For coordinated CKDS refresh, the initiating system sends sysplex messages to all sysplex members sharing the same active CKDS, instructing them to either refresh their in-store CKDS copy of the active CKDS, or refresh their in-store CKDS copy to a new CKDS. Performing a coordinated CKDS refresh to a new CKDS will result in the new CKDS becoming the active CKDS for all sysplex members in this CKDS sysplex cluster.

Coordinated CKDS change master key will reencipher the active CKDS disk-copy to a new CKDS using the master key values that have been pre-loaded into the new master key registers. Before performing the coordinated CKDS change master key function, you must use either Master Key Entry or TKE to load the new master key registers. The coordinated CKDS change master key function may be used to change both the DES and AES master keys, or just one or the other.

For more information on Master Key Entry refer to Entering master key parts (PCIXCC, CEX2C, or CEX3C). For more information on loading the new master key registers from TKE, refer to the z/OS Cryptographic Services ICSF TKE Workstation User’s Guide.

After reenciphering the active CKDS disk-copy, the initiating system will send sysplex messages to the other members sharing the same active CKDS, informing them to re-load their in-store CKDS from the new reenciphered CKDS.

Next, the initiating system will set the symmetric master keys for the new master key registers (DES and/or AES) that have been pre-loaded, and make the new CKDS the active CKDS.

Finally, the initiating system will send sysplex messages to the other members of their CKDS sysplex cluster, informing them to set their symmetric master keys for the new master key registers (DES and/or AES) that have been pre-loaded, and to make the new CKDS their active CKDS.

It is not required to disable dynamic CKDS updates within the sysplex while performing a coordinated CKDS master key change. This is an enhancement over the single-system CKDS master key change function, for which disallowing dynamic CKDS update services is recommended.

During a coordinated CKDS master key change, dynamic CKDS update requests will be routed to, and processed by, the ICSF instance that initiated the coordinated CKDS master key change. The initiator will process dynamic CKDS updates against the active CKDS during the coordinated CKDS change master key. When the initiating system has reenciphered the CKDS, and before it coordinates the CKDS master key change across the sysplex, there is a brief suspension of dynamic CKDS update processing. During this brief suspension, dynamic CKDS updates that were processed by the initiator are applied to the new reenciphered CKDS. If you cannot tolerate a temporary suspension of dynamic CKDS update services in your workload, and would prefer that update requests fail instead, you should disallow dynamic CKDS access prior to performing a coordinated CKDS change master key.
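The sequence described above, modelled as an added Python example (not IBM or ICSF code). The `Member` class, the `wrap` XOR pad standing in for encipherment under a master key, the step names, and the string comparison of FMIDs are all assumptions of this model; it also enforces the HCR7790 level requirement stated later in this topic.

```python
import hashlib

MIN_FMID = "HCR7790"  # level the page requires on every ICSF instance in the sysplex

def wrap(mk: bytes, data: bytes) -> bytes:
    # Toy stand-in for enciphering under a master key (XOR pad, so wrap undoes itself).
    pad = hashlib.sha256(mk).digest()
    return bytes(a ^ b for a, b in zip(data, pad))

class Member:  # hypothetical model of one ICSF instance
    def __init__(self, name, fmid, active, mk, new_mk=None):
        self.name, self.fmid, self.active = name, fmid, active
        self.mk, self.new_mk = mk, new_mk   # current master key, new-master-key register
        self.in_store = active              # CKDS the in-store copy was loaded from

def coordinated_change_mk(initiator, sysplex, disk, new_name, updates):
    """disk: CKDS name -> {label: wrapped key}; updates: dynamic updates arriving mid-change."""
    cluster = [m for m in sysplex if m.active == initiator.active]
    # Level check covers every instance, whatever its active CKDS (string compare: assumption).
    low = [m.name for m in sysplex if m.fmid < MIN_FMID]
    if low:
        raise RuntimeError(f"coordinated functions unavailable, below {MIN_FMID}: {low}")
    unloaded = [m.name for m in cluster if m.new_mk is None]
    if unloaded:
        raise RuntimeError(f"new master key register not pre-loaded on: {unloaded}")
    old, steps = disk[initiator.active], []
    reenc = lambda w: wrap(initiator.new_mk, wrap(initiator.mk, w))
    # Initiator reenciphers the active CKDS disk copy into the new CKDS.
    disk[new_name] = {label: reenc(w) for label, w in old.items()}
    steps.append("reencipher")
    # Updates routed to the initiator meanwhile are processed against the active CKDS.
    for label, clear in updates:
        old[label] = wrap(initiator.mk, clear)
    # Brief suspension: those updates are applied to the new reenciphered CKDS.
    for label, _ in updates:
        disk[new_name][label] = reenc(old[label])
    steps.append("apply-updates")
    others = [m for m in cluster if m is not initiator]
    for m in others:                      # sysplex message: reload in-store copy
        m.in_store = new_name
    steps.append("reload-others")
    for m in [initiator] + others:        # initiator sets keys first, then the others
        m.mk, m.new_mk, m.active, m.in_store = m.new_mk, None, new_name, new_name
        steps.append(f"set-mk:{m.name}")
    return steps
```

In the model, a key added by a dynamic update while the reencipher is running ends up in the new CKDS wrapped under the new master key, which is why the page says dynamic updates need not be disabled for this function.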

For a coordinated CKDS refresh, dynamic CKDS update processing is internally suspended by the initiator until the coordinated CKDS refresh completes. However, IBM still recommends that you disallow dynamic CKDS access prior to performing a coordinated CKDS refresh.

For more information on disabling dynamic CKDS updates, refer to Steps for disallowing dynamic CKDS updates during CKDS administration updates.

If a Key Store Policy is defined on the active CKDS, it will continue to be used on the new CKDS after a coordinated CKDS change master key or coordinated CKDS refresh completes.

In order to perform one of the coordinated CKDS administration functions, all ICSF instances in the sysplex, regardless of their active CKDS, must be at the HCR7790 level or later. Coordinated CKDS administration functions will be unavailable if an instance of ICSF that is running at a level lower than HCR7790 joins the sysplex. When an ICSF instance running at a level lower than HCR7790 joins the sysplex group, the manual single-system process must be used to perform CKDS refreshes and CKDS master key changes on each LPAR in the CKDS sysplex cluster.

To perform a coordinated CKDS refresh, use the procedure described in Performing a coordinated CKDS refresh. To perform a single-system CKDS refresh, use the procedure described in Performing a single system CKDS refresh on each member of the CKDS sysplex cluster. When performing a single-system CKDS refresh or a coordinated CKDS refresh, you should disable dynamic CKDS updates on all sysplex members.

To change symmetric master keys, use the coordinated CKDS master key change function described in Performing a coordinated CKDS master key change. This capability is only available if your system and/or sysplex meets the necessary requirements outlined in Symmetric Master Keys and the CKDS.

If your environment does not meet the necessary requirements for performing a coordinated CKDS master key change, use the single-system CKDS change master key process. The single-system process should be performed on an instance running the latest level of ICSF. On the other CKDS sysplex cluster members, enter the master keys as described in Reentering master keys when they have been cleared (CCF and PCICC) or Reentering master keys when they have been cleared (PCIXCC, CEX2C, or CEX3C). Reenciphering the CKDS is not necessary on the other CKDS sysplex cluster members.

When using the manual single system process, it is recommended to disable dynamic CKDS updates on all sysplex members.





Copyright IBM Corporation 1990, 2014