For security reasons, your installation may need to clear the master keys. This may be required, for example, prior to turning the processor hardware over for maintenance.

If you have a TKE workstation, you can use it to zeroize all domains that have keys loaded. Refer to z/OS Cryptographic Services ICSF TKE Workstation User’s Guide for more information.

If you do not have a TKE workstation, you might want to consider nullifying the master keys. To do this you would need to enter a new DES-MK or AES-MK master key, reencipher a dummy CKDS, and change the master key. You would need to perform this operation twice to ensure that the master key is cleared from the auxiliary (old) master key register. You would also need to reset the asymmetric-keys master keys and process the PCIXCC, CEX2C, and CEX3C master keys.

You can also use the zeroize function on the Support Element panel. Besides clearing the master keys, this also clears all domains and installation data.