z/OS Cryptographic Services ICSF Administrator's Guide


Performing a coordinated CKDS master key change

SA22-7521-17

The coordinated KDS change master key option simplifies the procedure for changing symmetric master keys. All systems must be running ICSF FMID HCR7790 or later. Before using this procedure, make sure that your system meets all the requirements outlined in Symmetric Master Keys and the CKDS. If your system does not meet these requirements, do not use this procedure. Instead, use the procedure described in Steps for reenciphering the CKDS and performing a single-system CKDS master key change.

Notes:
  1. Coordinated CKDS change master key is not supported on the IBM zSeries 900. In a sysplex environment, the master key will be changed for all systems in the sysplex that share the active CKDS. None of these systems can be an IBM zSeries 900.
  2. The coordinated KDS reencipher procedure offers further advantages in a sysplex environment. Specifically, a master key change initiated from one ICSF instance in the sysplex will change the master key(s) for all ICSF instances in the sysplex that share the same active CKDS. The instructions that follow assume you are running on a single system. If you are running in a sysplex environment, make sure you also understand the information in Changing symmetric master keys and refreshing the CKDS when the CKDS is shared in a sysplex environment before proceeding.
  3. Reenciphering a large CKDS (millions of records) may cause a temporary internal suspension of CKDS update requests running in parallel. If you cannot tolerate a temporary suspension in your workload, and would prefer that update requests are failed instead of suspended, you should disallow dynamic CKDS access prior to performing the coordinated CKDS reencipher. For more information, refer to Steps for disallowing dynamic CKDS updates during CKDS administration updates.
  4. This procedure is only for reenciphering the active CKDS. It is not for reenciphering archived or backup copies of the CKDS that are not currently active.
  5. If you have a combination of PCIXCCs, CEX2Cs, and/or CEX3Cs installed in a sysplex environment, the ICSF instance configured with the cryptographic coprocessor containing the highest level of licensed internal code must initiate the coordinated CKDS change master key. If the coordinated CKDS change master key is not initiated by the ICSF instance containing the highest level of licensed internal code, the operation will fail.
  6. If your system is using multiple coprocessors, they must have the same master key(s). When you change the master key(s) in one coprocessor, you should change the master key(s) in the other coprocessors. Therefore, to reencipher a CKDS under a new master key, the new master key registers in all coprocessors must contain the same value.
  7. If the CKDS contains HMAC keys, it must be reenciphered on a system with a CEX3C and the Sept. 2010 or later licensed internal code.
  8. If the CKDS contains variable-length AES keys, it must be reenciphered on a system with a CEX3C and the Sep. 2011 or later licensed internal code.
  9. If there is a problem reenciphering a CKDS entry, the CSFC0316 message is generated specifying the label for the CKDS problem entry.

Before beginning this procedure, you must:

  • Enter the key parts of the new master key(s) (AES master key, DES master key, or both) that are to replace the current master key(s). For information about how to do this, see Entering master key parts. The new master key register must be full when you change the master key.
  • Create a new VSAM data set in which the reenciphered keys will be placed to create the new reenciphered CKDS. This data set must be allocated and empty, and must contain the same data set attributes as the active CKDS. For more information about defining a CKDS, see the z/OS Cryptographic Services ICSF System Programmer’s Guide.

Before beginning this procedure, you may optionally:

  • Create an additional VSAM data set to serve as a backup of the new, reenciphered, CKDS. This data set must be allocated and empty, and must contain the same data set attributes as the active CKDS.
  • If you are planning to use the archive option, which is described below, determine a VSAM data set name to use for the archived CKDS data set. This data set must not be allocated and must not exist on the system.

For more information about defining a CKDS, see the z/OS Cryptographic Services ICSF System Programmer’s Guide.

To reencipher the CKDS and change the master key:

  1. Enter option 2, MASTER KEY MGMT, on the ICSF Primary Menu panel to access the Master Key Management panel.
  2. On the Master Key Management panel, select option 9, COORDINATED KDS CHANGE MK.
     CSFMKM10 ---------------- ICSF - Master Key Management  ----------------
     OPTION ===>  9
    
     Enter the number of the desired option.                                       
                                                                                  
       1  INIT/REFRESH/UPDATE CKDS - Initialize a Cryptographic Key Data Set or    
                               activate an updated Cryptographic Key Data Set      
       2  SET MK            -  Set a master key (AES, DES, ECC)               
       3  REENCIPHER CKDS   -  Reencipher the CKDS prior to changing a symmetric   
                               master key                                          
       4  CHANGE SYM MK     -  Change a symmetric master key and activate the      
                               reenciphered CKDS 
       5  INIT/REFRESH/UPDATE PKDS -  Initialize a Public Key Data Set or
                               activate an updated Public Key Data Set or
                               update the Public Key Data Set header              
       6  REENCIPHER PKDS   -  Reencipher the PKDS        
       7  CHANGE ASYM MK    -  Change an asymmetric master key and activate the
                               reenciphered PKDS
       8  COORDINATED KDS REFRESH - Perform a coordinated KDS refresh
       9  COORDINATED KDS CHANGE MK - Perform a coordinated KDS change master key  
  3. The Coordinated Change Master Key KDS Selection panel is displayed. You are prompted for the KDS type for the coordinated change master key action. The coordinated change master key action is supported only for a CKDS.
    CSFCRC4P ----------- ICSF - Coordinated Change Master Key KDS Selection ------- 
    
      Select one Key Data Set type and press ENTER to continue. 
    
      ==> / CKDS - Cryptographic Key Data Set 
  4. The Coordinated KDS change master key panel is displayed.
    ------------------- ICSF - Coordinated KDS change master key ------------------
                                                                                   
    To perform a coordinated KDS change master key, enter the KDS names below 
    and optionally select the rename option.                                       
                                                                                   
        KDS Type ===> CKDS                                                         
                                                                                   
      Active KDS ===> 'PLEX.TEST.CKDS'                                       
                                                                                   
         New KDS ===>                                                              
                                                                                   
              Rename Active to Archived and New to Active (Y/N) ===> N             
                                                                                   
              Archived KDS ===>                                                    
                                                                                   
              Create a backup of the reenciphered KDS (Y/N) ===> N                 
                                                                                   
              Backup KDS ===>                                                      
                                                                                   
    Press ENTER to perform a coordinated KDS change master key.                    
    Press END to exit to the previous menu.                                        
    The KDS type is displayed in the KDS Type field. The active CKDS is displayed in the Active KDS field.
    1. Enter the name of the new CKDS in the New KDS field. This must be an empty and allocated VSAM data set containing the same data set attributes as the active CKDS. The reenciphered keys will be placed into this new data set to create the new CKDS.
    2. Decide if you want to have the new CKDS renamed to match the name of the current active CKDS. Having the new CKDS renamed to match the name of the current active CKDS simplifies CKDS administration, because you will not need to update the ICSF Options Data Set with the name of the new data set after the CKDS is reenciphered.
      • If you would like to have the new CKDS renamed to match the name of the current active CKDS:
        1. Type Y in the Rename Active to Archived and New to Active (Y/N) field.
        2. Enter the name under which the currently active CKDS will be archived in the Archived KDS field. This must be a VSAM data set name that is not allocated and does not exist on the system.
      • If you do not want to have the new CKDS renamed to match the name of the current active CKDS, type N in the Rename Active to Archived and New to Active (Y/N) field. Remember to change the name of the CKDS in the Installation Options Data Set as described in the z/OS Cryptographic Services ICSF System Programmer’s Guide. The CKDS name must be changed in each cluster member’s Installation Options Data Set after the coordinated KDS change master key function completes successfully. If the Installation Options Data Set is updated with a new CKDS name and the coordinated KDS change master key function fails, ICSF might be configured with an invalid CKDS the next time it is restarted.
    3. Decide if you want to also create a backup copy of the newly reenciphered CKDS. If so, type Y in the Create a backup of the reenciphered KDS (Y/N) field and enter the backup data set name in the Backup KDS field. This must be an empty, allocated VSAM data set containing the same data set attributes as the active CKDS. The reenciphered keys will be placed into this data set to create the backup CKDS.
  5. Press ENTER to begin the coordinated change master key. This will reencipher the disk copy of the active CKDS under the new master keys to create the new CKDS on disk, and will create an in-storage copy of that new CKDS.
    Note:
    In a sysplex environment, the in-storage copy of the new CKDS will be created for all ICSF instances that share the CKDS. See Changing symmetric master keys and refreshing the CKDS when the CKDS is shared in a sysplex environment for more information.
  6. A confirmation panel will be displayed, prompting you to verify that you want to continue with the coordinated change master key. Verify that the information on this confirmation panel is correct. If it is, type Y in the confirmation field provided and press ENTER.

    The coordinated change master key function will be executed. This function will verify that all ICSF instances sharing the same active CKDS are configured with the same New Master Key register values. Additionally, it will verify that the CKDS names specified for input are valid and are compatible with each other.

  7. Verify the dialog results, and address any indicated failures or unexpected results.
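The following pre-flight model is added here as an illustration; it is not ICSF code. It gathers the prerequisites listed above (Notes 1, 5 and 6, the empty new CKDS, the non-existent archive name) and the step 6 verification of matching New Master Key registers into one checklist over constructed system state. The KDS and IcsfInstance classes, the LIC level numbers and the verification-pattern strings are assumed stand-ins for the real state ICSF inspects.

```python
"""Illustrative model of the checks a coordinated CKDS change master key must pass.
Constructed for this page; the classes below are stand-ins, not ICSF interfaces."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class KDS:
    name: str
    exists: bool              # data set is allocated on the system
    empty: bool = True        # data set contains no records
    attrs: str = "CKDS-ATTRS" # placeholder for the VSAM attribute set


@dataclass
class IcsfInstance:
    name: str
    z900: bool                # IBM zSeries 900 sharing the CKDS is not supported (Note 1)
    lic_level: int            # relative coprocessor licensed-internal-code level (Note 5)
    new_mk_vp: Optional[str]  # verification pattern of the new MK register, None if not full


def preflight(instances, initiator, active, new, rename=False, archived=None,
              backup=False, backup_kds=None):
    """Return the list of blocking problems; an empty list means the change may proceed."""
    problems = []
    init = {i.name: i for i in instances}[initiator]
    for i in instances:
        if i.z900:
            problems.append(f"{i.name}: zSeries 900 shares the active CKDS (not supported)")
        if i.lic_level > init.lic_level:
            problems.append(f"{initiator}: not the highest LIC level ({i.name} is higher)")
        if i.new_mk_vp is None:
            problems.append(f"{i.name}: new master key register is not full")
    # Note 6 / step 6: every instance must hold the same new master key value
    if len({i.new_mk_vp for i in instances if i.new_mk_vp is not None}) > 1:
        problems.append("new master key registers differ between instances")

    def check_target(kds, role):
        if kds is None or not kds.exists:
            problems.append(f"{role} KDS must be an allocated VSAM data set")
        elif not kds.empty:
            problems.append(f"{role} KDS {kds.name} must be empty")
        elif kds.attrs != active.attrs:
            problems.append(f"{role} KDS {kds.name} attributes differ from the active CKDS")

    check_target(new, "new")
    if rename and (archived is None or archived.exists):
        problems.append("archived KDS name must not exist when the rename option is selected")
    if backup:
        check_target(backup_kds, "backup")
    return problems
```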





Copyright IBM Corporation 1990, 2014