Coordinated CKDS refresh may be performed on a single instance
of ICSF, on a single-system sysplex, or on a multi-system sysplex.
The coordinated CKDS refresh operation is initiated from a single
ICSF instance and then carried out across all other sysplex members
sharing the same active CKDS. This results in the in-storage copy
of the CKDS being updated for all ICSF instances in the sysplex that
share the same active CKDS as the initiator.
To perform a coordinated CKDS refresh, all members of the sysplex
(including sysplex members that are not configured with the same active
CKDS) must be at the ICSF FMID HCR7790 level or later. In addition,
no system sharing the CKDS can be a CCF system (such as a z900 system).
Before performing a coordinated CKDS refresh, you should disable
dynamic CKDS updates on all sysplex members. For more information,
refer to Steps for disallowing dynamic CKDS updates during CKDS administration
updates.
If you are performing a coordinated CKDS refresh to a new CKDS,
you must ensure that the new target CKDS of the refresh has data
set attributes that are consistent with the currently active CKDS.
This data set must be allocated, must not be empty, and must be enciphered
under the current master key(s). You can optionally use the rename
option to rename the current CKDS to an archive name and the new CKDS
to the active CKDS name. The archive data set name must not be
allocated and must not exist on the system before the coordinated
CKDS refresh is performed.
To perform a coordinated CKDS refresh:
- Enter option 2, MASTER KEY MGMT, on the ICSF Primary Menu panel
to access the Master Key Management panel.
- The Master Key Management panel is displayed. To perform a coordinated
refresh of the CKDS, specify option 8 and press enter.
CSFMKM10 ---------------- ICSF - Master Key Management ----------------
OPTION ===> 8
Enter the number of the desired option.
1 INIT/REFRESH/UPDATE CKDS - Initialize a Cryptographic Key Data Set or
activate an updated Cryptographic Key Data Set
2 SET MK - Set a master key (AES, DES, ECC)
3 REENCIPHER CKDS - Reencipher the CKDS prior to changing a symmetric
master key
4 CHANGE SYM MK - Change a symmetric master key and activate the
reenciphered CKDS
5 INIT/REFRESH/UPDATE PKDS - Initialize a Public Key Data Set or
activate an updated Public Key Data Set or
update the Public Key Data Set header
6 REENCIPHER PKDS - Reencipher the PKDS
7 CHANGE ASYM MK - Change an asymmetric master key and activate the
reenciphered PKDS
8 COORDINATED KDS REFRESH - Perform a coordinated KDS refresh
9 COORDINATED KDS CHANGE MK - Perform a coordinated KDS change master key
- The Coordinated Refresh KDS Selection panel is displayed. You
are prompted for the KDS type for the coordinated refresh. The coordinated
refresh function is only supported for the CKDS.
CSFCRC4P ----------- ICSF - Coordinated Refresh KDS Selection -------
Select one Key Data Set type and press ENTER to continue.
==> / CKDS - Cryptographic Key Data Set
- The Coordinated KDS Refresh panel is displayed.
-------------------- ICSF - Coordinated KDS Refresh --------------------
COMMAND ===>
To perform a coordinated KDS refresh to a new KDS, enter the KDS names below
and optionally select the rename option. To perform a coordinated KDS refresh
of the active KDS, simply press enter without entering anything on this panel.
KDS Type ===> CKDS
Active KDS ===> 'PLEX.TEST.CKDS'
New KDS ===>
Rename Active to Archived and New to Active (Y/N) ===> N
Archived KDS ===>
Press ENTER to perform a coordinated KDS refresh.
Press END to exit to the previous menu.
The active KDS name is displayed in the Active KDS field
for the selected KDS type. You can use this panel to refresh to a
new CKDS or to refresh the active CKDS.
- To refresh to a new CKDS:
- Enter the name of the new CKDS in the New KDS field.
This data set must be allocated, not empty, and enciphered under the
current master key(s).
- Optionally the rename option may be used to have the current CKDS
renamed to an archive name and the new CKDS renamed to the active
CKDS name. The rename option simplifies KDS administration by removing
the need to update the ICSF Options Data Set with the name of the
new data set after the coordinated CKDS refresh to a new data set
completes.
- If you would like to have the new CKDS renamed to match the name
of the current active CKDS:
- Type Y in the Rename Active to Archived and the
New to Active ( Y / N ) field.
- Enter the name under which the currently active CKDS will be archived
in the Archived KDS field. The archive KDS name
must not be allocated and must not exist on the system prior to performing
the coordinated refresh to a new data set.
- If you do not want to have the new CKDS renamed to match the name
of the current active CKDS, type N in the Rename
Active to Archived and the New to Active ( Y / N ) field. Remember
to change the name of the CKDS in the Installation Options Data Set
as described in the z/OS Cryptographic Services ICSF System Programmer's Guide. The CKDS name must be changed in each sysplex member's
Installation Options Data Set, and only after the coordinated KDS refresh function
has completed successfully. If the Installation Options Data Set is updated
with the new CKDS name before the refresh and the coordinated KDS refresh function then fails,
ICSF might be configured with an invalid CKDS the next time it is
restarted.
- Press ENTER to begin the coordinated refresh.
- To refresh the active CKDS, no input is required on the panel;
any input entered in the other fields is ignored.
- Verify that the Active KDS field shows the
name of the active CKDS. ICSF should have filled in this field automatically.
- Press ENTER to begin the coordinated refresh.
- A confirmation panel will be displayed, prompting you to verify
that you want to continue with the coordinated refresh. Verify that
the information on this confirmation panel is correct. If it is, type
Y in the confirmation field provided and press ENTER. The Coordinated
KDS Refresh will then start processing.
- Verify the dialog results, and address any indicated failures
or unexpected results.
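The preconditions and the post-refresh bookkeeping described above are easy to get wrong when several people administer a sysplex. The following Python model is an added example, not ICSF code and not part of this page: it encodes the panel's decision rules (refresh of the active CKDS versus refresh to a new CKDS, the rename option and its archive-name rule, the HCR7790 and CCF restrictions, disabled dynamic updates) as a pre-flight check over a constructed sysplex state, and it shows when the Installation Options Data Set may be updated. The numeric FMID encoding, the dataclass names and the sample data set and member names are assumptions made for the model.

```python
# Added model of the coordinated CKDS refresh preconditions from this page.
# Illustrative only: not ICSF code. The sysplex state, data set names and
# the numeric FMID encoding below are constructed assumptions.
from dataclasses import dataclass

HCR7790 = 7790  # assumed numeric encoding of the minimum ICSF FMID level


@dataclass
class Member:
    """One sysplex member running ICSF (constructed state)."""
    name: str
    fmid_level: int           # e.g. 7790 for HCR7790, 7780 for an older level
    active_ckds: str
    ccf: bool = False         # True for a CCF system such as a z900
    dynamic_updates: bool = True


@dataclass
class DataSet:
    """Catalog view of a candidate CKDS (constructed state)."""
    allocated: bool
    empty: bool
    current_mk: bool          # enciphered under the current master key(s)


@dataclass
class RefreshRequest:
    """The fields of the Coordinated KDS Refresh panel."""
    active_kds: str
    new_kds: str = ""
    rename: bool = False
    archived_kds: str = ""


def preflight(req: RefreshRequest, members: list, catalog: dict) -> list:
    """Return the reasons the refresh must not be started (empty list = go)."""
    errors = []
    for m in members:
        # Level and dynamic-update rules apply to every member of the sysplex,
        # including members that do not share the active CKDS.
        if m.fmid_level < HCR7790:
            errors.append(f"{m.name}: below HCR7790")
        if m.dynamic_updates:
            errors.append(f"{m.name}: dynamic CKDS updates still allowed")
        # The CCF rule applies to systems sharing the CKDS.
        if m.ccf and m.active_ckds == req.active_kds:
            errors.append(f"{m.name}: CCF system shares the CKDS")
    if not req.new_kds:
        return errors  # refresh of the active CKDS: other panel fields are ignored
    ds = catalog.get(req.new_kds)
    if ds is None or not ds.allocated:
        errors.append(f"{req.new_kds}: not allocated")
    elif ds.empty:
        errors.append(f"{req.new_kds}: empty")
    elif not ds.current_mk:
        errors.append(f"{req.new_kds}: not enciphered under the current master key(s)")
    if req.rename:
        if not req.archived_kds:
            errors.append("archive name required when rename is Y")
        elif req.archived_kds in catalog:
            errors.append(f"{req.archived_kds}: archive name already exists")
    return errors


def options_updates(req: RefreshRequest, members: list, refresh_succeeded: bool) -> list:
    """Members whose Installation Options Data Set needs the new CKDS name.

    With the rename option the active name never changes, so nothing is
    updated; without it, update every sharing member, but only after the
    refresh completed successfully, never before.
    """
    if not req.new_kds or req.rename or not refresh_succeeded:
        return []
    return [m.name for m in members if m.active_ckds == req.active_kds]


if __name__ == "__main__":
    plex = [Member("SYS1", 7790, "PLEX.TEST.CKDS", dynamic_updates=False),
            Member("SYS2", 7790, "PLEX.TEST.CKDS", dynamic_updates=False),
            Member("SYS3", 7790, "PLEX.OTHER.CKDS", dynamic_updates=False)]
    cat = {"PLEX.TEST.CKDS": DataSet(True, False, True),
           "PLEX.NEW.CKDS": DataSet(True, False, True)}
    req = RefreshRequest("PLEX.TEST.CKDS", "PLEX.NEW.CKDS", rename=False)
    print("pre-flight:", preflight(req, plex, cat) or "ok")
    print("update options on:", options_updates(req, plex, refresh_succeeded=True))
```

Run it as a script to see the no-rename path: the pre-flight passes and SYS1 and SYS2 (the members sharing PLEX.TEST.CKDS) are the ones whose Options Data Set must be changed afterwards; SYS3 is not, because it uses another CKDS.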