z/OS Cryptographic Services ICSF Administrator's Guide


Performing a coordinated CKDS refresh

z/OS Cryptographic Services ICSF Administrator's Guide
SA22-7521-17

Coordinated CKDS refresh may be performed on a single instance of ICSF, on a single-system sysplex, or on a multi-system sysplex. The coordinated CKDS refresh operation is initiated from a single ICSF instance and then carried out across all other sysplex members sharing the same active CKDS. This results in the in-storage copy of the CKDS being updated for all ICSF instances in the sysplex that share the same active CKDS as the initiator.

To perform a coordinated CKDS refresh, all members of the sysplex (including sysplex members that are not configured with the same active CKDS) must be at the ICSF FMID HCR7790 level or later. In addition, no system sharing the CKDS can be a CCF system (such as a z900 system).

Before performing a coordinated CKDS refresh, you should disable dynamic CKDS updates on all sysplex members. For more information, refer to Steps for disallowing dynamic CKDS updates during CKDS administration updates.

If you are performing a coordinated CKDS refresh to a new CKDS, you must ensure that the new target CKDS of the refresh contains data set attributes that are consistent with the currently active CKDS. This data set must be allocated, must not be empty, and must be enciphered with the current master key(s). You will optionally be able to use the archive option for renaming the current CKDS to an archive name and the new CKDS to the active CKDS name. The archive data set name must not be allocated or exist on the system prior to performing the coordinated CKDS refresh.

To perform a coordinated CKDS refresh:

  1. Enter option 2, MASTER KEY MGMT, on the ICSF Primary Menu panel to access the Master Key Management panel.
  2. The Master Key Management panel is displayed. To perform a coordinated refresh of the CKDS, specify option 8 and press ENTER.
     CSFMKM10 ---------------- ICSF - Master Key Management  ----------------
     OPTION ===>  8
    
     Enter the number of the desired option.                                       
                                                                                  
       1  INIT/REFRESH/UPDATE CKDS - Initialize a Cryptographic Key Data Set or    
                               activate an updated Cryptographic Key Data Set      
       2  SET MK            -  Set a master key (AES, DES, ECC)               
       3  REENCIPHER CKDS   -  Reencipher the CKDS prior to changing a symmetric   
                               master key                                          
       4  CHANGE SYM MK     -  Change a symmetric master key and activate the      
                               reenciphered CKDS 
       5  INIT/REFRESH/UPDATE PKDS -  Initialize a Public Key Data Set or
                               activate an updated Public Key Data Set or
                               update the Public Key Data Set header              
       6  REENCIPHER PKDS   -  Reencipher the PKDS        
       7  CHANGE ASYM MK    -  Change an asymmetric master key and activate the
                               reenciphered PKDS
       8  COORDINATED KDS REFRESH - Perform a coordinated KDS refresh
       9  COORDINATED KDS CHANGE MK - Perform a coordinated KDS change master key  
  3. The Coordinated Refresh KDS Selection panel is displayed. You are prompted for the KDS type for the coordinated refresh. The coordinated refresh function is only supported for the CKDS.
    CSFCRC4P ----------- ICSF - Coordinated Refresh KDS Selection ------- 
    
      Select one Key Data Set type and press ENTER to continue. 
    
      ==> / CKDS - Cryptographic Key Data Set 
  4. The Coordinated KDS Refresh panel is displayed.
     --------------------  ICSF - Coordinated KDS Refresh --------------------
    COMMAND ===>
    To perform a coordinated KDS refresh to a new KDS, enter the KDS names below 
    and optionally select the rename option. To perform a coordinated KDS refresh 
    of the active KDS, simply press enter without entering anything on this panel.                                                                   
                                                                                  
        KDS Type ===> CKDS                                                                                                                                      
      Active KDS ===> 'PLEX.TEST.CKDS'                                      
                                                                                  
         New KDS ===>                                                             
                                                                                  
              Rename Active to Archived and New to Active (Y/N) ===> N            
                                                                                  
              Archived KDS ===>                                                                                                                            
                                                                                
    Press ENTER to perform a coordinated KDS refresh.                             
    Press END to exit to the previous menu.                                       

    The active KDS name is displayed in the Active KDS field for the selected KDS type. You can use this panel to refresh to a new CKDS or to refresh the active CKDS.

    • To refresh to a new CKDS:
      1. Enter the name of the new CKDS in the New KDS field. This data set must be allocated, not empty, and enciphered under the current master key(s).
      2. Optionally the rename option may be used to have the current CKDS renamed to an archive name and the new CKDS renamed to the active CKDS name. The rename option simplifies KDS administration by removing the need to update the ICSF Options Data Set with the name of the new data set after the coordinated CKDS refresh to a new data set completes.
        • If you want the new CKDS renamed to match the name of the current active CKDS:
          1. Type Y in the Rename Active to Archived and New to Active (Y/N) field.
          2. Enter the name under which the currently active CKDS will be archived in the Archived KDS field. The archive KDS name must not be allocated and must not exist on the system prior to performing the coordinated refresh to a new data set.
        • If you do not want the new CKDS renamed to match the name of the current active CKDS, type N in the Rename Active to Archived and New to Active (Y/N) field. Remember to change the name of the CKDS in the Installation Options Data Set as described in the z/OS Cryptographic Services ICSF System Programmer's Guide. The CKDS name must be changed in each cluster member's Installation Options Data Set after the coordinated KDS refresh function completes successfully. If the Installation Options Data Set is updated with a new CKDS name and the coordinated KDS refresh function fails, ICSF might be configured with an invalid CKDS the next time it is restarted.
      3. Press ENTER to begin the coordinated refresh.
    • To refresh the active CKDS, no input is required on the panel; any input entered is ignored.
      1. Verify that the Active KDS field shows the name of the active CKDS. ICSF should have filled in this field automatically.
      2. Press ENTER to begin the coordinated refresh.
  5. A confirmation panel will be displayed, prompting you to verify that you want to continue with the coordinated refresh. Verify that the information on this confirmation panel is correct. If it is, type Y in the confirmation field provided and press ENTER. The Coordinated KDS Refresh will then start processing.
  6. Verify the dialog results, and address any indicated failures or unexpected results.
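The preconditions stated above (new CKDS allocated, not empty and enciphered under the current master key; archive name not already existing when the rename option is Y; other input ignored for a refresh of the active CKDS) are easy to get wrong when preparing the panel input. The following Python is an added illustration, not ICSF code: it models the panel fields and a catalog of data sets so the checks can be run and the effect of the rename option traced. The catalog, the data set names other than PLEX.TEST.CKDS, and the master key label are constructed for the example.

```python
from dataclasses import dataclass

# Constructed stand-in for a cataloged key data set. ICSF itself determines
# "enciphered under the current master key" from the CKDS header; here a
# simple master key label plays that role.
@dataclass
class KeyDataSet:
    name: str
    records: int           # 0 means allocated but empty
    master_key_label: str  # master key the CKDS is enciphered under


@dataclass
class RefreshPanel:
    """Fields of the Coordinated KDS Refresh panel as the operator fills them in."""
    active_kds: str
    new_kds: str = ""
    rename: str = "N"      # Rename Active to Archived and New to Active (Y/N)
    archived_kds: str = ""


# Constructed sample catalog: only PLEX.TEST.CKDS comes from the panel above.
CURRENT_MK_LABEL = "MK-CURRENT"
SAMPLE_CATALOG = {
    "PLEX.TEST.CKDS": KeyDataSet("PLEX.TEST.CKDS", 120, "MK-CURRENT"),
    "PLEX.NEW.CKDS": KeyDataSet("PLEX.NEW.CKDS", 125, "MK-CURRENT"),
    "PLEX.EMPTY.CKDS": KeyDataSet("PLEX.EMPTY.CKDS", 0, "MK-CURRENT"),
    "PLEX.OLD.CKDS": KeyDataSet("PLEX.OLD.CKDS", 100, "MK-PREVIOUS"),
}


def check_refresh(panel, catalog, current_mk_label):
    """Return the list of precondition violations; an empty list means proceed.

    catalog maps data set name -> KeyDataSet for every allocated data set.
    With no New KDS the request is a refresh of the active CKDS and the
    remaining fields are ignored, as the panel text states.
    """
    if not panel.new_kds:
        return []
    problems = []
    new = catalog.get(panel.new_kds)
    if new is None:
        problems.append(f"New KDS {panel.new_kds} is not allocated")
    else:
        if new.records == 0:
            problems.append(f"New KDS {panel.new_kds} is empty")
        if new.master_key_label != current_mk_label:
            problems.append(f"New KDS {panel.new_kds} is not enciphered under the current master key")
    if panel.rename not in ("Y", "N"):
        problems.append(f"Rename option must be Y or N, got {panel.rename!r}")
    elif panel.rename == "Y":
        if not panel.archived_kds:
            problems.append("Archived KDS name is required when the rename option is Y")
        elif panel.archived_kds in catalog:
            problems.append(f"Archived KDS {panel.archived_kds} must not already exist")
    return problems


def apply_rename(panel, catalog):
    """Model the rename option after a successful refresh: the active data set
    takes the archive name and the new data set takes the active name.
    Returns an updated copy of the catalog."""
    updated = dict(catalog)
    active = updated.pop(panel.active_kds)
    new = updated.pop(panel.new_kds)
    updated[panel.archived_kds] = KeyDataSet(panel.archived_kds, active.records, active.master_key_label)
    updated[panel.active_kds] = KeyDataSet(panel.active_kds, new.records, new.master_key_label)
    return updated


def follow_up_action(panel):
    """Administration step that remains after the refresh, depending on the rename choice."""
    if not panel.new_kds or panel.rename == "Y":
        return "none: the CKDS name in the Installation Options Data Set is unchanged"
    return ("update the CKDS name in each cluster member's Installation Options Data Set, "
            "only after the coordinated refresh completes successfully")


if __name__ == "__main__":
    req = RefreshPanel("PLEX.TEST.CKDS", "PLEX.NEW.CKDS", "Y", "PLEX.ARCH.CKDS")
    print("problems:", check_refresh(req, SAMPLE_CATALOG, CURRENT_MK_LABEL))
    print("after rename:", sorted(apply_rename(req, SAMPLE_CATALOG)))
    print("follow-up:", follow_up_action(req))
```

Running the block with the rename option set to Y shows that the active name PLEX.TEST.CKDS survives the refresh, which is exactly why no Installation Options Data Set change is needed in that case; with N, the follow-up step is the one the procedure warns about, and it must wait until the refresh has completed successfully.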





Copyright IBM Corporation 1990, 2014