You normally have to initialize a PKDS only the first time you
start ICSF on a system. However, depending on your system configuration,
the PKDS on a legacy machine will need to be initialized if it does
not contain any keys. Until this is done, PKA Callable
Services cannot be enabled.
When you initialize a PKDS, you can copy the disk copy of the PKDS
to create other PKDSs for use on the system. You can also use a PKDS
on another ICSF system if the system has the same master key value.
For a description of how to use the Master Key Entry panels to
enter the master key, see Steps for entering the first master key part. For a description
of how to use the TKE workstation to enter the master
key, refer to z/OS Cryptographic Services ICSF TKE Workstation User’s Guide.
Steps for initializing the PKDS
To initialize the PKDS:
- Return to the Primary Menu panel by pressing END from the Master
Key Entry panel.
- Select Option 2, MASTER KEY, on the Primary Menu panel as shown
in Figure 53.
Figure 53. Selecting the Master Key option on the primary menu panel
CSF@PRIM --------- Integrated Cryptographic Service Facility ---------
OPTION ===> 2
Enter the number of the desired option.
1 COPROCESSOR MGMT - Management of Cryptographic Coprocessors
2 MASTER KEY MGMT - Master key set or change, CKDS/PKDS processing
3 OPSTAT - Installation options
4 ADMINCNTL - Administrative Control Functions
5 UTILITY - ICSF Utilities
6 PPINIT - Pass Phrase Master Key/KDS Initialization
7 TKE - TKE Master and Operational key processing
8 KGUP - Key Generator Utility processes
9 UDX MGMT - Management of User Defined Extensions
Licensed Materials - Property of IBM
5694-A01 (C) Copyright IBM Corp. 1990, 2011. All rights reserved.
US Government Users Restricted Rights - Use, duplication or
disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Press ENTER to go to the selected option.
Press END to exit to the previous menu.
The Master Key Management panel appears. See Figure 54.
Figure 54. ICSF Master Key Management Panel
CSFMKM00 ---------------- ICSF - Master Key Management ----------------
OPTION ===> 1
Enter the number of the desired option above.
1 INIT/REFRESH/UPDATE CKDS - Initialize a Cryptographic Key Data Set or
activate an updated Cryptographic Key Data Set
2 SET MK - Set a symmetric (DES or AES) master key
3 REENCIPHER CKDS - Reencipher the CKDS prior to changing a symmetric
master key
4 CHANGE MK - Change a symmetric master key and
activate the reenciphered CKDS
5 INITIALIZE PKDS - Initialize or update a PKA Cryptographic
Key Data Set header record
6 REENCIPHER PKDS - Reencipher the PKA Cryptographic Key Data Set
7 REFRESH PKDS - Activate an updated PKA Cryptographic Key Data Set
- Select option 5, INITIALIZE PKDS, and the Initialize a PKDS panel
appears. See Figure 55.
Figure 55. ICSF Initialize a PKDS Panel
CSFCMK30 ---------------- ICSF - Initialize a PKDS ----------------
COMMAND ===>
Enter the name of the PKDS to be initialized below.
PKDS ===> 'FIRST.EMPTY.PKDS'
- In the PKDS field, enter the name of the empty VSAM data set that
was created to use as the disk copy of the PKDS.
- The PKDS must now be refreshed to become active. Return to the
previous panel and select option 7.
Figure 56. Refresh PKDS
CSFCMK21 ---------- ICSF - Refresh PKA Cryptographic Key Data Set -------
COMMAND ===>
Enter the name of the new PKDS below.
New PKDS ===> 'PKDS.NEW.MASTER'
Press ENTER to refresh the PKDS.
Press END to exit to the previous menu
When you press ENTER, the PKDS is refreshed and becomes the
in-storage copy.
- In the New PKDS field, enter the name of the initialized PKDS to
make it the active PKDS.