z/OS Cryptographic Services ICSF Administrator's Guide


Steps to reenter cleared master keys

SA22-7521-17

Note:
If PPINIT was used initially, you must rerun the utility with the same pass phrase to reenter the cleared master keys.

When the Cryptographic Coprocessor Feature clears the master keys, reenter the same master keys using these steps:

  1. Check the status of the PKA callable services. If they are enabled, use the Administrative Control Functions to disable them. See Steps for enabling and disabling PKA services for details.
  2. Retrieve the key parts, checksums, verification patterns, and hash patterns you used when you entered the master keys originally.

    These values should be stored in a secure place as specified in your enterprise's security process.

  3. Access the Master Key Entry panels and enter the master keys as described in Steps for entering the first master key part.
  4. When you enter the new DES master key, select option 2, MASTER KEY, from the primary menu. The Master Key Management panel appears. See Figure 58.

    To activate the DES master key you just entered, you need to set it.

  5. To set the DES master key, choose option 2 on the panel and press ENTER.

    Figure 58. Selecting the Set Host Master Key Option on the ICSF Master Key Management Panel
     CSFMKM00 ---------------- ICSF - Master Key Management  ----------------
     OPTION ===>  1
    
    
     Enter the number of the desired option above.
    
       1 INIT/REFRESH/UPDATE CKDS - Initialize a Cryptographic Key Data Set or 
                             activate an updated Cryptographic Key Data Set 
       2 SET MK            - Set a symmetric (DES or AES) master key
       3 REENCIPHER CKDS   - Reencipher the CKDS prior to changing a symmetric
                             master key
       4 CHANGE MK         - Change a symmetric master key and 
                             activate the reenciphered CKDS
       5 INITIALIZE PKDS   - Initialize or update a PKA Cryptographic
                             Key Data Set header record
       6 REENCIPHER PKDS   - Reencipher the PKA Cryptographic Key Data Set
       7 REFRESH PKDS      - Activate an updated PKA Cryptographic Key Data Set
       

    When you select option 2, ICSF checks that the states of the registers are correct. ICSF then transfers the DES master key from the new master key register to the master key register. This process sets the DES master key.

    When ICSF attempts to set the DES master key, it displays a message on the top right of the Master Key Management panel. The message indicates either that the master key was successfully set, or that an error prevented the completion of the set process.

    Notes:
    1. If your system is using both crypto modules provided by a Cryptographic Coprocessor Feature, ICSF sets the DES master key for each crypto module whose new DES master key enciphers the in-storage CKDS. You should reenter the DES master key into the new master key register for each of the crypto modules.
    2. The operator console receives messages that state that the crypto module is offline and then online for each crypto module. These actions should not affect cryptographic operations. However, if a crypto module does not have either a current DES master key or a new DES master key that enciphers the current in-storage CKDS, the crypto module is left offline.

    Setting the reentered DES master key restores the DES master key that enciphers the existing CKDS.

  6. You can now change the DES master key, if you choose to, for security reasons. Continue with Steps for changing master keys.

Copyright IBM Corporation 1990, 2014