The step-by-step procedure for changing the DES master key, reenciphering the CKDS, and activating the new DES master key are presented in Steps for changing the DES master key and reenciphering the CKDS. This topic provides some background on the contents of the master key registers during the key change process, and some compatibility mode considerations.

A DES master key and a CKDS that contains keys that are enciphered under that DES master key already exist. When you replace this existing DES master key with the new DES master key, you must reencipher the CKDS under the new DES master key.

For the CCF, if you changed the DES master key previously, the previous DES master key was stored in the auxiliary (or new/old) master key register. The currently active DES master key exists in the master key register. When you enter the key parts of a new DES master key, they displace the previous DES master key in the auxiliary master key register. Therefore, the previous DES master key is lost. This is not true for the PCICC, which has separate registers for the old, new and current master key.

If you are using the Cryptographic Coprocessor Feature (CCF), to make the new DES master key the current active DES master key, you have ICSF swap the contents of the master key register and the auxiliary master key register. If you also have the PCICC, ICSF will change the PCI SYM-MKs. In this way, the new DES master key you have just entered becomes the current DES master key, and the previous DES master key is stored in the auxiliary master key register.

When the new DES master key is placed into the master key register, you must reencipher all disk copies of the CKDS under the new DES master key. Then you are ready to activate the master key. When you change the master key, you have ICSF replace the in-storage copy of the CKDS with the reenciphered disk copy. This also makes the new master key active on the system.

The procedures you use to activate the new master key depend on your system's compatibility mode. ICSF runs in noncompatibility, compatibility, or co-existence mode with the IBM cryptographic products and Programmed Cryptographic Facility (PCF). You specify which mode ICSF runs in by using an installation option. For a description of the modes and how to specify an installation option, see z/OS Cryptographic Services ICSF System Programmer’s Guide.

In noncompatibility mode, ICSF allows you to change the master key with continuous operations. Therefore applications can continue to run without disruption. However, when ICSF is in compatibility mode or co-existence mode, you should use a different procedure to activate the changed master key. This is to ensure that no application is holding an internal token with the wrong master key.

In all three modes, you enter the new master key and reencipher the disk copy of the CKDS under the new master key using the master key panels. In noncompatibility mode, you then activate the new master key and refresh the in-storage copy of the CKDS with the disk copy using the master key panels or a utility program.

In compatibility mode and coexistence mode, however, activating the new master key and refreshing the in-storage copy of the CKDS does not reencipher internal key tokens under the new master key. ICSF applications that are holding internal key tokens which have been enciphered under the wrong master key will fail with a warning message. Applications that use the PCF macros, run with no warning message and produce erroneous results.

If you are using the CCF, the safest method to use when changing the master key in either compatibility or coexistence mode is as follows:

1. Ensure that the name of the new CKDS is in the installation data set.
2. Re-IPL MVS.
3. Start CSF.

If you also have PCICC installed, when you start CSF, you must go to the Master Key Management panel (Figure 58) and do a set (option 2). This will change the master keys of all the PCICC that match the CCF.

A re-IPL ensures that a program does not access a cryptographic service that uses a key that is encrypted under a different master key. If a program is using an operational key, the program should either re-create or reimport the key, or generate a new key.

If a re-IPL is not practical in your installation, you can use this alternative method. Stop all cryptographic applications, especially those using PCF macros, when activating the new master key and refreshing the in-storage copy of the CKDS. This eliminates all operational keys that are encrypted under the current master key. When you start CSF again, applications using an operational key can either re-create or reimport the key.

Steps for changing the DES master key and reenciphering the CKDS

For information about reenciphering a CKDS in a sysplex environment, see Running in a Sysplex Environment.

1. Enter the key parts of the new master key that you want to replace the current master key. For information about how to do this procedure, see Entering master key parts.

   The new master key register must be full when you change the master key.

2. Select option 3, REENCIPHER CKDS, on the Master Key Management panel, as shown in Figure 59, and press ENTER.

   When you change the master key, you must first reencipher the disk copy of the CKDS under the new master key.

   Notes:

   1. If your system is using multiple coprocessors, they must have the same master key. When you change the master key in one coprocessor, you should change the master key in the other coprocessors. Therefore, when you reencipher a CKDS under a new master key, the new master key registers in all coprocessors must contain the same value.
   2. If the CKDS contains HMAC keys, it must be reenciphered on a system with a CEX3C and the Sept. 2010 or later licensed internal code.
   Figure 59. Selecting the Reencipher CKDS option on the ICSF Master Key Management Panel

    CSFMKM00 ---------------- ICSF - Master Key Management  ----------------
    OPTION ===>  1
   
   
    Enter the number of the desired option above.
   
      1 INIT/REFRESH/UPDATE CKDS - Initialize a Cryptographic Key Data Set or 
                            activate an updated Cryptographic Key Data Set  
      2 SET MK            - Set a symmetric (DES or AES) master key
      3 REENCIPHER CKDS   - Reencipher the CKDS prior to changing a symmetric
                            master key
      4 CHANGE MK         - Change a symmetric master key and 
                            activate the reenciphered CKDS
      5 INITIALIZE PKDS   - Initialize or update a PKA Cryptographic
                            Key Data Set header record
      6 REENCIPHER PKDS   - Reencipher the PKA Cryptographic Key Data Set
      7 REFRESH PKDS      - Activate an updated PKA Cryptographic Key Data Set
      

3. The Reencipher CKDS panel appears. See Figure 60.
   Figure 60. Reencipher CKDS

    CSFCMK10 ----------------- ICSF - Reencipher CKDS ------------------
    COMMAND ===>
   
   
    To reencipher all CKDS entries from encryption under the current master key
    to encryption under the new master key enter the CKDS names below.
   
   
   
       Input CKDS ===> 'CKDS.CURRENT.MASTER'
   
       Output CKDS ===> 'CKDS.NEW.MASTER'
   
   
    

4. In the Input CKDS field, enter the name of the CKDS that you want to reencipher. In the Output CKDS field, enter the name of the data set in which you want to place the reenciphered keys.
   Notes:

   1. The output data set should already exist although it must be empty. For more information about defining a CKDS, see z/OS Cryptographic Services ICSF System Programmer’s Guide.
   2. The input CKDS and the output CKDS must have the same VSAM attributes.

   Reenciphering the disk copy of the CKDS does not affect the in-storage copy of the CKDS. On this panel, you are working with only a disk copy of the CKDS.

5. Press ENTER to reencipher the input CKDS entries and place them into the output CKDS.

   The message REENCIPHER SUCCESSFUL appears on the top right of the panel if the reencipher succeeds.

6. If you have more than one CKDS on disk, specify the information and press ENTER as many times as you need to reencipher all of them. Reencipher all your disk copies at this time. When you have reenciphered all the disk copies of the CKDS, you are ready to change the master key.
7. Press END to return to the Master Key Management panel.

   Changing the master key involves refreshing the in-storage copy of the CKDS with a disk copy and activating the new master key.

8. If you are running in compatibility or co-existence mode, do not select option 4, the Change option. To activate the changed master key when running in compatibility or co-existence mode, you need to re-IPL MVS and start ICSF. When you re-IPL MVS and start ICSF, you activate the changed master key and refresh the in-storage CKDS. To do this, you must exit the panels at this time.
9. If you are running in noncompatibility mode, to change the master key select option 4, CHANGE MK, on the Master Key Management panel.

   When you press the ENTER key, the Change Master Key panel appears. See Figure 61.

   Figure 61. Change Master Key Panel

    CSFCMK20 --------------------- ICSF Change Master Key --------------
    COMMAND ===>
   
   
    Enter the name of the new CKDS below:
   
      New CKDS ===> 'CKDS.NEW.MASTER'
   
    When the master key is changed, the new CKDS will become active.
   
   
    

10. In the New CKDS field, enter the name of the disk copy of the CKDS that you want ICSF to place in storage.

    You should have already reenciphered the disk copy of the CKDS under the new master key. The last CKDS name that you specified in the Output CKDS field on the Reencipher CKDS panel, which is shown in Figure 60, automatically appears in this field.

11. Press ENTER.

    ICSF loads the data set into storage where it becomes operational on the system. ICSF also places the new master key into the master key register so it becomes active.

    When you press ENTER, ICSF attempts to change the master key. It displays a message on the top right of the panel. The message indicates either that the master key was changed successfully or that an error occurred that prevented the successful completion of the change process. For example, if you indicate a data set that is not reenciphered under the new master key, an error message displays, and the master key is not changed.

    Note:

    Each Cryptographic Coprocessor Feature includes two crypto modules, which ICSF recognizes as C0 and C1. You must enter the new master key into each of the coprocessors, when you perform the change. ICSF activates the new master key of both coprocessors that contain a new master key value that will encipher the CKDS. If you also have PCICCs on your system, load the new master key into all of the coprocessors.

    If only one coprocessor new master key value matches the new CKDS, then that coprocessor will be used. The other coprocessor will remain offline until the new master key is changed to match the other coprocessor.

    When the change occurs, the operator console receives messages that state that the Cryptographic Coprocessor Feature is offline and then online for each coprocessor. These actions should not affect cryptographic operations.

    If there is a problem reenciphering a CKDS entry, then the CSFC0316 message is generated specifying the label for the CKDS problem entry.

12. When changing the master key, remember to change the name of the CKDS in the Installation Options Data Set.

You can use a utility program to reencipher the CKDSs and change the master key instead of using the panels. Reenciphering a disk copy of a CKDS and changing the master key describes how to use the utility program for these procedures.