The step-by-step procedure for changing the DES master key, reenciphering
the CKDS, and activating the new DES master key is presented in Steps for
changing the DES master key and reenciphering the CKDS. This topic provides
some background on the contents of the master key registers during the key
change process, and some compatibility mode considerations.
A DES master key and a CKDS that contains keys that are enciphered
under that DES master key already exist. When you replace this existing
DES master key with the new DES master key, you must reencipher the
CKDS under the new DES master key.
For the CCF, if you changed the DES master key previously,
the previous DES master key was stored in the auxiliary (or new/old)
master key register. The currently active DES master key exists in
the master key register. When you enter the key parts of a new DES
master key, they displace the previous DES master key in the auxiliary
master key register. Therefore, the previous DES master key is lost. This
is not true for the PCICC, which has separate registers for the old,
new and current master key.
If you are using the Cryptographic Coprocessor Feature (CCF), to
make the new DES master key the current active DES master key, you
have ICSF swap the contents of the master key register and the auxiliary
master key register. If you also have the PCICC, ICSF will change
the PCI SYM-MKs. In this way, the new DES master key you have just
entered becomes the current DES master key, and the previous DES master
key is stored in the auxiliary master key register.
When the new DES master key is placed into the master key register,
you must reencipher all disk copies of the CKDS under the new DES
master key. Then you are ready to activate the master key. When you
change the master key, you have ICSF replace the in-storage copy
of the CKDS with the reenciphered disk copy. This also makes the new
master key active on the system.
The procedures you use to activate the new master key depend on
your system's compatibility mode. ICSF runs in noncompatibility,
compatibility, or co-existence mode with the IBM cryptographic products
and Programmed Cryptographic Facility (PCF). You specify which mode ICSF runs
in by using an installation option. For a description of the
modes and how to specify an installation option, see z/OS Cryptographic Services ICSF System Programmer’s Guide.
In noncompatibility mode, ICSF allows you to change the master
key with continuous operations. Therefore applications can continue
to run without disruption. However, when ICSF is in compatibility
mode or co-existence mode, you should use a different procedure to
activate the changed master key. This is to ensure that no application
is holding an internal token with the wrong master key.
In all three modes, you enter the new master key and reencipher
the disk copy of the CKDS under the new master key using the master
key panels. In noncompatibility mode, you then activate the new master
key and refresh the in-storage copy of the CKDS with the disk copy
using the master key panels or a utility program.
In compatibility mode and coexistence mode, however, activating
the new master key and refreshing the in-storage copy of the CKDS
does not reencipher internal key tokens under the new master key. ICSF applications
that are holding internal key tokens which have been enciphered under
the wrong master key will fail with a warning message. Applications
that use the PCF macros run with no warning message and produce erroneous
results.
If you are using the CCF, the safest method to use when
changing the master key in either compatibility or coexistence mode
is as follows:
- Ensure that the name of the new CKDS is in the installation data
set.
- Re-IPL MVS.
- Start CSF.
If you also have PCICC installed, when you start CSF, you must
go to the Master Key Management panel (Figure 58) and
do a set (option 2). This will change the master keys of all the PCICC
that match the CCF.
A re-IPL ensures that a program does not access a cryptographic
service that uses a key that is encrypted under a different master
key. If a program is using an operational key, the program should
either re-create or reimport the key, or generate a new key.
If a re-IPL is not practical in your installation, you can use
this alternative method. Stop all cryptographic applications, especially
those using PCF macros, when activating the new master key and refreshing
the in-storage copy of the CKDS. This eliminates all operational keys
that are encrypted under the current master key. When you start CSF
again, applications using an operational key can either re-create
or reimport the key.
Steps for changing the DES master key and reenciphering the CKDS
For information about reenciphering a CKDS in a sysplex environment,
see Running in a Sysplex Environment.
- Enter the key parts of the new master key that you want to replace
the current master key. For information about how to do this procedure,
see Entering master key parts.
The new master key register must be full when you change the master key.
- Select option 3, REENCIPHER CKDS, on the Master Key Management
panel, as shown in Figure 59, and press ENTER.
When you change the master key, you must first reencipher the disk copy
of the CKDS under the new master key.
Notes:
- If your system is using multiple coprocessors, they must have
the same master key. When you change the master key in one coprocessor,
you should change the master key in the other coprocessors. Therefore,
when you reencipher a CKDS under a new master key, the new master
key registers in all coprocessors must contain the same value.
- If the CKDS contains HMAC keys, it must be reenciphered on a system
with a CEX3C and the Sept. 2010 or later licensed internal code.
Figure 59. Selecting the Reencipher CKDS option on the ICSF Master Key Management Panel
CSFMKM00 ---------------- ICSF - Master Key Management ----------------
OPTION ===> 1
Enter the number of the desired option above.
1 INIT/REFRESH/UPDATE CKDS - Initialize a Cryptographic Key Data Set or
activate an updated Cryptographic Key Data Set
2 SET MK - Set a symmetric (DES or AES) master key
3 REENCIPHER CKDS - Reencipher the CKDS prior to changing a symmetric
master key
4 CHANGE MK - Change a symmetric master key and
activate the reenciphered CKDS
5 INITIALIZE PKDS - Initialize or update a PKA Cryptographic
Key Data Set header record
6 REENCIPHER PKDS - Reencipher the PKA Cryptographic Key Data Set
7 REFRESH PKDS - Activate an updated PKA Cryptographic Key Data Set
- The Reencipher CKDS panel appears. See Figure 60.
Figure 60. Reencipher CKDS
CSFCMK10 ----------------- ICSF - Reencipher CKDS ------------------
COMMAND ===>
To reencipher all CKDS entries from encryption under the current master key
to encryption under the new master key enter the CKDS names below.
Input CKDS ===> 'CKDS.CURRENT.MASTER'
Output CKDS ===> 'CKDS.NEW.MASTER'
- In the Input CKDS field, enter the name of the CKDS that you want
to reencipher. In the Output CKDS field, enter the name of the data
set in which you want to place the reenciphered keys.
Reenciphering the disk copy of the CKDS does not affect
the in-storage copy of the CKDS. On this panel, you are working with
only a disk copy of the CKDS.
- Press ENTER to reencipher the input CKDS entries and place them
into the output CKDS.
The message REENCIPHER SUCCESSFUL appears on the top right of the panel
if the reencipher succeeds.
- If you have more than one CKDS on disk, specify the information
and press ENTER as many times as you need to reencipher all of them.
Reencipher all your disk copies at this time. When you have reenciphered
all the disk copies of the CKDS, you are ready to change the master
key.
- Press END to return to the Master Key Management panel.
Changing the master key involves refreshing the in-storage copy of the CKDS
with a disk copy and activating the new master key.
- If you are running in compatibility or co-existence mode, do not select option 4, the Change option. To
activate the changed master key when running in compatibility or co-existence
mode, you need to re-IPL MVS and start ICSF. When you re-IPL MVS
and start ICSF, you activate the changed master key and refresh
the in-storage CKDS. To do this, you must exit the panels at this
time.
- If you are running in noncompatibility mode, to change the master
key select option 4, CHANGE MK, on the Master Key Management panel.
When you press the ENTER key, the Change Master Key panel appears. See Figure 61.
Figure 61. Change Master Key Panel
CSFCMK20 --------------------- ICSF Change Master Key --------------
COMMAND ===>
Enter the name of the new CKDS below:
New CKDS ===> 'CKDS.NEW.MASTER'
When the master key is changed, the new CKDS will become active.
- In the New CKDS field, enter the name of the disk copy of the
CKDS that you want ICSF to place in storage.
You should have already reenciphered the disk copy of the CKDS under the
new master key. The last CKDS name that you specified in the Output CKDS
field on the Reencipher CKDS panel, which is shown in Figure 60,
automatically appears in this field.
- Press ENTER.
ICSF loads the data set into storage where it becomes operational on the
system. ICSF also places the new master key into the master key register
so it becomes active.
When you press ENTER, ICSF attempts to change the master key. It displays
a message on the top right of the panel. The message indicates either
that the master key was changed successfully or that an error occurred
that prevented the successful completion of the change process. For
example, if you indicate a data set that is not reenciphered under
the new master key, an error message displays, and the master key
is not changed.
Note:
Each Cryptographic Coprocessor Feature includes two crypto
modules, which ICSF recognizes as C0 and C1. You must enter the
new master key into each of the coprocessors when you perform the
change. ICSF activates the new master key of both coprocessors that
contain a new master key value that will encipher the CKDS. If
you also have PCICCs on your system, load the new master key into
all of the coprocessors.
If only one coprocessor new master key value matches the new CKDS, then
that coprocessor will be used. The other coprocessor will remain offline
until the new master key is changed to match the other coprocessor.
When the change occurs, the operator console receives messages that state
that the Cryptographic Coprocessor Feature is offline and then online for
each coprocessor. These actions should not affect cryptographic operations.
If there is a problem reenciphering a CKDS entry, then the CSFC0316 message
is generated specifying the label for the CKDS problem entry.
- When changing the master key, remember to change the name of the
CKDS in the Installation Options Data Set.
You can use a utility program to reencipher the CKDSs and change
the master key instead of using the panels. Reenciphering a disk copy of
a CKDS and changing the master key describes how to use the utility
program for these procedures.
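The register behavior described in the background section and the checks applied at the REENCIPHER CKDS and CHANGE MK steps can be traced with the following Python model, which is an added illustration and not IBM or ICSF code. The XOR combination of key parts, the verification tag, the toy wrap function, and all names in it are assumptions of the model, not ICSF internals.

```python
import hashlib

def combine(parts):
    """XOR the entered key parts into one master key (combining rule assumed here)."""
    out = bytes(len(parts[0]))
    for part in parts:
        out = bytes(a ^ b for a, b in zip(out, part))
    return out

def tag(mk):
    """Stand-in for a master key verification pattern stored with the CKDS."""
    return hashlib.sha256(b"vp" + mk).hexdigest()[:8]

def wrap(mk, label, data):
    """Toy self-inverse XOR wrap (not DES) for key values up to 32 bytes."""
    stream = hashlib.sha256(mk + label.encode()).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

class Coprocessor:
    """shared_aux=True models the CCF auxiliary register, False the PCICC registers."""
    def __init__(self, current, old=None, shared_aux=True):
        self.current, self.old, self.new, self.shared_aux = current, old, None, shared_aux

    def enter_new(self, parts):
        self.new = combine(parts)
        if self.shared_aux:
            self.old = None  # CCF: the new key displaces the previous key, which is lost

    def change(self):
        self.old, self.current, self.new = self.current, self.new, None  # replaced key is kept

def reencipher(cop, ckds):
    """Reencipher a disk copy from the current master key to the new one."""
    if cop.new is None:
        raise ValueError("new master key register is not full")
    keys = {label: wrap(cop.new, label, wrap(cop.current, label, value))
            for label, value in ckds["keys"].items()}
    return {"vp": tag(cop.new), "keys": keys}

def change_mk(cop, ckds):
    """Activate the new master key only if the CKDS is enciphered under it."""
    if cop.new is None or ckds["vp"] != tag(cop.new):
        return False  # error case: the master key is not changed
    cop.change()
    return True

def build_ckds(mk, clear_keys):
    """Constructed sample CKDS: label -> key value enciphered under mk."""
    return {"vp": tag(mk), "keys": {l: wrap(mk, l, v) for l, v in clear_keys.items()}}
```

In the model, attempting the change with a CKDS that is still enciphered under the current master key returns False and leaves the registers untouched, which mirrors the error case described for the Change Master Key panel.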