z/OS Cryptographic Services ICSF Administrator's Guide


Steps for reenciphering and refreshing the PKDS

SA22-7521-17

When changing the PKA master keys, you must reencipher the private keys.

Note:
Beginning with HCR7750, LRECL length in the PKDS has increased. You can share the larger PKDS with down-level systems by installing the toleration APAR OA21807. Even with toleration APAR OA21807 installed, however, be aware that reencipherment of a larger PKDS must always be performed on an HCR7750 or later system.
  1. To reencipher the PKDS when the PKA SMK and ASYM-MK have been changed, go to the Master Key Management panel and select option 6.
    Note:
    Only keys enciphered under the SMK and the ASYM-MK are reenciphered. PKDS reencipher will not be able to reencipher private keys encrypted under the CCF key management key (KMMK) if the KMMK does not equal the SMK. If this is the case, see Steps for setting the SMK equal to the KMMK when you reencipher.

    Figure 69. Selecting the Reencipher PKDS Option on the Master Key Management Panel
     CSFMKM00 ---------------- ICSF - Master Key Management  ----------------
     OPTION ===>  6
    
    
     Enter the number of the desired option above.
    
       1 INIT/REFRESH/UPDATE CKDS - Initialize a Cryptographic Key Data Set or 
                             activate an updated Cryptographic Key Data Set 
       2 SET MK            - Set a symmetric (DES or AES) master key
       3 REENCIPHER CKDS   - Reencipher the CKDS prior to changing a symmetric
                             master key
       4 CHANGE MK         - Change a symmetric master key and 
                             activate the reenciphered CKDS
       5 INITIALIZE PKDS   - Initialize or update a PKA Cryptographic
                             Key Data Set header record
       6 REENCIPHER PKDS   - Reencipher the PKA Cryptographic Key Data Set
       7 REFRESH PKDS      - Activate an updated PKA Cryptographic Key Data Set
       
  2. The Reencipher PKDS panel appears. In the Input PKDS field, specify the name of the PKDS that you want ICSF to reencipher under the current SMK and ASYM-MK.

    In the Output PKDS field, specify the name of an empty VSAM data set. ICSF places the reenciphered keys in this data set.

    Figure 70. Reencipher PKDS
     CSFCMK11 ---------------- ICSF - Reencipher PKDS -------------
     COMMAND ===> 
    
    
      To reencipher all PKDS entries from encryption under the old RSA master 
      key and/or current ECC master keys to encryption under the current RSA 
      master key and/or new ECC master key, enter the PKDS names below.
    
    
        Input PKDS   ===> 'PKDS.CURRENT.MASTER'
    
        Output PKDS ===> 'PKDS.NEW.MASTER'
       
    Press ENTER to reencipher the PKDS.
    Press END   to exit to the previous menu
       

    Press ENTER to reencipher the PKDS. Once the reencipher completes successfully, you must refresh the PKDS. Return to the Master Key Management panel and select option 7.

    Figure 71. Selecting the Activate PKDS Option on the Master Key Management Panel
     CSFMKM00 ---------------- ICSF - Master Key Management  ----------------
     OPTION ===>  7
    
    
     Enter the number of the desired option above.
    
       1 INIT/REFRESH/UPDATE CKDS - Initialize a Cryptographic Key Data Set or 
                             activate an updated Cryptographic Key Data Set 
       2 SET MK            - Set a symmetric (DES or AES) master key
       3 REENCIPHER CKDS   - Reencipher the CKDS prior to changing a symmetric
                             master key
       4 CHANGE MK         - Change a symmetric master key and 
                             activate the reenciphered CKDS
       5 INITIALIZE PKDS   - Initialize or update a PKA Cryptographic
                             Key Data Set header record
       6 REENCIPHER PKDS   - Reencipher the PKA Cryptographic Key Data Set
       7 REFRESH PKDS      - Activate an updated PKA Cryptographic Key Data Set
       

    The Refresh PKDS panel appears. Enter the name of the PKDS that you want ICSF to use. The PKDS must have already been reenciphered under the current Signature/Asymmetric-keys master key.

    Figure 72. Refresh PKDS
     CSFCMK21 ---------- ICSF - Refresh PKA Cryptographic Key Data Set -------
     COMMAND ===> 
    
    
     Enter the name of the new PKDS below.
    
        New PKDS ===> 'PKDS.NEW.MASTER'
    
    Press ENTER to refresh the PKDS.
    Press END   to exit to the previous menu
       

    When you press ENTER, the PKDS becomes active.
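The reencipher-then-refresh sequence above, modelled as an added Python example (not IBM or ICSF code): each PKDS record carries a master-key verification pattern (MKVP) naming the master key it is enciphered under, option 6 rewraps records from the old master key into an empty output data set, and option 7 activates the new data set only if every record is under the current master key. The HMAC-based wrap, the `Record` layout, the MKVP derivation and the refresh pre-check are all constructed assumptions of this model, not ICSF's internal format or behaviour.

```python
"""Model of the PKDS reencipher (option 6) / refresh (option 7) sequence.
Added illustration, not IBM or ICSF code. Records carry a master-key verification
pattern (MKVP); the HMAC-based wrap is a constructed stand-in for hardware key wrapping."""
import hashlib, hmac, os
from dataclasses import dataclass

def mkvp(mk: bytes) -> bytes:
    """Verification pattern: identifies a master key without revealing it."""
    return hashlib.sha256(b"MKVP" + mk).digest()[:8]

def _stream(mk: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(mk, nonce + i.to_bytes(4, "big"), "sha256").digest()
                    for i in range(n // 32 + 1))[:n]

def wrap(mk: bytes, key_material: bytes) -> bytes:
    """Encipher key material under mk: nonce || ciphertext || MAC."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(key_material, _stream(mk, nonce, len(key_material))))
    return nonce + ct + hmac.new(mk, nonce + ct, "sha256").digest()

def unwrap(mk: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, "sha256").digest()):
        raise ValueError("record is not enciphered under this master key")
    return bytes(a ^ b for a, b in zip(ct, _stream(mk, nonce, len(ct))))

@dataclass
class Record:
    label: str
    mkvp: bytes   # MK the private key is enciphered under
    blob: bytes

def reencipher_pkds(inp, old_mk, new_mk, out):
    """Option 6: rewrap records under old_mk into an EMPTY output set. Records
    under another key (e.g. KMMK != SMK) are copied as-is and their labels returned."""
    if out:
        raise ValueError("Output PKDS must be an empty data set")
    untouched = []
    for r in inp:
        if r.mkvp == mkvp(old_mk):
            out.append(Record(r.label, mkvp(new_mk), wrap(new_mk, unwrap(old_mk, r.blob))))
        else:
            out.append(r)
            untouched.append(r.label)
    return untouched

def refresh_pkds(pkds, current_mk):
    """Option 7 pre-check (this model's rule): every record must be under current_mk."""
    stale = [r.label for r in pkds if r.mkvp != mkvp(current_mk)]
    if stale:
        raise ValueError(f"not reenciphered under current MK: {stale}")
    return len(pkds)
```

A record still under a KMMK that differs from the SMK survives reencipherment unchanged and is what the refresh pre-check reports, which is the situation the note under step 1 sends you to resolve first.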

Copyright IBM Corporation 1990, 2014