You only have to initialize a CKDS the first time you start ICSF on
a system. When you initialize a CKDS, you can copy the disk copy of
the CKDS to create other CKDSs for use on the system. You can also
use a CKDS on another ICSF system if the system has the same master
key value.
Note: Use of a CKDS on another system depends both on where the CKDS was initialized and on the cryptographic hardware type of the other system.
At any time, you can read a different disk copy into storage. For information about how to read
a disk copy into storage, see Performing a single system CKDS refresh.
For a description of how to use the Master Key Entry panels to
enter the master key, see Steps for entering the first master key part. For a description
of how to use the TKE workstation to enter the
master key, refer to z/OS Cryptographic Services ICSF TKE Workstation User’s Guide.
Steps for initializing a CKDS
For information about initializing a CKDS in a sysplex environment,
see Running in a Sysplex Environment.
There are two formats of the CKDS: a fixed-length record (supported
by all releases of ICSF) and a new, variable-length record (supported
by HCR7780 and later releases). You can use the following steps to
initialize either format of CKDS.
To initialize the CKDS:
- Return to the Primary Menu panel by pressing END from the Master
Key Entry panel.
- Select Option 2, MASTER KEY MGMT, on the Primary Menu panel as
shown in Figure 96.
Figure 96. Selecting the Master Key option on the primary menu panel
CSF@PRIM --------- Integrated Cryptographic Service Facility ---------
OPTION ===> 2
Enter the number of the desired option.
1 COPROCESSOR MGMT - Management of Cryptographic Coprocessors
2 MASTER KEY MGMT - Master key set or change, CKDS/PKDS processing
3 OPSTAT - Installation options
4 ADMINCNTL - Administrative Control Functions
5 UTILITY - ICSF Utilities
6 PPINIT - Pass Phrase Master Key/KDS Initialization
7 TKE - TKE Master and Operational key processing
8 KGUP - Key Generator Utility processes
9 UDX MGMT - Management of User Defined Extensions
Licensed Materials - Property of IBM
5694-A01 (C) Copyright IBM Corp. 1990, 2011. All rights reserved.
US Government Users Restricted Rights - Use, duplication or
disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Press ENTER to go to the selected option.
Press END to exit to the previous menu.
The Master Key Management panel appears. See Figure 97.
Figure 97. ICSF Master Key Management Panel
CSFMKM10 ---------------- ICSF - Master Key Management ----------------
OPTION ===> 1
Enter the number of the desired option.
1 INIT/REFRESH/UPDATE CKDS - Initialize a Cryptographic Key Data Set or
activate an updated Cryptographic Key Data Set
2 SET MK - Set a master key (AES, DES, ECC)
3 REENCIPHER CKDS - Reencipher the CKDS prior to changing a symmetric
master key
4 CHANGE SYM MK - Change a symmetric master key and activate the
reenciphered CKDS
5 INIT/REFRESH/UPDATE PKDS - Initialize a Public Key Data Set or
activate an updated Public Key Data Set or
update the Public Key Data Set header
6 REENCIPHER PKDS - Reencipher the PKDS
7 CHANGE ASYM MK - Change an asymmetric master key and activate the
reenciphered PKDS
8 COORDINATED KDS REFRESH - Perform a coordinated KDS refresh
9 COORDINATED KDS CHANGE MK - Perform a coordinated KDS change master key
- Select option 1, INIT/REFRESH/UPDATE CKDS, and the Initialize
a CKDS panel appears. See Figure 98. If AES master keys
are supported, a different panel appears (Figure 99).
Figure 98. ICSF Initialize a CKDS Panel
CSFCKD10 ---------------- ICSF - Initialize a CKDS ----------------
COMMAND ===>
Enter the number of the desired option.
1 Initialize an empty CKDS (creates the header and system keys)
Record authentication required (Y/N)
2 REFRESH - Activate an updated CKDS
Enter the name of the CKDS below.
CKDS ===> 'FIRST.EMPTY.CKDS'
Figure 99. ICSF Initialize a CKDS Panel if AES master keys are supported
CSFCKD20 ---------------- ICSF - Initialize a CKDS ----------------
COMMAND ===>
Enter the number of the desired option.
1 Initialize an empty CKDS
Record authentication required? (Y/N) ===>
2 REFRESH - Activate an updated CKDS
3 Update an existing CKDS
Enter the name of the CKDS below.
CKDS ===> 'FIRST.EMPTY.CKDS'
- In the CKDS field, enter the name of the empty VSAM data set that
was created to use as the disk copy of the CKDS. The name you enter
can be the same name that is specified in the CKDSN keyword option
in the installation options data set. You can also initialize
a data set that might serve as a backup. For information about
creating a CKDS and specifying the CKDS name in the installation options
data set, see z/OS Cryptographic Services ICSF System Programmer’s Guide.
- Choose option 1, Initialize an empty CKDS, and press ENTER. To
improve performance, answer N to Record authentication required.
ICSF creates the header record in the disk copy of the CKDS. Next,
ICSF sets the DES or AES master key, if any. ICSF then adds the
required system key to the CKDS and refreshes the CKDS. When ICSF
completes all these steps, the message INITIALIZATION COMPLETE
appears. If you did not enter a master key into the new master key
register previously, the message NMK REGISTER NOT FULL appears and
the initialization process ends. You must enter a master key into
the new master key register before you can initialize the CKDS.
Note: If any part of option 1 fails, you must delete the CKDS and
start over. If the failure occurs after one of the master keys has
been set but before the system key has been created, you must also
reset the master key.
When you complete the entire process, a CKDS and zero or more
master keys exist on your system. You can now generate keys using
functions like the key generate callable service and the key generator
utility program (KGUP) or convert PCF keys to ICSF keys using
the conversion program. ICSF services use the keys to perform the
cryptographic functions you request.
Updating the CKDS with the AES master key
On systems that support the AES master key, you can add the AES
master key to any existing CKDS. It is also possible to add the DES
master key to a CKDS that was initialized with only the AES master
key.
These are the steps to update the CKDS:
- Load the new AES master key by using the master key entry panels
or by using TKE. The AES master key must be loaded on all active coprocessors.
- From the Primary Menu, select option 2, MASTER KEY MGMT:
Figure 100. Selecting the Master Key option on the primary menu panel
CSF@PRIM --------- Integrated Cryptographic Service Facility ---------
OPTION ===> 2
Enter the number of the desired option.
1 COPROCESSOR MGMT - Management of Cryptographic Coprocessors
2 MASTER KEY MGMT - Master key set or change, CKDS/PKDS processing
3 OPSTAT - Installation options
4 ADMINCNTL - Administrative Control Functions
5 UTILITY - ICSF Utilities
6 PPINIT - Pass Phrase Master Key/KDS Initialization
7 TKE - TKE Master and Operational key processing
8 KGUP - Key Generator Utility processes
9 UDX MGMT - Management of User Defined Extensions
Licensed Materials - Property of IBM
5694-A01 (C) Copyright IBM Corp. 1990, 2011. All rights reserved.
US Government Users Restricted Rights - Use, duplication or
disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Press ENTER to go to the selected option.
Press END to exit to the previous menu.
- Select option 1, INIT/REFRESH/UPDATE CKDS.
Figure 101. ICSF Master Key Management Panel
CSFMKM10 ---------------- ICSF - Master Key Management ----------------
OPTION ===> 1
Enter the number of the desired option.
1 INIT/REFRESH/UPDATE CKDS - Initialize a Cryptographic Key Data Set or
activate an updated Cryptographic Key Data Set
2 SET MK - Set a master key (AES, DES, ECC)
3 REENCIPHER CKDS - Reencipher the CKDS prior to changing a symmetric
master key
4 CHANGE SYM MK - Change a symmetric master key and activate the
reenciphered CKDS
5 INIT/REFRESH/UPDATE PKDS - Initialize a Public Key Data Set or
activate an updated Public Key Data Set or
update the Public Key Data Set header
6 REENCIPHER PKDS - Reencipher the PKDS
7 CHANGE ASYM MK - Change an asymmetric master key and activate the
reenciphered PKDS
8 COORDINATED KDS REFRESH - Perform a coordinated KDS refresh
9 COORDINATED KDS CHANGE MK - Perform a coordinated KDS change master key
- The Initialize a CKDS panel appears. In the CKDS field, enter
the name of an existing, initialized CKDS.
Figure 102. ICSF Initialize a CKDS Panel if AES master keys are supported
CSFCKD20 ---------------- ICSF - Initialize a CKDS ----------------
COMMAND ===>
Enter the number of the desired option.
1 Initialize an empty CKDS
Record authentication required? (Y/N) ===>
2 REFRESH - Activate an updated CKDS
3 Update an existing CKDS
Enter the name of the CKDS below.
CKDS ===> 'FIRST.EMPTY.CKDS'
- Choose option 3, Update an existing CKDS, and press ENTER.
ICSF checks the status of the new master key registers and writes the
master key verification pattern of the new master key to the CKDS
header record. Process every CKDS that you want to update before
going to step 6.
- In the CKDS field, enter the name of the updated CKDS that will
be the active CKDS.
- Select option 2, REFRESH and press ENTER.
The in-storage copy of the CKDS will be updated with your updated
CKDS.
Figure 103. ICSF Initialize a CKDS Panel
CSFCKD20 ---------------- ICSF - Initialize a CKDS ----------------
COMMAND ===>
Enter the number of the desired option.
1 Initialize an empty CKDS
Record authentication required? (Y/N) ===>
2 REFRESH - Activate an updated CKDS
3 Update an existing CKDS
Enter the name of the CKDS below.
CKDS ===> 'FIRST.EMPTY.CKDS'
- Return to the Master Key Management panel by pressing END. Choose option 2, SET MK, and press ENTER.
ICSF sets the AES master key, and your system can now be used for
AES key operations.
Figure 104. ICSF Master Key Management Panel
CSFMKM10 ---------------- ICSF - Master Key Management ----------------
OPTION ===> 2
Enter the number of the desired option.
1 INIT/REFRESH/UPDATE CKDS - Initialize a Cryptographic Key Data Set or
activate an updated Cryptographic Key Data Set
2 SET MK - Set a master key (AES, DES, ECC)
3 REENCIPHER CKDS - Reencipher the CKDS prior to changing a symmetric
master key
4 CHANGE SYM MK - Change a symmetric master key and activate the
reenciphered CKDS
5 INIT/REFRESH/UPDATE PKDS - Initialize a Public Key Data Set or
activate an updated Public Key Data Set or
update the Public Key Data Set header
6 REENCIPHER PKDS - Reencipher the PKDS
7 CHANGE ASYM MK - Change an asymmetric master key and activate the
reenciphered PKDS
8 COORDINATED KDS REFRESH - Perform a coordinated KDS refresh
9 COORDINATED KDS CHANGE MK - Perform a coordinated KDS change master key
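The two procedures above (initializing an empty CKDS, and adding the AES master key to an existing CKDS by update, refresh and SET MK) share the same two checkpoints: the new master key register must be loaded before ICSF will proceed, and the master key verification pattern (MKVP) in the CKDS header must agree with a key the coprocessor holds. The following Python model, added here as an illustration and not ICSF code, walks through both sequences and the recovery rule from the note. Everything in it is a simplification: the MKVP is a truncated SHA-256 stand-in rather than ICSF's own algorithm, the class and function names are invented, and only the messages INITIALIZATION COMPLETE and NMK REGISTER NOT FULL come from the page; the other messages and the rule that SET MK is refused until the active CKDS carries the new key's MKVP are assumptions of the model that mirror the order of steps given above.

```python
"""Simplified model of the CKDS initialize / update / refresh / SET MK
sequence described on this page. Added example, not ICSF code: the MKVP
stand-in, the ordering checks, and every message except INITIALIZATION
COMPLETE and NMK REGISTER NOT FULL are assumptions of the model."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def mkvp(key: bytes) -> str:
    """Stand-in master key verification pattern (assumption: ICSF derives its
    own MKVP; a truncated SHA-256 is used so that a CKDS header can be matched
    against a register without the header holding the key itself)."""
    return hashlib.sha256(key).hexdigest()[:16]


@dataclass
class Coprocessor:
    current: Dict[str, bytes] = field(default_factory=dict)  # set master keys
    new: Dict[str, bytes] = field(default_factory=dict)      # new MK registers


@dataclass
class CKDS:
    name: str
    header: Optional[Dict[str, str]] = None  # MKVP per key type, from init/update
    system_key_present: bool = False


@dataclass
class ICSF:
    cop: Coprocessor
    in_storage: Optional[CKDS] = None  # the active (refreshed) CKDS

    def initialize_empty_ckds(self, ckds: CKDS) -> str:
        """Option 1: header, set MK from the new register, system key, refresh."""
        if ckds.header is not None:
            return "CKDS ALREADY INITIALIZED"           # constructed message
        if not self.cop.new:
            return "NMK REGISTER NOT FULL"               # message from the page
        ckds.header = {}
        for ktype, key in self.cop.new.items():          # DES and/or AES
            self.cop.current[ktype] = key
            ckds.header[ktype] = mkvp(key)
        self.cop.new.clear()
        ckds.system_key_present = True                   # required system key
        self.in_storage = ckds                           # refresh
        return "INITIALIZATION COMPLETE"

    def update_existing_ckds(self, ckds: CKDS, ktype: str) -> str:
        """Option 3: write the new master key's MKVP into the header record."""
        if ckds.header is None:
            return "CKDS NOT INITIALIZED"                # constructed message
        if ktype not in self.cop.new:
            return "NMK REGISTER NOT FULL"
        ckds.header[ktype] = mkvp(self.cop.new[ktype])
        return "UPDATE COMPLETE"                          # constructed message

    def refresh(self, ckds: CKDS) -> str:
        """Option 2: make a disk copy the in-storage copy, but only if every
        MKVP in its header belongs to a key this coprocessor holds (set or new)."""
        if ckds.header is None:
            return "CKDS NOT INITIALIZED"
        for ktype, pattern in ckds.header.items():
            held = [mkvp(k) for k in (self.cop.current.get(ktype),
                                      self.cop.new.get(ktype)) if k is not None]
            if pattern not in held:
                return f"MKVP MISMATCH FOR {ktype}"       # constructed message
        self.in_storage = ckds
        return "REFRESH COMPLETE"                         # constructed message

    def set_mk(self, ktype: str) -> str:
        """SET MK: promote the new register to the active master key. The model
        refuses unless the active CKDS header already carries that key's MKVP
        (assumption mirroring the update, refresh, SET MK order above)."""
        if ktype not in self.cop.new:
            return "NMK REGISTER NOT FULL"
        active = self.in_storage
        if active is None or active.header.get(ktype) != mkvp(self.cop.new[ktype]):
            return f"ACTIVE CKDS NOT UPDATED FOR {ktype}"  # constructed message
        self.cop.current[ktype] = self.cop.new.pop(ktype)
        return "MASTER KEY SET"                           # constructed message


def recovery_after_failed_init(ckds: CKDS, cop: Coprocessor) -> List[str]:
    """The page's note: any option 1 failure means delete the CKDS and start
    over; if a master key was set before the system key was created, the
    master key must be reset as well."""
    actions = ["delete the CKDS and start over"]
    if cop.current and not ckds.system_key_present:
        actions.append("reset the master key")
    return actions


def demo() -> List[str]:
    """Walk both procedures from the page: DES-only init, then adding AES."""
    cop = Coprocessor(new={"DES": bytes(range(16))})     # constructed key bytes
    icsf = ICSF(cop)
    ckds = CKDS("FIRST.EMPTY.CKDS")
    log = [icsf.initialize_empty_ckds(ckds)]
    cop.new["AES"] = bytes(range(32))                    # AES MK loaded via panels/TKE
    log.append(icsf.set_mk("AES"))                       # too early: CKDS not updated
    log.append(icsf.update_existing_ckds(ckds, "AES"))
    log.append(icsf.refresh(ckds))
    log.append(icsf.set_mk("AES"))
    return log
```

Running `demo()` yields the sequence INITIALIZATION COMPLETE, ACTIVE CKDS NOT UPDATED FOR AES, UPDATE COMPLETE, REFRESH COMPLETE, MASTER KEY SET, which shows why the page has you update and refresh every CKDS before SET MK. `recovery_after_failed_init` encodes the note's distinction between a failure before and after the master key was set.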