Previous topic |
Next topic |
Contents |
Index |
Contact z/OS |
Library |
PDF
Setting DES and AES master keys for the first time when sharing a CKDS in a sysplex environment z/OS Cryptographic Services ICSF Administrator's Guide SA22-7521-17 |
|
Setting symmetric master keys for the first time in a sysplex environment can be accomplished using:
Before setting symmetric master keys for the first time in a sysplex environment, you will need to allocate an empty CKDS. For information about defining a CKDS, see z/OS Cryptographic Services ICSF System Programmer’s Guide. Once you have allocated an empty CKDS, all LPARs that will share this CKDS must update their ICSF options data set to use this CKDS as their active CKDS. On the first LPAR that starts ICSF, you will load the symmetric master keys, initialize the CKDS, and set the symmetric master keys. On all other LPARs that will share the same active CKDS, you will only load the same master keys, and then set the master key. You should only initialize the CKDS once from the first LPAR that started ICSF. Note:
AES master keys are only supported with FMID HCR7751
running on z9 and z10 servers with a CEX2C and the Nov. 2008 or later licensed internal code (LIC), and on later
releases with a CEX2C or CEX3C. ICSF releases before HCR7751 do not
support secure AES keys and require APAR OA26579 for toleration. Using master key entryMaster key entry may be used to set master keys in a sysplex environment. First, load your master keys in the first LPAR as described in Entering master key parts (CCF and PCICC) or Entering master key parts (PCIXCC, CEX2C, or CEX3C). Next, you will initialize the CKDS from the first LPAR as described in Steps for initializing a CKDS (CCF and PCICC) or Steps for initializing a CKDS (PCIXCC, CEX2C, or CEX3C). Finally, for all subsequent LPARs, enter the master keys as described in Reentering master keys when they have been cleared (CCF and PCICC) or Reentering master keys when they have been cleared (PCIXCC, CEX2C, or CEX3C). Using Pass Phrase InitializationThe Pass Phrase Initialization utility can be used to set master keys an initialize the CKDS and PKDS in a sysplex environment.
These steps will load and set the same master keys as in the first LPAR and activate the same CKDS. |
Copyright IBM Corporation 1990, 2014
|