z/OS Cryptographic Services ICSF Administrator's Guide


Setting DES and AES master keys for the first time when sharing a CKDS in a sysplex environment

SA22-7521-17

Setting symmetric master keys for the first time in a sysplex environment can be accomplished using:

  • the optional TKE Workstation (Group of coprocessors and/or group of domains function). See the z/OS Cryptographic Services ICSF TKE Workstation User’s Guide for more information.
  • Master Key Entry
  • PPINIT

Before setting symmetric master keys for the first time in a sysplex environment, you will need to allocate an empty CKDS. For information about defining a CKDS, see z/OS Cryptographic Services ICSF System Programmer’s Guide.

Once you have allocated an empty CKDS, all LPARs that will share this CKDS must update their ICSF options data set to use this CKDS as their active CKDS. On the first LPAR that starts ICSF, you will load the symmetric master keys, initialize the CKDS, and set the symmetric master keys. On all other LPARs that will share the same active CKDS, you will only load the same master keys, and then set the master key. You should only initialize the CKDS once from the first LPAR that started ICSF.
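A pre-flight check for the requirement above, added here as an example and not taken from IBM's guide: it reads the CKDSN statement from each LPAR's ICSF options data set text and reports the LPARs that do not name the shared CKDS. The LPAR names, data set names and option text are constructed, and the parsing assumes `KEYWORD(value)` statements with `/* */` comments.

```python
import re

# Constructed sample text of each LPAR's ICSF options data set.
SAMPLE_OPTIONS = {
    "LPAR1": "CKDSN(CSF.SHARED.CKDS)\nPKDSN(CSF.SHARED.PKDS)\n",
    "LPAR2": "CKDSN(CSF.SHARED.CKDS)  /* shared CKDS */\nPKDSN(CSF.SHARED.PKDS)\n",
    # Shared name is only in a comment; the active statement names another CKDS.
    "LPAR3": "/* CKDSN(CSF.SHARED.CKDS) */\nCKDSN(CSF.LOCAL.CKDS)\n",
    # No CKDSN statement at all.
    "LPAR4": "PKDSN(CSF.SHARED.PKDS)\n",
}

_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
_CKDSN = re.compile(r"(?<![A-Z0-9])CKDSN\s*\(\s*([A-Z0-9$#@.-]+)\s*\)")


def ckds_name(options_text):
    """Return the data set named by the single CKDSN statement."""
    # Assumption: comments are /* ... */ and keywords are not case-sensitive.
    body = _COMMENT.sub(" ", options_text).upper()
    names = _CKDSN.findall(body)
    if len(names) != 1:
        raise ValueError(f"expected one CKDSN statement, found {len(names)}")
    return names[0]


def lpars_not_sharing(expected_ckds, options_by_lpar):
    """Map each LPAR whose options do not name expected_ckds to the reason."""
    expected = expected_ckds.upper()
    problems = {}
    for lpar, text in sorted(options_by_lpar.items()):
        try:
            name = ckds_name(text)
        except ValueError as exc:
            problems[lpar] = str(exc)
            continue
        if name != expected:
            problems[lpar] = f"CKDSN is {name}, expected {expected}"
    return problems


if __name__ == "__main__":
    for lpar, reason in lpars_not_sharing("CSF.SHARED.CKDS", SAMPLE_OPTIONS).items():
        print(f"{lpar}: {reason}")
```

Running the check before ICSF is started on the first LPAR catches an LPAR that would otherwise load master keys against a different CKDS than the one being initialized.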

Note:
AES master keys are only supported with FMID HCR7751 running on z9 and z10 servers with a CEX2C and the Nov. 2008 or later licensed internal code (LIC), and on later releases with a CEX2C or CEX3C. ICSF releases before HCR7751 do not support secure AES keys and require APAR OA26579 for toleration.

Using master key entry

Master key entry may be used to set master keys in a sysplex environment. First, load your master keys in the first LPAR as described in Entering master key parts (CCF and PCICC) or Entering master key parts (PCIXCC, CEX2C, or CEX3C). Next, you will initialize the CKDS from the first LPAR as described in Steps for initializing a CKDS (CCF and PCICC) or Steps for initializing a CKDS (PCIXCC, CEX2C, or CEX3C). Finally, for all subsequent LPARs, enter the master keys as described in Reentering master keys when they have been cleared (CCF and PCICC) or Reentering master keys when they have been cleared (PCIXCC, CEX2C, or CEX3C).

Using Pass Phrase Initialization

The Pass Phrase Initialization utility can be used to set master keys and initialize the CKDS and PKDS in a sysplex environment.

  1. Start ICSF in the first LPAR and follow the instructions in Using the Pass Phrase Initialization Utility.
  2. Once the first LPAR has been successfully initialized, start ICSF in the other LPARs that are sharing the same active CKDS.
  3. From each LPAR that is sharing the same active CKDS, go to the Pass Phrase Initialization panel, and:
    1. Enter the same pass phrase as entered on the first LPAR
    2. If running on a non-CCF system:
      1. Select 'Reinitialize System'
      2. Enter the same CKDS name and PKDS name as entered on the first LPAR
      If running on a CCF system:
      1. Respond N to 'Initialize the CKDS and PKDS'
      2. Respond to the remaining questions as for the first LPAR
      3. Enter the same CKDS name and PKDS name as entered on the first LPAR

These steps will load and set the same master keys as in the first LPAR and activate the same CKDS.





Copyright IBM Corporation 1990, 2014