z/OS Cryptographic Services ICSF Administrator's Guide


Steps for changing asymmetric master keys when sharing a PKDS

SA22-7521-17

If you have multiple systems sharing a PKDS and make changes to the PKA master keys, you must reencipher and activate the PKDS. A PCICC, PCIXCC, CEX2C, or CEX3C is required on your system for this process.

Note:
If a system has a CEX3C coprocessor with the Sep. 2011 or later LIC, the PKA callable services control will not be activated, and the steps to disable/enable the PKA callable services control are not applicable in the following procedure.

Assume you have two systems, A and B, sharing a PKDS data set, OLDPKDS. The steps to reencipher and activate are:

  1. On system A, disable PKA callable services if active. To do this, enter a 'D' prior to the function (see Steps for enabling and disabling PKA callable services and PKDS updates).
  2. On system B, disable Dynamic PKDS Access. To do this, enter a 'D' prior to the function (see Steps for enabling and disabling PKA callable services and PKDS updates).
  3. On system A, load the new master keys (see PKA master keys and the PKDS).
  4. On system A, reencipher OLDPKDS, creating NEWPKDS (see Steps for changing the RSA-MK or ECC-MK master key and reenciphering the PKDS).
  5. On system A, change master keys (see Steps for changing the RSA-MK or ECC-MK master key and reenciphering the PKDS).
  6. On system A, enable PKA callable services if active (see Steps for enabling and disabling PKA callable services and PKDS updates).
  7. On system A, enable Dynamic PKDS Access (see Steps for enabling and disabling PKA callable services and PKDS updates).
  8. On system B, disable PKA callable services if active (see Steps for enabling and disabling PKA callable services and PKDS updates).
  9. On system B, load the new master keys (see Steps for changing the RSA-MK or ECC-MK master key and reenciphering the PKDS).
  10. On system B, change master keys (see Steps for changing the RSA-MK or ECC-MK master key and reenciphering the PKDS).
  11. On system B, enable PKA callable services if active (see Steps for enabling and disabling PKA callable services and PKDS updates).
  12. On system B, enable Dynamic PKDS Access (see Steps for enabling and disabling PKA callable services and PKDS updates).





Copyright IBM Corporation 1990, 2014