If you have multiple systems sharing a PKDS and make changes to the
PKA master keys, you must reencipher and activate the PKDS. A
PCICC, PCIXCC, CEX2C, or CEX3C is required on your system
for this process.
Note: If a system has a CEX3C coprocessor with
the Sep. 2011 or later LIC, the PKA callable services control will
not be activated and the steps to disable/enable the PKA callable
services control are not applicable in the following procedure.
Assume you have two systems, A and B, sharing a PKDS data
set, OLDPKDS. The steps to reencipher and activate are:
- From system A, disable PKA callable services if active. To do
this, enter a 'D' prior to the function (see Steps for enabling and disabling PKA callable services and
PKDS updates).
- On system B, disable Dynamic PKDS Access. To do this, enter a
'D' prior to the function (see Steps for enabling and disabling PKA callable services and
PKDS updates).
- On system A, load the new master keys (see PKA master keys and the PKDS).
- On system A, reencipher OLDPKDS, creating NEWPKDS (see Steps for changing the RSA-MK or ECC-MK master key and reenciphering
the PKDS).
- On system A, change master keys (see Steps for changing the RSA-MK or ECC-MK master key and reenciphering
the PKDS).
- On system A, enable PKA callable services if active (see Steps for enabling and disabling PKA callable services and
PKDS updates).
- On system A, enable Dynamic PKDS Access (see Steps for enabling and disabling PKA callable services and
PKDS updates).
- On system B, disable PKA callable services if active (see Steps for enabling and disabling PKA callable services and
PKDS updates).
- On system B, load the new master keys (see Steps for changing the RSA-MK or ECC-MK master key and reenciphering
the PKDS).
- On system B, change master keys (see Steps for changing the RSA-MK or ECC-MK master key and reenciphering
the PKDS).
- On system B, enable PKA callable services if active (see Steps for enabling and disabling PKA callable services and
PKDS updates).
- On system B, enable Dynamic PKDS Access (see Steps for enabling and disabling PKA callable services and
PKDS updates).