z/OS Cryptographic Services ICSF Administrator's Guide


Refreshing the CKDS at Any Time

SA22-7521-17

When you initialize a CKDS for the first time, you can copy the disk copy of the CKDS to create other CKDSs for the system. You can use the dynamic CKDS update callable services to add or update the disk copy of the current in-storage CKDS. For information on using the dynamic CKDS callable services, refer to the z/OS Cryptographic Services ICSF Application Programmer's Guide.

Notes:
  1. Prior to refreshing a CKDS, consider temporarily disallowing dynamic CKDS update services.
  2. You may refresh any CKDS with the REFRESH CKDS option. This includes CKDSs that were initialized on systems with master keys. This is the only way to share a CKDS with a system that has cryptographic coprocessors. If you are sharing a CKDS with encrypted keys, the system with no coprocessors cannot manage the encrypted keys.

You can refresh the in-storage CKDS with an updated or different disk copy of the CKDS by using these steps. You can refresh the CKDS at any time without disrupting cryptographic functions.

  1. Enter option 2, MASTER KEY, on the ICSF Primary Menu panel to access the Master Key Management Panel.
  2. Select option 1, INIT/REFRESH/UPDATE CKDS. The Initialize a CKDS panel appears.
    Figure 122. ICSF Master Key Management Panel
     CSFMKM10 ---------------- ICSF - Master Key Management  ----------------
     OPTION ===>  1
    
     Enter the number of the desired option.                                       
                                                                                  
       1  INIT/REFRESH/UPDATE CKDS - Initialize a Cryptographic Key Data Set or    
                               activate an updated Cryptographic Key Data Set      
       2  SET MK            -  Set a master key (AES, DES, ECC)               
       3  REENCIPHER CKDS   -  Reencipher the CKDS prior to changing a symmetric   
                               master key                                          
       4  CHANGE SYM MK     -  Change a symmetric master key and activate the      
                               reenciphered CKDS 
       5  INIT/REFRESH/UPDATE PKDS -  Initialize a Public Key Data Set or
                               activate an updated Public Key Data Set or
                               update the Public Key Data Set header              
       6  REENCIPHER PKDS   -  Reencipher the PKDS        
       7  CHANGE ASYM MK    -  Change an asymmetric master key and activate the
                               reenciphered PKDS
       8  COORDINATED KDS REFRESH - Perform a coordinated KDS refresh
       9  COORDINATED KDS CHANGE MK - Perform a coordinated KDS change master key  
  3. In the CKDS field, specify the name of the disk copy of the CKDS that you want ICSF to read into storage.
    Figure 123. ICSF Initialize a CKDS Panel
     CSFCKD10 ---------------- ICSF - Initialize a CKDS  ----------------
     COMMAND ===>
    
    
     Enter the number of the desired option.
    
       1  Initialize an empty CKDS (creates the header and system keys)
             Record authentication required (Y/N) 
       2  REFRESH   -  Activate an updated CKDS
    
     Enter the name of the CKDS below.
    
       CKDS ===> 'FIRST.EMPTY.CKDS'
     
  4. Choose option 2, REFRESH, and press ENTER. ICSF places the disk copy of the specified CKDS into storage. A REFRESH does not disrupt any applications that are running on ICSF. A message that states that the CKDS was refreshed appears on the right of the top line on the panel.
  5. Press END to return to the Primary Menu panel.





Copyright IBM Corporation 1990, 2014