To change the RSA-MK or ECC-MK master key and reencipher the PKDS:
- Enter the key parts of the new master key that is to replace the current master key. For information about how to do this procedure, see Entering master key parts. The new master key register must be full when you change the master key.
Note: When the PKA callable services control is active, the RSA-MK will be set when the final key part is loaded.
- Select option 6, REENCIPHER PKDS, on the Master Key Management panel and press ENTER. Before you change the master key, you must reencipher the disk copy of the PKDS under the new master key.
Note: If your system is using multiple coprocessors, they must have the same master key. When you change the master key in one coprocessor, you should change the master key in the other coprocessors. Therefore, to reencipher a PKDS under a new master key, the new master key registers in all coprocessors must contain the same value.
Figure 115. Selecting the Reencipher PKDS Option on the ICSF Master Key Management Panel
CSFMKM10 ---------------- ICSF - Master Key Management ----------------
OPTION ===> 6
Enter the number of the desired option.
1 INIT/REFRESH/UPDATE CKDS - Initialize a Cryptographic Key Data Set or
activate an updated Cryptographic Key Data Set
2 SET MK - Set a master key (AES, DES, ECC)
3 REENCIPHER CKDS - Reencipher the CKDS prior to changing a symmetric
master key
4 CHANGE SYM MK - Change a symmetric master key and activate the
reenciphered CKDS
5 INIT/REFRESH/UPDATE PKDS - Initialize a Public Key Data Set or
activate an updated Public Key Data Set or
update the Public Key Data Set header
6 REENCIPHER PKDS - Reencipher the PKDS
7 CHANGE ASYM MK - Change an asymmetric master key and activate the
reenciphered PKDS
- The Reencipher PKDS panel appears.
Figure 116. Reencipher PKDS
CSFCMK11 ---------------- ICSF - Reencipher PKDS -------------
COMMAND ===>
To reencipher all PKDS entries from encryption under the old RSA master
key and/or current ECC master keys to encryption under the current RSA
master key and/or new ECC master key, enter the PKDS names below.
Input PKDS ===> 'PKDS.CURRENT.MASTER'
Output PKDS ===> 'PKDS.NEW.MASTER'
Press ENTER to reencipher the PKDS.
Press END to exit to the previous menu
- In the Input PKDS field, enter the name of the PKDS that you want to reencipher. In the Output PKDS field, enter the name of the data set in which you want to place the reenciphered keys.
Reenciphering the disk copy of the PKDS does not affect the in-storage copy of the PKDS. On this panel, you are working only with a disk copy of the PKDS.
Note: The output data set must already exist, but it must be empty. For more information about defining a PKDS, see z/OS Cryptographic Services ICSF System Programmer’s Guide.
- Press ENTER to reencipher the input PKDS entries and place them
into the output PKDS.
The message REENCIPHER SUCCESSFUL appears
on the top right of the panel if the reencipher succeeds.
- If you have more than one PKDS on disk, specify the information
and press ENTER as many times as you need to reencipher all of them.
Reencipher all your disk copies at this time. When you have reenciphered
all the disk copies of the PKDS, you are ready to change the master
key.
- Press END to return to the Master Key Management panel.
Changing
the master key involves refreshing the in-storage copy of the PKDS
with a disk copy and activating the new master key.
- To change the master key select option 7, CHANGE ASYM MK, on the
Master Key Management panel.
When you press the ENTER key, the Change
Master Key panel appears.
Figure 117. Change Master Key Panel
CSFCMK22 --------------- ICSF - Change Asymmetric Master Key ---------------------
Enter the name of the new PKDS below.
New PKDS ===>
When the master key is changed, the new PKDS will become active.
- In the New PKDS field, enter the name of the disk copy of the PKDS that you want ICSF to place in storage.
You should have already reenciphered the disk copy of the PKDS under the new master key. The last PKDS name that you specified in the Output PKDS field on the Reencipher PKDS panel, which is shown in Figure 116, automatically appears in this field.
- Press ENTER. ICSF loads the data set into storage, where it becomes operational on the system. ICSF also places the new master key into the master key register so that it becomes active.
When you press
ENTER, ICSF attempts to change the master key. It displays a message
on the top right of the panel. The message indicates either that the
master key was changed successfully or that an error occurred that
prevented the successful completion of the change process. For example,
if you indicate a data set that is not reenciphered under the new
master key, an error message displays, and the master key is not changed.
- When changing the master key, remember to change the name of the
PKDS in the Installation Options Data Set.
You can use a utility program to reencipher the PKDSs instead of using the panels. The topic Reenciphering a PKDS describes how to use the utility program for these procedures.
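The following toy model, added here as an illustration and not ICSF code, shows the ordering and checks the procedure above relies on: option 6 rewrites a disk copy of the PKDS under the new master key and needs an empty output data set, and option 7 refuses to change the master key when the new master key registers are not full and identical in every coprocessor or when the named PKDS is not reenciphered under the new key. Master-key wrapping is stood in for by a SHAKE-256 keystream XOR, the master key verification pattern (MKVP) by a SHA-256 prefix, and all names (PKDS, Coprocessor, reencipher_pkds, change_asym_mk) are hypothetical.

```python
# Toy model of reencipher-then-change; not ICSF code, all names are hypothetical.
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional

def mkvp(mk: bytes) -> bytes:
    """Verification pattern that identifies a master key without revealing it."""
    return hashlib.sha256(b"MKVP" + mk).digest()[:8]

def wrap(mk: bytes, label: str, key: bytes) -> bytes:
    """Toy stand-in for enciphering a private key under the master key."""
    stream = hashlib.shake_256(mk + label.encode()).digest(len(key))
    return bytes(a ^ b for a, b in zip(key, stream))

unwrap = wrap  # the keystream XOR is its own inverse

@dataclass
class PKDS:
    header_mkvp: bytes                       # MKVP of the key the entries are under
    entries: Dict[str, bytes] = field(default_factory=dict)  # label -> wrapped key

@dataclass
class Coprocessor:
    current_mk: bytes
    new_mk: Optional[bytes] = None           # None = new master key register not full

def reencipher_pkds(src: PKDS, dst: PKDS, old_mk: bytes, new_mk: bytes) -> PKDS:
    """Option 6: rewrite a disk copy under new_mk; the output must exist and be empty."""
    if dst.entries:
        raise ValueError("output PKDS must be empty")
    if src.header_mkvp != mkvp(old_mk):
        raise ValueError("input PKDS is not enciphered under the current master key")
    dst.header_mkvp = mkvp(new_mk)
    for label, wrapped in src.entries.items():
        dst.entries[label] = wrap(new_mk, label, unwrap(old_mk, label, wrapped))
    return dst

def change_asym_mk(cards: List[Coprocessor], new_pkds: PKDS) -> str:
    """Option 7: activate new_pkds and the new master key, or refuse and change nothing."""
    regs = {c.new_mk for c in cards}
    if None in regs or len(regs) != 1:
        return "ERROR: new master key registers not full and identical in all coprocessors"
    (new_mk,) = regs
    if new_pkds.header_mkvp != mkvp(new_mk):
        return "ERROR: PKDS is not reenciphered under the new master key"
    for c in cards:
        c.current_mk, c.new_mk = new_mk, None  # activate new key, clear new register
    return "MASTER KEY CHANGED"
```

Running change_asym_mk against a PKDS that was never passed through reencipher_pkds returns the error and leaves every coprocessor's current master key untouched, which is the failure mode the panel reports.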