z/OS Cryptographic Services ICSF Administrator's Guide


Steps for changing the RSA-MK or ECC-MK master key and reenciphering the PKDS

SA22-7521-17

To change the RSA-MK or ECC-MK master key and reencipher the PKDS:

  1. Enter the key parts of the new master key that is to replace the current master key. For information about how to do this, see Entering master key parts. The new master key register must be full before you can change the master key.
    Note:
    When the PKA callable services control is active, the RSA-MK will be set when the final key part is loaded.
  2. Select option 6, REENCIPHER PKDS, on the Master Key Management panel and press ENTER. Before you change the master key, you must reencipher the disk copy of the PKDS under the new master key.
    Note:
    If your system is using multiple coprocessors, all of them must have the same master key. When you change the master key in one coprocessor, you must also change it in the other coprocessors. Therefore, before you reencipher a PKDS under a new master key, the new master key registers in all coprocessors must contain the same value.

    Figure 115. Selecting the Reencipher PKDS Option on the ICSF Master Key Management Panel
     CSFMKM10 ---------------- ICSF - Master Key Management  ----------------
     OPTION ===>  6
    
    
     Enter the number of the desired option.                                       
                                                                                  
       1  INIT/REFRESH/UPDATE CKDS - Initialize a Cryptographic Key Data Set or    
                               activate an updated Cryptographic Key Data Set      
       2  SET MK            -  Set a master key (AES, DES, ECC)               
       3  REENCIPHER CKDS   -  Reencipher the CKDS prior to changing a symmetric   
                               master key                                          
       4  CHANGE SYM MK     -  Change a symmetric master key and activate the      
                               reenciphered CKDS 
       5  INIT/REFRESH/UPDATE PKDS -  Initialize a Public Key Data Set or
                               activate an updated Public Key Data Set or
                               update the Public Key Data Set header              
       6  REENCIPHER PKDS   -  Reencipher the PKDS        
       7  CHANGE ASYM MK    -  Change an asymmetric master key and activate the
                               reenciphered PKDS     

    The Reencipher PKDS panel appears.

    Figure 116. Reencipher PKDS
     CSFCMK11 ---------------- ICSF - Reencipher PKDS -------------
     COMMAND ===> 
    
    
     To reencipher all PKDS entries from encryption under the old RSA master 
     key and/or current ECC master keys to encryption under the current RSA 
     master key and/or new ECC master key, enter the PKDS names below.
    
         Input PKDS   ===> 'PKDS.CURRENT.MASTER'
    
        Output PKDS ===> 'PKDS.NEW.MASTER'
       
     Press ENTER to reencipher the PKDS.
     Press END   to exit to the previous menu
       
  3. In the Input PKDS field, enter the name of the PKDS that you want to reencipher. In the Output PKDS field, enter the name of the data set in which you want to place the reenciphered keys.

    Reenciphering the disk copy of the PKDS does not affect the in-storage copy of the PKDS. On this panel, you are working with only a disk copy of the PKDS.

    Note:
    The output data set must already exist, and it must be empty. For more information about defining a PKDS, see z/OS Cryptographic Services ICSF System Programmer's Guide.
  4. Press ENTER to reencipher the input PKDS entries and place them into the output PKDS.

    The message REENCIPHER SUCCESSFUL appears on the top right of the panel if the reencipher succeeds.

  5. If you have more than one PKDS on disk, specify the information and press ENTER as many times as you need to reencipher all of them. Reencipher all your disk copies at this time. When you have reenciphered all the disk copies of the PKDS, you are ready to change the master key.
  6. Press END to return to the Master Key Management panel.

    Changing the master key involves refreshing the in-storage copy of the PKDS with a disk copy and activating the new master key.

  7. To change the master key, select option 7, CHANGE ASYM MK, on the Master Key Management panel.

    When you press the ENTER key, the Change Master Key panel appears.

    Figure 117. Change Master Key Panel
    CSFCMK22 --------------- ICSF - Change Asymmetric Master Key ---------------------
    
    Enter the name of the new PKDS below.
    
    New PKDS ===>
    
    When the master key is changed, the new PKDS will become active.
  8. In the New PKDS field, enter the name of the disk copy of the PKDS that you want ICSF to place in storage.

    You should have already reenciphered the disk copy of the PKDS under the new master key. The last PKDS name that you specified in the Output PKDS field on the Reencipher PKDS panel, which is shown in Figure 116, automatically appears in this field.

  9. Press ENTER.

    ICSF loads the data set into storage where it becomes operational on the system. ICSF also places the new master key into the master key register so it becomes active.

    When you press ENTER, ICSF attempts to change the master key and displays a message on the top right of the panel. The message indicates either that the master key was changed successfully or that an error prevented the change from completing. For example, if you specify a data set that is not reenciphered under the new master key, an error message is displayed and the master key is not changed.

  10. After changing the master key, remember to change the name of the PKDS (the PKDSN option) in the Installation Options Data Set so that the reenciphered PKDS is loaded at the next ICSF start.

    You can use a utility program to reencipher the PKDSs instead of using the panels. Reenciphering a PKDS describes how to use the utility program for these procedures.
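The ordering that steps 1 through 9 enforce (load the new master key register, reencipher a disk copy, then activate only a copy that is verified as enciphered under the new key) is easiest to see in a small model. The following is an added illustration, not ICSF code and not the coprocessor's actual wrapping algorithm: the HMAC-based key wrapping, the 8-byte verification pattern, the data-set layout, the message strings and the method names are all assumptions chosen so that the example runs with the Python standard library alone. What it does show faithfully is the check ICSF performs at step 9: a data set that was not reenciphered under the new master key is rejected and the master key is left unchanged.

```python
"""Model of reencipher-then-change for a PKDS-like key data set.
Added example; NOT ICSF code. Wrapping, MKVP and messages are stand-ins."""
import hashlib
import hmac
import secrets

MKVP_LEN = 8  # assumed length of the master key verification pattern


def mk_verification_pattern(master_key: bytes) -> bytes:
    """Identify which master key wrapped a data set without revealing it (assumed)."""
    return hmac.new(master_key, b"mkvp", hashlib.sha256).digest()[:MKVP_LEN]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in stream cipher for the illustration."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(master_key: bytes):
    return (hmac.new(master_key, b"enc", hashlib.sha256).digest(),
            hmac.new(master_key, b"mac", hashlib.sha256).digest())


def wrap(master_key: bytes, key_material: bytes) -> bytes:
    """Encrypt-then-MAC a key record: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(master_key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(key_material, _keystream(enc_key, nonce, len(key_material))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(master_key: bytes, blob: bytes) -> bytes:
    """Recover a key record; fails closed if it was wrapped under another master key."""
    enc_key, mac_key = _subkeys(master_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("record is not enciphered under this master key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyDataSet:
    """A disk copy of the key store: header carries the MKVP of the wrapping key."""
    def __init__(self, master_key: bytes, entries: dict):
        self.mkvp = mk_verification_pattern(master_key)
        self.records = {label: wrap(master_key, km) for label, km in entries.items()}


def reencipher(input_kds: KeyDataSet, old_mk: bytes, new_mk: bytes) -> KeyDataSet:
    """Steps 2-4: write a NEW disk copy under new_mk; the input copy is untouched."""
    if input_kds.mkvp != mk_verification_pattern(old_mk):
        raise ValueError("input data set is not enciphered under the current master key")
    plain = {label: unwrap(old_mk, blob) for label, blob in input_kds.records.items()}
    return KeyDataSet(new_mk, plain)


class Coprocessor:
    """Holds the current master key, the new-MK register and the in-storage data set."""
    def __init__(self, current_mk: bytes, in_storage_kds: KeyDataSet):
        self.current_mk = current_mk
        self.new_mk_register = None
        self.active_kds = in_storage_kds

    def load_new_master_key(self, key_parts: list) -> None:
        """Step 1: the register is full once all parts are combined (XOR, as ICSF does)."""
        combined = bytes(len(key_parts[0]))
        for part in key_parts:
            combined = bytes(a ^ b for a, b in zip(combined, part))
        self.new_mk_register = combined

    def change_master_key(self, candidate_kds: KeyDataSet) -> str:
        """Steps 7-9: activate the candidate only if it is enciphered under the new MK."""
        if self.new_mk_register is None:
            return "NEW MASTER KEY REGISTER NOT FULL"
        if candidate_kds.mkvp != mk_verification_pattern(self.new_mk_register):
            return "PKDS NOT REENCIPHERED UNDER NEW MASTER KEY"  # nothing is changed
        self.active_kds = candidate_kds
        self.current_mk, self.new_mk_register = self.new_mk_register, None
        return "MASTER KEY CHANGED"

    def export_key(self, label: str) -> bytes:
        return unwrap(self.current_mk, self.active_kds.records[label])


def demo() -> list:
    """Run the page's sequence, including the rejected attempt from step 9."""
    old_mk = secrets.token_bytes(32)
    key_parts = [secrets.token_bytes(32), secrets.token_bytes(32)]  # constructed sample
    current = KeyDataSet(old_mk, {"RSA.SIGN.KEY": b"\x11" * 32})   # constructed sample
    cop = Coprocessor(old_mk, current)
    cop.load_new_master_key(key_parts)
    reenciphered = reencipher(current, old_mk, cop.new_mk_register)
    results = [cop.change_master_key(current)]       # wrong copy: must be rejected
    results.append(cop.change_master_key(reenciphered))
    results.append(cop.export_key("RSA.SIGN.KEY"))   # still readable under the new MK
    return results


if __name__ == "__main__":
    print(demo())
```

The first `change_master_key` call passes the un-reenciphered copy and is refused without touching the current master key or the in-storage data set, which is the behaviour step 9 describes; only the copy produced by `reencipher` is accepted, after which the original key material is still recoverable under the new master key.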





Copyright IBM Corporation 1990, 2014