z/OS Cryptographic Services ICSF Administrator's Guide


Symmetric Master Keys and the CKDS

SA22-7521-17

The procedure you need to follow for changing the DES or AES master key, reenciphering the CKDS, and activating the new DES or AES master key differs depending on factors such as the version of ICSF you are running and your system’s compatibility mode. Although the details of the various procedures differ, they all guide you through the same significant actions. Essentially, to change the symmetric keys, you need to:

  1. Enter the master key parts into the new master key registers (as described in Entering master key parts).
  2. Reencipher the CKDS under the new master key. This fills an empty VSAM data set you created earlier with the reenciphered keys, making the data set the new CKDS. This new reenciphered CKDS is a disk copy.
  3. Change the symmetric master keys and make the reenciphered CKDS the active CKDS.

Starting with ICSF FMID HCR7790, a new option is available to provide a simplified procedure for changing the symmetric master keys. Tasks that had once been distinct and spread over multiple panels and manual steps are now combined in a single panel. Other steps, due to changes in how ICSF reenciphers the CKDS, are no longer necessary.

This new procedure is called a coordinated CKDS change master key. This procedure will combine the CKDS reencipher and set master key steps for both single system environments and sysplex environments. When in a sysplex environment, the coordinated CKDS change master key procedure additionally coordinates across all sysplex members sharing the same active CKDS. This removes the need to perform manual steps on each system sharing the same CKDS, including bringing the disk copy of the reenciphered CKDS into storage.

For the additional advantages realized by a coordinated CKDS change master key, refer to Changing symmetric master keys and refreshing the CKDS when the CKDS is shared in a sysplex environment.

Use the coordinated CKDS change master key procedure only if your system (and, if applicable, your sysplex) meets the following requirements.

  • Your system must be running ICSF FMID HCR7790 or later. In a sysplex environment, all members of the sysplex (including any sysplex members that are not using the same active CKDS) must be at ICSF FMID HCR7790 or later. The sysplex communication protocol used by the coordinated change master key procedure is only understood by ICSF FMID HCR7790 and later. For this reason, the coordinated change master key procedure can only be performed when all systems in the sysplex are at ICSF FMID HCR7790 and later. Be aware that this procedure will change the symmetric master keys for all systems in the sysplex that share the same active CKDS as the member who initiates the procedure.
  • None of the systems in the sysplex can be an IBM zSeries 900.
  • ICSF on all systems in the sysplex must be running in noncompatibility mode.
  • Do not use the coordinated CKDS procedure to reencipher archived or backup copies of the CKDS that are not currently active. Only use it to reencipher the active CKDS.

If your system (and, if applicable, your sysplex) meets the requirements in the preceding list, you can use the procedure described in Performing a coordinated CKDS master key change to change your master key.

If your system or sysplex does not meet the requirements in the preceding list, follow the procedure described in Steps for reenciphering the CKDS and performing a single-system CKDS master key change. Because this procedure branches into different instructions based on whether ICSF is running in noncompatibility, compatibility, or co-existence mode, you should first understand the following background information on these modes before referring to and performing the procedure.

ICSF runs in noncompatibility, compatibility, or co-existence mode with the IBM cryptographic products, and Programmed Cryptographic Facility (PCF). You specify which mode ICSF runs in by using an installation option. For a description of the modes and how to specify an installation option, see z/OS Cryptographic Services ICSF System Programmer’s Guide.

In noncompatibility mode, ICSF allows you to change the master key with continuous operations. Therefore applications can continue to run without disruption. However, when ICSF is in compatibility mode or co-existence mode, you should use a different procedure to activate the changed master key. This is to ensure that no application is holding an internal token with the wrong master key.

In all three modes, you enter the new master key and reencipher the disk copy of the CKDS under the new master key using the master key panels. In noncompatibility mode, you then activate the new master key and refresh the in-storage copy of the CKDS with the disk copy using the master key panels or a utility program.

In compatibility mode and co-existence mode, however, activating the new master key and refreshing the in-storage copy of the CKDS does not reencipher internal key tokens under the new master key. ICSF applications that are holding internal key tokens which have been enciphered under the wrong master key will fail with a warning message. Applications that use the PCF macros run with no warning message and produce erroneous results.

If you have a PCIXCC, CEX2C, and CEX3C installed, when you start ICSF, you must go to the Master Key Management panel (Figure 109) and do a set (option 2). This will change the master keys of all the PCIXCCs, CEX2Cs, and CEX3Cs.

A re-IPL ensures that a program does not access a cryptographic service that uses a key that is encrypted under a different master key. If a program is using an operational key, the program should either re-create or reimport the key, or generate a new key.

If a re-IPL is not practical in your installation, you can use this alternative method. Stop all cryptographic applications, especially those using PCF macros, when activating the new master key and refreshing the in-storage copy of the CKDS. This eliminates all operational keys that are encrypted under the current master key. When you start ICSF again, applications using an operational key can either re-create or reimport the key.
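
A pre-flight check for the choice described above, as an added example that is not IBM's code: it applies the requirements list to a sysplex inventory and reports which procedure applies and which systems block the coordinated one. The Member fields, the sample systems, and the assumption that ICSF FMIDs compare in release order as plain strings are illustrative and do not come from this guide.

```python
from dataclasses import dataclass

MIN_FMID = "HCR7790"  # minimum ICSF level named in the requirements list

@dataclass
class Member:                  # hypothetical inventory record, one per sysplex member
    name: str
    fmid: str                  # ICSF FMID installed on the system
    machine: str               # hardware model description
    mode: str                  # "noncompatibility", "compatibility" or "co-existence"
    shares_active_ckds: bool   # shares the initiator's active CKDS

def fmid_at_least(fmid, minimum=MIN_FMID):
    # Assumption: FMIDs share the "HCR" prefix and sort in release order
    # as plain strings (HCR7780 < HCR7790 < HCR77A0).
    return fmid.startswith("HCR") and len(fmid) == len(minimum) and fmid >= minimum

def coordinated_blockers(members):
    """Return (system, reason) pairs that rule out the coordinated procedure."""
    blockers = []
    for m in members:  # every member counts, whether or not it shares the CKDS
        if not fmid_at_least(m.fmid):
            blockers.append((m.name, f"ICSF FMID {m.fmid} is earlier than {MIN_FMID}"))
        if "zseries 900" in m.machine.lower():
            blockers.append((m.name, "IBM zSeries 900"))
        if m.mode != "noncompatibility":
            blockers.append((m.name, f"ICSF running in {m.mode} mode"))
    return blockers

def plan(members, initiator):
    """Pick the procedure for a master key change started on `initiator`."""
    blockers = coordinated_blockers(members)
    if not blockers:
        # The change reaches every system sharing the initiator's active CKDS.
        affected = sorted(m.name for m in members if m.shares_active_ckds)
        return {"procedure": "coordinated", "affected": affected, "blockers": []}
    me = next(m for m in members if m.name == initiator)
    activate = ("option 4 on the Master Key Management panel"
                if me.mode == "noncompatibility" else "re-IPL MVS and start ICSF")
    return {"procedure": "single-system", "activate": activate, "blockers": blockers}

# Constructed sample sysplex: SYSC does not share the CKDS but still blocks.
SAMPLE_SYSPLEX = [
    Member("SYSA", "HCR77A0", "IBM zEnterprise 196", "noncompatibility", True),
    Member("SYSB", "HCR7790", "IBM zEnterprise 196", "noncompatibility", True),
    Member("SYSC", "HCR7780", "IBM System z10", "noncompatibility", False),
]
```
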

Steps for reenciphering the CKDS and performing a single-system CKDS master key change

Notes:
  1. If running in a sysplex, see Running in a Sysplex Environment.
  2. Prior to reenciphering a CKDS, consider temporarily disallowing dynamic CKDS update services. For more information, refer to Steps for disallowing dynamic CKDS updates during CKDS administration updates.
  3. A simplified procedure for changing the symmetric master key and reenciphering the CKDS is described in Performing a coordinated CKDS master key change. However, only systems that are running ICSF FMID HCR7790 or later and that meet other requirements can use this other procedure. If you are interested in using this simplified procedure, refer to the requirements outlined in Symmetric Master Keys and the CKDS.

Before beginning this procedure, you must:

  1. Enter the key parts of the new master key that you want to replace the current master key. For information about how to do this procedure, see Entering master key parts. The new master key register must be full when you change the master key.
  2. Create a new VSAM data set in which the reenciphered keys will be placed to create the new reenciphered CKDS. This data set must be allocated and empty, and must contain the same data set attributes as the active CKDS. For more information about defining a CKDS, refer to z/OS Cryptographic Services ICSF System Programmer’s Guide.

To reencipher the CKDS and change the master key:

  1. Select option 3, REENCIPHER CKDS, on the Master Key Management panel, as shown in Figure 110, and press ENTER.

    When you change the master key, you must first reencipher the disk copy of the CKDS under the new master key.

    Notes:
    1. If your system is using multiple coprocessors, they must have the same master key. When you change the master key in one coprocessor, you should change the master key in the other coprocessors. Therefore, to reencipher a CKDS under a new master key, the new master key registers in all coprocessors must contain the same value.
    2. If the CKDS contains HMAC keys, it must be reenciphered on a system with a CEX3C and the Sept. 2010 or later licensed internal code.
    Figure 110. Selecting the Reencipher CKDS option on the ICSF Master Key Management Panel
     CSFMKM10 ---------------- ICSF - Master Key Management  ----------------
     OPTION ===>  3
    
     Enter the number of the desired option.                                       
                                                                                  
       1  INIT/REFRESH/UPDATE CKDS - Initialize a Cryptographic Key Data Set or    
                               activate an updated Cryptographic Key Data Set      
       2  SET MK            -  Set a master key (AES, DES, ECC)               
       3  REENCIPHER CKDS   -  Reencipher the CKDS prior to changing a symmetric   
                               master key                                          
       4  CHANGE SYM MK     -  Change a symmetric master key and activate the      
                               reenciphered CKDS 
       5  INIT/REFRESH/UPDATE PKDS -  Initialize a Public Key Data Set or
                               activate an updated Public Key Data Set or
                               update the Public Key Data Set header              
       6  REENCIPHER PKDS   -  Reencipher the PKDS        
       7  CHANGE ASYM MK    -  Change an asymmetric master key and activate the
                               reenciphered PKDS
       8  COORDINATED KDS REFRESH - Perform a coordinated KDS refresh
       9  COORDINATED KDS CHANGE MK - Perform a coordinated KDS change master key  
  2. The Reencipher CKDS panel appears. See Figure 111.
    Figure 111. Reencipher CKDS
     CSFCMK10 ----------------- ICSF - Reencipher CKDS ------------------
     COMMAND ===>
    
    
    To reencipher all CKDS entries from encryption under the current DES/
    Symmetric-keys master key to encryption under the new master key enter 
    the CKDS names below.
    
    
    
        Input CKDS ===> 'CKDS.CURRENT.MASTER'
    
        Output CKDS ===> 'CKDS.NEW.MASTER'
    
    
     
  3. In the Input CKDS field, enter the name of the CKDS that you want to reencipher. In the Output CKDS field, enter the name of the data set in which you want to place the reenciphered keys.
    Notes:
    1. The output data set should already exist although it must be empty. For more information about defining a CKDS, see z/OS Cryptographic Services ICSF System Programmer’s Guide.
    2. The input CKDS and the output CKDS must have the same VSAM attributes.

    Reenciphering the disk copy of the CKDS does not affect the in-storage copy of the CKDS. On this panel, you are working with only a disk copy of the CKDS.

  4. Press ENTER to reencipher the input CKDS entries and place them into the output CKDS.

    The message REENCIPHER SUCCESSFUL appears on the top right of the panel if the reencipher succeeds.

  5. If you have more than one CKDS on disk, specify the information and press ENTER as many times as you need to reencipher all of them. Reencipher all your disk copies at this time. When you have reenciphered all the disk copies of the CKDS, you are ready to change the master key.
  6. Press END to return to the Master Key Management panel.

    Changing the master key involves refreshing the in-storage copy of the CKDS with a disk copy and activating the new master key.

  7. If you are running in compatibility or co-existence mode, do not select option 4, the Change option. To activate the changed master key when running in compatibility or co-existence mode, you need to re-IPL MVS and start ICSF. When you re-IPL MVS and start ICSF, you activate the changed master key and refresh the in-storage CKDS.
  8. If you are running in noncompatibility mode, to change the master key select option 4, CHANGE MK, on the Master Key Management panel.

    When you press the ENTER key, the Change Master Key panel appears. See Figure 112.

    Figure 112. Change Master Key Panel
     CSFCMK20 --------------------- ICSF Change Master Key --------------
     COMMAND ===>
    
    
     Enter the name of the new CKDS below:
    
       New CKDS ===> 'CKDS.NEW.MASTER'
    
     When the master key is changed, the new CKDS will become active.
    
    
     
  9. In the New CKDS field, enter the name of the disk copy of the CKDS that you want ICSF to place in storage.

    You should have already reenciphered the disk copy of the CKDS under the new master key. The last CKDS name that you specified in the Output CKDS field on the Reencipher CKDS panel, which is shown in Figure 60, automatically appears in this field.

  10. Press ENTER.

    ICSF loads the data set into storage where it becomes operational on the system. ICSF also places the new master key into the master key register so it becomes active.

    When you press ENTER, ICSF attempts to change the master key. It displays a message on the top right of the panel. The message indicates either that the master key was changed successfully or that an error occurred that prevented the successful completion of the change process. For example, if you indicate a data set that is not reenciphered under the new master key, an error message displays, and the master key is not changed.

  11. When changing the master key, remember to change the name of the CKDS in the Installation Options Data Set.

You can use a utility program to reencipher the CKDSs and change the master key instead of using the panels. Reenciphering a disk copy of a CKDS and changing the master key describes how to use the utility program for these procedures.





Copyright IBM Corporation 1990, 2014