The procedure you need to follow for changing the DES
or AES master key, reenciphering the CKDS, and activating the
new DES or AES master key will differ depending on factors
such as the version of ICSF you are running and your system’s
compatibility mode. Although the details of the various procedures
differ, they all guide you through the same significant
actions. Essentially, to change the symmetric keys, you need to:
- Enter the master key parts into the new master key registers (as
described in Entering master key parts).
- Reencipher the CKDS under the new master key. This fills an empty
VSAM data set you created earlier with the reenciphered keys, making
the data set the new CKDS. This new reenciphered CKDS is a disk copy.
- Change the symmetric master keys and make the reenciphered CKDS
the active CKDS.
Starting with ICSF FMID HCR7790, a new option is available
to provide a simplified procedure for changing the symmetric master
keys. Tasks that had once been distinct and spread over multiple panels
and manual steps are now combined in a single panel. Other steps,
due to changes in how ICSF reenciphers the CKDS, are no longer necessary.
This new procedure is called a coordinated CKDS change
master key. This procedure will combine the CKDS reencipher and set
master key steps for both single system environments and sysplex environments.
When in a sysplex environment, the coordinated CKDS change master
key procedure additionally coordinates across all sysplex members
sharing the same active CKDS. This removes the need to perform manual
steps on each system sharing the same CKDS, including bringing the
disk copy of the reenciphered CKDS into storage.
For the additional advantages realized by a coordinated
CKDS change master key, refer to Changing symmetric master keys and refreshing the CKDS when
the CKDS is shared in a sysplex environment.
Use the coordinated CKDS change master key procedure
only if your system (and, if applicable, your sysplex) meets the following
requirements.
- Your system must be running ICSF FMID HCR7790 or later. In a sysplex
environment, all members of the sysplex (including any sysplex members
that are not using the same active CKDS) must be at ICSF FMID HCR7790
or later. The sysplex communication protocol used by the coordinated
change master key procedure is only understood by ICSF FMID HCR7790
and later. For this reason, the coordinated change master key procedure
can only be performed when all systems in the sysplex are at ICSF
FMID HCR7790 and later. Be aware that this procedure will change the
symmetric master keys for all systems in the sysplex that share the
same active CKDS as the member who initiates the procedure.
- None of the systems in the sysplex can be an IBM zSeries 900.
- ICSF on all systems in the sysplex must be running in noncompatibility
mode.
- Do not use the coordinated CKDS procedure to reencipher archived
or backup copies of the CKDS that are not currently active. Only use
it to reencipher the active CKDS.
If your system (and, if applicable, your sysplex) meets
the requirements in the preceding list, you can use the procedure
described in Performing a coordinated CKDS master key change to change your master key.
If your system or sysplex does not meet the requirements
in the preceding list, follow the procedure described in Steps for reenciphering the CKDS and performing a
single-system CKDS master key change. Because this procedure branches into different instructions
based on whether ICSF is running in noncompatibility, compatibility,
or co-existence mode, you should first understand the following background
information on these modes before referring to and performing the
procedure.
ICSF runs in noncompatibility, compatibility, or co-existence
mode with the IBM cryptographic products, and Programmed Cryptographic
Facility (PCF). You specify which mode ICSF runs in by using an
installation option. For a description
of the modes and how to specify an installation option, see z/OS Cryptographic Services ICSF System Programmer’s Guide.
In noncompatibility mode, ICSF allows you to change the master
key with continuous operations. Therefore applications can continue
to run without disruption. However, when ICSF is in compatibility
mode or co-existence mode, you should use a different procedure to
activate the changed master key. This is to ensure that no application
is holding an internal token with the wrong master key.
In all three modes, you enter the new master key and reencipher
the disk copy of the CKDS under the new master key using the master
key panels. In noncompatibility mode, you then activate the new master
key and refresh the in-storage copy of the CKDS with the disk copy
using the master key panels or a utility program.
In compatibility mode and co-existence mode, however, activating
the new master key and refreshing the in-storage copy of the CKDS
does not reencipher internal key tokens under the new master key. ICSF applications
that are holding internal key tokens which have been enciphered under
the wrong master key will fail with a warning message. Applications
that use the PCF macros run with no warning message and produce erroneous
results.
If you have a PCIXCC, CEX2C, and CEX3C installed, when
you start ICSF, you must go to the Master Key Management panel (Figure 109) and do a set (option 2). This will change the master
keys of all the PCIXCCs, CEX2Cs, and CEX3Cs.
A re-IPL ensures that a program does not access a cryptographic
service that uses a key that is encrypted under a different master
key. If a program is using an operational key, the program should
either re-create or reimport the key, or generate a new key.
If a re-IPL is not practical in your installation, you can use
this alternative method. Stop all cryptographic applications, especially
those using PCF macros, when activating the new master key and refreshing
the in-storage copy of the CKDS. This eliminates all operational keys
that are encrypted under the current master key. When you start ICSF
again, applications using an operational key can either re-create
or reimport the key.
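The requirements for the coordinated procedure and the mode-dependent activation step can be checked against a system inventory before the change window. The following Python is an added example, not IBM code or part of ICSF. The `Member` record, its field names, the sample systems, and the string comparison of FMIDs are assumptions made for illustration.

```python
from dataclasses import dataclass

MIN_FMID = "HCR7790"  # minimum ICSF FMID named on this page

@dataclass
class Member:              # hypothetical inventory record, one per sysplex member
    name: str
    fmid: str              # ICSF FMID, e.g. "HCR7790"
    mode: str              # "noncompatibility", "compatibility" or "co-existence"
    machine: str           # hardware model label as recorded in the inventory
    shares_ckds: bool      # shares the initiator's active CKDS

def coordinated_blockers(members, ckds_is_active):
    """Return the reasons the coordinated procedure must not be used."""
    reasons = []
    for m in members:
        # Assumption: FMIDs compare in release order as uppercase strings.
        # The FMID rule covers every member, even those not sharing the CKDS.
        if m.fmid.upper() < MIN_FMID:
            reasons.append(f"{m.name}: ICSF FMID {m.fmid} is below {MIN_FMID}")
        if "zseries 900" in m.machine.lower():
            reasons.append(f"{m.name}: IBM zSeries 900 in sysplex")
        if m.mode != "noncompatibility":
            reasons.append(f"{m.name}: ICSF running in {m.mode} mode")
    if not ckds_is_active:
        reasons.append("target CKDS is an archived or backup copy, not the active CKDS")
    return reasons

def plan_change(members, initiator, ckds_is_active=True):
    """Pick the procedure and, if coordinated, list the systems it will change."""
    blockers = coordinated_blockers(members, ckds_is_active)
    if not blockers:
        affected = sorted(m.name for m in members if m.shares_ckds)
        return {"procedure": "coordinated", "affected": affected, "blockers": []}
    me = next(m for m in members if m.name == initiator)
    # Single-system path: option 3 (REENCIPHER CKDS) in every mode, then either
    # option 4 (noncompatibility) or a re-IPL of MVS followed by starting ICSF.
    activate = "option 4" if me.mode == "noncompatibility" else "re-IPL"
    return {"procedure": "single-system", "activate": activate, "blockers": blockers}

# Constructed sample inventory (not real systems).
SYSPLEX = [
    Member("SYSA", "HCR7790", "noncompatibility", "z196", True),
    Member("SYSB", "HCR7790", "noncompatibility", "z196", True),
    Member("SYSC", "HCR7780", "compatibility", "z10", False),
]
```

With the constructed inventory, SYSC blocks the coordinated procedure even though it does not share the active CKDS, because the FMID and mode requirements apply to every member of the sysplex.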
Steps for reenciphering the CKDS and performing a
single-system CKDS master key change
Before beginning this procedure, you must:
- Enter the key parts of the new master key that you want to replace
the current master key. For information about how to do this procedure,
see Entering master key parts. The new master key register must be full
when you change the master key.
- Create a new VSAM data set in which the reenciphered keys will
be placed to create the new reenciphered CKDS. This data set must
be allocated and empty, and must contain the same data set attributes
as the active CKDS. For more information about defining a CKDS, refer
to z/OS Cryptographic Services ICSF System Programmer’s Guide.
To reencipher the CKDS and change the master key:
- Select option 3, REENCIPHER CKDS, on the Master Key Management
panel, as shown in Figure 110, and press ENTER.
When you change the master key, you must first reencipher the disk copy
of the CKDS under the new master key.
Notes:
- If your system is using multiple coprocessors, they must have
the same master key. When you change the master key in one coprocessor,
you should change the master key in the other coprocessors. Therefore,
to reencipher a CKDS under a new master key, the new master key registers
in all coprocessors must contain the same value.
- If the CKDS contains HMAC keys, it must be reenciphered on a system
with a CEX3C and the Sept. 2010 or later licensed internal code.
Figure 110. Selecting the Reencipher CKDS option on the ICSF Master Key Management Panel
CSFMKM10 ---------------- ICSF - Master Key Management ----------------
OPTION ===> 3
Enter the number of the desired option.
1 INIT/REFRESH/UPDATE CKDS - Initialize a Cryptographic Key Data Set or
activate an updated Cryptographic Key Data Set
2 SET MK - Set a master key (AES, DES, ECC)
3 REENCIPHER CKDS - Reencipher the CKDS prior to changing a symmetric
master key
4 CHANGE SYM MK - Change a symmetric master key and activate the
reenciphered CKDS
5 INIT/REFRESH/UPDATE PKDS - Initialize a Public Key Data Set or
activate an updated Public Key Data Set or
update the Public Key Data Set header
6 REENCIPHER PKDS - Reencipher the PKDS
7 CHANGE ASYM MK - Change an asymmetric master key and activate the
reenciphered PKDS
8 COORDINATED KDS REFRESH - Perform a coordinated KDS refresh
9 COORDINATED KDS CHANGE MK - Perform a coordinated KDS change master key
- The Reencipher CKDS panel appears. See Figure 111.
Figure 111. Reencipher CKDS
CSFCMK10 ----------------- ICSF - Reencipher CKDS ------------------
COMMAND ===>
To reencipher all CKDS entries from encryption under the current DES/
Symmetric-keys master key to encryption under the new master key enter
the CKDS names below.
Input CKDS ===> 'CKDS.CURRENT.MASTER'
Output CKDS ===> 'CKDS.NEW.MASTER'
- In the Input CKDS field, enter the name of the CKDS that you want
to reencipher. In the Output CKDS field, enter the name of the data
set in which you want to place the reenciphered keys.
Reenciphering the disk copy of the CKDS does not affect
the in-storage copy of the CKDS. On this panel, you are working with
only a disk copy of the CKDS.
- Press ENTER to reencipher the input CKDS entries and place them
into the output CKDS.
The message REENCIPHER SUCCESSFUL appears
on the top right of the panel if the reencipher succeeds.
- If you have more than one CKDS on disk, specify the information
and press ENTER as many times as you need to reencipher all of them.
Reencipher all your disk copies at this time. When you have reenciphered
all the disk copies of the CKDS, you are ready to change the master
key.
- Press END to return to the Master Key Management panel.
Changing the master key involves refreshing the in-storage copy of the CKDS
with a disk copy and activating the new master key.
- If you are running in compatibility or co-existence mode, do not select option 4, the Change option. To
activate the changed master key when running in compatibility or co-existence
mode, you need to re-IPL MVS and start ICSF. When you re-IPL MVS
and start ICSF, you activate the changed master key and refresh
the in-storage CKDS.
- If you are running in noncompatibility mode, to change the master
key select option 4, CHANGE MK, on the Master Key Management panel.
When you press the ENTER key, the Change Master Key panel appears. See Figure 112.
Figure 112. Change Master Key Panel
CSFCMK20 --------------------- ICSF Change Master Key --------------
COMMAND ===>
Enter the name of the new CKDS below:
New CKDS ===> 'CKDS.NEW.MASTER'
When the master key is changed, the new CKDS will become active.
- In the New CKDS field, enter the name of the disk copy of the
CKDS that you want ICSF to place in storage.
You should have already reenciphered the disk copy of the CKDS under
the new master key. The last CKDS name that you specified in the
Output CKDS field on the Reencipher CKDS panel, which is shown in
Figure 60, automatically appears in this field.
- Press ENTER.
ICSF loads the data set into storage where it
becomes operational on the system. ICSF also places the new master
key into the master key register so it becomes active.
When you press ENTER, ICSF attempts to change the master key. It displays
a message on the top right of the panel. The message indicates either
that the master key was changed successfully or that an error occurred
that prevented the successful completion of the change process. For
example, if you indicate a data set that is not reenciphered under
the new master key, an error message displays, and the master key
is not changed.
- When changing the master key, remember to change the name of the
CKDS in the Installation Options Data Set.
You can use a utility program to reencipher the CKDSs and change
the master key instead of using the panels. Reenciphering a disk copy
of a CKDS and changing the master key describes how to use the
utility program for these procedures.