IBM Crypto Education Community

 View Only

 Setting Master key in a sysplex system

ahmed talaat's profile image
ahmed talaat posted Tue February 25, 2025 05:48 AM

Hello,

I have a problem in ICSF which states that :

( If I have 3 systems in sysplex , system A, B and system C. If I configured system A and System B to have the same master key and the same CKDS, PKDS AND TKDS. System C uses the different master key and the different CKDS, PKDS AND TKDS. Now I modified in the procedure of csf in system C  to take the same CKDS, PKDS AND TKDS of System A and B, but the master key still different between system C and system B,A. I want to make the master key in C is the same of A and B to encipher with the same key of A and B.)

Radosław Skorupka's profile image
Radosław Skorupka posted Tue June 17, 2025 04:23 PM

You need to have single set of KDS (CKDS, PKDS and TKDS) shared among MVS A, B, C. 

You have to set same MK (master key) on all systems (LPARs). 

However when you change MK on MVS C, you will loose content of CKDS.C, PKDS.C, and TKDS.C 

If you don't have any keys inside, that's OK. 

Otherwise you have to do the following:

Perform coordinated MK change on MVS C - that include re-encipher of CKDS, PKDS and TKDS.

Now you have same MK in MVS A,B,C. And both KDS sets are available (readable). 

But you still have TWO sets of KDS's while you want to have single set. 

Well, you have to move the keys from CKDS.C to CKDS.AB. And do the same for PKDS and TKDS. 

Assuming you don't have same labels (key names) you can simply copy VSAM records from CKDS.C to CKDS.AB, etc. 

HTH

Eric Rossman's profile image
Eric Rossman posted Wed June 18, 2025 10:08 AM

I'm going to STRONGLY recommend against directly copying VSAM records. We recently had a customer do that and it caused quite a lot of grief. 

Radosław Skorupka's profile image
Radosław Skorupka posted Sat June 28, 2025 10:18 AM

Eric, 

Thank you for the advice. 

Actually I took this method from the "Transporting_AES_DATA_key" by Philippe Richard (2017). I also tried it several time with no issues, obviously it is not a proof that there is no risk.

Well, I consider this method as a "quick and dirty", however I would like to know what problems may occur and when. 

Assumptions:

same KDS format (KDSR, KDRSL, etc.). 

same ICSF version (FMID, PTF) level.

BTW: What about panel function "xKDS KEY CHECK    - Check key tokens in the active xKDS for format errors" ? Shouldn't it check the KDS against potential problems caused by IDCADMS record REPRO?

Eric Rossman's profile image
Eric Rossman posted Mon July 07, 2025 11:30 AM

There is no checking that the record being copied from one place to another is the correct format, under the correct MK, or even if it is a valid record for any ICSF KDS.

What makes it so risky is that the processing is happening outside of ICSF's awareness. KDS KEY CHECK will not be able to detect it because the DASD copy will have been updated and the in-store version will not have been. If you do a KDS refresh (CKDS or PKDS), it should be detected if the format is wrong but we are not looking at the MKVP since it shouldn't be possible to have a token in the KDS with the wrong MKVP if you use the correct, supported method to update the KDS.

Short answer: If you use IDCAMS to update the KDS and break something, the ICSF service team will be unable to support your setup until you fix whatever you broke.

Related Content