IBM Crypto Education Community

 View Only

 Setting Master key in a sysplex system

ahmed talaat's profile image
ahmed talaat posted Tue February 25, 2025 05:48 AM

Hello,

I have a problem in ICSF which states that :

( If I have 3 systems in sysplex , system A, B and system C. If I configured system A and System B to have the same master key and the same CKDS, PKDS AND TKDS. System C uses the different master key and the different CKDS, PKDS AND TKDS. Now I modified in the procedure of csf in system C  to take the same CKDS, PKDS AND TKDS of System A and B, but the master key still different between system C and system B,A. I want to make the master key in C is the same of A and B to encipher with the same key of A and B.)

Radosław Skorupka's profile image
Radosław Skorupka posted Tue June 17, 2025 04:23 PM

You need to have single set of KDS (CKDS, PKDS and TKDS) shared among MVS A, B, C. 

You have to set same MK (master key) on all systems (LPARs). 

However when you change MK on MVS C, you will loose content of CKDS.C, PKDS.C, and TKDS.C 

If you don't have any keys inside, that's OK. 

Otherwise you have to do the following:

Perform coordinated MK change on MVS C - that include re-encipher of CKDS, PKDS and TKDS.

Now you have same MK in MVS A,B,C. And both KDS sets are available (readable). 

But you still have TWO sets of KDS's while you want to have single set. 

Well, you have to move the keys from CKDS.C to CKDS.AB. And do the same for PKDS and TKDS. 

Assuming you don't have same labels (key names) you can simply copy VSAM records from CKDS.C to CKDS.AB, etc. 

HTH

Eric Rossman's profile image
Eric Rossman posted Wed June 18, 2025 10:08 AM

I'm going to STRONGLY recommend against directly copying VSAM records. We recently had a customer do that and it caused quite a lot of grief. 

Related Content