I am assuming ICF is really ICSF with the IBM mainframe crypto hardware. There is no way to revert to the previous master key. However, if the previous master key is still stored within the crypto hardware and you have an externally (not in CKDS) stored key token whose key value was encrypted under the previous master key then you can use that "old key" token within a program. IBM CCA architecture (Common Crypto Architecture) requires the master key verification pattern (MKVP) of the master key protecting the key value to be within the key token. When ICSF sends the key token to the crypto hardware along with the request, the crypto hardware will verify whether the MKVP within the token matches the MKVP of the value stored within the current master key register and if not, it checks against the MKVP of the value stored within the old master key register. If the MKVP of the old master key register and the MKVP of the token match, the crypto hardware will decrypt the key value using the old master key and reencipher the key value under the contents of the current master key register. The crypto hardware will also return a return code and reason code indicating that this action has occurred. The return code will be 0 and the reason code will be x'2710'.
Another alternative is to reload the old master key assuming that you still have its key parts stored. And, when finished with whatever recovery is needed, reload the current key values to restore the current master key.

Marilyn
ATS zSeries Crypto & Security
Certified I/T Specialist
(301) 240-2624 8/372
Washington Systems Center
"WSC: Genesis of the IBM Data Encryption for IMS and DB2 and the IBM Encryption Facility"
FAX: (301) 240-2590 8/372
Internet: [EMAIL PROTECTED]

Hal Merritt <[EMAIL PROTECTED]>
Sent by: IBM Mainframe Discussion List <[email protected]>
11/12/2008 10:06 AM
Please respond to IBM Mainframe Discussion List <[email protected]>
To: [email protected]
cc:
Subject: Z/890 Master Key

A question has come up if the ICF on the z/890 and z/9 (z/os 1.7) can revert to the previous master key using either the TKE or the ISPF dialog. Anyone done this?

TIA

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
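A toy model of the MKVP check described in the reply above, added here as an illustration and not code from the thread or from IBM. `Coprocessor`, `KeyToken`, the truncated-hash MKVP and the XOR wrap are stand-ins, and both raising on a mismatch and handing the reenciphered token back to the caller are assumptions of the model.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

REASON_OLD_MK = 0x2710  # reason code quoted in the reply (return code 0)

def compute_mkvp(master_key: bytes) -> bytes:
    # Stand-in verification pattern (truncated SHA-256), not the CCA algorithm.
    return hashlib.sha256(b"mkvp" + master_key).digest()[:8]

def toy_wrap(master_key: bytes, data: bytes) -> bytes:
    # Stand-in for master-key encipherment: XOR with a hash-derived pad, so the
    # same call also unwraps. Handles up to 32 bytes; not a real cipher.
    pad = hashlib.sha256(b"wrap" + master_key).digest()
    return bytes(a ^ b for a, b in zip(data, pad))

@dataclass
class KeyToken:
    mkvp: bytes      # MKVP of the master key that protects the key value
    wrapped: bytes   # key value enciphered under that master key

@dataclass
class Coprocessor:
    current_mk: bytes
    old_mk: Optional[bytes] = None

    def change_master_key(self, new_mk: bytes) -> None:
        # Only one previous generation is kept in this model.
        self.old_mk, self.current_mk = self.current_mk, new_mk

    def use_token(self, token: KeyToken):
        """Return (return_code, reason_code, token_under_current_mk)."""
        if token.mkvp == compute_mkvp(self.current_mk):
            return 0, 0, token
        if self.old_mk is not None and token.mkvp == compute_mkvp(self.old_mk):
            key_value = toy_wrap(self.old_mk, token.wrapped)
            fresh = KeyToken(compute_mkvp(self.current_mk),
                             toy_wrap(self.current_mk, key_value))
            return 0, REASON_OLD_MK, fresh
        # Assumption: the reply does not describe this case; the model raises.
        raise ValueError("token MKVP matches neither master key register")

def demo():
    # Constructed sample keys; the token is stored externally, not in the CKDS.
    hsm = Coprocessor(current_mk=b"constructed-MK-1")
    stale = KeyToken(compute_mkvp(hsm.current_mk),
                     toy_wrap(hsm.current_mk, b"0123456789abcdef"))
    hsm.change_master_key(b"constructed-MK-2")
    return hsm, stale, hsm.use_token(stale)
```

In this model, a caller that sees reason x'2710' but keeps storing the old token loses it at the next master key change, because only one previous generation is held.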

