Thanks so much, Eric.  That looks to have done the trick.

One final (!) question, if you don't mind.  On the ICSF Administrative Control 
Functions screen my current documentation shows three functions,  Dynamic CKDS 
Access, PKA Callable Services, and Dynamic PKDS Access.  On our machine now the 
PKA Callable Services option is not present.  I assume that's not an issue?  
Perhaps they are now always enabled.

Thanks,
Frank

________________________________
From: IBM Mainframe Discussion List <[email protected]> on behalf of 
Eric Rossman <[email protected]>
Sent: Friday, May 23, 2025 1:44 PM
To: [email protected] <[email protected]>
Subject: Re: ICSF - PKDS Operations

There are master key verification patterns (MKVPs) for all the master keys.

On the crypto cards, there are new, current, and old for each of the 4 MKs. In 
the corresponding KDS, there are MKVPs that are checked against the cards.

So, during startup, ICSF will load the KDS and then compare with each of the 
cards in turn. For each MKVP present in the KDS, we require the card to have a 
matching MK(VP).

As an example, let's say you have a PKDS with just an RSA MKVP present with 
value 1234.

Every time we load that PKDS, we check each card to see if it also has a 
current MKVP of 1234.

If you have just loaded the RSA MK with the key that gives an MKVP of 1234, it 
would be in the "new" register, not "current".

Option 2 only checks the "current" MKVP and is meant for the case where you 
already have the RSA MK with MKVP 1234 active.

Option 5 checks the "new" MKVP and is meant for cases like DR or new machines 
where you have loaded the new MK with the same value you are using elsewhere 
(as current) and have an existing PKDS, so you want to "promote" the RSA MK 
from new to current.

Option 5 sounds like your setup:

System A has current RSA MKVP of 1234 and a PKDS with RSA MKVP of 1234.

System B loads the new RSA MK with that 1234. Then, you point to the PKDS that 
system A was using and promote new to current.

Eric Rossman
---------------------------------
ICSF Security Architect
z/OS Security
---------------------------------
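The MKVP check Eric describes above, modelled as a small Python script so the difference between option 2 and option 5 is visible in code. This is an added illustration, not ICSF code and not something Eric posted: the class and function names, the register layout and the MKVP value 1234 (taken from his example) are constructed assumptions, and only the RSA master key is modelled.

```python
"""Toy model of ICSF's master-key verification pattern (MKVP) check.

Added illustration only (not ICSF code): each crypto card carries a
new/current/old register per master key type, and the KDS carries one
MKVP per master key type that must match on every card.
"""

from dataclasses import dataclass, field


@dataclass
class CryptoCard:
    """One coprocessor with its three MK registers (assumed layout)."""
    name: str
    new: dict = field(default_factory=dict)
    current: dict = field(default_factory=dict)
    old: dict = field(default_factory=dict)

    def promote(self, mk_type):
        """Promote the 'new' MK to 'current'; the old current becomes 'old'."""
        if mk_type in self.current:
            self.old[mk_type] = self.current[mk_type]
        self.current[mk_type] = self.new.pop(mk_type)


def check_kds(kds_mkvps, cards, register):
    """Compare every MKVP present in the KDS against one register on every card.

    Returns a list of (card, mk_type, kds_mkvp, card_mkvp) mismatches;
    an empty list means the KDS may be activated against these cards.
    """
    mismatches = []
    for card in cards:
        reg = getattr(card, register)
        for mk_type, mkvp in kds_mkvps.items():
            if reg.get(mk_type) != mkvp:
                mismatches.append((card.name, mk_type, mkvp, reg.get(mk_type)))
    return mismatches


def option2_refresh(kds_mkvps, cards):
    """Option 2: activate the PKDS only if the 'current' MKVPs already match."""
    bad = check_kds(kds_mkvps, cards, "current")
    return (not bad, bad)


def option5_refresh_and_activate(kds_mkvps, cards):
    """Option 5: the KDS MKVPs must match the 'new' registers; then every card
    promotes new -> current. Nothing is promoted if any card fails the check."""
    bad = check_kds(kds_mkvps, cards, "new")
    if bad:
        return (False, bad)
    for card in cards:
        for mk_type in kds_mkvps:
            card.promote(mk_type)
    return (True, [])


def scenario():
    """Eric's System A / System B example with a constructed MKVP of 1234."""
    pkds = {"RSA": "1234"}
    # System A: RSA MK with MKVP 1234 is already current.
    system_a = [CryptoCard("A-card0", current={"RSA": "1234"})]
    # System B: the same RSA MK was just loaded, so it sits in "new".
    system_b = [CryptoCard("B-card0", new={"RSA": "1234"}),
                CryptoCard("B-card1", new={"RSA": "1234"})]
    results = {}
    results["A_option2"] = option2_refresh(pkds, system_a)[0]            # True
    results["B_option2"] = option2_refresh(pkds, system_b)[0]            # False
    results["B_option5"] = option5_refresh_and_activate(pkds, system_b)[0]  # True
    results["B_option2_after"] = option2_refresh(pkds, system_b)[0]      # True
    results["B_current"] = system_b[0].current.get("RSA")                # "1234"
    return results


if __name__ == "__main__":
    print(scenario())
```

The point the model makes explicit: option 2 never touches the registers, so running it on System B before the promotion simply fails the check, while option 5 refuses to promote anything unless every card's "new" register agrees with the KDS.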

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of 
Frank Swarbrick
Sent: Friday, May 23, 2025 3:08 PM
To: [email protected]
Subject: [EXTERNAL] Re: ICSF - PKDS Operations

Sorry to be dumb, but I am still not clear.
We are entering into the new mainframe cards the same keys that are on our 
current mainframe, and we'll be copying over the same PKDS.  So, option 5?

When, for option 2, you say "current master keys on the cards match", match 
what?

Thanks again,
Frank

________________________________
From: IBM Mainframe Discussion List <[email protected]> on behalf of 
Eric Rossman <[email protected]>
Sent: Friday, May 23, 2025 12:51 PM
To: [email protected] <[email protected]>
Subject: Re: ICSF - PKDS Operations

I understand your confusion. We switched to the new panel in 2010 with HCR7780.

Option 2 is meant for refreshing to a PKDS when the current master keys on the 
cards match. Option 5 is meant for refreshing to a PKDS when the new MKs on the 
cards match the PKDS.

Eric Rossman
---------------------------------
ICSF Security Architect
z/OS Security
---------------------------------

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of 
Frank Swarbrick
Sent: Friday, May 23, 2025 2:18 PM
To: [email protected]
Subject: [EXTERNAL] ICSF - PKDS Operations

We are migrating to a new mainframe management provider with a new mainframe, 
so we need to load the DES and RSA master keys on to the cryptographic 
co-processor.  Our instructions are based on a prior version of z/OS, so some 
things have changed.  We're now on z/OS 2.5.  For the most part I've been able 
to determine which new functions map to the documented ones, but I'm unclear on 
which of the new options maps to old option "REFRESH PKDS".  These are the ones 
I am seeing now:

---------------------------- ICSF - PKDS Operations ------
COMMAND ===>

Enter the number of the desired option.

  1  Initialize an empty PKDS and activate master keys
         KDSR format? (Y/N) ===> Y
  2  Refresh - Activate a PKDS
  3  Update an existing PKDS
  4  Update an existing PKDS and activate master keys
  5  Refresh and activate master keys

Enter the name of the PKDS below.

  PKDS ===>

Press ENTER to execute your option.
Press END   to exit to the previous menu.


Thanks,
Frank


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
[email protected] with the message: INFO IBM-MAIN
