There are master key verification patterns (MKVPs) for all the master keys.

On the crypto cards, there are new, current, and old for each of the 4 MKs. In 
the corresponding KDS, there are MKVPs that are checked against the cards.

So, during startup, ICSF will load the KDS and then compare with each of the 
cards in turn. For each MKVP present in the KDS, we require the card to have a 
matching MK(VP).

As an example, let's say you have a PKDS with just an RSA MKVP present with 
value 1234.

Every time we load that PKDS, we check each card to see if it also has a 
current MKVP of 1234.

If you have just loaded the RSA MK with the key that gives an MKVP of 1234, it 
would be in the "new" register, not "current".

Option 2 only checks the "current" MKVP and is meant for the case where you 
already have the RSA MK with MKVP 1234 active.

Option 5 checks the "new" MKVP and is meant for cases like DR or new machines 
where you have loaded the new MK with the same value you are using elsewhere 
(as current) and have an existing PKDS, so you want to "promote" the RSA MK 
from new to current.

Option 5 sounds like your setup:

System A has current RSA MKVP of 1234 and a PKDS with RSA MKVP of 1234.

System B loads the new RSA MK with that 1234. Then, you point to the PKDS that 
system A was using and promote new to current.

Eric Rossman
---------------------------------
ICSF Security Architect
z/OS Security
---------------------------------
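To make the register check concrete, here is a small Python model of the behaviour Eric describes above. It is an added illustration, not ICSF or IBM code: cards are plain objects with new/current/old registers per master key type, MKVPs are opaque strings, the PKDS is a dict of the MKVPs it carries, and the "old" register receiving the previous "current" on promotion is an assumption of the model (the thread only describes new to current).

```python
"""Toy model of the MKVP check described in the reply above (constructed example).

Crypto cards hold, per master key (MK) type, three registers: new, current
and old, each holding at most one master key verification pattern (MKVP).
A KDS (here the PKDS) records the MKVPs it was written under.  For every
MKVP present in the KDS, each card must hold a matching MKVP in the register
the chosen option checks: option 2 checks "current", option 5 checks "new"
and then promotes new -> current.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Mkvp = Optional[str]          # MKVPs treated as opaque strings; None = empty register
REGISTERS = ("new", "current", "old")


@dataclass
class CryptoCard:
    name: str
    # {mk_type: {"new": mkvp, "current": mkvp, "old": mkvp}}
    registers: Dict[str, Dict[str, Mkvp]]

    def mkvp(self, mk_type: str, register: str) -> Mkvp:
        assert register in REGISTERS
        return self.registers.get(mk_type, {}).get(register)

    def promote(self, mk_type: str) -> None:
        """Promote new -> current.  Shifting the previous current into old is
        an assumption of this model; the thread only describes new -> current."""
        regs = self.registers.setdefault(mk_type, {r: None for r in REGISTERS})
        regs["old"] = regs["current"]
        regs["current"] = regs["new"]
        regs["new"] = None


Mismatch = Tuple[str, str, str, Mkvp, Mkvp]   # (card, mk_type, register, expected, found)


def check_kds_against_cards(kds_mkvps: Dict[str, str], cards: List[CryptoCard],
                            register: str) -> List[Mismatch]:
    """Return every (card, MK type) whose `register` does not hold the MKVP
    the KDS expects.  MK types with no MKVP in the KDS impose no requirement."""
    mismatches: List[Mismatch] = []
    for mk_type, expected in kds_mkvps.items():
        for card in cards:
            found = card.mkvp(mk_type, register)
            if found != expected:
                mismatches.append((card.name, mk_type, register, expected, found))
    return mismatches


def refresh_pkds(kds_mkvps: Dict[str, str], cards: List[CryptoCard]) -> List[Mismatch]:
    """Option 2, 'Refresh - Activate a PKDS': only the current registers are
    checked; nothing on the cards changes."""
    return check_kds_against_cards(kds_mkvps, cards, "current")


def refresh_and_activate(kds_mkvps: Dict[str, str], cards: List[CryptoCard]) -> List[Mismatch]:
    """Option 5, 'Refresh and activate master keys': the new registers must
    match; if every card matches, new is promoted to current for each MK type
    the KDS carries.  On any mismatch no card is touched."""
    mismatches = check_kds_against_cards(kds_mkvps, cards, "new")
    if mismatches:
        return mismatches
    for card in cards:
        for mk_type in kds_mkvps:
            card.promote(mk_type)
    return []


def system_b_card() -> CryptoCard:
    """Constructed scenario from the thread: system B has just loaded the RSA MK
    whose MKVP is 1234, so it sits in the new register; current is still empty."""
    return CryptoCard("B-card", {"RSA": {"new": "1234", "current": None, "old": None}})


PKDS_FROM_SYSTEM_A = {"RSA": "1234"}   # constructed: the PKDS only carries an RSA MKVP


if __name__ == "__main__":
    card = system_b_card()
    print("option 2 before promotion:", refresh_pkds(PKDS_FROM_SYSTEM_A, [card]))
    print("option 5:", refresh_and_activate(PKDS_FROM_SYSTEM_A, [card]))
    print("option 2 after promotion:", refresh_pkds(PKDS_FROM_SYSTEM_A, [card]))
```

Run as a script, the first option 2 attempt reports a mismatch (current register empty, PKDS expects 1234), option 5 succeeds and promotes the register, and option 2 then passes, which is the sequence the thread recommends for system B.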

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of 
Frank Swarbrick
Sent: Friday, May 23, 2025 3:08 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [EXTERNAL] Re: ICSF - PKDS Operations

Sorry to be dumb, but I am still not clear.
We are entering into the new mainframe cards the same keys that are on our 
current mainframe, and we'll be copying over the same PKDS.  So, option 5?

When, for option 2, you say "current master keys on the cards match", match 
what?

Thanks again,
Frank

________________________________
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of 
Eric Rossman <edros...@us.ibm.com>
Sent: Friday, May 23, 2025 12:51 PM
To: IBM-MAIN@LISTSERV.UA.EDU <IBM-MAIN@LISTSERV.UA.EDU>
Subject: Re: ICSF - PKDS Operations

I understand your confusion. We switched to the new panel in 2010 with HCR7780.

Option 2 is meant for refreshing to a PKDS when the current master keys on the 
cards match. Option 5 is meant for refreshing to a PKDS when the new MKs on the 
cards match the PKDS.

Eric Rossman
---------------------------------
ICSF Security Architect
z/OS Security
---------------------------------

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of 
Frank Swarbrick
Sent: Friday, May 23, 2025 2:18 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [EXTERNAL] ICSF - PKDS Operations

We are migrating to a new mainframe management provider with a new mainframe, 
so we need to load the DES and RSA master keys on to the cryptographic 
co-processor.  Our instructions are based on a prior version of z/OS, so some 
things have changed.  We're now on z/OS 2.5.  For the most part I've been able 
to determine which new functions map to the documented ones, but I'm unclear on 
which of the new options maps to old option "REFRESH PKDS".  These are the ones 
I am seeing now:

---------------------------- ICSF - PKDS Operations ------
COMMAND ===>

Enter the number of the desired option.

  1  Initialize an empty PKDS and activate master keys
         KDSR format? (Y/N) ===> Y
  2  Refresh - Activate a PKDS
  3  Update an existing PKDS
  4  Update an existing PKDS and activate master keys
  5  Refresh and activate master keys

Enter the name of the PKDS below.

  PKDS ===>

Press ENTER to execute your option.
Press END   to exit to the previous menu.

Thanks,
Frank


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN
