Note: No refresh is required for keys that are generated by the ICSF panel or callable services.

Note: The archived KDS name cannot be the same name as the active KDS name or new KDS name.

Note: This method cannot be used to change the CKDS format (for example, non-KDSR to KDSR).

---------------------------- ICSF - CKDS Management --------------------------- OPTION ===> 7 Enter the number of the desired option. 1 CKDS OPERATIONS - Initialize a CKDS, activate a different CKDS, (Refresh), or update the header of a CKDS and make it active 2 REENCIPHER CKDS - Reencipher the CKDS prior to changing a symmetric master key 3 CHANGE SYM MK - Change a symmetric master key and activate the reenciphered CKDS 4 COORDINATED CKDS REFRESH - Perform a coordinated CKDS refresh 5 COORDINATED CKDS CHANGE MK - Perform a coordinated CKDS change master key 6 COORDINATED CKDS CONVERSION - Convert the CKDS to use KDSR record format 7 CKDS KEY CHECK - Check key tokens in the active CKDS for format errors

---------------------------- ICSF - CKDS Management --------- CHECK SUCCESSFUL OPTION ===> Enter the number of the desired option. 1 CKDS OPERATIONS - Initialize a CKDS, activate a different CKDS,

Note: If clear keys are in your CKDS, the clear keys are made available in the dumped data set. If you secure (encrypted) keys are in your CKDS, the keys remain encrypted in the dumped data set. Protected keys are not applicable to the CKDS because they are stored in ICSF protected memory only.

Note: Clear keys are never returned from the CKDS by way of any of the ICSF callable services. Only secure (encrypted) keys are returned. This result is by design to prevent disclosure of clear key material.

HCR77C1 -------------- Integrated Cryptographic Service Facility ------ OPTION ===> 5 System Name: SC74 Crypto Domain: 3 Enter the number of the desired option. 1 COPROCESSOR MGMT - Management of Cryptographic Coprocessors 2 KDS MANAGEMENT - Master key set or change, KDS Processing 3 OPSTAT - Installation options 4 ADMINCNTL - Administrative Control Functions 5 UTILITY - ICSF Utilities

------------------------------- ICSF - Utilities ----------------- OPTION ===> 5 Enter the number of the desired option. 1 ENCODE - Encode data 2 DECODE - Decode data 3 RANDOM - Generate a random number 4 CHECKSUM - Generate a checksum and verification and hash pattern 5 CKDS KEYS - Manage keys in the CKDS 6 PKDS KEYS - Manage keys in the PKDS 7 PKCS11 TOKEN - Management of PKCS11 tokens

Tip: Ensure that you have READ access to CSFBRCK CL(CSFSERV).

------------------------------- ICSF - CKDS KEYS ---------------------------- OPTION ===> 1 Active CKDS: SYS1.SC60NEW.SCSFCKDS Keys: 19 Enter the number of the desired option. 1 List and manage all records 2 List and manage records with label key type leave blank for

---------------------------- ICSF - CKDS KEYS List --------- Row 1 to 12 of 1 COMMAND ===> SCROLL ===> PAG Active CKDS: SYS1.SC60NEW.SCSFCKDS Keys: 12 Action characters: A, D, K, M, P, R See the help panel for details. Status characters: - Active A Archived I Inactive Select the records to be processed and press ENTER When the list is incomplete and you want to see more labels, press ENTER Press END to return to the previous menu A S Label Displaying 1 to 12 of 12 Key Type ----------------------------------------------------------------------------- _ - AAAA.FIRST.KEY DATA _ - DATASET.ENCRYPTKEY.001 DATA _ - DATASET.PE01.TEST DATA _ A DATASET.PE03.AC01 DATA _ - KEYLABEL.ANDY.COU1 DATA _ - KEYLABEL.THOMAS.LIU DATA _ - NOSTANDARD.NAMING.CONVENTION DATA _ - PE01.TEST DATA _ I PE01.TEST.ACCESS.KEY DATA _ A PE01.TEST.KEY DATA _ - PE03.SECURE.KEY DATA _ - SC60.TL.AES.EXPORTER.KEY EXPORTER

Note: Ensure that data set encryption keys are always defined as DATA keys.

Note: The ability to archive, recall, and prohibit archive require the KDSR CKDS format.

------------------- ICSF - CKDS Key Attributes and Metadata ------------------- COMMAND ===> SCROLL ===> PAGE Active CKDS: SYS1.SC60NEW.SCSFCKDS Label: DATASET.PE03.AC01 DATA Record status: Active (Archived, Active, Pre-active, Deactivated) Select an action: 1 Modify one or more fields with the new values specified 2 Delete the record ------------------------------------------------------------------------------- More: - Key Attributes Key value is not encrypted Algorithm: AES Key type: DATA Length (bits): 256 Key check value: 16124C ENC-ZERO Key Usage: ENCIPHER DECIPHER

Active CKDS: SYS1.SC60NEW.SCSFCKDS Label: DATASET.PE03.AC01 DATA Record status: Active (Archived, Active, Pre-active, Deactivated) Select an action: 1 Modify one or more fields with the new values specified 2 Delete the record ------------------------------------------------------------------------------- YYYYMMDD YYYYMMDD Record creation date: 20171120 Update date: 00000000 Cryptoperiod start date: 00000000 New value: Cryptoperiod end date: 00000000 New value: Date the record was last used: 20171120 New value: Service called when last used: CSFSAE Date the record was recalled: 00000000 Date the record was archived: 00000000 Archived flag: FALSE New value: Prohibit archive flag: FALSE New value: