IBM Z Hardware and Operating Systems Ideas Portal



Status Not under consideration
Workspace z/OS
Categories ICSF
Created by Guest
Created on Jun 23, 2022

ICSF: quick rollback to the old master key in case of problems with the coordinated change Master Key

Normally we load the 2 parts of the MK from the TKE. Then, from ICSF, we use the option Coordinated xKDS change MK. This process changes the new MK in all systems of the sysplex (re-encipher included). This process seems very robust.

But in case you have to back out the change, you have to reload the old MK in TKE and repeat the process.

Would it be possible to roll back from the Old Master key register from ICSF without having to use TKE again?
Idea priority Medium
  • Guest
    Jun 24, 2022
    Thank you for the idea. I understand your issue, but ICSF cannot perform a "backwards" reencipher of a KDS. There are a few issues:

    1) ICSF has no knowledge of the master key values, so we cannot move the Old Master Key to the New Master Key to enable a fresh reencipher without additional coprocessor capabilities,
    2) tokens created after the original re-encipher would be unusable if the CMK was moved to the NMK and the OMK moved to the CMK,
    3) the original Old Master Key value would be forever lost, so there is no way to revert back to the original state, and finally
    4) loading master keys using a TKE is a signed command, and "undoing" that with an unsigned operation from the ICSF host would weaken the security of the system.

    We spoke with our friends in TKE and they recommended this procedure:

    Please consider using this feature of the TKE. Many clients do this today. Go to the TKE Configuration Migration Tasks application and collect data from the HSM prior to the CCMK event. Collect data from more than one HSM if different HSMs have different settings. If something goes wrong, go back to the TKE Configuration Migration Tasks application and apply the data to any HSMs that should be reset. The apply feature does allow you to apply the settings from one HSM to all the HSMs in a domain group.