Converting Top Secret Security File From Triple DES Encryption To AES Encryption With Least Business Impact

Article ID: 17632

Products

Top Secret

Issue/Introduction

The Top Secret documentation on converting the encryption method from DES3 to AES states the following:

To convert a security file from Triple-DES encryption to AES encryption:

  • Run TSSMAINT to initialize a new security file and to specify the AESENCRYPT option.

  • Run TSSXTEND to copy the old security file to the new security file.

Note: AES encryption is a non-shared environment option.

Do you also need to change the PWENC Control Option to AES (currently set at DES3)? What impact on the system, if any, would there be for this type of effort?

Resolution

To have the least impact:

  1. Format the security file ahead of time using VSAMDEF3, TSSMAIND and TSSMAINS. The new security file must be equal to or larger than your current security file. Run a TSSFAR SFSSTATS job to determine what to specify for the TSSMAIND input parameters, which will help you calculate how much space you will need. Then run TSSMAINS to actually format the security file.

    If you need the dataset name and volume to be the same, then you cannot format the security file ahead of time since Top Secret will be active and using the security file with the same dataset name and volume.

  2. Run TSSXTEND and use the backup security file as input. Never copy the primary security file while it is actively being used by Top Secret. Before running TSSXTEND, issue a TSS MODIFY BACKUP command to trigger an immediate backup, so that you have the latest snapshot of the security file at the time of the backup.

  3. When you are ready to bring up Top Secret with AES encryption, update your Top Secret started task to point to the new security file and update the Top Secret parameter file to activate AES encryption.

  4. Do a temporary shutdown of Top Secret and restart Top Secret.

These steps will cause the least business impact, since CA Top Secret is running while you prepare it for AES encryption.