One way to move from AES128 to AES256 is to set the AESENC control option to AESENC(256) and restart Top Secret.
However, in production environments running 24x7 it is not possible to recycle TSS.
This article explains how to move from AES128 to AES256 in a shared environment where two TSS instances share the secfile and TSS cannot be recycled.
The environment is 2 LPARs with 2 TSS sharing a secfile initialized with AES128.
Process to move from AES128 to AES256 with a rolling IPL:
Note: When the security file is shared, all systems sharing the file must use the same encryption.
1. Run TSSMAINT to initialize a new security file with AES256ENCRYPT for AES 256 encryption.
2. Run TSSXTEND to copy the current security file to the new security file. TSSXTEND should be run against a backup of the security file.
3. Shut down LPAR1.
4. IPL LPAR1 with the sysplex option off, so there is no connection to the XCF structure. (Update TSS in LPAR1 before starting it to use the new secfile initialized with AES256.)
(TSS in LPAR2 still uses the old secfile.)
5. Shut down and IPL LPAR2. (Update TSS in LPAR2 before starting it to use the new secfile initialized with AES256.)
6. TSS in LPAR1 and TSS in LPAR2 now share the new secfile.
7. If everything is fine, reactivate the sysplex parm.
Note: To keep the old and new secfiles from getting out of sync, this process requires that no administration is done in TSS on LPAR2 between IPLs.