00C (12) | A key identifier was passed to a service or
token. It is checked in detail to ensure that it is a valid token,
and that the fields within it are valid values. There is a token validation
value (TVV) in the token, which is a non-cryptographic value. This
value was again computed from the rest of the token, and compared
to the stored TVV. If these two values are not the same, this reason
code is returned.
User action: The contents
of the token have been altered since it was created by ICSF or
TSS. Review your program to see how this could have been caused. |
016 (22) | The ID number in the request field
is not valid. The PAN data is incorrect for VISA CVV. |
017 (23) | Offset length not correct for data
to be inserted. |
018 (24) | A key identifier was passed to a service. The
master key verification pattern in the token shows that the key was
created with a master key that is neither the current master key nor
the old master key. Therefore, it cannot be reenciphered to the current
master key.
User action: Re-import the key
from its importable form (if you have it in this form), or repeat
the process you used to create the operational key form. If you cannot
do one of these, you cannot repeat any previous cryptographic process
that you performed with this token.
REASONCODES:
ICSF 2714 (10004) |
019 (025) | A length parameter has an incorrect value. The
value in the length parameter could have been zero (when a positive
value was required) or a negative value. If the supplied value was
positive, it could have been larger than your installation’s
defined maximum, or for MDC generation with no padding, it could have
been less than 16 or not an even multiple of 8.
User
action: Check the length you specified. If necessary, check your
installation’s maximum length with your ICSF administrator.
Correct the error. |
01D (29) | A key identifier was passed to a service or
token. It is checked in detail to ensure that it is a valid token,
and that the fields within it are valid values. There is a token validation
value (TVV) in the token, which is a non-cryptographic value. This
value was again computed from the rest of the token, and compared
to the stored TVV. If these two values are not the same, this reason
code is returned.
User action: The contents
of the token have been altered since it was created by ICSF or
TSS. Review your program to see how this could have been caused.
REASONCODES: ICSF 2710 (10000) |
01E (30) | A key label was supplied for a key identifier
parameter. This label is the label of a key in the in-storage CKDS
or the PKDS. Either the key could not be found, or a key record with
that label and the specific type required by the ICSF callable service
could not be found. For a retained key label, this error code is also
returned if the key is not found in the PCICC, PCIXCC, CEX2C,
or CEX3C specified in the PKDS record.
User
action: Check with your administrator if you believe that this
key should be in the in-storage CKDS or the PKDS. The administrator
may be able to bring it into storage. If this key cannot be in storage,
use a different label.
REASONCODES: ICSF
271C (10012) |
01F (31) | The control vector did not specify a DATA key.
REASONCODES: ICSF 272C (10028) |
020 (32) | You called the CKDS key
record create callable service, but the key_label parameter
syntax was incorrect.
User action: Correct key_label syntax.
REASONCODES: ICSF 3EA0 (16032) |
021 (33) | The rule_array parameter contents
or a parameter value is not correct.
User action:
Refer to the rule_array parameter described in this publication under
the appropriate callable service for the correct value.
REASONCODES: ICSF 7E0 (2016) |
022 (34) | A rule_array keyword combination
is not valid.
REASONCODES: ICSF 7E0 (2016) |
023 (35) | The rule_array_count parameter
contains a number that is not valid.
User action:
Refer to the rule_array_count parameter described in
this publication under the appropriate callable service for the correct
value.
REASONCODES: ICSF 7DC (2012) |
027 (39) | A control vector violation occurred.
REASONCODES: This reason code also corresponds to
these ICSF reason codes: 272C (10028), 2730 (10032), 2734 (10036),
2744 (10052), 2768 (10088), 278C (10124), 3E90 (16016), 2724 (10020). |
028 (40) | The service code does not contain numerical
data.
REASONCODES: ICSF BE0 (3040) |
029 (41) | The key_form parameter is neither
IM nor OP. Most constants, these included, can be supplied in lower
or uppercase. Note that this parameter is 4 bytes long, so the value
IM or OP is not valid. They must be padded on the right with blanks.
User action: Review the value provided and change
it to IM or OP, as required. |
02A (42) | The expiration date is not numeric (X'F0' through X'F9').
The parameter must be character representations of numerics or hexadecimal
data.
User action: Review the numeric parameters
or fields required in the service that you called and change to the
format and values required.
REASONCODES:
ICSF BE0 (3040) |
02B (43) | The value specified for the key_length parameter
of the key generate callable service is not valid.
User
action: Review the value provided and change it as appropriate.
REASONCODES: See also the ICSF reason code 80C (2060)
or 2710 (10000) for additional information. |
02C (44) | The CKDS key record create
callable service requires that the key created not already exist in
the CKDS. A key of the same label was found.
User
action: Make sure the application specifies the correct label.
If the label is correct, contact your ICSF security administrator
or system programmer. |
02D (45) | An input character is not in the code table.
User action: Correct the code table or the source
text. |
02F (47) | A source key token is unusable because it contains
data that is not valid or undefined.
REASONCODES:
This reason code also corresponds to these ICSF reason codes: 83C
(2108), 2754 (10068), 2758 (10072), 275C (10076), 2AFC (11004), 2B04
(11012), 2B08 (11016), 2B10 (11024). Please see those reason codes
for additional information. |
030 (48) | One or more keys has a master key verification
pattern that is not valid.
This reason code also corresponds to
these ICSF reason codes: 2714 (10004) and 2B0C (11020). Please see
those reason codes for additional information. |
031 (49) | Key identifiers contain a version number. The
version number in a supplied key identifier (internal or external)
is inconsistent with one or more fields in the key identifier, making
the key identifier unusable.
User action:
Use a token containing the required version number.
REASONCODES: ICSF 2738 (10040) |
033 (51) | The encipher and decipher callable services
sometimes require text (plaintext or ciphertext) to have a length that
is an exact multiple of 8 bytes. Padding schemes always create ciphertext
with a length that is an exact multiple of 8. If you want to decipher
ciphertext that was produced by a padding scheme, and the text length
is not an exact multiple of 8, then an error has occurred. The CBC
mode of enciphering requires a text length that is an exact multiple
of 8.
The ciphertext translate callable service cannot process
ciphertext whose length is not an exact multiple of 8.
The value
that the text_length parameter specifies is
not a multiple of the cryptographic algorithm block length.
User action: Review the requirements of the service
you are using. Either adjust the text you are processing or use another
process rule. |
038 (56) | The master key verification pattern in the OCV
is not valid. |
03D (61) | The keyword supplied with the key_type parameter
is not valid.
REASONCODES: This reason code
also corresponds to these ICSF reason codes: 2720 (10016), 2740 (10048),
274C (10060). Please see those reason codes for additional information. |
03E (62) | The source key was not found.
REASONCODES:
ICSF 271C (10012) |
03F (63) | This check is based on the first byte in the
key identifier parameter. The key identifier provided is either an
internal token, where an external or null token was required; or an
external or null token, where an internal token was required. The
token provided may be none of these, and, therefore, the parameter
is not a key identifier at all. Another cause is specifying a key_type of
IMP-PKA for a key in importable form.
User action:
Check the type of key identifier required and review what you have
provided. Also check that your parameters are in the required sequence.
REASONCODES: ICSF 7F8 (2040) |
040 (64) | The supplied private key can be used only for
digital signature. Key management services are disallowed.
User action: Supply a key with key management enabled.
OR
This
service requires an RSA private key that is for signature use. The
specified key may be used for key management purposes only.
User action: Re-invoke the service with a supported
private key.
OR
This service requires an RSA private
key that is translatable. The specified key may not be used in the
PKA Key Translate callable service.
User
action: Re-invoke the service with a supported private key. To
make a key translatable, XLATE-OK must be turned on. |
041 (65) | The RSA public or private key specified a modulus
length that is incorrect for this service.
User
action: Re-invoke the service with an RSA key with the proper
modulus length.
REASONCODES: ICSF 2B18
(11032) and 2B58 (11096) |
042 (66) | The recovered encryption block was not a valid
PKCS-1.2 or zero-pad format. (The format is verified according to
the recovery method specified in the rule-array.) If the recovery
method specified was PKCS-1.2, refer to PKCS-1.2 for the possible
error in parsing the encryption block.
User action:
Ensure that the parameters passed to CSNDSYI or CSNFSYI are
correct. Possible causes for this error are incorrect values for the
RSA private key or incorrect values in the RSA_enciphered_key parameter,
which must be formatted according to PKCS-1.2 or zero-pad rules when
created.
REASONCODES: ICSF 2B20 (11040) |
043 (67) | DES or RSA encryption failed. |
044 (68) | DES or RSA decryption failed. |
046 (70) | Identifier tag for optional block is invalid:
conflicts with IBM reserved tag, is a duplicate to a tag already found,
is bad in combination with a tag already found when parsing a section
of optional blocks, or is otherwise invalid.
User
action: Check the TR-31 key block header for correctness. |
048 (72) | The value specified for length parameter for
a key token, key, or text field is not valid.
User
action: Correct the appropriate length field parameter.
REASONCODES: This reason code also corresponds to
these ICSF reason codes: 2AF8 (11000) and 2B14 (11028). Please see
those reason codes for additional information. |
05A (90) | Access is denied for this request. This is due
to an access control point in the ICSF role either being disabled
or an access control point being enabled that restricts the use of
a parameter such as a rule array keyword.
User
action: Check the reference information for the callable service
to determine which access control points are involved in the request.
Contact the ICSF administrator to determine if the access control
points are in the correct state. The access control points can be
enabled/disabled using the TKE workstation. |
064 (100) | A request was made to the Clear PIN generate
or Encrypted PIN verify callable service, and the PIN_length parameter
has a value outside the valid range. The valid range is from 4 to
16, inclusive.
User action: Correct the value
in the PIN_length parameter to be within the valid range
from 4 to 16.
REASONCODES: ICSF BBC (3004) |
065 (101) | A request was made to the Clear PIN generate
callable service, and the PIN_check_length parameter
has a value outside the valid range. The valid range is from 4 to
16, inclusive.
User action: Correct the value
in the PIN_check_length parameter to be within the
valid range from 4 to 16.
REASONCODES:
ICSF BC0 (3008) |
066 (102) | The value of the decimalization table is not
valid.
REASONCODES: ICSF BE0 (3040) |
067 (103) | The value of the validation date is not valid.
REASONCODES: ICSF BE0 (3040) |
068 (104) | The value of the customer-selected PIN is not
valid or the PIN length does not match the value specified.
REASONCODES: ICSF BE0 (3040) |
069 (105) | A request was made to the Clear PIN generate
callable service, and the PIN_check_length parameter
has a value outside the valid range. The valid range is from 4 to
16, inclusive.
User action: Correct the value
in the PIN_check_length parameter to be within the
valid range from 4 to 16.
REASONCODES:
ICSF BE0 (3040) |
06A (106) | A request was made to the Encrypted PIN Translate
or the Encrypted PIN verify callable service, and the PIN block value
in the input_PIN_profile or output_PIN_profile parameter
has a value that is not valid.
User action:
Correct the PIN block value. |
06B (107) | A request was made to the Encrypted PIN Translate
callable service and the format control value in the input_PIN_profile or output_PIN_profile parameter
has a value that is not valid. The valid values are NONE or PBVC.
User action: Correct the format control value to
either NONE or PBVC. |
06C (108) | The value of the PAD data is not valid.
REASONCODES: ICSF BC8 (3016) |
06D (109) | The extraction method keyword is not valid. |
06E (110) | The value of the PAD data is not numeric character
data.
REASONCODES: ICSF BE0 (3040) |
06F (111) | A request was made to the Encrypted PIN Translate
callable service. The sequence_number parameter was required,
but was not the integer value 99999.
User action:
Specify the integer value 99999. |
074 (116) | The supplied PIN value is incorrect.
User action: Correct the PIN value.
REASONCODES: ICSF BBC (3004) |
079 (121) | The source_key_identifier or inbound_key_identifier you
supplied is not a valid string.
User action:
In an ANSI X9.17 service, check that you specified a valid ASCII string
for the source_key_identifier or inbound_key_identifier parameter. In
the PKA key generate service, an invalid exponent or modulus length
was specified. |
07A (122) | The outbound_KEK_count or inbound_KEK_count you
supplied is not a valid ASCII hexadecimal string.
User
action: Check that you specified a valid ASCII hexadecimal string
for the outbound_KEK_count or inbound_KEK_count parameter. |
081 (129) | A Required Rule Array keyword was not specified.
User action: Refer to the rule_array parameter
described in this publication under the appropriate callable service
for the correct value. |
09A (154) | This check is based on the first byte in the
key identifier parameter. The key identifier provided is either an
internal token, where an external or null token was required; or an
external or null token, where an internal token was required. The
token provided may be none of these, and, therefore, the parameter
is not a key identifier at all. Another cause is specifying a key_type of
IMP-PKA for a key in importable form.
User action:
Check the type of key identifier required and review what you have
provided. Also check that your parameters are in the required sequence.
REASONCODES: ICSF 7F8 (2040) |
09B (155) | The value that the generated_key_identifier parameter
specifies is not valid, or it is not consistent with the value that
the key_form parameter specifies. |
09C (156) | A keyword is not valid with the specified parameters.
REASONCODES: ICSF 2790 (10128) |
09D (157) | The rule_array parameter contents
are incorrect.
User action: Refer to the rule_array parameter
described in this publication under the appropriate callable service
for the correct value.
REASONCODES: ICSF
7E0 (2016) |
09F (159) | A parameter requires a Rule Array keyword that
is not specified.
User action: Refer to the rule_array parameter described in this publication
under the appropriate callable service for the correct value. |
0A0 (160) | The key_type and the key_length are not
consistent.
User action: Review the key_type parameter
provided and match it with the key_length parameter. |
0A2 (162) | A request was made to the Remote Key Export
callable service, and the certificate_parms parameter contains
incorrect values. One or more of the offsets and/or lengths for the
modulus, public exponent, and/or digital signature would indicate
overlap between two or all three of the fields within the certificate parameter.
User Action: Correct the values in the certificate_parms
parameter to indicate the actual offsets and lengths of the modulus,
public exponent, and digital signature within the certificate parameter. |
0A4 (164) | Two parameters (perhaps the plaintext and ciphertext
areas, or text_in and text_out areas) overlap
each other. That is, some part of these two areas occupy the same
address in memory. This condition cannot be processed.
User
action: Determine which two areas are responsible, and redefine
their positions in memory. |
0A5 (165) | The contents of a chaining vector passed to
a callable service are not valid. If you called the MAC generation
callable service, or the MDC generation callable service with a MIDDLE
or LAST segmenting rule, the count field has a number that is not
valid. If you called the MAC verification callable service, then this
will have been a MIDDLE or LAST segmenting rule.
User
action: Check to ensure that the chaining vector is not modified
by your program. The chaining vector returned by ICSF should only
be used to process one message set, and not intermixed between alternating
message sets. This means that if you receive and process two or more
independent message streams, each should have its own chaining vector.
Similarly, each message stream should have its own key identifier.
If
you use the same chaining vector and key identifier for alternating
message streams, you will not get the correct
processing performed.
REASONCODES: ICSF
7F4 (2036) |
0B4 (180) | A null key token was passed in the key identifier
parameter. When the key type is TOKEN, a valid token is required.
User action: Supply a valid token to the key identifier
parameter. |
0B5 (181) | This check is based on the first byte in the
key identifier parameter. The key identifier provided is either an
internal token, where an external or null token was required; or an
external or null token, where an internal token was required. The
token provided may be none of these, and, therefore, the parameter
is not a key identifier at all. Another cause is specifying a key_type of
IMP-PKA for a key in importable form.
User action:
Check the type of key identifier required and review what you have
provided. Also check that your parameters are in the required sequence.
This
reason code also corresponds to these ICSF reason codes: 7F8 (2040),
2B24 (11044) and 3E98 (16024). Please see those reason codes for additional
information. |
0B7 (183) | A cross-check of the control vector the key
type implies has shown that it does not correspond with the control
vector present in the supplied internal key identifier.
User action: Change either the key type or key identifier.
REASONCODES: ICSF 273C (10044) |
0B8 (184) | An input pointer is null. |
0CC (204) | A memory allocation failed. |
14F (335) | The requested function is not implemented on
the coprocessor. |
154 (340) | One of the input control vectors
has odd parity. |
157 (343) | Either the data block or the buffer
for the block is too small. |
159 (345) | Insufficient storage space exists
for the data in the data block buffer. |
15A (346) | The requested command is not valid
in the current state of the cryptographic hardware component. |
176 (374) | Less data was supplied than expected
or less data exists than was requested.
REASONCODES:
ICSF 7D4 (2004) and ICSF 7E0 (2016) |
181 (385) | The cryptographic hardware component
reported that the data passed as part of the command is not valid
for that command. |
197 (407) | A PIN block consistency check error
occurred.
REASONCODES: ICSF BC8 (3016) |
1B9 (441) | One or more input parameters indicates the key
to be processed should be partial, but the key is not partial according
to the CV or other control bits of the key.
User
action: Check that the partial key option of any input parameters
is consistent with the partial key setting of any key tokens being
used. |
25D (605) | The number of output bytes is greater
than the number that is permitted. |
2BF (703) | A new master key value was found to be one of
the weak DES keys. |
2C0 (704) | The new master key would have the same master
key verification pattern as the current master key. |
2C1 (705) | The same key-encrypting key was specified for
both exporter keys. |
2C2 (706) | While deciphering ciphertext that had been created
using a padding technique, it was found that the last byte of the
plaintext did not contain a valid count of pad characters.
Note
that some cryptographic processing has taken place, and the clear_text parameter
may contain some or all of the deciphered text.
User
action: The text_length parameter was not reduced.
Therefore, it contains the length of the base message, plus the length
of the padding bytes and the count byte. Review how the message was
padded prior to being enciphered. The count byte that is not valid
was created prior to the message’s encipherment.
You may
need to check whether the ciphertext was not created using a padding
scheme. Otherwise, check with the creator of the ciphertext on the
method used to create it. You could also look at the plaintext to
review the padding scheme used, if any.
REASONCODES:
ICSF 7EC (2028) |
2C3 (707) | The master key registers are not in the state
required for the requested function.
User action:
Contact your ICSF administrator. |
2CA (714) | A reserved parameter was not a null pointer
or an expected value.
REASONCODES: ICSF 844
(2116) |
2CB (715) | You supplied a pad_character that
is not valid for a Transaction Security System compatibility parameter for which ICSF supports
only one value; or, you supplied a KEY keyword and a non-zero master_key_version_number in
the Key Token Build service; or, you supplied a non-zero regeneration
data length for a DSS key in the PKA Generate service.
User action: Check that you specified the valid
value for the TSS compatibility parameter.
REASONCODES:
ICSF 834 (2100) |
2CF (719) | The RSA-OAEP block did not verify when it decomposed.
The block type is incorrect (must be X'03').
User
action: Recreate the RSA-OAEP block.
REASONCODES:
ICSF 2B38 (11064) |
2D0 (720) | The RSA-OAEP block did not verify when it decomposed.
The random number I is not correct (must be non-zero with the high-order
bit equal to zero).
User action: Recreate
the RSA-OAEP block.
REASONCODES: ICSF
2B40 (11072) |
2D1 (721) | The RSA-OAEP block did not verify when it decomposed.
The verification code is not correct (must be all zeros).
User action: Recreate the RSA-OAEP block.
REASONCODES: ICSF 2B3C (11068) |
2F8 (760) | The RSA public or private key specified a modulus
length that is incorrect for this service.
User
action: Re-invoke the service with an RSA key with the proper
modulus length.
REASONCODES: ICSF 2B48
(11080) |
302 (770) | A reserved field in a parameter, probably a
key identifier, has a value other than zero.
User
action: Key identifiers should not be changed by application
programs for other uses. Review any processing you are performing
on key identifiers and leave the reserved fields in them at zero.
This
reason code also corresponds to these ICSF reason codes: 7E8 (2024)
and 2B00 (11008). Please see those reason codes for additional information.
REASONCODES: ICSF 2B00 (11008) |
30F (783) | The command is not permitted by the Function
Control Vector value.
REASONCODES: ICSF Return
code 12, reason code 2B0C (11020) |
401 (1025) | Registered public key or retained private key
name already exists. |
402 (1026) | Registered public key or retained private key
name does not exist. |
405 (1029) | There is an error in the Environment Identification
data. |
40B (1035) | The signature does not match the certificate
signature during an RKX call.
User Action: Check
that the key used to check the signatures is the correct one. |
41A (1050) | A KEK RSA-enciphered at this node (EID) cannot
be imported at this same node. |
41C (1052) | Token identifier of the trusted block's
header section is in the range 0x20 to 0xFF.
User
Action: Check the token identifier of the trusted block. |
41D (1053) | The Active flag in the trusted block's trusted
block section 0x14 is not disabled.
User Action: Use
the trusted block create callable service to create an inactive/external
trusted block. |
41E (1054) | Token identifier of the trusted block's header
section is not 0x1E (external).
User Action: Use
the trusted block create callable service to create an inactive/external
trusted block. |
41F (1055) | The Active flag of the trusted block's trusted
block section 0x14 is not enabled.
User Action: Use
the trusted block create callable service to create an active/external
trusted block. |
420 (1056) | Token identifier of the trusted block's header
section is not 0x1F (internal).
User Action: Use
the PKA public key import callable service to import the trusted block. |
421 (1057) | Trusted block rule section 0x12 Rule ID does
not match input parameter rule ID.
User Action: Verify
the trusted block used has the rule section specified. |
422 (1058) | Trusted block contains a value that is too small/too
large. |
423 (1059) | A trusted block parameter that must have a value
of zero (or a grouping of bits set to zero) is invalid. |
424 (1060) | Trusted block public key section failed consistency
checking. |
425 (1061) | Trusted block contains extraneous sections or
subsections (TLVs).
User Action: Check the
trusted block for undefined sections or subsections. |
426 (1062) | Trusted block contains missing sections or subsections
(TLVs).
User Action: Check the trusted block
for required sections and subsections applicable to the callable service
invoked. |
427 (1063) | Trusted block contains duplicate sections or
subsections (TLVs).
User Action: Check the
trusted block's sections and subsections for duplicates. Multiple
rule sections are allowed. |
428 (1064) | Trusted block expiration date has expired (as
compared to the 4764 clock).
User Action: Validate
the expiration date in the trusted block's trusted information section's
Activation and Expiration Date TLV Object. |
429 (1065) | Trusted block expiration date is at a date prior
to the activation date.
User Action: Validate
the expiration date in the trusted block's trusted information section's
Activation and Expiration Date TLV Object. |
42A (1066) | Trusted Block Public Key Modulus bit length
is not consistent with the byte length. The bit length must be less
than or equal to byte length * 8 and greater than (byte length -
1) * 8. |
42B (1067) | Trusted block Public Key Modulus Length in bits
exceeds the maximum allowed bit length as defined by the Function
Control Vector. |
42C (1068) | One or more trusted block sections or TLV Objects
contained data which is invalid (an example would be invalid label
data in label section 0x13). |
42D (1069) | Trusted block verification was attempted by
a function other than CSNDDSV, CSNDKTC, CSNDKPI, CSNDRKX, or CSNDTBC. |
42E (1070) | Trusted block rule ID contained within a Rule
section contains invalid characters. |
42F (1071) | The source key's length or CV does not match
what is expected by the rule section in the trusted block that was
selected by the rule ID input parameter. |
430 (1072) | The activation data is not valid.
User Action: Validate the activation data in the
trusted block's trusted information section's Activation and Expiration
Date TLV Object. |
431 (1073) | The source-key label does not match the
template in the export key DES token parameters TLV object of the
selected trusted block rule section. |
432 (1074) | The control-vector value specified in
the common export key parameters TLV object in the selected rule section
of the trusted block contains a control vector that is not valid. |
433 (1075) | The source-key label template in the
export key DES token parameters TLV object in the selected rule section
of the trusted block contains a label template that is not valid. |
7D1 (2001) | TKE: DH generator
is greater than the modulus. |
7D2 (2002) | TKE: DH registers
are not in a valid state for the requested operation. |
7D3 (2003) | TKE: TSN does not
match TSN in pending change buffer. |
7D4 (2004) | A length parameter
has an incorrect value. The value in the length parameter could have
been zero (when a positive value was required) or a negative value.
If the supplied value was positive, it could have been larger than
your installation’s defined maximum, or for MDC generation with
no padding, it could have been less than 16 or not an even multiple
of 8.
User action: Check the length you specified.
If necessary, check your installation’s maximum length with your ICSF administrator.
Correct the error.
REASONCODES: TSS 019
(025) |
7D5 (2005) | TKE: PCB data exceeds
maximum data length. |
7D8 (2008) | Two parameters (perhaps
the plaintext and ciphertext areas, or text_in and text_out areas)
overlap each other. That is, some part of these two areas occupy the
same address in memory. This condition cannot be processed.
User action: Determine which two areas are responsible,
and redefine their positions in memory.
REASONCODES:
TSS 0A4 (164) |
7D9 (2009) | TKE: ACI can not load
both loads and profiles in one call. |
7DA (2010) | TKE: ACI can only
load one role or one profile at a time. |
7DB (2011) | TKE: DH transport
key algorithm match. |
7DC (2012) | The rule_array_count parameter
contains a number that is not valid.
User action:
Refer to the rule_array_count parameter described in
this publication under the appropriate callable service for the correct
value.
REASONCODES: TSS 023 (035) |
7DD (2013) | TKE: Length of hash
pattern for keypart is not valid for DH transport key algorithm specified. |
7DE (2014) | TKE: PCB buffer is
empty. |
7DF (2015) | An error occurred in the Domain Manager. |
7E0 (2016) | The rule_array parameter
contents are incorrect. One or more of the rules specified are
not valid for this service OR some of the rules specified together
may not be combined.
User action: Refer
to the rule_array parameter described in this publication
under the appropriate callable service for the correct value. |
7E2 (2018) | The form parameter
specified in the random number generate callable service should be
ODD, EVEN, or RANDOM. One of these values was not supplied.
User action: Change your parameter to use one of
the required values for the form parameter.
REASONCODES: TSS 021 (033) |
7E3 (2019) | TKE: Signature in
request CPRB did not verify. |
7E4 (2020) | TKE: TSN in request
CPRB is not valid. |
7E8 (2024) | A reserved field in
a parameter, probably a key identifier, has a value other than zero.
User action: Key identifiers should not be changed
by application programs for other uses. Review any processing you
are performing on key identifiers and leave the reserved fields in
them at zero. |
7EB (2027) | TKE: DH transport
key hash pattern doesn't match. |
7EC (2028) |
While deciphering
ciphertext that had been created using a padding technique, it was
found that the last byte of the plaintext did not contain a valid
count of pad characters. Note that all cryptographic processing has
taken place, and the clear_text parameter contains the
deciphered text.
When deciphering ciphertext that had been created
using Galois/Counter Mode (GCM) either through PKCS #11 Secret key
decrypt (CSFPSKD or CSFPSKD6) or Symmetric Key Decipher (CSNBSYD,
CSNBSYD1, CSNESYD, or CSNESYD1), the GCM tag provided did not match
the data provided. No cleartext was returned.
User
action: The text_length parameter was not reduced.
Therefore, it contains the length of the base message, plus the length
of the padding bytes and the count byte. Review how the message was
padded prior to it being enciphered. The count byte that is not valid
was created prior to the message’s encipherment.
You may
need to check whether the ciphertext was not created using a padding
scheme. Otherwise, check with the creator of the ciphertext on the
method used to create it. You could also look at the plaintext to
review the padding scheme used, if any.
If using GCM, verify
that the parameters provided (ciphertext, additional authenticated
data, and tag) match those provided to, or returned from, the corresponding
call to PKCS #11 Secret key encrypt (CSFPSKE or CSFPSKE6) or Symmetric
Key Encipher (CSNBSYE, CSNBSYE1, CSNESYE, or CSNESYE1).
REASONCODES: TSS 2C2 (706) |
7ED (2029) | TKE: Request data
block hash does not match hash in CPRB. |
7EE (2030) | TKE: DH supplied hash
length is not correct. |
7EF (2031) | Reply data block too
large. |
7F0 (2032) | The key_form, key_type_1,
and key_type_2 parameters for the key generate callable
service form a combination, a three-element string. This combination
is checked against all valid combinations. Your combination was not
found among this list.
User action: Check
the allowable combinations described for each parameter in Key Generate
callable service and correct the appropriate parameter(s). |
7F1 (2033) | TKE: Change type does
not match PCB change type. |
7F4 (2036) | The contents of a
chaining vector or the chaining data passed to a callable
service are not valid. If you called the MAC generation callable service,
or the MDC generation callable service with a MIDDLE or LAST segmenting
rule, the count field has a number that is not valid. If you called
the MAC verification callable service, then this will have been a
MIDDLE or LAST segmenting rule. If you called the Symmetric Key
Encipher, Symmetric Key Decipher, PKCS#11 Secret Key Encrypt or PKCS
#11 Secret Key Decrypt, the chaining data passed is unusable, either
because a CONTINUE or FINAL was not preceded by an INITIAL or CONTINUE,
or because an attempt was made to continue chaining calls after a
partial block has been processed.
User action:
Check to ensure that the chaining vector or chaining data is
not modified by your program. The chaining vector or chaining
data returned by ICSF should only be used to process one message
set, and not intermixed between alternating message sets. This means
that if you receive and process two or more independent message streams,
each should have its own chaining vector. Similarly, each message
stream should have its own key identifier.
If you use the same
chaining vector and key identifier for alternating message streams,
you will not get the correct processing performed.
REASONCODES: TSS 0A5 (165) |
7F6 (2038) | No RSA private key
information was provided in the supplied token.
User
action: Check that the token supplied was of the correct type
for the service. |
7F8 (2040) | This check is based
on the first byte in the key identifier parameter. The key identifier
provided is either an internal token, where an external or null token
was required; or an external or null token, where an internal token
was required. The token provided may be none of these, and, therefore,
the parameter is not a key identifier at all. Another cause is specifying
a key_type of IMP-PKA for a key in importable form.
User action: Check the type of key identifier required
and review what you have provided. Also check that your parameters
are in the required sequence.
REASONCODES:
TSS 03F (063) and TSS 09A (154) |
7FC (2044) | The caller must be in task mode, not SRB mode. |
800 (2048) | The key_form is
not valid for the key_type.
User action:
Review the key_form and key_type parameters.
For a key_type of IMP-PKA, the secure key import callable
service supports only a key_form of OP. |
802 (2050) | A UKPT keyword was
specified, but there is an error in the PIN_profile key
serial number.
User action: Correct the PIN
profile key serial number. |
803 (2051) | Invalid message length
in OAEP-decoded information. |
804 (2052) | A single-length key,
passed to the secure key import callable service in the clear_key parameter,
must be padded on the right with binary zeros. The fact that it is
a single-length key is identified by the key_form parameter,
which identifies the key as being DATA, MACGEN, MACVER, and so on.
User action: If you are providing a single-length
key, pad the parameter on the right with zeros. Alternatively, if
you meant to pass a double-length key, correct the key_form parameter
to a valid double-length key type. |
805 (2053) | No message found in
OAEP-decoded information. |
806 (2054) | Invalid RSA enciphered
key cryptogram; OAEP optional encoding parameters failed validation. |
807 (2055) | The RSA public key
is too small to encrypt the DES key. |
808 (2056) | The key_form parameter
is neither IM nor OP. Most constants, these included, can be supplied
in lower or uppercase. Note that this parameter is 4 bytes long, so
the value IM or OP is not valid. They must be padded on the right
with blanks.
User action: Review the value
provided and change it to IM or OP, as required.
REASONCODES:
TSS 029 (041) |
80C (2060) | The value specified
for the key_length parameter of the key generate
callable service is not valid.
User action:
Review the value provided and change it as appropriate.
REASONCODES: TSS 02B (043) |
810 (2064) | The key_type and
the key_length are not consistent.
User action:
Review the key_type parameter provided and match it with
the key_length parameter.
REASONCODES:
TSS 0A0 (160) |
811 (2065) | A null key token was not specified for a key
identifier parameter.
User action: Check
the service description and determine which key identifier parameter
must be a null token. |
813 (2067) | TKE: A key part register
is in an invalid state. This includes the case where an attempt is
made to load a FIRST key part, but a register already contains a key
or key part with the same key name.
User action:
Supply a different label name for the key part register or clear the
existing key part register with the same label name. |
814 (2068) | You supplied a key
identifier or token to the key generate, key import, multiple
secure key import, key export, or CKDS key
record write callable service. This key identifier holds an importer
or exporter key, and the NOCV bit is on in the token. Only programs
running in supervisor state or in a system key (key 0–7) may
provide a key identifier with this bit set on. Your program was not
running in supervisor state or a system key.
User
action: Either use a different key identifier, or else run in
supervisor state or a system key. |
815 (2069) | TKE: The control vector
in the key part register does not match the control vector in the
key structure. |
816 (2070) | TKE: All key part
registers are already in use.
User action:
Either free existing key part registers by loading keys from ICSF
or clearing selected key part registers from TKE or select another PCIXCC,
CEX2C, or CEX3C for loading the key part register. |
817 (2071) | TKE: The key part
hash pattern supplied does not match the hash pattern of the key part
currently in the register. |
818 (2072) | A request was made
to the key generate callable service to generate double-length keys
of SINGLE effective length, in the IMEX form. This request is valid
only if the KEK_key_identifier_1 parameter identifies
a NOCV importer, and the caller (wrongly) supplies a CV importer.
The combination of IMEX for the key_form parameter and
a CV importer key-encrypting key can only be used for single-length
keys.
User action: Either use a key identifier
that holds (or identifies) a NOCV importer, or specify a single-length
key in the key_type parameter. |
81B (2075) | TKE: The length of
the key part received is different from the length of the accumulated
value already in the key part register. |
81C (2076) | A request was made
to the key import callable service to import a single-length key.
However, the right half of the key in the source_key_identifier parameter
is not zeros. Therefore, it appears to identify the right half of
a double-length key. This combination is not valid. This error does
not occur if you are using the word TOKEN in the key_type parameter.
User action: Check that you specified the value
in the key_type parameter correctly, and that you are
using the correct or corresponding source_key_identifier parameter. |
81D (2077) | TKE: An error occurred
storing or retrieving the key part register data.
User
action: Verify that the selected PCIXCC, CEX2C, or CEX3C is
functioning correctly and retry the operation. |
81F (2079) | An encrypted symmetric
key token was passed to the service. Either an encrypted key token
is not supported for this service (CSNDPKE) or the required hardware
is not present (CSNBSYD and CSNBSYE). |
824 (2084) | The key token is not
valid for the CSNBTCK service. If the source_key_identifier is
an external token, then the KEK_key_identifier cannot
be marked as CDMF.
User action: Correct the
appropriate key identifiers. |
828 (2088) | The origin_identifier or destination_identifier you
supplied is not a valid ASCII hexadecimal string.
User
action: Check that you specified a valid ASCII string for the origin_identifier or destination_identifier parameter. |
829 (2089) | The algorithm does
not match the algorithm of the key identifier.
User
action: Make sure the rule_array keywords specified
are valid for the type of key specified. Refer to the rule_array parameter
described in this publication under the appropriate callable service
for the valid values. |
82C (2092) | The source_key_identifier or inbound_key_identifier you
supplied in an ANSI X9.17 service is not a valid ASCII hexadecimal
string.
User action: Check that you specified
a valid ASCII string for the source_key_identifier or inbound_key_identifier parameter.
REASONCODES: TSS 079 (121) |
82D (2093) | Key identifiers contain
a version number. The version number in a supplied key identifier
(internal or external) is inconsistent with one or more fields in
the key identifier, making the key identifier unusable.
User action: Use a token containing the required
version number. |
82F (2095) | The value in the key_form parameter is incompatible with the value
in the key_type parameter.
User
action: Ensure compatibility of the selected parameters. |
830 (2096) | The outbound_KEK_count or inbound_KEK_count you
supplied is not a valid ASCII hexadecimal string.
User
action: Check that you specified a valid ASCII hexadecimal string
for the outbound_KEK_count or inbound_KEK_count parameter.
REASONCODES: TSS 07A (122) |
831 (2097) | The value in the key_identifier_length parameter is incompatible
with the value in the key_type parameter.
User action: Ensure compatibility of the selected
parameters. |
832 (2098) | Either a key bit length
that was not valid was found in an AES key token (length not 128,
192, or 256 bits) or a version X'01' DES token had a token-marks
field that was not valid. |
833 (2099) | Encrypted key length
in an AES key token was not valid when an encrypted key is present
in the token. |
834 (2100) | You supplied a pad_character that
is not valid for a Transaction Security System compatibility parameter for which ICSF supports
only one value; or, you supplied a KEY keyword and a non-zero master_key_version_number in
the Key Token Build service; or, you supplied a non-zero regeneration
data length for a DSS key in the PKA Generate service.
User action: Check that you specified the valid
value for the TSS compatibility parameter.
REASONCODES:
TSS 2CB (715) |
838 (2104) | An input character
is not in the code table.
User action: Correct
the code table or the source text.
REASONCODES:
TSS 02D (045) |
83C (2108) | An unused field must
be binary zeros, and an unused key identifier field generally must
be zeros.
User action: Correct the parameter
list.
REASONCODES: TSS 02F (047) |
83F (2111) | There is an inconsistency between the wrapping
information in the key token and the request to wrap a key. |
840 (2112) | The length is incorrect
for the key type.
User action: Check the key
length parameter. DATA keys may have a length of 8, 16, or 24. DATAXLAT
and MAC keys must have a length of 8. All other keys should have a
length of 16. Also check that the parameters are in the required sequence. |
841 (2113) | A key token contains
invalid payload.
User action: Recreate the
key token. |
844 (2116) | Parameter contents
or a parameter value is not correct.
User action:
Specify a valid value for the parameter.
REASONCODES:
TSS 021 (033) |
846 (2118) | Invalid value(s) in TR-31 key block header.
User action: Check the TR-31 key block header for
correctness. Also check that the PADDING optional block is the last
optional block in a set of optional blocks. |
847 (2119) | "Mode" value in the TR-31 header is
invalid or is not acceptable in the chosen operation.
User
action: Check the TR-31 key block header for correctness. |
849 (2121) | "Algorithm" value in the TR-31 header
is invalid or is not acceptable in the chosen operation.
User action: Check the TR-31 key block header for
correctness. |
84A (2122) | If importing a TR-31 key block, the exportability
byte in the TR-31 header contains a value that is not supported.
If exporting a TR-31 key block, the requested exportability is inconsistent
with the key block. For example, a 'B' Key Block Version ID
key can only be wrapped by a KEK that is wrapped in CBC mode; an
ECB mode KEK violates ANSI X9.24.
User action: Check
the TR-31 key block header for correctness. |
84B (2123) | The length of the cleartext key in the TR-31
block is invalid; for example, the algorithm is "D" for single-DES
but the key length is not 64 bits.
User action: Check
that the values in the TR-31 header are consistent with the key fields. |
84D (2125) | The Key Block Version ID in the TR-31 header
contains an invalid value.
User action: Check
the TR-31 key block header for correctness. |
84E (2126) | The key usage field in the TR-31 header contains
a value that is not supported for import of the key into CCA.
User action: Check the TR-31 key block header for
correctness. |
84F (2127) | The key usage field in the TR-31 header contains
a value that is not valid with the other parameters in the header.
User action: Check the TR-31 key block header for
correctness. |
851 (2129) | A parameter to a TR-31 service such as a TR-31
key block, a set of optional blocks, or a single optional block contains
invalid characters. It may be that the parameter contains EBCDIC characters
when ASCII is expected or vice-versa, or the wrong characters were
found in a field which only accepts a limited range of characters.
For example some length fields can be populated by characters '0'
- '9' and 'A' - 'F', while other length fields can only contain characters
'0' - '9'.
User action: Check the TR-31
parameters for correctness. |
852 (2130) | The CV carried in the TR-31 key block optional
blocks is inconsistent with other attributes of the key.
User action: Check the TR-31 key block header for
correctness. |
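The TR-31 rows above (846 through 851) describe header checks that an application can run before a key block reaches a callable service. The following is an added Python example, not IBM or ICSF code: the 16-character header layout and the allowed version, algorithm, mode and exportability characters are taken from the published TR-31 format rather than from this page, the pairing of each check with a reason code is an assumption inferred from the row descriptions, and the sample key blocks are constructed.

```python
"""Pre-flight checks on a TR-31 key block header, reported as ICSF reason codes."""

# Assumptions (not stated on this page): the header layout and the allowed
# characters follow the published TR-31 key block format, and the pairing of
# each check with a decimal reason code is inferred from the table rows.
HEADER_LEN = 16
VERSION_IDS = set("ABCD")
ALGORITHMS = set("ADEHRST")
MODES = set("BCDEGNSTVXY")
EXPORTABILITY = set("ENS")
DEC = set("0123456789")
HEX = DEC | set("ABCDEF")


def check_tr31_header(block: bytes) -> list:
    """Return [(reason_code, message), ...] for a key block; [] when nothing is flagged."""
    if len(block) < HEADER_LEN:
        return [(2118, "shorter than the 16-character header")]
    # Every EBCDIC letter and digit is X'81' or above, so a high bit means the
    # caller passed EBCDIC (or binary) where ASCII was expected.
    if any(b >= 0x80 for b in block):
        return [(2129, "non-ASCII bytes, possibly EBCDIC")]
    text = block.decode("ascii")
    findings = []
    if text[0] not in VERSION_IDS:
        findings.append((2125, f"key block version ID {text[0]!r}"))
    if text[7] not in ALGORITHMS:
        findings.append((2121, f"algorithm {text[7]!r}"))
    if text[8] not in MODES:
        findings.append((2119, f"mode {text[8]!r}"))
    if text[11] not in EXPORTABILITY:
        findings.append((2122, f"exportability {text[11]!r}"))
    length, n_opt = text[1:5], text[12:14]
    if not set(length + n_opt) <= DEC:
        # These two fields accept '0'-'9' only; hexadecimal digits are rejected.
        findings.append((2129, "length or block-count field is not decimal"))
        return findings  # the optional blocks cannot be walked without them
    if int(length) != len(block):
        findings.append((2118, "length field does not match the block"))
    if text[14:16] != "00":
        findings.append((2118, "reserved field is not '00'"))
    # Walk the optional blocks: 2-character ID, 2 hexadecimal length characters
    # (the length counts the ID and length fields themselves), then the data.
    pos, ids = HEADER_LEN, []
    for _ in range(int(n_opt)):
        head = text[pos:pos + 4]
        if len(head) < 4:
            findings.append((2118, "optional block count runs past the end"))
            break
        if not set(head[2:]) <= HEX:
            findings.append((2129, f"optional block {head[:2]!r} length is not hexadecimal"))
            break
        size = int(head[2:], 16)
        if size < 4 or pos + size > len(text):
            findings.append((2118, f"optional block {head[:2]!r} has a bad length"))
            break
        ids.append(head[:2])
        pos += size
    if "PB" in ids[:-1]:
        findings.append((2118, "PADDING block is not the last optional block"))
    return findings


def opt_block(block_id: str, data: str) -> str:
    """Build one optional block with its own hexadecimal length field."""
    return f"{block_id}{len(data) + 4:02X}{data}"


def sample_block(version="B", usage="P0", alg="T", mode="E", exp="E", opts=()) -> bytes:
    """Constructed sample; the 48 zeros are filler, not a real cryptogram or MAC."""
    tail = "".join(opts) + "0" * 48
    total = HEADER_LEN + len(tail)
    head = f"{version}{total:04d}{usage}{alg}{mode}00{exp}{len(opts):02d}00"
    return (head + tail).encode("ascii")


KS = opt_block("KS", "00604B120F9292800000")  # constructed key-set identifier
PB = opt_block("PB", "0000")                  # constructed padding block

GOOD = sample_block(opts=[KS, PB])
PB_FIRST = sample_block(opts=[PB, KS])        # PADDING block not last
BAD_MODE = sample_block(mode="Q")             # 'Q' is not a defined mode
EBCDIC = GOOD.decode("ascii").encode("cp037") # same block in EBCDIC code page 037
HEX_LENGTH = b"B00A0" + GOOD[5:]              # hexadecimal digit in a decimal field

if __name__ == "__main__":
    for name in ("GOOD", "PB_FIRST", "BAD_MODE", "EBCDIC", "HEX_LENGTH"):
        print(name, check_tr31_header(globals()[name]))
```

Key usage values and the cleartext key length (reason codes 84E, 84F and 84B) are not checked here, because they depend on the target key type and on the wrapped payload.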
853 (2131) | The MAC validate step failed for a parameter.
This may result from tampering, corruption, or attempting to use a
different key to validate the MAC from the one used to generate it.
User action: Check each parameter which includes
a MAC for correctness. If the parameter is wrapped by a key-encrypting-key
(KEK), ensure that the correct KEK is supplied. |
856 (2134) | The requested PIN decimalization table does
not exist or no PIN decimalization tables have been stored in the
coprocessor. |
857 (2135) | The supplied PIN decimalization table is not
in the list of active tables stored in the coprocessor. |
85E (2142) | This code can be generated for the following
reasons:
- On a call to Key Generate2, either or both of the key usage fields
for generated_key_identifier_1 and generated_key_identifier_2 contain incorrect values
or are in conflict. See Table 40 for the valid combinations.
- On a call to Key Translate2 using the REFORMAT Encipherment rule
and providing a variable-length AES token, the key usage fields for input_key_token contain disallowed values or prohibit
the operation.
User action: Call Key Generate2 or Key
Translate2 using key tokens whose key usage fields contain a valid
combination. |
85F (2143) | On a call to Key Translate2 using the REFORMAT
Encipherment rule and providing a variable-length AES token, the key
management fields for input_key_token contain disallowed values or
prohibit the operation.
User action: Call
Key Translate2 using a key token whose key-management fields contain
allowed values. |
861 (2145) |
When exporting a key under an AES KEK, it
was found that the KEK was weaker than the key being wrapped. This
operation is disallowed because the "Variable-length Symmetric
Token - disallow weak wrap" access control point is enabled.
User action: If weak key wrapping is to be allowed,
disable access control point "Variable-length Symmetric Token - disallow
weak wrap" using the TKE workstation. |
863 (2147) | The key type that was to be generated by this
callable service is not valid.
User action: Refer
to the parameters described in this publication under the appropriate
callable service for the correct parameter values. |
865 (2149) | The key that was to be generated by this callable
service is stronger than the input material.
User
action: Validate that the key material is at least as strong as
the key to be generated. |
86A (2154) | At least one key token passed to this callable
service does not have the required key type for the specified function.
User action: Refer to the parameters described in
this publication under the appropriate callable service for the correct
parameter values. |
86E (2156) | Multiple ECC tokens were passed to this callable
service. The curve types of all the token parameters do not match.
User action: Check that the curve types of the input
ECC tokens are the same. |
871 (2161) | The requested or default wrapping method conflicts
with one or both input tokens.
User action:
On the call to the CVV Key Combine service, make sure that the desired
wrapping method (either specified as a rule_array keyword
or the default wrapping method) is consistent with the wrapping method
of the input token(s). For example, an input token that can only be
wrapped in the enhanced method (ENH-ONLY flag on in the CV) cannot
produce an output token wrapped in the original method (ECB mode). |
BB9 (3001) | SET block decompose
service was called with an encrypted OAEP block with a block contents
identifier that indicates a PIN block is present. No PIN encrypting
key was supplied to process the PIN block. The block contents identifier
is returned in the block_contents_identifier parameter.
User action: Supply a PIN encrypting key and resubmit
the job. |
BBB (3003) | An output parameter
is too short to hold the output of the request. The length parameter
for the output parameter has been updated with the required length
for the request.
User action: Update the size
of the output parameter and length specified in the length field and
resubmit the request. |
BBC (3004) | A request was made
to the Clear PIN generate or Encrypted PIN verify callable service,
and the PIN_length parameter has a value outside the valid
range. The valid range is from 4 to 16, inclusive.
User
action: Correct the value in the PIN_length parameter
to be within the valid range from 4 to 16.
REASONCODES:
TSS 064 (100) |
BBE (3006) | The UDX verb in the PCICC,
PCIXCC, CEX2C, or CEX3C is not authorized to be executed. |
BC0 (3008) | A request was made
to the Clear PIN generate callable service, and the PIN_check_length parameter
has a value outside the valid range. The valid range is from 4 to
16, inclusive.
User action: Correct the value
in the PIN_check_length parameter to be within the
valid range from 4 to 16.
REASONCODES:
TSS 065 (101) |
BC1 (3009) | For PKCS #11 attribute
processing, an attribute has been specified in the template that is
not consistent with another attribute of the object being created
or updated.
User action: Correct the template
for the object. |
BC3 (3011) | The CRT value (p,
q, Dp, Dq or U) is longer than the length allowed by the parameter
block for clear key processing on an accelerator. A modulus whose
length is less than or equal to 1024 bits is 64 bytes in length.
A modulus whose length is greater than 1024 bits but less than or
equal to 2048 bits is 128 bytes in length.
User
action: Reconfigure CEX2A as a CEX2C or CEX3A as a CEX3C to make
use of the key (if the CRT value is not in error and there is no CEX2C
or CEX3C installed).
REASONCODES: TSS
065 (101) |
BC4 (3012) | A request was made
to the Clear PIN generate callable service to generate a VISA-PVV
PIN, and the trans_sec_parm field has a value outside
the valid range. The field being checked in the trans_sec_parm is
the key index, in the 12th byte. This trans_sec_parm field
is part of the data_array parameter.
User
action: Correct the value in the key index, held within the trans_sec_parm field
in the data_array parameter, to hold a number from the
valid range.
REASONCODES: TSS 069 (105) |
BC5 (3013) | The AES clear key
value LRC in the token failed validation.
User
action: Correct the AES clear key value.
REASONCODES:
TSS 06A (106) |
BC8 (3016) | A request was made
to the Encrypted PIN Translate or the Encrypted PIN verify callable
service, and the PIN block value or PADDIGIT value in the input_PIN_profile or output_PIN_profile parameter
has a value that is not valid.
User action:
Correct the PIN block value.
REASONCODES:
TSS 06A (106) |
BCB (3019) | The call to insert
or delete a z/OS PKCS #11 token object failed because the token was
not found in the TKDS data space or a request to delete a PKCS #11
session object failed because the token was not found in the session
data space. |
BCC (3020) | For a PKCS #11 callable
service, the PKCS #11 object specified is the incorrect class for
the request.
User action: Specify the correct
class of object for the service. |
BCD (3021) | The call to add a
z/OS PKCS #11 token failed because the token already exists in the
TKDS data space or a request to add a z/OS PKCS #11 token object failed
because an object with the same handle already exists. |
BCE (3022) | The call to add or
update a z/OS PKCS #11 token object failed because the supplied attributes
are too large to be stored in the TKDS. |
BD0 (3024) | A request was made
to the Encrypted PIN Translate callable service and the format control
value in the input_PIN_profile or output_PIN_profile parameter
has a value that is not valid. The valid values are NONE or PBVC.
User action: Correct the format control value to
either NONE or PBVC.
REASONCODES: TSS
06B (107) |
BD1 (3025) | The call to create
a list of z/OS PKCS #11 tokens, a list of objects of a z/OS PKCS #11 token,
the information for a z/OS PKCS #11 token or the attributes of a PKCS
#11 object failed because the length of the output field was insufficient
to hold the data. The length field has been updated with the length
of a single list or entry, token information or object attributes. |
BD2 (3026) | The z/OS PKCS #11
token or object handle syntax is invalid. |
BD3 (3027) | The call to read or
update a z/OS PKCS #11 token or token object failed because the token
or object was not found in the TKDS data space, or the call to
read or update a PKCS #11 session object failed because the object
was not found. |
BD4 (3028) | A request was made
to the Clear PIN generate callable service. The clear_PIN supplied
as part of the data_array parameter for a GBP-PINO request
begins with a zero (0). This value is not valid.
User
action: Correct the clear_PIN value.
REASONCODES:
TSS 074 (116) |
BD5 (3029) | For PKCS #11 attribute
processing, an invalid attribute was specified in the template. The
attribute is neither a PKCS #11 nor a vendor-specified attribute
supported by this implementation of PKCS #11.
User
action: Correct the template by removing the invalid attribute
or changing the attribute to a valid attribute. |
BD6 (3030) | An invalid value was
specified for a particular PKCS #11 attribute in a template when creating
or updating an object. |
BD7 (3031) | The certificate specified
in creating a PKCS #11 certificate object was not properly encoded. |
BD9 (3033) | The attribute template
for creating or updating a PKCS #11 object was incomplete. Required
attributes for the object class were not specified in the template. |
BDA (3034) | The call to modify
PKCS #11 object attributes failed because the CKA_MODIFIABLE attribute
was set to false when the object was recreated. |
BDB (3035) | For PKCS #11 attribute
processing, an attribute was specified in the template which can not
be set or updated by the application. See z/OS Cryptographic Services ICSF Writing PKCS #11 Applications for
a definition of attributes that can be set or updated by the application.
User action: Remove the offending attribute from
the template. |
BDC (3036) | A request was made
to the Encrypted PIN Translate callable service. The sequence_number parameter
was required, but was not the integer value 99999.
User
action: Specify the integer value 99999.
REASONCODES:
TSS 06F (111) |
BDE (3038) | For a PKCS #11 callable
service, the attributes of the PKCS #11 object specified do not permit
the requested function.
User action: Specify
an object that permits the requested function. |
BDF (3039) | For a PKCS #11 callable
service, where a PKCS #11 key object is required, the specified object
is not of the correct key type for the requested function.
User action: Specify an object that is the correct
class of key. |
BE0 (3040) | The PAN, expiration
date, service code, decimalization table data, validation data, or
pad data is not numeric (X'F0' through X'F9'). The
parameter must be character representations of numerics or hexadecimal
data.
User action: Review the numeric parameters
or fields required in the service that you called and change to the
format and values required.
REASONCODES:
TSS 028 (040), TSS 02A (042), TSS 066 (102), TSS 067 (103), TSS 068
(104), TSS 069 (105), TSS 06E (110) |
BE1 (3041) | PKCS #11 wrap key
callable service failed because the wrapping key object is not of
the correct class to wrap the key specified to be wrapped.
User action: Specify a wrapping key object of the
correct class to wrap the key object. |
BE3 (3043) | PKCS #11 wrap key
callable service failed because the key object to be wrapped does
not exist or the key class does not match the wrapping mechanism.
User action: Specify an existing key object that
is correct for the wrapping mechanism. |
BE4 (3044) | A PKCS #11 session
data space is full. The request to create or update an object failed
and the object was not created or updated.
User
action: Delete unused session objects and cryptographic state
objects from incomplete chained operations to create space for new
or updated objects. |
BE5 (3045) | PKCS #11 wrap key
callable service failed because the key object to be wrapped has CKA_EXTRACTABLE
set to false.
User action: Specify another
key object that can be extracted. |
BE7 (3047) | A clear key was provided when a secure key was
required.
User action: Correct the appropriate
key identifier. |
BEA (3050) | A caller is attempting
to overwrite one token type with another (for example, AES over DES). |
BEC (3052) | A clear key token
was supplied to a service where a secure token is required. |
BED (3053) | A service was called with no parameter list,
but a parameter list was expected.
User action:
Call the service with a parameter list. |
BEE (3054) | A request was made to a callable service with
a key token wrapped with the enhanced X9.24 CBC method. Tokens wrapped
with the enhanced method are not supported by this release of ICSF.
User action: Contact your ICSF administrator to
resolve which key token is to be used. |
BF5 (3061) | The provided asymmetric key identifier can not
be used for the requested function. PKA Key Management Extensions
have been enabled by a CSF.PKAEXTNS.ENABLE profile in the XFACILIT
class. A CSFKEYS profile covering the key includes an ICSF segment,
and the ASYMUSAGE field of that segment restricts the key from being
used for the specified function.
An SMF type 82 subtype 27 record
is logged in the SMF database. |
BF6 (3062) | The provided symmetric key identifier can not
be exported using the provided asymmetric key identifier. PKA Key
Management Extensions have been enabled by a CSF.PKAEXTNS.ENABLE profile
in the XFACILIT class. A CSFKEYS or XCSFKEY profile covering the symmetric
key includes an ICSF segment and the SYMEXPORTABLE field of that segment
places restrictions on how the key can be exported. The SYMEXPORTABLE
field either specifies BYNONE, or else specifies BYLIST but the provided
asymmetric key identifier is not one of those permitted to export
the symmetric key (as identified by the SYMEXPORTCERTS or SYMEXPORTKEYS
fields).
An SMF type 82 subtype 27 record is logged to the SMF database. |
BF7 (3063) | ICSF key store policy
checking is active. The request failed the ICSF token policy check
because the caller is not authorized to the label for the token in
the key data set (CKDS or PKDS). The request is not allowed to continue
because the token check policy is in FAIL mode.
SMF type 82 subtype
25 records are logged in the SMF dataset. An SMF type 80 with event
code qualifier of ACCESS is logged.
The policy is defined
by the CSF.CKDS.TOKEN.CHECK.LABEL.FAIL resource or the CSF.PKDS.TOKEN.CHECK.LABEL.FAIL
resource in the XFACILIT class. |
BF8 (3064) | ICSF key store policy
checking is active. The specified token does not exist in the key
data set (CKDS or PKDS as appropriate). The CSF-CKDS-DEFAULT or CSF-PKDS-DEFAULT
resource in the CSFKEYS class is either not defined or the caller
is not authorized to the CSF-CKDS-DEFAULT or CSF-PKDS-DEFAULT resource.
The resource is not in WARNING mode, so the request is not allowed
to continue.
An SMF type 80 record with event qualifier ACCESS
is logged indicating the request failed.
The policy is defined
by the CSF.CKDS.TOKEN.CHECK.DEFAULT.LABEL or the CSF.PKDS.TOKEN.CHECK.DEFAULT.LABEL
resource in the XFACILIT class. |
BF9 (3065) | ICSF token policy
checking is active. The caller is requesting to add a token to the
key data set (CKDS or PKDS as appropriate) that already exists within
the key data set. The request fails.
The policy is defined by the
CSF.CKDS.TOKEN.NODUPLICATES resource or the CSF.PKDS.TOKEN.NODUPLICATES
resource in the XFACILIT class. |
BFB (3067) | The provided symmetric key label refers to an
encrypted CCA key token, and the CSFKEYS profile covering it does
not allow its use in high performance encrypted key operations.
User action: Contact your ICSF or RACF administrator
if you need to use this key in calls to Symmetric Key Encipher (CSNBSYE)
or Symmetric Key Decipher (CSNBSYD). Otherwise, use Encipher (CSNBENC)
or Decipher (CSNBDEC) instead. |
BFC (3068) | A cryptographic operation using a specific PKCS
#11 key object is being requested. The key object has exceeded its
useful life for the operation requested. The request is not processed.
User action: Use a different key. |
BFD (3069) | A cryptographic operation that requires FIPS
140-2 compliance is being requested. Either ICSF has not been configured
to run in FIPS mode or the system environment does not support it.
The request is not processed.
User action: Contact
your ICSF administrator to request that ICSF be configured for either
FIPS standard mode or FIPS compatibility mode. |
BFE (3070) | A cryptographic operation that requires FIPS
140-2 compliance is being requested. The desired algorithm, mode,
or key size is not approved for FIPS 140-2. The request is not processed.
User action: Repeat the request using an
algorithm, mode, and/or key size approved for FIPS 140-2. Refer to z/OS Cryptographic Services ICSF Writing PKCS #11 Applications for this list of approved algorithms, modes,
and key sizes. |
BFF (3071) | An application using a z/OS PKCS #11 token that
is marked 'Write Protected' is attempting to do one of the
following:
- Store a persistent object in the token.
- Delete the token.
- Reinitialize the token.
ICSF always marks the session object only omnipresent token as 'Write
Protected.' ICSF will also mark an ordinary token 'Write
Protected' if it contains objects not supported by this release
of ICSF.
User action: Use a z/OS PKCS #11
token that is not marked 'Read Only' or, if this is an ordinary
token (not the omnipresent token), attempt the delete or reinitialization
from a different member of the sysplex. |
C04 (3076) | A symmetric key token was supplied in a key
identifier parameter which is wrapped using the enhanced X9.24 key
wrapping method. The token cannot be rewrapped to the original method
because the wrapping flag in the control vector prohibits this wrapping. |
C07 (3079) | A request was made to use a key token wrapped
with the X9.24 enhanced wrapping method introduced in HCR7780. Key
tokens wrapped with the enhanced method cannot be used on this release.
Also, key tokens wrapped with the enhanced method cannot be updated
or deleted from the CKDS on this release.
User
action: Run your application on a release that supports the enhanced
wrapping method. |
C08 (3080) | Use of an ECC token has been attempted. The
usage of this type of token is not supported on the release of ICSF
currently running.
User Action: Check the
ICSF release for support of this token type. |
C0B (3083) | The specified key token buffer length is of
insufficient size for the buffer to contain the output key token.
User action: Specify a key token buffer
that is large enough to receive the output key token. |
C0C (3084) | The key token associated with the specified
key label is not a DES or AES key token, but this callable service
is only compatible with DES and AES key tokens.
User
action: Either modify the program logic to utilize only key labels
for DES and/or AES key tokens, or use an ICSF callable service that
supports all of the symmetric key token types. |
C0D (3085) | Rule array keyword specifies a function not
supported by this hardware. For example, ECC specified in rule array
for PKA Key Token Change callable service but request is being executed
on a system that does not support ECC keys.
User
Action: Specify a different, supported, rule array keyword, or
execute the service on a system that supports the function. |
C0E (3086) | Specified token is not supported by this hardware.
For example, an ECC token is being used but request is being executed
on a system that does not support ECC keys.
User
Action: Specify a different, supported, token, or execute the
request on a system that supports the function. |
C0F (3087) | A coordinated KDS refresh was attempted to an
empty KDS. The new KDS of a coordinated KDS refresh must be initialized
and must contain the same MKVP values as the active KDS.
User action: Perform a coordinated KDS refresh using
a new KDS that is initialized and that contains the same MKVP values
as the active KDS. |
C10 (3088) | A coordinated KDS change master key was attempted
and either the new KDS or backup KDS contained a different LRECL attribute
from the active KDS. The new KDS and optionally the backup KDS must
contain the same LRECL attribute as the active KDS during a coordinated
KDS change master key.
User action: Perform
a coordinated KDS change master key using a new KDS and optionally
a backup KDS with the same LRECL attribute as the active KDS. |
C11 (3089) | The new KDS specified for a coordinated KDS
change master key was not empty when the operation began. The new
KDS must be empty before performing a coordinated KDS change master
key.
User action: Perform the coordinated
KDS change master key with a new KDS that is empty. |
C12 (3090) | The backup KDS specified for a coordinated KDS
change master key was not empty when the operation began. When using
the optional backup function, the backup KDS must be empty before
performing a coordinated KDS change master key.
User
action: Perform the coordinated KDS change master key with a
backup KDS that is empty. |
C13 (3091) | The new KDS specified for a coordinated KDS
refresh contains different MKVPs than the active KDS. In order to
perform a coordinated KDS refresh, the new KDS specified must contain
the same MKVPs as the active KDS.
User action: Perform
the coordinated KDS refresh with a new KDS that contains the same
MKVPs as the active KDS. |
C1F (3103) | The new KDS specified for either a coordinated
KDS refresh or coordinated KDS change master key is not a valid data
set name.
User action: Specify a valid data
set name for the new KDS when performing either a coordinated KDS
refresh or coordinated KDS change master key. |
C20 (3104) | The backup KDS specified for a coordinated KDS
change master key is not a valid data set name.
User
action: Specify a valid data set name for the backup KDS when
performing a coordinated KDS change master key. |
C21 (3105) | A coordinated KDS refresh or coordinated KDS
change master key was attempted while at least one ICSF instance in
the sysplex was below the HCR7790 FMID level. The coordinated KDS
refresh and coordinated KDS change master key functions are only available
when all ICSF instances in the sysplex, regardless of active KDS,
are running at the HCR7790 FMID level or higher.
User
action: Remove or upgrade ICSF instances in the sysplex that
are running below the HCR7790 FMID level and retry the function. |
C22 (3106) | Either a coordinated KDS refresh or coordinated
KDS change master key was attempted while another coordinated KDS
refresh or coordinated KDS change master key was still in progress.
The coordinated KDS function was initiated by this ICSF instance.
Only one coordinated KDS function may execute at a time in the sysplex.
User action: Wait for the previous coordinated
KDS function to complete and retry the function. |
C23 (3107) | A coordinated KDS change master key was attempted
using a new KDS with the same name as the active KDS. The new KDS
name must be different from the active KDS when performing a coordinated
KDS change master key.
User action: Specify
a new KDS with a different name from the active KDS and retry the
function. Coordinated KDS change master key requires the new KDS to
be allocated and match the same VSAM attributes as the active KDS. |
C24 (3108) | A coordinated KDS change master key was attempted
using a backup KDS with the same name as the active KDS. When using
the backup function, the backup KDS name must be different from the
active KDS when performing a coordinated KDS change master key.
User action: Specify a backup KDS with a different
name from the active KDS and retry the function. Coordinated KDS
change master key requires the backup KDS to be allocated and match
the same VSAM attributes as the active KDS. |
C25 (3109) | A coordinated KDS change master key was attempted
using a new KDS with the same name as the backup KDS. If a backup
KDS is specified, its name must be different from the new KDS.
User action: Specify a backup KDS with a different
name from the new KDS and retry the function. The backup KDS is optional.
Coordinated KDS change master key requires the new KDS, and optionally
the backup KDS, to be allocated and match the same VSAM attributes
as the active KDS. |
C26 (3110) | A coordinated KDS refresh or coordinated KDS
change master key was attempted using an archive KDS name that is
not valid.
User action: Specify a valid data
set name for the archive KDS and retry the function. The archive data
set name is optional. The optional archive KDS name must not exist
on the system prior to performing a coordinated KDS refresh or a coordinated
KDS change master key. |
C27 (3111) | A coordinated KDS change master key was attempted
using an archive KDS with the same name as the backup KDS. When using
the archive and backup functions, the archive KDS name must be different
from the backup KDS.
User action: Specify
an archive KDS with a different name from the backup KDS and retry
the function. The archive KDS name and the backup KDS are optional.
The archive KDS name must not exist on the system prior to performing
a coordinated KDS refresh or a coordinated KDS change master key.
The backup KDS must be allocated and match the same VSAM attributes
as the active KDS. |
C28 (3112) | A coordinated KDS refresh or a coordinated KDS
change master key was attempted using an archive KDS with the same
name as the active KDS. When using the archive function, the archive
KDS name must be different from the active KDS.
User
action: Specify an archive KDS with a different name from the
active KDS and retry the function. The archive KDS name must not exist
on the system prior to performing a coordinated KDS refresh or a coordinated
KDS change master key. |
C29 (3113) | A coordinated KDS refresh or a coordinated KDS
change master key was attempted using an archive KDS with the same
name as the new KDS. When using the archive function, the archive
KDS name must be different from the new KDS.
User
action: Specify an archive KDS with a different name than the
new KDS and retry the function. The archive KDS name must not exist
on the system prior to performing a coordinated KDS refresh or a coordinated
KDS change master key. |
C2A (3114) | Either a coordinated KDS refresh or coordinated
KDS change master key was attempted while another coordinated KDS
refresh or coordinated KDS change master key was still in progress.
The coordinated KDS function was initiated by another ICSF instance
in the sysplex. Only one coordinated KDS function may execute at a
time in the sysplex.
User action: Wait for
the previous coordinated KDS function to complete and retry the function. |
C30 (3120) | A coordinated KDS change master key was attempted
on an active KDS that was not initialized. The active KDS must be
initialized before performing a coordinated KDS change master key.
User action: Initialize the active KDS and
retry the function. |
C31 (3121) | The archive option was specified for a coordinated
KDS refresh of the active KDS. The archive option is only valid for
coordinated KDS refreshes to a new KDS or coordinated KDS change master
key.
User action: Do not specify an archive
data set when performing a coordinated KDS refresh of the active KDS. |
C3C (3132) | The archive data set name specified for coordinated
KDS refresh or coordinated KDS change master key is too long. The
archive data set name must allow enough space for renaming the KDS
VSAM data and index portions within 44 characters.
User
action: Specify a shorter name for the archive data set name
to allow enough space for renaming the KDS VSAM data and index portions
within 44 characters. The archive data set name is optional. When
specified, the archive data set name must not exist on the system
prior to performing the coordinated KDS function. |
C3D (3133) | During a coordinated KDS refresh or coordinated
KDS change master key with the archive option specified, the active
KDS could not be renamed to the archive data set name. This failure
occurred because the active KDS VSAM data and index suffix names were
not valid for performing the rename.
User action: Consider
alternate names for the active KDS VSAM data and index suffixes. The
archive data set name is optional. When specified, the archive data
set name must not exist on the system prior to performing the coordinated
KDS function. |
C3E (3134) | A coordinated KDS change master key attempted
to use a new KDS that is currently another sysplex member's active
KDS. Performing a coordinated KDS change master key to another sysplex
member's active KDS is not allowed as it would alter all sysplex members
configured in that sysplex KDS cluster (same active KDS).
User action: Specify a new KDS that is not currently
the active KDS of another sysplex member and retry the function. |
F9F (3999) | On a call to CKDS Key Record
Delete or CKDS Key Record Write2, the label refers
to a Variable-length Symmetric key token with an unrecognized algorithm
or key type in the associated data section. Only key tokens with a
recognized algorithm or key type can be managed on this release of
ICSF.
User action: Call CKDS Key
Record Delete or CKDS Key Record Write2 on a release
of ICSF which recognizes the algorithm and key type of this token. |
FA0 (4000) | The encipher and decipher
callable services sometimes require text (plaintext or ciphertext)
to have a length that is an exact multiple of 8 bytes. Padding schemes
always create ciphertext with a length that is an exact multiple of
8. If you want to decipher ciphertext that was produced by a padding
scheme, and the text length is not an exact multiple of 8, then an
error has occurred. The CBC mode of enciphering requires a text length
that is an exact multiple of 8.
The ciphertext translate callable
service cannot process ciphertext whose length is not an exact multiple
of 8.
User action: Review the requirements
of the service you are using. Either adjust the text you are processing
or use another process rule.
REASONCODES:
TSS 033 (051) |
1388 (5000) | Target cryptographic
module is not available in the configuration.
User
action: Correct the target cryptographic module parameter and
resubmit. |
138C (5004) | Format of the cryptographic
request message is not valid.
User action:
Correct the request and resubmit it. |
1390 (5008) | Length of the cryptographic
request message is not valid.
User action:
Message length of request must be nonzero, a multiple of eight, and
less than the system maximum. Correct the request and resubmit it. |
1782 (6018) | One or more of the parameters passed to this
callable service are in error.
User action: Refer
to the parameter descriptions in this publication under the appropriate
callable service to ensure the parameter values specified by your
application are valid. |
2710 (10000) | A key identifier was
passed to a service or token. It is checked in detail to ensure that
it is a valid token, and that the fields within it are valid values.
There is a token validation value (TVV) in the token, which is a non-cryptographic
value. This value was again computed from the rest of the token, and
compared to the stored TVV. If these two values are not the same,
this reason code is returned.
User action:
The contents of the token have been altered since it was created
by ICSF or TSS. Review your program to see how this could have been
caused.
REASONCODES: TSS 0C (12) and 1D
(29) |
2714 (10004) | A key identifier was
passed to a service. The master key verification pattern in the token
shows that the key was created with a master key that is neither the
current master key nor the old master key. Therefore, it cannot be
reenciphered to the current master key.
User action:
Re-import the key from its importable form (if you have it in this
form), or repeat the process you used to create the operational key
form. If you cannot do one of these, you cannot repeat any previous
cryptographic process that you performed with this token.
REASONCODES: TSS 030 (048) |
271C (10012) | A key label was supplied
for a key identifier parameter. This label is the label of a key in
the in-storage CKDS or the PKDS. Either the key could not be found,
or a key record with that label and the specific type required by
the ICSF callable service could not be found. For a retained key
label, this error code is also returned if the key is not found in
the PCICC, PCIXCC, CEX2C, or CEX3C specified in the PKDS
record.
User action: Check with your administrator
if you believe that this key should be in the in-storage CKDS or
the PKDS. The administrator may be able to bring it into storage.
If this key cannot be in storage, use a different label.
REASONCODES: TSS 01E (030) |
2720 (10016) | You specified a value
for a key_type parameter that is not an ICSF-defined
name.
User action: Review the ICSF key types
and use the appropriate one.
REASONCODES:
TSS 03D (061) |
2724 (10020) | You specified the
word TOKEN for a key_type parameter, but the corresponding
key identifier, which implies the key type to use, has a value that
is not valid in the control vector field. Therefore, a valid key type
cannot be determined.
User action: Review
the value that you stored in the corresponding key identifier. Check
that the value for key_type is obtained from the appropriate key_identifier parameter.
REASONCODES: TSS 027 (039) |
272C (10028) | Either the left half of the control vector in a key identifier
(internal or external) equates to a key type that is not valid for
the service you are using, or the value is not that of any ICSF control
vector. For example, an exporter key-encrypting key is not valid in
the key import callable service.
User action:
Determine which key identifier is in error and use the key identifier
that is required by the service.
REASONCODES:
TSS 027 (039) |
2730 (10032) | Either the right half of the control vector in a key identifier
(internal or external) equates to a key type that is not valid for
the service you are using, or the value is not that of any ICSF control
vector. For example, an exporter key-encrypting key is not valid in
the key import callable service.
User action:
Determine which key identifier is in error and use the key identifier
that is required by the service.
REASONCODES:
TSS 027 (039) |
2734 (10036) | Either the complete
control vector (CV) in a key identifier (internal or external) equates
to a key type that is not valid for the service you are using, or
the value is not that of any ICSF control vector.
The difference
between this and reason codes 10028 and 10032 is that each half of
the control vector is valid, but as a combination,
the whole is not valid. For example, the left half of the control
vector may be the importer key-encrypting key and the right half may
be the input PIN-encrypting (IPINENC) key.
User
action: Determine which key identifier is in error and use the
key identifier that is required by the service.
REASONCODES:
TSS 027 (039) |
2738 (10040) | Key identifiers contain
a version number. The version number in a supplied key identifier
(internal or external) is inconsistent with one or more fields in
the key identifier, making the key identifier unusable.
User action: Use a token containing the required
version number.
REASONCODES: TSS 031 (049) |
273C (10044) | A cross-check of the
control vector the key type implies has shown that it does not correspond
with the control vector present in the supplied internal key identifier.
User action: Change either the key type or key identifier.
REASONCODES: TSS 0B7 (183) |
2740 (10048) | The key_type parameter
does not contain one of the valid types for the service or the keyword
TOKEN.
User action: Check the supplied parameter
with the ICSF key types. If you supplied the keyword TOKEN, check
that you have padded it on the right with blanks.
REASONCODES:
TSS 03D (061) |
2744 (10052) | A null key identifier
was supplied and the key_type parameter contained the
word TOKEN. This combination of parameters is not valid.
User action: Use either a null key identifier or
the word TOKEN, not both.
REASONCODES:
TSS 027 (039) |
2748 (10056) | You called the key
import callable service. The importer key-encrypting key is a NOCV
importer and you specified TOKEN for the key_type parameter.
This combination is not valid.
User action:
Specify a value in the key_type parameter for the operational
key form. |
274C (10060) | You called the key
export callable service. A label was supplied in the key_identifier parameter
for the key to be exported and the key_type was TOKEN.
This combination is not valid because the service needs a key type
in order to retrieve a key from the CKDS.
User
action: Specify the type of key to be exported in the key_type parameter.
REASONCODES: TSS 03D (061) |
2754 (10068) | A flag in a key identifier
indicates the master key verification pattern (MKVP) is not present
in an internal key token. This setting is not valid.
User
action: Use a token containing the required flag values.
REASONCODES: TSS 02F (047) |
2758 (10072) | A flag in a key identifier
indicates the encrypted key is not present in an external token. This
setting is not valid.
User action: Use a token
containing the required flag values.
REASONCODES:
TSS 02F (047) |
275C (10076) | A flag in a key identifier
indicates the control vector is not present. This setting is not valid.
User action: Use a token containing the required
flag values.
REASONCODES: TSS 02F (047) |
2760 (10080) | An ICSF private
flag in a key identifier has been set to a value that is not valid.
User action: Use a token containing the required
flag values. Do not modify ICSF or the reserved flags for your own
use. |
2768 (10088) | If you supplied a
label in the key_identifier parameter, a record with the
supplied label was found in the CKDS, but the key type (CV) is not
valid for the service. If you supplied an internal key token for the key_identifier parameter,
it contained a key type that is not valid.
User
action: Check with your ICSF administrator if you believe that
this key should be in the in-storage CKDS. The administrator may be
able to bring it into storage. If this key cannot be in storage, use
a different label.
REASONCODES: TSS 027
(039) |
276C (10092) | You supplied a source
key that does not have odd parity and specified ENFORCE as the parity
rule on the rule_array parameter for either the ANSI X9.17
key export, ANSI X9.17 key import, or ANSI X9.17 key translate callable
service.
User action: Either supply an ODD
parity key or change the rule_array parameter to specify
a parity rule of IGNORE. |
2770 (10096) | The transport key
you specified is a single-length key, which cannot be used to encrypt
a double-length AKEK or (*KK).
User action:
Use a double-length AKEK for the transport key. |
2774 (10100) | You specified a transport
key that cannot be notarized and specified the keyword NOTARIZE in
the rule_array parameter. The transport key may have already
been partially notarized.
User action: Use
a transport key that allows notarization or change the rule_array parameter
keyword to CPLT-NOT. |
2778 (10104) | The AKEK you specified
is either partially notarized or is a partial AKEK, which is not valid
for this service.
User action: Use a correct
AKEK that is not partially notarized. A partially notarized key can
be used as a transport key if you specify CPLT-NOT in the rule_array parameter. |
277C (10108) | You did not supply
a partial AKEK for the key_identifier parameter of the
key part import service.
User action: Correct
the key_id parameter. |
2780 (10112) | The transport key
you specified has not been partially notarized and you have specified
CPLT-NOT for the rule_array parameter.
User
action: Use a transport key that has been partially notarized
or change the rule_array parameter. |
2784 (10116) | You attempted to export
an AKEK with a CCA key export service, which is not supported.
User action: Use the ANSI X9.17 Key Export callable
service. |
2788 (10120) | The internal key token
you supplied, or the key token that was retrieved by the label you
supplied, contains a flag setting or data encryption algorithm bit
that is not valid for this service.
User action:
Ensure that you supply a key token, or label, for a non-ANSI key type. |
278C (10124) | The key identifier
you supplied cannot be exported because there is a prohibit-export
restriction on the key.
User action: Use the
correct key for the service.
REASONCODES:
TSS 027 (039) |
2790 (10128) | The keyword you supplied
in the rule_array parameter is not consistent or not valid
with another parameter you specified. For example, the keyword SINGLE
is not valid with the key type of EXPORTER in the key token build
callable service.
User action: Correct either
the rule_array parameter or the other parameter.
REASONCODES: TSS 09C (156) |
2791 (10129) | S390 KEKs with NOCV (flagged as such by the
MASK_NOCV bit in the flags field of the token), are not permitted
in the RKX service. |
2AF8 (11000) | The value specified
for length parameter for a key token, key, or text field is not valid.
User action: Correct the appropriate length field
parameter.
REASONCODES: TSS 048 (072) |
2AFC (11004) | The hash value (of
the secret quantities) in the private key section of the internal
token failed validation. The values in the token are corrupted. You
cannot use this key.
User action: Recreate
the token using the appropriate combination of the PKA key token build,
PKA key generate, and PKA key import callable services.
REASONCODES: TSS 02F (047) |
2B00 (11008) | The public or private
key values are not valid. (For example, the modulus or an exponent
is zero.) You cannot use the key.
User action:
You may need to recreate the token using the PKA key token build or
PKA key import callable service or regenerate the key values on another
platform.
REASONCODES: TSS 302 (770) |
2B04 (11012) | The internal or external
private key token contains flags that are not valid.
User
action: You may need to recreate the token using the PKA key
token build or PKA key import callable service.
REASONCODES:
TSS 02F (047) |
2B08 (11016) | The calculated hash
of the public information in the PKA token does not match the hash
in the private section of the token. The values in the token are corrupted.
User action: Verify the public key section and the
key name section of the token. If the token is still rejected, then
you need to recreate the token using the appropriate combination of
the PKA key token build, PKA key generate, and PKA key import callable
services.
REASONCODES: TSS 02F (047) |
2B0C (11020) | The hash pattern of
the PKA master key (SMK or KMMK) in the supplied internal PKA private
key token does not match the current system’s PKA master key.
This indicates the system PKA master key has changed since the token
was created. You cannot use the token.
User action:
Recreate the token using the appropriate combination of the PKA key
token build, PKA key generate, and PKA key import callable services.
REASONCODES: TSS 030 (048) |
2B10 (11024) | The PKA tokens have
incomplete values, for example, a PKA public key token without modulus.
User action: Recreate the key.
REASONCODES:
TSS 02F (047) |
2B14 (11028) | The modulus of the
PKA key is too short for processing the hash or PKCS block.
User action: Either use a PKA key with a larger
modulus size, use a hash algorithm that generates a smaller hash (digital
signature services), or specify a shorter DATA key size (symmetric
key export, symmetric key generate).
REASONCODES:
TSS 048 (072) |
2B18 (11032) | The supplied private
key can be used only for digital signature. Key management services
are disallowed.
User action: Supply a key
with key management enabled.
REASONCODES:
TSS 040 (064) |
2B20 (11040) | The recovered encryption
block was not a valid PKCS-1.2 or zero-pad format. (The format is
verified according to the recovery method specified in the rule-array.)
If the recovery method specified was PKCS-1.2, refer to PKCS-1.2
for the possible error in parsing the encryption block.
User action: Ensure that the parameters passed to
CSNDSYI or CSNFSYI are correct. Possible causes for this
error are incorrect values for the RSA private key or incorrect values
in the RSA_enciphered_key parameter, which must be
formatted according to PKCS-1.2 or zero-pad rules when created.
REASONCODES: TSS 42 (66) |
2B24 (11044) | The first section
of a supplied PKA token was not a private or public key section.
User action: Recreate the key.
REASONCODES:
TSS 0B5 (181) |
2B28 (11048) | The eyecatcher on
the PKA internal private token is not valid.
User
action: Reimport the private token using the PKA key import callable
service. |
2B2C (11052) | An incorrect PKA token
was supplied. One of the following situations is possible:
- The service requires a private key token of the correct type.
- The supplied token may be of a type that is not supported on this
system.
User action: Check that the supplied
token is:
- a PKA private key token of the correct type.
- a type supported by this system.
|
2B30 (11056) | The input PKA token
contains length fields that are not valid.
User
action: Recreate the key token. |
2B38 (11064) | The RSA-OAEP block
did not verify when it decomposed. The block type is incorrect (must
be X'03').
User action: Recreate the
RSA-OAEP block.
REASONCODES: TSS 2CF (719) |
2B3C (11068) | The RSA-OAEP block
did not verify when it decomposed. The verification code is not correct
(must be all zeros).
User action: Recreate
the RSA-OAEP block.
REASONCODES: TSS 2D1
(721) |
2B40 (11072) | The RSA-OAEP block
did not verify when it decomposed. The random number I is not correct
(must be non-zero with the high-order bit equal to zero).
User action: Recreate the RSA-OAEP block.
REASONCODES: TSS 2D0 (720) |
2B48 (11080) | The RSA public or
private key specified a modulus length that is incorrect for this
service.
User action: Re-invoke the service
with an RSA key with the proper modulus length.
REASONCODES:
See reason codes 41 (65) and 2F8 (760) |
2B4C (11084) | This service requires
an RSA public key and the key identifier specified is not a public
key.
User action: Re-invoke the service with
an RSA public key. |
2B50 (11088) | This service requires
an RSA private key that is for signature use only.
User
action: Re-invoke the service with a supported private key. |
2B54 (11092) | There was an invalid
subsection in the PKA token.
User action:
Correct the PKA token. |
2B58 (11096) | This service requires
an RSA private key that is for signature use. The specified key may
be used for key management purposes only.
User
action: Re-invoke the service with a supported private key.
REASONCODES: TSS 040 (064) |
3E80 (16000) | RACF failed your request
to use this service.
User action: Contact
your ICSF or RACF administrator if you need this service. |
3E84 (16004) | RACF failed your request
to use the key label. This may be caused by either CSFKEYS or XCSFKEY
class, depending on the setting of the Granular Keylabel Access Controls
and the type of token provided.
User action:
Contact your ICSF or RACF administrator if you need this key. |
3E8C (16012) | You requested the
conversion service, but you are not running in an authorized state.
User action: You must be running in supervisor state
to use the conversion service. Contact your ICSF administrator. |
3E90 (16016) | The input/output field
contained a valid internal token with the NOCV bit on or encryption
algorithm mark, but the key type was incorrect or did not match the
type of the generated or imported key. Processing failed.
User action: Correct the calling application.
REASONCODES: TSS 027 (039) |
3E94 (16020) | You requested dynamic
CKDS update services for a system key, which is not allowed.
User action: Correct the calling application.
REASONCODES: TSS 0B5 (181) |
3E98 (16024) | You called the CKDS key record write callable service, but the key
token you supplied is not valid.
User action:
Check with your ICSF administrator if you believe that this key
should be in the in-storage CKDS. The administrator may be able to
bring it into storage. If this key cannot be in storage, use a different
label. |
3EA0 (16032) | Invalid syntax for
CKDS or PKDS label name.
User action: Correct key_label syntax.
REASONCODES: TSS 020 (032) |
3EA4 (16036) | The CKDS key
record create callable service requires that the key created not already
exist in the CKDS or PKDS. A key of the same label was found.
User action: Make sure the application specifies
the correct label. If the label is correct, contact your ICSF security
administrator or system programmer.
REASONCODES:
TSS 02C (044) |
3EA8 (16040) | Data in the PKDS record
did not match the expected data. This occurs if the record does not
contain a null PKA token and CHECK was specified.
User
action: If the record is to be overwritten regardless of its
content, specify OVERLAY. |
3EAC (16044) | One or more key labels
specified as input to the PKA key generate or PKA key import service
incorrectly refer to a retained private key. If generating a retained
private key, this error may result from one of these conditions:
- The private key name of the retained private key being generated
is the same as an existing PKDS record, but the PKDS record label
was not specified as the input skeleton (source) key identifier.
- The label specified in the generated_key_token parameter
as the target for the retained private key was not the same as the
private key name.
If generating or importing a non-retained key, this error
occurs when the label specified as the target key specifies a retained
private key. The retained private key cannot be over-written.
User action: Make sure the application specifies
the correct label. If the label is correct, contact your ICSF security
administrator or system programmer. |
3EB0 (16048) | Retained keys on the
PKDS cannot be deleted or updated using the PKDS key
record delete or PKDS key record write callable
services, respectively.
User action: Use the
retained key delete callable service to delete retained keys. |
Reason code 0, return code 308 (776) | RACF failed your request to use this service.
User action: Contact your ICSF or RACF administrator
if you need this service. |
Reason code 1, return code 308 (776) | RACF failed your request to use the key label.
User action: Contact your ICSF or RACF administrator
if you need this key. |
06E (110)-PAN, 028 (040)-ser. code, 02A (042)-exp.
date, 066 (102)-dec table, 067 (103)-val. table, 06C (198)-pad data | The PAN, expiration date, service code, decimalization
table data, validation data, or pad data is not numeric (X'F0' through X'F9').
The parameter must be character representations of numerics or hexadecimal
data.
User action: Review the numeric parameters
or fields required in the service that you called and change to the
format and values required. |