To exploit clear key DES and AES instructions on the CPACF, ICSF
can generate and format clear DES and AES tokens
with
a clear key value to be used in callable services and stored
in the cryptographic key data set (CKDS). With clear key support on
the CKDS, clear keys do not have to appear in application storage
during use. Clear key tokens on the CKDS can be referenced by label
name in these callable services:
- Symmetric Key Encipher
- Symmetric Key Decipher
- Symmetric MAC Generate
- Symmetric MAC Verify
On systems sharing the CKDS without this support, it is highly
recommended that you SAF-protect the label name of the clear key tokens
on the other systems. This will provide additional security for your
installation. See System authorization facility (SAF) controls for more information.