z/OS Cryptographic Services ICSF Application Programmer's Guide


Usage Notes

SA22-7522-16

SAF may be invoked to verify that the caller is authorized to use this callable service, the key label, or the internal secure key tokens that are stored in the CKDS or PKDS.

Use of NOCV keys is controlled by an access control point in the PCIXCC. Creation of NOCV key-encrypting keys is only available for standard IMPORTERs and EXPORTERs.

Systems with the Cryptographic Coprocessor Feature

The key import callable service cannot be used to import ANSI key-encrypting keys. For information on importing these types of keys, refer to ANSI X9.17 Key Import (CSNAKIM and CSNGKIM). To use NOCV key-encrypting keys or to import DATAM or DATAMV keys, NOCV-enablement keys must be installed in the CKDS.

This service marks an imported KEK as a NOCV-KEK when a valid IMPORTER or EXPORTER token with the NOCV-KEK flag enabled is supplied in the target_key_identifier field. The key type of that token must match the key type of the key being imported.

This service marks DATA and key-encrypting key tokens with the system encryption algorithm if the request is processed on the CCF. The service propagates the data encryption algorithm mark of the operational KEK unless token copying overrides it:

  • The imported token is marked with the DES or CDMF encryption algorithm mark of the KEK token.
  • The imported token is marked with the system's default encryption algorithm when the KEK is marked SYS-ENC.
  • To override the encryption algorithm mark of the KEK, supply a valid token of the same key type as the key being imported in the target_key_identifier field. The mark of the target_key_identifier token is then used to mark the imported key token.

A Key Import call that specifies a NOCV key-encrypting key as either the importer key or the target, and that also specifies a source key or key-encrypting key whose control vector is not supported by the Cryptographic Coprocessor Feature, fails.

Systems with the PCI X Cryptographic Coprocessor, Crypto Express2 Coprocessor, or Crypto Express3 Coprocessor

Use of NOCV keys is controlled by an access control point in the PCIXCC, CEX2C, or CEX3C.

This service marks an imported KEK as a NOCV-KEK according to the following rules:

  • If a token is supplied in the target token field, it must be a valid IMPORTER or EXPORTER token. If the token fails token validation, processing continues, but the NOCV flag is not copied.
  • The source token (the key to be imported) must be an IMPORTER or EXPORTER with the default control vector.
  • If the target token is valid with the NOCV flag on, the source token is valid, and the control vector of the target token is exactly the same as that of the source token, the imported token has the NOCV flag set on.
  • If the target token is valid with the NOCV flag on, the source token is valid, and the control vector of the target token is not exactly the same as that of the source token, the service fails with an error return code.
  • In all other cases the import completes successfully, but the NOCV flag is not copied.

The software bit used to mark the imported token with export prohibited is not supported on a PCIXCC, CEX2C, or CEX3C. The internal token for an export prohibited key will have the appropriate control vector that prohibits export.

The following table shows the access control points in the ICSF role that control the function of this service.

Table 44. Required access control points for Key Import

  Access control point          Restrictions
  Key Import - Unrestricted     None
  Key Import                    Key-encrypting key may not have equal key halves

To use a NOCV key-encrypting key with the key import service, the "NOCV KEK usage for import-related functions" access control point must be enabled in addition to one or both of the access control points listed in Table 44.
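The NOCV-flag propagation rules above and the access control point gating in Table 44 combine into a small decision procedure. The following Python is an added policy model written for this page; it is not ICSF code and does not reproduce the real internal key token layout. The KeyToken class, the Outcome values and the function names are this example's own. The default IMPORTER and EXPORTER control vector values are an assumption recalled from the CCA control vector tables and should be verified against the control vector appendix of this guide before being relied on.

```python
"""Policy model of the Key Import usage notes: NOCV flag propagation and
access control point gating.  Added example, not ICSF code."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Set

# Default control vectors for double-length IMPORTER and EXPORTER KEKs
# (left half || right half).  ASSUMPTION: recalled from the CCA control
# vector tables; confirm against the ICSF appendix before relying on them.
DEFAULT_CV = {
    "IMPORTER": bytes.fromhex("00427D00 03410000 00427D00 03210000"),
    "EXPORTER": bytes.fromhex("00417D00 03410000 00417D00 03210000"),
}

# Access control point names as listed in Table 44 and the note after it.
ACP_UNRESTRICTED = "Key Import - Unrestricted"
ACP_RESTRICTED = "Key Import"
ACP_NOCV_IMPORT = "NOCV KEK usage for import-related functions"


@dataclass(frozen=True)
class KeyToken:
    """Simplified stand-in for an internal DES key token (not the real layout)."""
    key_type: str          # "IMPORTER", "EXPORTER", "DATA", ...
    cv: bytes              # 16-byte control vector
    key: bytes             # 16-byte double-length key value (clear, for the model)
    nocv: bool = False     # NOCV-KEK flag
    valid: bool = True     # would the token pass ICSF token validation?


class Outcome(Enum):
    IMPORTED_NOCV = "imported; NOCV flag set on the imported token"
    IMPORTED_PLAIN = "imported; NOCV flag not copied"
    REJECTED = "rejected with an error return code"


def kek_has_equal_halves(kek: KeyToken) -> bool:
    """Equal halves reduce a double-length DES KEK to single-DES strength;
    Table 44 rejects such a KEK unless 'Key Import - Unrestricted' is enabled."""
    return kek.key[:8] == kek.key[8:]


def is_default_importer_or_exporter(tok: KeyToken) -> bool:
    """Second bullet: source must be an IMPORTER or EXPORTER with the default CV."""
    return tok.valid and tok.key_type in DEFAULT_CV and tok.cv == DEFAULT_CV[tok.key_type]


def nocv_propagation(source: KeyToken, target: Optional[KeyToken]) -> Outcome:
    """The five NOCV-KEK bullets for PCIXCC/CEX2C/CEX3C systems."""
    # No target, a target that fails validation (which covers a non-KEK
    # target), a target without the NOCV flag, or an invalid source:
    # the import proceeds and the NOCV flag is not copied.
    if target is None or not target.valid or not target.nocv or not source.valid:
        return Outcome.IMPORTED_PLAIN
    # Target is valid with NOCV on: the source must be a default-CV IMPORTER
    # or EXPORTER whose control vector matches the target's exactly.  A
    # violated source requirement is treated here as the mismatch error case.
    if is_default_importer_or_exporter(source) and source.cv == target.cv:
        return Outcome.IMPORTED_NOCV
    return Outcome.REJECTED


def acp_allows(importer_kek: KeyToken, enabled_acps: Set[str]) -> bool:
    """Table 44 gating, plus the NOCV KEK usage point when the KEK is NOCV."""
    if importer_kek.nocv and ACP_NOCV_IMPORT not in enabled_acps:
        return False
    if ACP_UNRESTRICTED in enabled_acps:
        return True
    if ACP_RESTRICTED in enabled_acps:
        return not kek_has_equal_halves(importer_kek)
    return False


def key_import(source: KeyToken, importer_kek: KeyToken,
               target: Optional[KeyToken], enabled_acps: Set[str]) -> Outcome:
    """Combine the access control check and the NOCV rules for one call."""
    if not acp_allows(importer_kek, enabled_acps):
        return Outcome.REJECTED
    return nocv_propagation(source, target)


if __name__ == "__main__":
    # Constructed sample tokens; the key bytes are not real key material.
    kek = KeyToken("IMPORTER", DEFAULT_CV["IMPORTER"], bytes(range(16)))
    weak_kek = KeyToken("IMPORTER", DEFAULT_CV["IMPORTER"], b"\x01" * 16)  # equal halves
    src = KeyToken("EXPORTER", DEFAULT_CV["EXPORTER"], bytes(range(16, 32)))
    tgt = KeyToken("EXPORTER", DEFAULT_CV["EXPORTER"], bytes(16), nocv=True)
    print(key_import(src, kek, tgt, {ACP_RESTRICTED}).value)
    print(key_import(src, weak_kek, tgt, {ACP_RESTRICTED}).value)
```

The model deliberately keeps the "continue without the flag" cases (invalid target, NOCV flag off, no target) separate from the single error case (valid NOCV target whose control vector does not match the source), because that distinction is what an application must handle when it relies on the target token to request NOCV marking.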

This table lists the required cryptographic hardware for each server type and describes restrictions for this callable service.

Table 45. Key import required hardware

Server: IBM eServer zSeries 900
Required cryptographic hardware: Cryptographic Coprocessor Feature
Restrictions:
  • Propagation of token markings is only relevant when this service is processed on the Cryptographic Coprocessor Feature.
  • If the key_type is MACD or IMP-PKA, the control vectors of all supplied internal tokens must be supported by the Cryptographic Coprocessor Feature, since processing for these key types is not routed to a PCI Cryptographic Coprocessor.
  • DATAC is not supported.
  • Key_type CIPHER, DECIPHER and ENCIPHER require a PCICC.

Server: IBM eServer zSeries 900
Required cryptographic hardware: PCI Cryptographic Coprocessor
Restrictions: ICSF routes the request to a PCI Cryptographic Coprocessor if:
  • The key_type cannot be processed on the Cryptographic Coprocessor Feature.
  • The control vector of the source_key_identifier or the importer_key_identifier cannot be processed on the Cryptographic Coprocessor Feature.

Server: IBM eServer zSeries 990, IBM eServer zSeries 890
Required cryptographic hardware: PCI X Cryptographic Coprocessor, Crypto Express2 Coprocessor
Restrictions: Key_type DATAXLAT is not supported. DES and CDMF markings are not made on DATA and key-encrypting keys and are ignored on the IMPORTER key-encrypting key. IMP-PKA keys are not supported.

Server: IBM System z9 EC, IBM System z9 BC
Required cryptographic hardware: Crypto Express2 Coprocessor
Restrictions: Key_type DATAXLAT is not supported. DES and CDMF markings are not made on DATA and key-encrypting keys and are ignored on the IMPORTER key-encrypting key. IMP-PKA keys are not supported.





Copyright IBM Corporation 1990, 2014