If you are running with the Cryptographic Coprocessor Feature, this service requires
that the ANSI system keys be installed on the CKDS.
The following table shows the access control points
in the ICSF role that control the function of this service.
Table 47. Required access control points for Key Part ImportRule array keyword | Access control point |
---|
FIRST | Key Part Import - first key part | MIDDLE or LAST | Key Part Import - middle and last | ADD-PART | Key Part Import - ADD-PART | COMPLETE | Key Part Import - COMPLETE | WRAP-ECB or WRAP-ENH and default key-wrapping
method setting does not match keyword | Key Part Import - Allow wrapping override keywords | A “replicated key-halves" key (both cleartext
halves of a double-length key are equal) is not as secure as a double-length
key with key halves that are not the same. The key part import service
verb enforces the key-halves restriction documented above when the Key Part Import - Unrestricted access control point
is disabled in the ICSF role.
This table lists the required cryptographic hardware for each server
type and describes restrictions for this callable service.
Table 48. Key part import required hardwareServer | Required
cryptographic hardware | Restrictions |
---|
IBM zSeries 900 | Cryptographic Coprocessor Feature | Only
key type AKEK is supported
ENH-ONLY, USECONFG, WRAP-ENC and WRAP-ECB
not supported. | PCI Cryptographic Coprocessor | ICSF
routes all requests to the PCI Cryptographic Coprocessor except for key type of AKEK. AKEK
is always processed on the Cryptographic Coprocessor Feature.
Key type AKEK is not supported.
ENH-ONLY,
USECONFG, WRAP-ENC and WRAP-ECB not supported. | IBM zSeries 990
IBM zSeries 890 | PCI X Cryptographic Coprocessor
Crypto Express2 Coprocessor | AKEK
key types are not supported.
ENH-ONLY, USECONFG, WRAP-ENC and WRAP-ECB
not supported. | IBM
System z9 EC
IBM System z9 BC | Crypto
Express2 Coprocessor | AKEK
key types are not supported.
ENH-ONLY, USECONFG, WRAP-ENC and WRAP-ECB
not supported. |
|