z/OS Cryptographic Services ICSF Application Programmer's Guide


Parameters

SA22-7522-16

return_code
Direction: Output
Type: Integer

The return code specifies the general result of the callable service. Appendix A. ICSF and TSS Return and Reason Codes lists the return codes.

reason_code
Direction: Output
Type: Integer

The reason code specifies the result of the callable service that is returned to the application program. Each return code has different reason codes that indicate specific processing problems. Appendix A. ICSF and TSS Return and Reason Codes lists the reason codes.

exit_data_length
Direction: Input/Output
Type: Integer

The length of the data that is passed to the installation exit. The length can be from X'00000000' to X'7FFFFFFF' (2 gigabytes). The data is defined in the exit_data parameter.

exit_data
Direction: Input/Output
Type: String

The data that is passed to the installation exit.

rule_array_count
Direction: Input
Type: Integer

The number of keywords you supplied in the rule_array parameter. The count must be between 0 and 4, inclusive.

rule_array
Direction: Input
Type: String

Keywords that provide control information to the callable service. The keywords must be 8 bytes of contiguous storage with the keyword left-justified in its 8-byte location and padded on the right with blanks.

Keyword     Meaning

Encipherment (optional)

REFORMAT    Reformat the input_key_token.
  • When input_key_token is a DES key token, reformat with the Key Wrapping Method specified.
  • When input_key_token is an operational AES key token, either reformat an AES DATA key (version X'04') to an AES CIPHER key (version X'05') or the reverse (version X'05' to version X'04').
TRANSLAT    Translate the input_key_token from encipherment under the input_KEK_identifier to encipherment under the output_KEK_identifier. This is the default.

Key Wrapping Method (optional, valid only if input_key_token is an external DES key token)

USECONFG    Specifies that the system default configuration should be used to determine the wrapping method. This is the default.

            The system default key wrapping method can be specified using the DEFAULTWRAP parameter in the installation options data set. See the z/OS Cryptographic Services ICSF System Programmer’s Guide.
WRAP-ENH    Use enhanced key wrapping method, which is compliant with the ANSI X9.24 standard.
WRAP-ECB    Use original key wrapping method, which uses ECB wrapping for DES key tokens.

Translation Control (optional, valid only with WRAP-ENH)

ENH-ONLY    Restrict rewrapping of the output_key_token. Once the token has been wrapped with the enhanced method, it cannot be rewrapped using the original method.

Algorithm (optional)

AES         Specifies that the input key is an AES key. Where used, the key-encrypting keys will be AES transport keys.
DES         Specifies that the input key is a DES key. Where used, the key-encrypting keys will be DES transport keys. This is the default.
HMAC        Specifies that the input key is an HMAC key. Where used, the key-encrypting keys will be AES transport keys.

input_key_length
Direction: Input
Type: Integer

The length of the input_key_token in bytes. The maximum value allowed is 900.

input_key_token
Direction: Input/Output
Type: String

A variable length string variable containing the key token to be translated or reformatted.

If the REFORMAT keyword is specified and the input_key_token is an AES CIPHER key (version X'05'), the key must have the following characteristics:

  • Key-usage field 1 allows the key to be used for encryption and decryption and has no UDX bits set (UDX bits are not supported in version X'04' AES tokens)
  • Key-usage field 2 allows the key to be used for Cipher Block Chaining (CBC) mode or Electronic Code Book (ECB) mode
  • Key-management field 1 allows export using symmetric, unauthenticated asymmetric, and authenticated asymmetric transport keys, and allows export using DES, AES, and RSA transport keys
  • Key-management field 2 indicates that the key is complete

If the REFORMAT and AES keywords are specified and input_key_token was encrypted under the old master key, the token will be returned encrypted under the current master key.

input_KEK_length
Direction: Input
Type: Integer

The length of the input_KEK_identifier in bytes. When the input_KEK_identifier is a token, the value must be between the actual length of the token and 725. When the input_KEK_identifier is a label, the value must be 64.

If the REFORMAT keyword is specified, and input_key_token is an AES key token, this parameter must be zero.

input_KEK_identifier
Direction: Input/Output
Type: String

A variable length string variable containing the internal key token or the key label of an internal key token record in the CKDS. The internal key token contains the key-encrypting key used to decipher the key.

If input_KEK_length is zero, this parameter is ignored.

If the TRANSLAT keyword is specified and the input_key_token is an external DES key, the input_KEK_identifier must be an internal DES token that contains a control vector that specifies an IMPORTER or IKEYXLAT key type. The control vector for an IMPORTER key must have the XLATE bit set to 1.

If the TRANSLAT keyword is specified and the input_key_token is an external variable-length key token, the input_KEK_identifier must be an internal variable-length key token containing an IMPORTER key-encrypting key. The IMPORTER key must have the TRANSLAT bit on in key-usage field 1 of the token.

If the REFORMAT keyword is specified and input_key_token is an external DES key token, this parameter may be an IMPORTER, IKEYXLAT, EXPORTER, or OKEYXLAT key type.

If an internal token was supplied and was encrypted under the old master key, the token will be returned encrypted under the current master key.

output_KEK_length
Direction: Input
Type: Integer

The length of the output_KEK_identifier in bytes. When the output_KEK_identifier is a token, the value must be between the actual length of the token and 725. When the output_KEK_identifier is a label, the value must be 64.

If the REFORMAT keyword is specified, this value must be zero.

output_KEK_identifier
Direction: Input/Output
Type: String

A variable length string variable containing the internal key token or the key label of an internal key token record in the CKDS. The internal key token contains the key-encrypting key used to encipher the key.

If output_KEK_length is zero, this parameter is ignored.

If the output_key_token is an external DES key, the output_KEK_identifier must be an internal DES token that contains a control vector that specifies an EXPORTER or OKEYXLAT key type. The control vector for an EXPORTER key must have the XLATE bit set to 1.

If the input_key_token is an external variable-length key token, the output_KEK_identifier must be an internal variable-length key token containing an EXPORTER key-encrypting key. The EXPORTER key must have the TRANSLAT bit on in key-usage field 1 of the token.

If an internal token was supplied and was encrypted under the old master key, the token will be returned encrypted under the current master key.

output_key_length
Direction: Input/Output
Type: Integer

On input, the length of the output area provided for the output_key_token. This must be between 64 and 900 bytes and provide sufficient space for the output key. On output, the parameter is updated with the length of the token copied to the output_key_token.

output_key_token
Direction: Input/Output
Type: String

If the REFORMAT keyword is specified and the input_key_token is an AES DATA key (version X'04'), output_key_token must contain an AES CIPHER key (version X'05') on input. This token must have the following characteristics:

  • Algorithm is AES
  • Key type CIPHER
  • Key-usage field 2 either allows the key to be used for Cipher Block Chaining (CBC) mode or allows the key to be used for Electronic Code Book (ECB) mode

Otherwise, this field is ignored on input.

On output, a variable length string variable containing the key token that was translated or reformatted.

If the REFORMAT keyword is specified and the input_key_token is an AES DATA key (version X'04'), on output, output_key_token will be updated with the following characteristics:

  • Key-usage field 1 allows the key to be used for encryption and decryption
  • Key-management field 1 allows export using symmetric, unauthenticated asymmetric, and authenticated asymmetric transport keys, and allows export using DES, AES, and RSA transport keys
  • Key-management field 2 indicates that the key is complete
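
The rule_array layout and the length limits stated for the parameters above can be checked in the caller before the service is invoked. The following C code is an added example, not IBM's code and not part of the original guide; the function names build_rule_array and check_params and the numeric error values are assumptions made for illustration and are not ICSF return or reason codes.

```c
#include <string.h>

#define KW_LEN 8   /* each keyword occupies 8 bytes of contiguous storage */
#define MAX_KW 4   /* rule_array_count must be between 0 and 4 */

/* Hypothetical helper: lay keywords out left-justified and blank-padded.
   Returns rule_array_count, or -1 on a bad count or keyword length. */
int build_rule_array(const char *kw[], int n, char out[MAX_KW * KW_LEN])
{
    if (n < 0 || n > MAX_KW) return -1;
    memset(out, ' ', MAX_KW * KW_LEN);
    for (int i = 0; i < n; i++) {
        size_t len = strlen(kw[i]);
        if (len == 0 || len > KW_LEN) return -1;
        memcpy(out + i * KW_LEN, kw[i], len);
    }
    return n;
}

/* True if the blank-padded form of kw is one of the first count slots. */
static int has_kw(const char *ra, int count, const char *kw)
{
    char padded[KW_LEN];
    size_t len = strlen(kw);
    memset(padded, ' ', KW_LEN);
    memcpy(padded, kw, len > KW_LEN ? KW_LEN : len);
    for (int i = 0; i < count; i++)
        if (memcmp(ra + i * KW_LEN, padded, KW_LEN) == 0) return 1;
    return 0;
}

/* Hypothetical pre-flight check of the documented constraints.
   Returns 0 if consistent, otherwise a constructed error number. */
int check_params(const char *ra, int count, int input_key_length,
                 int input_kek_length, int output_kek_length, int output_key_length)
{
    if (count < 0 || count > MAX_KW) return 1;
    int reformat = has_kw(ra, count, "REFORMAT");
    int aes = has_kw(ra, count, "AES");   /* AES keyword: input key is an AES key */
    if (has_kw(ra, count, "ENH-ONLY") && !has_kw(ra, count, "WRAP-ENH")) return 3;
    if (input_key_length < 0 || input_key_length > 900) return 4;
    if (input_kek_length < 0 || input_kek_length > 725) return 5;
    if (output_kek_length < 0 || output_kek_length > 725) return 5;
    if (reformat && output_kek_length != 0) return 6;        /* must be zero */
    if (reformat && aes && input_kek_length != 0) return 7;  /* must be zero */
    if (output_key_length < 64 || output_key_length > 900) return 8;
    return 0;
}
```

The check covers only constraints that can be verified from lengths and keywords; token contents such as the XLATE or TRANSLAT bits of the key-encrypting keys are still validated by the service itself.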





Copyright IBM Corporation 1990, 2014