- return_code
-
Direction: Output | Type: Integer |
The return code specifies the general result of the callable
service. Appendix A. ICSF and TSS Return and Reason Codes lists the return codes.
- reason_code
-
Direction: Output | Type: Integer |
The reason code specifies the result of the callable service
that is returned to the application program. Each return code has
different reason codes that indicate specific processing problems. Appendix A. ICSF and TSS Return and Reason Codes lists the reason codes.
- exit_data_length
-
Direction: Input/Output | Type: Integer |
The length of the data that is passed to the installation
exit. The length can be from X'00000000' to X'7FFFFFFFFF' (2
gigabytes). The data is defined in the exit_data parameter.
- exit_data
-
Direction: Input/Output | Type: String |
The data that is passed to the installation exit.
- rule_array_count
-
Direction: Input | Type: Integer |
The number of keywords you supplied in the rule_array parameter.
The count must be between 0 and 4, inclusive.
- rule_array
-
Direction: Input | Type: String |
Keywords that provide control information to the callable
service. The keywords must be 8 bytes of contiguous storage with the
keyword left-justified in its 8-byte location and padded
on the right with blanks.
Keyword | Meaning |
---|---|
Encipherment (optional) | |
REFORMAT | Reformat the input_key_token. When input_key_token is a DES key token, reformat with the Key Wrapping Method specified. When input_key_token is an operational AES key token, either reformat an AES DATA key (version X'04') to an AES CIPHER key (version X'05') or the reverse (version X'05' to version X'04'). |
TRANSLAT | Translate the input_key_token from encipherment under the input_KEK_identifier to encipherment under the output_KEK_identifier. This is the default. |
Key Wrapping Method (optional, valid only if input_key_token is an external DES key token) | |
USECONFG | Specifies that the system default configuration should be used to determine the wrapping method. This is the default. The system default key wrapping method can be specified using the DEFAULTWRAP parameter in the installation options data set. See the z/OS Cryptographic Services ICSF System Programmer's Guide. |
WRAP-ENH | Use enhanced key wrapping method, which is compliant with the ANSI X9.24 standard. |
WRAP-ECB | Use original key wrapping method, which uses ECB wrapping for DES key tokens. |
Translation Control (optional, valid only with WRAP-ENH) | |
ENH-ONLY | Restrict rewrapping of the output_key_token. Once the token has been wrapped with the enhanced method, it cannot be rewrapped using the original method. |
Algorithm (optional) | |
AES | Specifies that the input key is an AES key. Where used, the key-encrypting keys will be AES transport keys. |
DES | Specifies that the input key is a DES key. Where used, the key-encrypting keys will be DES transport keys. This is the default. |
HMAC | Specifies that the input key is an HMAC key. Where used, the key-encrypting keys will be AES transport keys. |
- input_key_length
-
Direction: Input | Type: Integer |
The length of the input_key_token in
bytes. The maximum value allowed is 900.
- input_key_token
-
Direction: Input/Output | Type: String |
A variable length string variable containing the key token
to be translated or reformatted.
If the REFORMAT keyword is
specified and the input_key_token is an AES CIPHER key (version X'05'),
the key must have the following characteristics:
- Key-usage field 1 allows the key to be used for encryption and
decryption and has no UDX bits set (UDX bits are not supported in
version X'04' AES tokens)
- Key-usage field 2 allows the key to be used for Cipher Block Chaining
(CBC) mode or Electronic Code Book (ECB) mode
- Key-management field 1 allows export using symmetric, unauthenticated
asymmetric, and authenticated asymmetric transport keys, and allows
export using DES, AES, and RSA transport keys
- Key-management field 2 indicates that the key is complete
If the REFORMAT and AES keywords are specified and input_key_token was
encrypted under the old master key, the token will be returned encrypted
under the current master key.
- input_KEK_length
-
Direction: Input | Type: Integer |
The length of the input_KEK_identifier in bytes.
When the input_KEK_identifier is a token, the value must
be between the actual length of the token and 725. When the input_KEK_identifier is
a label, the value must be 64.
If the REFORMAT keyword is specified,
and input_key_token is an AES key token, this parameter must
be zero.
- input_KEK_identifier
-
Direction: Input/Output | Type: String |
A variable length string variable containing the internal
key token or the key label of an internal key token record in the
CKDS. The internal key token contains the key-encrypting key used
to decipher the key.
If input_KEK_length is
zero, this parameter is ignored.
If the TRANSLAT keyword
is specified and the input_key_token is an external DES key,
the input_KEK_identifier must be an internal DES token that
contains a control vector that specifies an IMPORTER or IKEYXLAT key
type. The control vector for an IMPORTER key must have the XLATE bit
set to 1.
If the TRANSLAT keyword is specified and
the input_key_token is an external variable-length key token,
the input_KEK_identifier must be an internal variable-length
key token containing an IMPORTER key-encrypting key. The IMPORTER
key must have the TRANSLAT bit on in key-usage field 1 of the
token.
If the REFORMAT keyword is
specified and input_key_token is an external DES key token,
this parameter may be an IMPORTER, IKEYXLAT, EXPORTER, or OKEYXLAT
key type.
If an internal token was supplied and was encrypted
under the old master key, the token will be returned encrypted under
the current master key.
- output_KEK_length
-
Direction: Input | Type: Integer |
The length of the output_KEK_identifier in
bytes. When the output_KEK_identifier is a token, the value
must be between the actual length of the token and 725. When the output_KEK_identifier is
a label, the value must be 64.
If the REFORMAT keyword
is specified, this value must be zero.
- output_KEK_identifier
-
Direction: Input/Output | Type: String |
A variable length string variable containing the internal
key token or the key label of an internal key token record in the
CKDS. The internal key token contains the key-encrypting key used
to encipher the key.
If output_KEK_length is
zero, this parameter is ignored.
If the output_key_token is
an external DES key, the output_KEK_identifier must be an
internal DES token that contains a control vector that specifies an
EXPORTER or OKEYXLAT key type. The control vector for an EXPORTER
key must have the XLATE bit set to 1.
If the input_key_token is
an external variable-length key token, the output_KEK_identifier must
be an internal variable-length key token containing an EXPORTER key-encrypting
key. The EXPORTER key must have the TRANSLAT bit on in key-usage
field 1 of the token.
If an internal token was supplied
and was encrypted under the old master key, the token will be returned
encrypted under the current master key.
- output_key_length
-
Direction: Input/Output | Type: Integer |
On input, the length of the output area provided for the output_key_token.
This must be between 64 and 900 bytes and provide sufficient
space for the output key. On output, the parameter is updated
with the length of the token copied to the output_key_token.
- output_key_token
-
Direction: Input/Output | Type: String |
If the REFORMAT keyword is specified and the input_key_token is
an AES DATA key (version X'04'), output_key_token must
contain an AES CIPHER key (version X'05') on input. This
token must have the following characteristics:
- Algorithm is AES
- Key type CIPHER
- Key-usage field 2 either allows the key to be used for Cipher
Block Chaining (CBC) mode or allows the key to be used for Electronic
Code Book (ECB) mode
Otherwise, this field is ignored on input.
On output,
a variable length string variable containing the key token that was
translated or reformatted.
If the REFORMAT keyword is specified
and the input_key_token is an AES DATA key (version X'04'),
on output, output_key_token will be updated with the following
characteristics:
- Key-usage field 1 allows the key to be used for encryption and
decryption
- Key-management field 1 allows export using symmetric, unauthenticated
asymmetric, and authenticated asymmetric transport keys, and allows
export using DES, AES, and RSA transport keys
- Key-management field 2 indicates that the key is complete
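
The rule_array constraints described above (8-byte left-justified, blank-padded keywords, a count of 0 to 4, and the validity conditions in the keyword table) can be checked before the service is called. The following is an added example, not IBM's code: the helper name `build_rule_array` and its negative return values are hypothetical, and the one-keyword-per-group check and the rejection of a wrapping keyword alongside AES or HMAC are assumptions read conservatively from the table's group headings.

```c
#include <stdio.h>
#include <string.h>

/* Keyword groups from the rule_array table. */
enum { G_ENCIPHER, G_WRAP, G_XLATCTL, G_ALG, G_COUNT };
static const struct { const char *kw; int group; } KEYWORDS[] = {
    {"REFORMAT", G_ENCIPHER}, {"TRANSLAT", G_ENCIPHER},
    {"USECONFG", G_WRAP}, {"WRAP-ENH", G_WRAP}, {"WRAP-ECB", G_WRAP},
    {"ENH-ONLY", G_XLATCTL},
    {"AES", G_ALG}, {"DES", G_ALG}, {"HMAC", G_ALG},
};

/* Hypothetical helper: pack keywords into 8-byte blank-padded slots.
 * Returns rule_array_count (0..4) or a negative code (codes are this
 * example's own, not ICSF reason codes):
 *  -1 count outside 0..4       -2 unknown keyword
 *  -3 two keywords, one group  -4 ENH-ONLY without WRAP-ENH
 *  -5 wrapping keyword with AES/HMAC (wrapping methods apply only to
 *     external DES key tokens) */
int build_rule_array(const char *kws[], int n, char out[32])
{
    const char *seen[G_COUNT] = {0};
    if (n < 0 || n > 4) return -1;
    memset(out, ' ', 32);                 /* pad every slot with blanks */
    for (int i = 0; i < n; i++) {
        int g = -1;
        for (size_t k = 0; k < sizeof KEYWORDS / sizeof KEYWORDS[0]; k++)
            if (strcmp(kws[i], KEYWORDS[k].kw) == 0) g = KEYWORDS[k].group;
        if (g < 0) return -2;
        if (seen[g]) return -3;
        seen[g] = kws[i];
        memcpy(out + 8 * i, kws[i], strlen(kws[i]));  /* left-justified */
    }
    if (seen[G_XLATCTL] &&
        !(seen[G_WRAP] && strcmp(seen[G_WRAP], "WRAP-ENH") == 0))
        return -4;
    if (seen[G_WRAP] && seen[G_ALG] && strcmp(seen[G_ALG], "DES") != 0)
        return -5;
    return n;
}

int main(void)
{
    /* Constructed sample: reformat an external DES token, enhanced wrap only. */
    const char *kws[] = {"REFORMAT", "WRAP-ENH", "ENH-ONLY"};
    char rule_array[32];
    int count = build_rule_array(kws, 3, rule_array);
    printf("rule_array_count=%d rule_array=[%.*s]\n",
           count, count > 0 ? 8 * count : 0, rule_array);
    return 0;
}
```

Compiled on z/OS the string literals are EBCDIC, which is the encoding the callable service expects; on other platforms the buffer would need conversion before use.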