z/OS Cryptographic Services ICSF Application Programmer's Guide
Previous topic | Next topic | Contents | Index | Contact z/OS | Library | PDF


Usage Notes

z/OS Cryptographic Services ICSF Application Programmer's Guide
SA22-7522-16

  • SAF may be invoked to verify the caller is authorized to use this callable service, the key label, or internal secure key tokens that are stored in the CKDS or PKDS.
  • For RSA DSI PKCS #1 formatting, the key value length must be at least 11 bytes less than the modulus length of the RSA key.
  • The hardware configuration sets the limit on the modulus size of keys for key management; thus, this service will fail if the RSA key modulus bit length exceeds this limit.
  • The key value to be encrypted must be smaller than the modulus in the PKA_key_identifier.

The PKA Encrypt access control point controls the function of this service.

This table lists the required cryptographic hardware for each server type and describes restrictions for this callable service.

Table 77. PKA encrypt required hardware
ServerRequired cryptographic hardwareRestrictions
IBM eServer zSeries 900Cryptographic Coprocessor Feature

The MRP keyword is not supported.

RSA keys with moduli greater than 1024-bit length are not supported.

PCI Cryptographic CoprocessorIf the modulus bit length of the key specified in the PKA_key_identifier parameter is greater than 1024, the request is routed to the PCICC.

The MRP keyword is not supported.

RSA keys with moduli greater than 2048-bit length are not supported.

IBM eServer zSeries 990

IBM eServer zSeries 890

PCI X Cryptographic Coprocessor

Crypto Express2 Coprocessor

Routed to a PCICA if one is available (ZERO-PAD and MRP only).

RSA keys with moduli greater than 2048-bit length are not supported.

PCI Cryptographic AcceleratorPKCS-1.2 keyword not supported.

RSA keys with moduli greater than 2048-bit length are not supported.

IBM System z9 EC

IBM System z9 BC

Crypto Express2 CoprocessorRouted to a CEX2A if one is available (ZERO-PAD and MRP only).

RSA key support with moduli within the range 2048-bit to 4096-bit requires the Nov. 2007 or later licensed internal code (LIC).

Crypto Express2 Accelerator

PKCS-1.2 keyword not supported.

RSA keys with moduli greater than 2048-bit length are not supported.

z196Crypto Express3 CoprocessorRouted to a CEX2A or CEX3A if one is available (ZERO-PAD and MRP only).

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014