z/OS Cryptographic Services ICSF Application Programmer's Guide


Usage Notes

SA22-7522-16

SAF may be invoked to verify the caller is authorized to use this callable service, the key label, or internal secure key tokens that are stored in the CKDS.

Systems with the Cryptographic Coprocessor Feature: To generate double-length MAC and MACVER keys in the importable form, the ANSI system keys must be installed in the CKDS.

This service will mark DATA, IMPORTER and EXPORTER key tokens with the system encryption algorithm.

  • This service marks the imported DATA key token according to the system's default encryption algorithm, unless token copying overrides this.
  • KEKs are marked SYS-ENC unless token copying overrides this.
  • To override the default mark, supply a valid internal token of the same key type in the key_identifier field. The service will copy the marks of the supplied token to the imported token.

Systems with the PCI X Cryptographic Coprocessor, Crypto Express2 Coprocessor, or Crypto Express3 Coprocessor: If key_form is IM and the importer_key_identifier is a NOCV KEK, the NOCV IMPORTER access control point must be enabled.

The following table shows the access control points in the ICSF role that control the function of this service.

Table 90. Required access control points for Secure Key Import

| Key Form | Access control point        |
|----------|-----------------------------|
| OP       | Secure Key Import - DES, OP |
| IM       | Secure Key Import - DES, IM |

To use a NOCV key-encrypting key with the secure key import service, the NOCV KEK usage for import-related functions access control point must be enabled in addition to one or both of the access control points listed.

This table lists the required cryptographic hardware for each server type and describes restrictions for this callable service.

Table 91. Secure key import required hardware

| Server | Required cryptographic hardware | Restrictions |
|--------|---------------------------------|--------------|
| IBM eServer zSeries 900 | Cryptographic Coprocessor Feature | Marking of data encryption algorithm bits and token copying are performed only if the service is processed on the Cryptographic Coprocessor Feature. |
| IBM eServer zSeries 900 | PCI Cryptographic Coprocessor | ICSF routes the request to a PCI Cryptographic Coprocessor if the control vector of a supplied internal token cannot be processed on the Cryptographic Coprocessor Feature, or if the key type is not valid for the Cryptographic Coprocessor Feature. |
| IBM eServer zSeries 990; IBM eServer zSeries 890 | PCI X Cryptographic Coprocessor; Crypto Express2 Coprocessor | Key_type DATAXLAT is not supported. |
| IBM System z9 EC; IBM System z9 BC | Crypto Express2 Coprocessor | Key_type DATAXLAT is not supported. |





Copyright IBM Corporation 1990, 2014