z/OS Cryptographic Services ICSF Application Programmer's Guide


Usage Notes

SA22-7522-16

SAF may be invoked to verify the caller is authorized to use this callable service, the key label, or internal secure key tokens that are stored in the CKDS or PKDS.

If the service is executed on the Cryptographic Coprocessor Feature, the generated internal DATA key token is marked according to the default system encryption algorithm unless token copying overrides this. Token copying is accomplished by supplying a valid DATA token with the desired algorithm marks in the target_key_identifier field.

The hardware configuration sets the limit on the modulus size of keys for key management; thus, this service will fail if the RSA key modulus bit length exceeds this limit. The service will fail with return code 12 and reason code 11020.

Specification of PKA92 with an input NOCV key-encrypting key token is not supported.

During initialization of a PCICC, PCIXCC, CEX2C, or CEX3C, an Environment Identification, or EID, of zero is set in the coprocessor. The PKA Symmetric Key Import service interprets a zero EID to mean that environment identification checking is to be bypassed. Thus it is possible on an OS/390 system for a key-encrypting key RSA-enciphered at a node (EID) to be imported at the same node.

The following table shows the access control points in the ICSF role that control the function of this service.

Table 105. Required access control points for Symmetric Key Import

Key algorithm   Key formatting rule    Access control point
-------------   -------------------    ----------------------------------------------
DES             PKCS-1.2               Symmetric Key Import - DES, PKCS-1.2
DES             PKA92 KEK              Symmetric Key Import - DES, PKA92 KEK
DES             ZERO-PAD               Symmetric Key Import - DES, ZERO-PAD
AES             PKCSOAEP, PKCS-1.2     Symmetric Key Import - AES, PKCSOAEP, PKCS-1.2
AES             ZERO-PAD               Symmetric Key Import - AES, ZERO-PAD

When the WRAP-ECB or WRAP-ENH keywords are specified and the default key-wrapping method setting does not match the keyword, the Symmetric Key Import - Allow wrapping override keywords access control point must be enabled.

This table lists the required cryptographic hardware for each server type and describes restrictions for this callable service.

Table 106. Symmetric key import required hardware

Server: IBM eServer zSeries 900
Required cryptographic hardware: Cryptographic Coprocessor Feature
Restrictions: Request routed to the CCF when:
  • The RSA_private_key_identifier is a modulus-exponent form private key with a private section ID of X'02'
  • The key modulus bit length is less than 512
  RSA keys with moduli greater than 1024-bit length are not supported.
  Encrypted AES keys are not supported.
  The DES, ENH-ONLY, USECONFG, WRAP-ENH and WRAP-ECB keywords are not supported.

Server: IBM eServer zSeries 900
Required cryptographic hardware: PCI Cryptographic Coprocessor
Restrictions: Request routed to the PCICC when:
  • The RSA_private_key_identifier is a modulus-exponent form private key with a private section ID of X'06'
  • The RSA_private_key_identifier is a CRT form private key with a private section ID of X'08'
  • The RSA_private_key_identifier is a retained key
  • The PKA92 recovery method is specified
  • The PKCSOAEP recovery method (which uses the SHA-1 hash method) is specified
  RSA keys with moduli greater than 2048-bit length are not supported.
  Encrypted AES keys are not supported.
  The DES, ENH-ONLY, USECONFG, WRAP-ENH, WRAP-ECB, and SHA-256 keywords are not supported.
  PKCSOAEP with the SHA-256 hash method is not supported.

Server: IBM eServer zSeries 990, IBM eServer zSeries 890
Required cryptographic hardware: PCI X Cryptographic Coprocessor, Crypto Express2 Coprocessor
Restrictions:
  The imported internal DATA key will not have any system encryption markings. Old RSA private keys encrypted under the CCF KMMK are not usable if the KMMK is not the same as the PCIXCC/CEX2C ASYM-MK.
  RSA keys with moduli greater than 2048-bit length are not supported.
  Encrypted AES keys are not supported.
  The ENH-ONLY, USECONFG, WRAP-ENH, WRAP-ECB, and SHA-256 keywords are not supported.
  PKCSOAEP with the SHA-256 hash method is not supported.

Server: IBM System z9 EC, IBM System z9 BC
Required cryptographic hardware: Crypto Express2 Coprocessor
Restrictions:
  The imported internal DATA key will not have any system encryption markings. Old RSA private keys encrypted under the CCF KMMK are not usable if the KMMK is not the same as the CEX2C ASYM-MK.
  RSA key support with moduli within the range 2048-bit to 4096-bit requires the Nov. 2007 or later licensed internal code (LIC).
  Encrypted AES keys are not supported.
  The ENH-ONLY, USECONFG, WRAP-ENH, WRAP-ECB, and SHA-256 keywords are not supported.
  PKCSOAEP with the SHA-256 hash method is not supported.
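The following is an added example, not IBM code or part of ICSF. It transcribes Table 105, the wrapping-override rule and the zSeries 900 rows of Table 106 into a pre-flight check that an application can run before issuing a Symmetric Key Import request: it reports which access control point the ICSF role must enable, which coprocessor a zSeries 900 would route the request to, and whether the RSA modulus would make the call fail with return code 12 and reason code 11020. The ImportRequest fields, the check_z900 function and the convention that the system default wrapping method is passed as "WRAP-ECB" or "WRAP-ENH" are assumptions of this example; the ordering used when both routing rule sets match is also an assumption, since the page does not state one.

```python
"""Pre-flight checks for an ICSF Symmetric Key Import (CSNDSYI) request.

Added example, not IBM's code: Table 105, the wrapping-override rule and
the zSeries 900 portion of Table 106 are transcribed from the topic text.
"""
from dataclasses import dataclass
from typing import List, Optional

# Table 105: (key algorithm, key formatting rule) -> access control point.
ACCESS_CONTROL_POINTS = {
    ("DES", "PKCS-1.2"): "Symmetric Key Import - DES, PKCS-1.2",
    ("DES", "PKA92"):    "Symmetric Key Import - DES, PKA92 KEK",
    ("DES", "ZERO-PAD"): "Symmetric Key Import - DES, ZERO-PAD",
    ("AES", "PKCSOAEP"): "Symmetric Key Import - AES, PKCSOAEP, PKCS-1.2",
    ("AES", "PKCS-1.2"): "Symmetric Key Import - AES, PKCSOAEP, PKCS-1.2",
    ("AES", "ZERO-PAD"): "Symmetric Key Import - AES, ZERO-PAD",
}
WRAP_OVERRIDE_ACP = "Symmetric Key Import - Allow wrapping override keywords"

# Table 106, zSeries 900: modulus limit (bits) and the rule_array keywords
# each coprocessor does not support.
Z900_HARDWARE = {
    "CCF": {
        "max_modulus_bits": 1024,
        "unsupported_keywords": {"DES", "ENH-ONLY", "USECONFG", "WRAP-ENH", "WRAP-ECB"},
    },
    "PCICC": {
        "max_modulus_bits": 2048,
        "unsupported_keywords": {"DES", "ENH-ONLY", "USECONFG", "WRAP-ENH", "WRAP-ECB", "SHA-256"},
    },
}


@dataclass
class ImportRequest:                      # hypothetical container for one call
    key_algorithm: str                    # "DES" or "AES"
    formatting_rule: str                  # "PKCS-1.2", "PKA92", "ZERO-PAD" or "PKCSOAEP"
    private_section_id: int               # private section ID of the RSA token (X'02', X'06', X'08')
    retained_key: bool                    # RSA_private_key_identifier names a retained key
    modulus_bits: int                     # RSA key modulus bit length
    wrap_keyword: Optional[str] = None    # "WRAP-ECB", "WRAP-ENH" or None
    extra_keywords: tuple = ()            # other rule_array keywords, e.g. ("SHA-256",)


def required_access_control_points(req: ImportRequest, default_wrap: str) -> List[str]:
    """Access control points the ICSF role must enable for this request."""
    acps = [ACCESS_CONTROL_POINTS[(req.key_algorithm, req.formatting_rule)]]
    # A WRAP-* keyword that differs from the default key-wrapping method
    # additionally needs the wrapping override access control point.
    if req.wrap_keyword is not None and req.wrap_keyword != default_wrap:
        acps.append(WRAP_OVERRIDE_ACP)
    return acps


def route_on_z900(req: ImportRequest) -> str:
    """Coprocessor a zSeries 900 routes the request to (Table 106).

    Assumption: when both rule sets match, the CCF rules are tested first.
    """
    if req.private_section_id == 0x02 or req.modulus_bits < 512:
        return "CCF"
    if (req.private_section_id in (0x06, 0x08) or req.retained_key
            or req.formatting_rule in ("PKA92", "PKCSOAEP")):
        return "PCICC"
    raise ValueError("request matches neither the CCF nor the PCICC routing rules")


def check_z900(req: ImportRequest, default_wrap: str = "WRAP-ECB") -> dict:
    """Predict routing, required ACPs and the modulus-limit failure for a z900."""
    hardware = route_on_z900(req)
    limits = Z900_HARDWARE[hardware]
    result = {
        "hardware": hardware,
        "access_control_points": required_access_control_points(req, default_wrap),
        "return_code": 0,
        "reason_code": 0,
        "problems": [],
    }
    # The hardware modulus limit is the one failure the topic gives codes for.
    if req.modulus_bits > limits["max_modulus_bits"]:
        result["return_code"], result["reason_code"] = 12, 11020
        result["problems"].append(
            f"modulus of {req.modulus_bits} bits exceeds the {hardware} limit "
            f"of {limits['max_modulus_bits']} bits")
    keywords = set(req.extra_keywords)
    if req.wrap_keyword is not None:
        keywords.add(req.wrap_keyword)
    for keyword in sorted(keywords & limits["unsupported_keywords"]):
        result["problems"].append(f"keyword {keyword} is not supported on the {hardware}")
    return result


if __name__ == "__main__":
    # Constructed request: DES key under PKCS-1.2 with a 2048-bit X'02' private key.
    print(check_z900(ImportRequest("DES", "PKCS-1.2", 0x02, False, 2048)))
```

The output dictionary is meant to be checked before the call, so that an authorization failure shows up as a missing access control point in the role rather than as a rejected request in the SMF record, and so that an over-size modulus is caught before the service returns 12/11020.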

Copyright IBM Corporation 1990, 2014