SAF may be invoked to verify the caller is authorized to use this
callable service, the key label, or internal secure key tokens that
are stored in the CKDS or PKDS.
If the service is executed on the Cryptographic Coprocessor Feature,
the generated internal DATA key token is marked according to the
default system encryption algorithm unless token copying overrides
this. Token copying is accomplished by supplying a valid DATA token
with the desired algorithm marks in the target_key_identifier field.
The hardware configuration sets the limit on the modulus size of
keys used for key management; this service fails with return code 12
and reason code 11020 if the RSA key modulus bit length exceeds that
limit.
Specification of PKA92 with an input NOCV key-encrypting key token
is not supported.
During initialization of a PCICC, PCIXCC, CEX2C, or CEX3C,
an Environment Identification, or EID, of zero is set in the
coprocessor. The PKA Symmetric Key Import service interprets a zero
EID to mean that environment identification checking is to be
bypassed. Thus it is possible on an OS/390 system for a key-encrypting
key RSA-enciphered at a node (EID) to be imported at the same node.
The following table shows the access control points
in the ICSF role that control the function of this service.

Table 105. Required access control points for Symmetric Key Import

Key algorithm | Key formatting rule | Access control point
---|---|---
DES | PKCS-1.2 | Symmetric Key Import - DES, PKCS-1.2
DES | PKA92 KEK | Symmetric Key Import - DES, PKA92 KEK
DES | ZERO-PAD | Symmetric Key Import - DES, ZERO-PAD
AES | PKCSOAEP, PKCS-1.2 | Symmetric Key Import - AES, PKCSOAEP, PKCS-1.2
AES | ZERO-PAD | Symmetric Key Import - AES, ZERO-PAD

When the WRAP-ECB or WRAP-ENH keyword is specified
and the default key-wrapping method setting does not match the keyword,
the Symmetric Key Import - Allow wrapping override
keywords access control point must also be enabled.
This table lists the required cryptographic hardware for each server
type and describes restrictions for this callable service.

Table 106. Symmetric key import required hardware

Server | Required cryptographic hardware | Restrictions
---|---|---
IBM zSeries 900 | Cryptographic Coprocessor Feature | Request routed to the CCF when: the RSA_private_key_identifier is a modulus-exponent form private key with a private section ID of X'02'; the key modulus bit length is less than 512. RSA keys with moduli greater than 1024-bit length are not supported. Encrypted AES keys are not supported. DES, ENH-ONLY, USECONFG, WRAP-ENH and WRAP-ECB keywords are not supported.
IBM zSeries 900 | PCI Cryptographic Coprocessor | Request routed to the PCICC when: the RSA_private_key_identifier is a modulus-exponent form private key with a private section ID of X'06'; the RSA_private_key_identifier is a CRT form private key with a private section ID of X'08'; the RSA_private_key_identifier is a retained key; the PKA92 recovery method is specified; the PKCSOAEP recovery method (which uses the SHA-1 hash method) is specified. RSA keys with moduli greater than 2048-bit length are not supported. Encrypted AES keys are not supported. DES, ENH-ONLY, USECONFG, WRAP-ENH, WRAP-ECB, and SHA-256 keywords are not supported. PKCSOAEP with the SHA-256 hash method is not supported.
IBM zSeries 990, IBM zSeries 890 | PCI X Cryptographic Coprocessor, Crypto Express2 Coprocessor | The imported internal DATA key will not have any system encryption markings. Old RSA private keys encrypted under the CCF KMMK are not usable if the KMMK is not the same as the PCIXCC/CEX2C ASYM-MK. RSA keys with moduli greater than 2048-bit length are not supported. Encrypted AES keys are not supported. ENH-ONLY, USECONFG, WRAP-ENH, WRAP-ECB, and SHA-256 keywords are not supported. PKCSOAEP with the SHA-256 hash method is not supported.
IBM System z9 EC, IBM System z9 BC | Crypto Express2 Coprocessor | The imported internal DATA key will not have any system encryption markings. Old RSA private keys encrypted under the CCF KMMK are not usable if the KMMK is not the same as the CEX2C ASYM-MK. RSA key support with moduli within the range 2048-bit to 4096-bit requires the Nov. 2007 or later licensed internal code (LIC). Encrypted AES keys are not supported. ENH-ONLY, USECONFG, WRAP-ENH, WRAP-ECB, and SHA-256 keywords are not supported. PKCSOAEP with the SHA-256 hash method is not supported.