z/OS Cryptographic Services ICSF Application Programmer's Guide


Common Cryptographic Architecture AES Key Management Services

SA22-7522-16

ICSF provides callable services that support CCA key management for AES keys.

Key Generate Callable Service (CSNBKGN and CSNEKGN)

The key generate callable service generates AES data keys. It generates a single operational key. Unlike the key generator utility program, the key generate service does not store the keys in the CKDS where they can be saved and maintained. The key generate callable service returns the key to the application program that called it. The application program can then use a dynamic CKDS update service to store the key in the CKDS.

Key Generate2 Callable Service (CSNBKGN2 and CSNEKGN2)

The service generates AES keys. It generates one operational key or an operational key pair. The key generate callable service returns the key to the application program that called it. The application program can then use a dynamic CKDS update service to store the key in the CKDS.

Key Part Import2 Callable Service (CSNBKPI2 and CSNEKPI2)

This service combines clear key parts of any AES key type and returns the combined key value either in an internal token or as an update to the CKDS.

Key Test2 Callable Service (CSNBKYT2 and CSNEKYT2)

This service generates or verifies a secure cryptographic verification pattern for AES keys. A parameter indicates the action you want to perform.

Key Token Build Callable Service (CSNBKTB and CSNEKTB)

The key token build callable service is a utility you can use to create clear AES key tokens, secure AES key tokens and skeleton secure AES key tokens for use with other callable services. You can also use this service to build CCA key tokens for all key types ICSF supports.

Multiple Clear Key Import Callable Service (CSNBCKM and CSNECKM)

This service imports a 128-, 192- or 256-bit clear DATA key that is used to encipher or decipher data. It accepts a clear key and enciphers the key under the host master key, returning an encrypted DATA key in operational form in an internal key token.

Multiple Secure Key Import Callable Service (CSNBSKM and CSNESKM)

This service enciphers a 128-, 192- or 256-bit clear DATA key under the host master key. This service can be used only when ICSF is in special secure mode.

Restrict Key Attribute Callable Service (CSNBRKA and CSNERKA)

This service modifies an AES operational key so that it cannot be exported.

Secure Key Import2 Callable Service (CSNBSKI2 and CSNESKI2)

This service enciphers a variable length clear AES key under the host master key. This service can be used only when ICSF is in special secure mode.

Symmetric Key Export Callable Service (CSNDSYX and CSNFSYX)

Use the symmetric key export callable service to transfer an application-supplied AES DATA key from encryption under a master key to encryption under an application-supplied RSA public key or AES EXPORTER key. The application-supplied key must be an ICSF AES internal key token or the label of such a token in the CKDS. The Symmetric Key Import or Symmetric Key Import2 callable services can import the key encrypted under the RSA public key or AES EXPORTER at the receiving node.

Symmetric Key Generate Callable Service (CSNDSYG and CSNFSYG)

This service generates a symmetric DATA key and returns it encrypted under the host AES master key and encrypted under an RSA public key token. (There are two types of PKA public key tokens: RSA and DSS. This callable service can use only the RSA type.)

The AES-encrypted key can only be an internal token encrypted under a host AES master key. You can use the symmetric key import callable service to import the PKA-encrypted form.

Symmetric Key Import Callable Service (CSNDSYI and CSNFSYI)

This service imports a symmetric (AES) DATA key enciphered under an RSA public key. (There are two types of PKA private key tokens: RSA and DSS. This callable service can use only the RSA type.) This service returns the key in operational form, enciphered under the AES master key.

Symmetric Key Import2 Callable Service (CSNDSYI2 and CSNFSYI2)

This service imports an AES key enciphered under an RSA public key. (There are two types of PKA private key tokens: RSA and DSS. This callable service can use only the RSA type.) This service returns the key in operational form, enciphered under the AES master key.





Copyright IBM Corporation 1990, 2014