z/OS Cryptographic Services ICSF Application Programmer's Guide


Usage Notes

SA22-7522-16

SAF may be invoked to verify the caller is authorized to use this callable service, the key label, or internal secure key tokens that are stored in the CKDS or PKDS.

This is the message layout used to encode the key material exported with the new PKOAEP2 formatting method.

Table 108. PKCS#1 OAEP encoded message layout (PKOAEP2)

| Field | Size | Value |
|---|---|---|
| Hash field | 32 Bytes | SHA-256 hash of associated data section in the source key identifier |
| Key Bit Length | 2 Bytes | variable |
| Key Material | Byte length of the key material (rounded up to the nearest byte) | variable |

Hash field
    The associated data for the HMAC variable-length token is hashed using SHA-256. In vartoken.h, this is the "VarAssocData_t AD" section of the VarKeyTkn_t structure, for the full length indicated in the 'SectLn' field of the VarAssocData_t.
Key Bit Length
    A 2-byte key bit length field.
Key Material
    The key material is padded to the nearest byte with '0' bits.
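
The Table 108 layout, built and then validated on the receiving side, as an added example (not IBM code and not part of the ICSF guide). Assumptions not stated on the page: the 2-byte length is big-endian, the pad bits are the low-order bits of the last key byte, and the associated data is passed as opaque bytes; the function names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import struct

HASH_LEN = 32  # SHA-256 digest size (Table 108)


def _pad_bits_set(key, key_bits):
    # Assumption: pad bits are the low-order bits of the last byte.
    pad = len(key) * 8 - key_bits
    return bool(pad and key[-1] & ((1 << pad) - 1))


def encode_pkoaep2(assoc_data, key, key_bits):
    """Return hash || key bit length || key material (input to OAEP)."""
    if not 0 < key_bits <= 0xFFFF or len(key) != (key_bits + 7) // 8:
        raise ValueError("key length does not match key_bits")
    if _pad_bits_set(key, key_bits):
        raise ValueError("pad bits must be zero")
    # Assumption: 2-byte length is big-endian; the page gives no byte order.
    return hashlib.sha256(assoc_data).digest() + struct.pack(">H", key_bits) + key


def decode_pkoaep2(message, assoc_data):
    """Validate a recovered message against the token's associated data."""
    if len(message) < HASH_LEN + 3:
        raise ValueError("message too short")
    digest = message[:HASH_LEN]
    (key_bits,) = struct.unpack(">H", message[HASH_LEN:HASH_LEN + 2])
    key = message[HASH_LEN + 2:]
    if key_bits == 0 or len(key) != (key_bits + 7) // 8:
        raise ValueError("key length disagrees with bit length field")
    if _pad_bits_set(key, key_bits):
        raise ValueError("nonzero pad bits")
    if not hmac.compare_digest(digest, hashlib.sha256(assoc_data).digest()):
        raise ValueError("associated data hash mismatch")
    return key, key_bits


if __name__ == "__main__":
    ad = b"constructed associated data"   # stands in for the AD section
    msg = encode_pkoaep2(ad, bytes(range(32)), 256)
    print(len(msg), decode_pkoaep2(msg, ad)[1])
```

The hash comparison is what ties the recovered key material to the attributes in the token's associated data: a message paired with different associated data is rejected before the key is used.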

This table lists the access control points in the ICSF role that control the function for this service.

Table 109. Symmetric Key Import2 Access Control Points

| Key formatting method | Algorithm | Access control point |
|---|---|---|
| PKOAEP2 | HMAC, AES | Symmetric Key Import2 - HMAC/AES, PKOAEP2 |
| AESKW | HMAC, AES | Symmetric Key Import2 - HMAC/AES, AESKW |

When the Symmetric Key Import2 - disallow weak import access control point is enabled, a key token wrapped with a weaker key will not be imported. When the Variable-length Symmetric Token - warn when weak wrap access control point is enabled, the reason code will indicate when the wrapping key is weaker than the key being imported.

This table lists the required cryptographic hardware for each server type and describes restrictions for this callable service.

Table 110. Symmetric key import2 required hardware

| Server | Required cryptographic hardware | Restrictions |
|---|---|---|
| IBM eServer zSeries 900 | | This service is not supported. |
| IBM eServer zSeries 990, IBM eServer zSeries 890 | | This service is not supported. |
| IBM System z9 EC, IBM System z9 BC | | This service is not supported. |





Copyright IBM Corporation 1990, 2014