z/OS Cryptographic Services ICSF Application Programmer's Guide


Usage Notes

SA22-7522-16

Unless otherwise noted, all String parameters that are either written to, or read from, a TR-31 key block will be in EBCDIC format. Input parameters are converted to ASCII before being written to the TR-31 key block and output parameters are converted to EBCDIC before being returned (see Appendix G. EBCDIC and ASCII Default Conversion Tables). TR-31 key blocks themselves are always in printable ASCII format as required by the ANSI TR-31 specification.

If the TR-31 key block is marked as a key component, the resulting CCA key will have the Key Part bit (bit 44) in the control vector set to 1.

The exportability attributes of the imported CCA token are set based on attributes in the TR-31 key block as described in the following table.

Table 118. Export attributes of an imported CCA token

TR-31 export attribute value: Non-exportable ("N")
CCA action on import: CCA imports the key to an internal CCA key token. CV bit 17 (export) is set to zero to indicate that the key is not exportable. CV bit 57 (TR-31 export) is set to one to indicate that the key is not exportable to TR-31.

TR-31 export attribute value: Exportable under trusted key ("E")
CCA action on import: If the TR-31 key block is wrapped with a CCA KEK in the old ECB format, the request is rejected because that KEK is not a trusted key. If the CCA KEK is in a newer X9.24-compliant CCA key block, the TR-31 key is imported to CCA exactly as described below for keys that are exportable under any key.

TR-31 export attribute value: Exportable under any key ("S")
CCA action on import: CCA imports the key to an internal CCA key token. CV bit 17 (export) is set to one to indicate that the key is exportable. CV bit 57 (TR-31 export) is set to zero to indicate that the key is also exportable to TR-31.

If necessary, use the Prohibit Export, Prohibit Export Extended, or Restrict Key Attribute callable service to alter the export attributes of the CCA token after import.

If the TR-31 key block contains an optional block with a CCA CV of '00007D00030000000000000000000000' for a single-length key or '00007D0003410000000000000000000000007D00032100000000000000000000' for a double-length key, the resulting CCA token will be a zero-CV DATA token.

The TR-31 key block can contain a CCA control vector in an optional block in the header. If a CV is present, the service checks it for compatibility with the TR-31 key attributes to ensure the CV is valid for the key and, if there are no problems, uses that CV in the CCA key token that the service outputs. When a CV is received, the import operation is not subject to any access control point (ACP) that controls the importation of specific key types. The CV may be present in the TR-31 key block in two different ways, depending on the options used when creating that block.

  • If the TR-31 Export callable service was called with option INCL-CV, the control vector is included in the TR-31 key block and the TR-31 key usage and mode of use fields contain attributes from the set defined in the TR-31 standard. The TR-31 Import callable service checks that those TR-31 attributes are compatible with the CV included in the block. It also verifies that no rule array keywords conflict with the CV contained in the TR-31 block.
  • If the TR-31 Export callable service was called with option ATTR-CV, the control vector is included in the TR-31 key block and the TR-31 key usage and mode of use fields contain proprietary values (ASCII "10" and "1", respectively) to indicate that the usage and mode information is contained in the included control vector. In this case, the TR-31 Import service uses the included CV as the control vector for the CCA key token it produces. It also verifies that the CV does not conflict with rule array keywords passed
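Worked example, added to this page (it is not ICSF or CCA code): a small Python model of the header and attribute handling described in the notes above. It covers the EBCDIC/ASCII conversion of string parameters, the Table 118 mapping of the exportability attribute to CV bits 17 and 57 (including the rejection of an "E" block whose KEK is in the old ECB format), the key-part bit, the two zero-CV DATA control vectors, and the INCL-CV/ATTR-CV optional-block cases. The optional block ID "CV", the key-version "cN" component convention, the sample key blocks built in the test and the single compatibility check on CV bit 17 are assumptions for illustration; the encrypted body is treated as opaque and nothing is decrypted or authenticated.

```python
"""Added example, not ICSF code: model TR-31 Import's header handling per the usage notes."""

# CCA control-vector bit numbers named in the notes (bit 0 = MSB of byte 0).
CV_BIT_EXPORT = 17       # 1: key may be exported
CV_BIT_KEY_PART = 44     # 1: token holds a key part (component)
CV_BIT_TR31_EXPORT = 57  # 1: key may NOT be exported to TR-31

# Optional-block CVs that TR-31 Import turns into a zero-CV DATA token (from the notes).
ZERO_CV_DATA = {
    "00007D00030000000000000000000000",                                  # single length
    "00007D0003410000000000000000000000007D00032100000000000000000000",  # double length
}

# ASSUMPTION: ID of the optional block carrying the CCA CV. The notes only say
# "an optional block"; "CV" is a placeholder for this example.
CV_OPT_BLOCK_ID = "CV"

def to_tr31_ascii(ebcdic_param: bytes) -> bytes:
    """EBCDIC (code page 037) string parameter -> ASCII as stored in the key block."""
    return ebcdic_param.decode("cp037").encode("ascii")

def from_tr31_ascii(ascii_field: bytes) -> bytes:
    """ASCII field read from the key block -> EBCDIC as returned to the caller."""
    return ascii_field.decode("ascii").encode("cp037")

def cv_bit(cv: bytes, bit: int) -> int:
    """Read CCA CV bit `bit`, numbered from the most significant bit of byte 0."""
    return (cv[bit // 8] >> (7 - bit % 8)) & 1

def build_tr31(version, key_usage, algorithm, mode_of_use, key_version,
               exportability, opt_blocks, body) -> str:
    """Assemble a TR-31 key block: 16-char header, optional blocks, opaque body."""
    opts = "".join(f"{bid}{len(data) + 4:02X}{data}" for bid, data in opt_blocks)
    length = 16 + len(opts) + len(body)
    return (f"{version}{length:04d}{key_usage}{algorithm}{mode_of_use}"
            f"{key_version}{exportability}{len(opt_blocks):02d}00{opts}{body}")

def parse_tr31(block: str) -> dict:
    """Split the TR-31 header and optional blocks; the encrypted body stays opaque."""
    if not (block.isascii() and block.isprintable()):
        raise ValueError("TR-31 key block must be printable ASCII")
    if len(block) < 16 or int(block[1:5]) != len(block):
        raise ValueError("bad or truncated TR-31 header length")
    hdr = {"version": block[0], "key_usage": block[5:7], "algorithm": block[7],
           "mode_of_use": block[8], "key_version": block[9:11],
           "exportability": block[11], "optional_blocks": {}}
    pos = 16
    for _ in range(int(block[12:14])):   # number of optional blocks
        bid, blen = block[pos:pos + 2], int(block[pos + 2:pos + 4], 16)
        if blen < 4 or pos + blen > len(block):
            raise ValueError(f"optional block {bid!r} overruns the key block")
        hdr["optional_blocks"][bid] = block[pos + 4:pos + blen]
        pos += blen
    hdr["body"] = block[pos:]
    return hdr

def export_bits(exportability: str, kek_in_x924_block: bool) -> tuple:
    """Table 118: (CV bit 17, CV bit 57) for the imported token, or a rejection."""
    if exportability == "N":
        return 0, 1
    if exportability == "E" and not kek_in_x924_block:
        raise ValueError("'E' block wrapped by a legacy ECB-format KEK: not a trusted key")
    if exportability in ("E", "S"):
        return 1, 0
    raise ValueError(f"unknown exportability {exportability!r}")

def classify_import(block: str, kek_in_x924_block: bool = True) -> dict:
    """Work out CV source and export/key-part bits for one key block."""
    hdr = parse_tr31(block)
    bit17, bit57 = export_bits(hdr["exportability"], kek_in_x924_block)
    # Key component marking: TR-31 key version of the form "cN" (spec convention,
    # assumed here; the notes only say "marked as a key component").
    key_part = int(hdr["key_version"][:1].lower() == "c")
    cv_hex = hdr["optional_blocks"].get(CV_OPT_BLOCK_ID)
    if cv_hex is None:
        source, cv = "none", None
    elif cv_hex in ZERO_CV_DATA:
        source, cv = "zero-cv-data", bytes(16)
    else:
        cv = bytes.fromhex(cv_hex)
        # ATTR-CV blocks carry proprietary usage "10" / mode "1"; otherwise INCL-CV.
        source = "ATTR-CV" if (hdr["key_usage"], hdr["mode_of_use"]) == ("10", "1") else "INCL-CV"
        # One compatibility check as an illustration: the CV's export bit must agree
        # with the block's exportability (ICSF's full CV validation is not modelled).
        if cv_bit(cv, CV_BIT_EXPORT) != bit17:
            raise ValueError("CV export bit conflicts with TR-31 exportability attribute")
    return {"version": hdr["version"], "cv_source": source, "cv": cv,
            "bit17_export": bit17, "bit57_no_tr31_export": bit57, "bit44_key_part": key_part}

def import_accepted(block: str, kek_in_x924_block: bool = True) -> bool:
    """True if classify_import accepts the block, False if it rejects it."""
    try:
        classify_import(block, kek_in_x924_block)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed sample: version B block, exportable under any key ("S"), carrying
    # the single-length DATA CV from the notes; the body is 48 filler hex digits.
    sample = build_tr31("B", "D0", "T", "B", "00", "S",
                        [(CV_OPT_BLOCK_ID, "00007D00030000000000000000000000")], "0" * 48)
    print(sample)
    print(classify_import(sample))
```

The key block length and optional-block lengths are checked before anything is indexed, so a header that claims more optional blocks than are present is rejected rather than read past the end; in production the MAC over the whole block would of course be verified before any of these fields are trusted.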

SAF may be invoked to verify the caller is authorized to use this callable service, the key label, or internal secure key tokens that are stored in the CKDS.

The access control points in the ICSF role that control the general function of this service are:

  • TR31 Import - Permit version A TR-31 key blocks
  • TR31 Import - Permit version B TR-31 key blocks
  • TR31 Import - Permit version C TR-31 key blocks
  • TR31 Import - Permit override of default wrapping method

This table lists the required cryptographic hardware for each server type and describes restrictions for this callable service.

Table 119. TR-31 import required hardware

Server                                            Required cryptographic hardware   Restrictions
IBM eServer zSeries 900                           -                                 This service is not supported.
IBM eServer zSeries 990, IBM eServer zSeries 890  -                                 This service is not supported.
IBM System z9 EC, IBM System z9 BC                -                                 This service is not supported.
IBM System z10 EC, IBM System z10 BC              -                                 This service is not supported.
z196                                              Crypto Express3 Coprocessor       TR-31 key support requires the Sept. 2011 or later LIC.





Copyright IBM Corporation 1990, 2014