z/OS Cryptographic Services ICSF Application Programmer's Guide
Previous topic | Next topic | Contents | Index | Contact z/OS | Library | PDF


Parameters

z/OS Cryptographic Services ICSF Application Programmer's Guide
SA22-7522-16

return_code
Direction: OutputType: Integer

The return code specifies the general result of the callable service. Appendix A. ICSF and TSS Return and Reason Codes lists the return codes.

reason_code
Direction: OutputType: Integer

The reason code specifies the result of the callable service that is returned to the application program. Each return code has different reason codes that indicate specific processing problems. Appendix A. ICSF and TSS Return and Reason Codes lists the reason codes.

exit_data_length
Direction: Input/OutputType: Integer

The length of the data that is passed to the installation exit. The length can be from X'00000000' to X'7FFFFFFF' (2 gigabytes). The data is identified in the exit_data parameter.

exit_data
Direction: Input/OutputType: String
The data that is passed to the installation exit.
input_PIN_encrypting_key_identifier
Direction: Input/OutputType: String

The input PIN-encrypting key (IPINENC) for the PIN_block_in parameter specified as a 64-byte internal key token or a key label. If keyword UKPTIPIN, UKPTBOTH, DUKPT-IP or DUKPT-BH is specified in the rule_array, then the input_PIN_encrypting_key_identifier must specify a key token or key label of a KEYGENKY with the UKPT usage bit enabled.

output_PIN_encrypting_key_identifier
Direction: Input/OutputType: String

The output PIN-encrypting key (OPINENC) for the PIN_block_out parameter specified as a 64-byte internal key token or a key label. If keyword UKPTOPIN, UKPTBOTH, DUKPT-OP or DUKPT-BH is specified in the rule_array, then the output_PIN_encrypting_key_identifier must specify a key token or key label of a KEYGENKY with the UKPT usage bit enabled.

input_PIN_profile
Direction: InputType: Character string

The three 8-byte character elements that contain information necessary to either create a formatted PIN block or extract a PIN from a formatted PIN block. A particular PIN profile can be either an input PIN profile or an output PIN profile depending on whether the PIN block is being enciphered or deciphered by the callable service. See The PIN Profile for additional information.

If you choose the TRANSLAT processing rule (this is not enforced on the PCIXCC, CEX2C, or CEX3C) in the rule_array parameter, the input_PIN_profile and the output_PIN_profile must specify the same PIN block format. If you choose the REFORMAT processing rule in the rule_array parameter, the input PIN profile and output PIN profile can have different PIN block formats. If you specify UKPTIPIN/DUKPT-IP or UKPTBOTH/DUKPT-BH in the rule_array parameter, then the input_PIN_profile is extended to a 48-byte field and must contain the current key serial number. See The PIN Profile for additional information.

The pad digit is needed to extract the PIN from a 3624 or 3621 PIN block in the Encrypted PIN translate callable service with a process rule (rule_array parameter) of REFORMAT. If the process rule is TRANSLAT, the pad digit is ignored.

PAN_data_in
Direction: InputType: Character string

The personal account number (PAN) if the process rule (rule_array parameter) is REFORMAT and the input PIN format is ISO-0 or VISA-4 only. Otherwise, this parameter is ignored. Specify 12 digits of account data in character format.

For ISO-0, use the rightmost 12 digits of the PAN, excluding the check digit.

For VISA-4, use the leftmost 12 digits of the PAN, excluding the check digit.

PIN_block_in
Direction: InputType: String

The 8-byte enciphered PIN block that contains the PIN to be translated.

rule_array_count
Direction: InputType: Integer

The number of process rules specified in the rule_array parameter. The value may be 1, 2 or 3.

rule_array
Direction: InputType: Character string

The process rule for the callable service.

Table 192. Keywords for Encrypted PIN Translate
KeywordMeaning
Processing Rules (required)
REFORMATChanges the PIN format, the contents of the PIN block, and the PIN-encrypting key.
TRANSLATChanges the PIN-encrypting key only. It does not change the PIN format and the contents of the PIN block.
PIN Block Format and PIN Extraction Method (optional)See PIN Block Format and PIN Extraction Method Keywords for additional information and a list of PIN block formats and PIN extraction method keywords.
Note:
If a PIN extraction method is not specified, the first one listed in Table 164 for the PIN block format will be the default.
DUKPT Keywords - Single length key derivation (optional)
UKPTIPINThe input_PIN_encrypting_key_identifier is derived as a single length key. The input_PIN_encrypting_key_identifier must be a KEYGENKY key with the UKPT usage bit enabled. The input_PIN_profile must be 48 bytes and contain the key serial number.
UKPTOPINThe output_PIN_encrypting_key_identifier is derived as a single length key. The output_PIN_encrypting_key_identifier must be a KEYGENKY key with the UKPT usage bit enabled. The output_PIN_profile must be 48 bytes and contain the key serial number.
UKPTBOTHBoth the input_PIN_encrypting_key_identifier and the output_PIN_encrypting_key_identifier are derived as a single length key. Both the input_PIN_encrypting_key_identifier and the output_PIN_encrypting_key_identifier must be KEYGENKY keys with the UKPT usage bit enabled. Both the input_PIN_profile and the output_PIN_profile must be 48 bytes and contain the respective key serial number.
DUKPT Keywords - double length key derivation (optional) - requires May 2004 or later version of Licensed Internal Code (LIC)
DUKPT-IPThe input_PIN_encrypting_key_identifier is derived as a double length key. The input_PIN_encrypting_key_identifier must be a KEYGENKY key with the UKPT usage bit enabled. The input_PIN_profile must be 48 bytes and contain the key serial number.
DUKPT-OPThe output_PIN_encrypting_key_identifier is derived as a double length key. The output_PIN_encrypting_key_identifier must be a KEYGENKY key with the UKPT usage bit enabled. The output_PIN_profile must be 48 bytes and contain the key serial number.
DUKPT-BHBoth the input_PIN_encrypting_key_identifier and the output_PIN_encrypting_key_identifier are derived as a double length key. Both the input_PIN_encrypting_key_identifier and the output_PIN_encrypting_key_identifier must be KEYGENKY keys with the UKPT usage bit enabled. Both the input_PIN_profile and the output_PIN_profile must be 48 bytes and contain the respective key serial number.
output_PIN_profile
Direction: InputType: Character string

The three 8-byte character elements that contain information necessary to either create a formatted PIN block or extract a PIN from a formatted PIN block. A particular PIN profile can be either an input PIN profile or an output PIN profile, depending on whether the PIN block is being enciphered or deciphered by the callable service.

  • If you choose the TRANSLAT processing rule in the rule_array parameter, the input_PIN_profile and the output_PIN_profile must specify the same PIN block format, except on a PCIXCC, CEX2C, or CEX3C.
  • If you choose the REFORMAT processing rule in the rule_array parameter, the input PIN profile and output PIN profile can have different PIN block formats.
  • If you specify UKPTOPIN or UKPTBOTH in the rule_array parameter, then the output_PIN_profile is extended to a 48-byte field and must contain the current key serial number. See The PIN Profile for additional information.
  • If you specify DUKPT-OP or DUKPT-BH in the rule_array parameter, then the output_PIN_profile is extended to a 48-byte field and must contain the current key serial number. See The PIN Profile for additional information.
PAN_data_out
Direction: InputType: Character string

The personal account number (PAN) if the process rule (rule_array parameter) is REFORMAT and the output PIN format is ISO-0 or VISA-4 only. Otherwise, this parameter is ignored. Specify 12 digits of account data in character format.

For ISO-0, use the rightmost 12 digits of the PAN, excluding the check digit.

For VISA-4, use the leftmost 12 digits of the PAN, excluding the check digit.

sequence_number
Direction: InputType: Integer

The sequence number if the process rule (rule_array parameter) is REFORMAT and the output PIN block format is 3621 or 4704-EPP only. Specify the integer value 99999. Otherwise, this parameter is ignored.

PIN_block_out
Direction: OutputType: String

The 8-byte output PIN block that is reenciphered.

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014