z/OS Cryptographic Services ICSF Application Programmer's Guide


Usage Notes

SA22-7522-16

ICSF calls the Security Server (RACF) to check that the caller is authorized both to use the Retained Key Delete service and to use the key label specified in key_label.

Retained private keys are domain-specific. Only the LPAR domain that created a retained private key can delete it with the Retained Key Delete service.

When a Retained key is deleted using the Retained Key Delete service, ICSF records this event in a type 82 SMF record with a subtype of 15.

If the retained key no longer exists in the PCICC, PCIXCC, CEX2C, or CEX3C, but the PKDS record exists and the domain that created the retained key matches the domain of the requestor, ICSF deletes the PKDS record. This situation can occur when the PCICC, PCIXCC, CEX2C, or CEX3C has been zeroized through TKE or the service processor.

If a PKDS record containing the retained key exists but the PCICC, PCIXCC, CEX2C, or CEX3C holding the retained key is not online, ICSF deletes the PKDS record only if the FORCE keyword is specified. The serial number specified in the rule array must be the serial number of the coprocessor on which the retained key was created. The key token in the PKDS record contains this serial number, and ICSF compares the two to verify that the PKDS record can be deleted.

If the retained key exists on the specified PCICC, PCIXCC, CEX2C, or CEX3C but there is no corresponding PKDS record, ICSF deletes the retained key from the coprocessor only if the FORCE keyword is specified.

The Retained Key Delete access control point controls the function of this service.
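The usage notes above amount to a small decision table: which copy of the key (the coprocessor's, the PKDS record, or both) is deleted depends on the RACF checks, the creating domain, whether the coprocessor is online, whether FORCE was specified, and whether the rule-array serial number matches the serial in the PKDS key token. The C program below is an added example, not IBM code and not the callable service itself; it models those rules so the FORCE and serial-number cases can be exercised. The struct layouts, function and outcome names, the serial numbers and the domain numbers are assumptions for illustration; the real service takes a rule array and a key label and reports ICSF return and reason codes rather than these outcome values.

```c
/* Constructed model of the Retained Key Delete usage-note rules.
 * Not IBM code: the structs, names, outcome codes, serial numbers and
 * domain numbers are assumptions for illustration. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum rkd_outcome {
    RKD_NOT_AUTHORIZED,     /* RACF denied the service or the key label */
    RKD_WRONG_DOMAIN,       /* key was created by a different LPAR domain */
    RKD_NOT_FOUND,          /* neither the card nor the PKDS has the key */
    RKD_NEEDS_FORCE,        /* inconsistent state and FORCE not specified */
    RKD_SERIAL_MISMATCH,    /* rule-array serial differs from serial in PKDS token */
    RKD_DELETED_BOTH,       /* key removed from the card and from the PKDS */
    RKD_DELETED_PKDS_ONLY,  /* PKDS record removed (card zeroized or offline) */
    RKD_DELETED_CARD_ONLY   /* key removed from the card (no PKDS record) */
};

struct pkds_record {       /* PKDS record carrying the retained key token */
    bool exists;
    char serial[9];        /* serial of the coprocessor that created the key */
    unsigned domain;       /* domain that created the key */
};

struct coprocessor {       /* a PCICC/PCIXCC/CEX2C/CEX3C */
    char serial[9];
    bool online;
    bool holds_key;        /* retained private key still on the card */
    unsigned key_domain;   /* domain that created it */
};

struct rkd_request {
    bool racf_permits_service;  /* RACF authorization for the service */
    bool racf_permits_label;    /* RACF authorization for key_label */
    unsigned domain;            /* requestor's LPAR domain */
    bool force;                 /* FORCE keyword present in the rule array */
    char serial[9];             /* coprocessor serial given in the rule array */
};

static int g_smf82_15 = 0;               /* type 82 subtype 15 records written */
int smf82_15_count(void) { return g_smf82_15; }
static void write_smf82_15(void) { g_smf82_15++; }

enum rkd_outcome retained_key_delete(const struct rkd_request *req,
                                     struct coprocessor *card,
                                     struct pkds_record *rec)
{
    if (!req->racf_permits_service || !req->racf_permits_label)
        return RKD_NOT_AUTHORIZED;

    /* An offline card cannot be queried, so its key is treated as unreachable. */
    bool on_card = card->online && card->holds_key;
    if (!on_card && !rec->exists)
        return RKD_NOT_FOUND;

    /* Retained keys are domain-specific: only the creating domain may delete. */
    if ((rec->exists && rec->domain != req->domain) ||
        (on_card && card->key_domain != req->domain))
        return RKD_WRONG_DOMAIN;

    if (on_card && rec->exists) {            /* consistent state (assumed path) */
        card->holds_key = false;
        rec->exists = false;
        write_smf82_15();
        return RKD_DELETED_BOTH;
    }

    if (rec->exists) {                       /* PKDS record, but no key on the card */
        if (!card->online) {
            /* Card offline: FORCE is required and the rule-array serial must
             * match the serial stored in the PKDS key token. */
            if (!req->force)
                return RKD_NEEDS_FORCE;
            if (strncmp(req->serial, rec->serial, 8) != 0)
                return RKD_SERIAL_MISMATCH;
        }
        /* Card online but key gone (e.g. zeroized via TKE): no FORCE needed. */
        rec->exists = false;
        write_smf82_15();
        return RKD_DELETED_PKDS_ONLY;
    }

    /* Key on the card, no PKDS record: FORCE is required. */
    if (!req->force)
        return RKD_NEEDS_FORCE;
    card->holds_key = false;
    write_smf82_15();
    return RKD_DELETED_CARD_ONLY;
}

/* Driver for constructed scenarios; serial "93X01234" and domain 1 are made up. */
enum rkd_outcome run_case(bool card_online, bool card_holds_key, bool rec_exists,
                          bool force, const char *req_serial, unsigned req_domain)
{
    struct coprocessor card = { "93X01234", card_online, card_holds_key, 1 };
    struct pkds_record rec = { rec_exists, "93X01234", 1 };
    struct rkd_request req = { true, true, req_domain, force, "" };
    strncpy(req.serial, req_serial, 8);
    return retained_key_delete(&req, &card, &rec);
}

int main(void)
{
    printf("offline card, no FORCE -> %d\n", run_case(false, true, true, false, "93X01234", 1));
    printf("offline card, FORCE, wrong serial -> %d\n", run_case(false, true, true, true, "99Z99999", 1));
    printf("offline card, FORCE, matching serial -> %d\n", run_case(false, true, true, true, "93X01234", 1));
    printf("SMF type 82 subtype 15 records written: %d\n", smf82_15_count());
    return 0;
}
```

The point of the model is the asymmetry in the notes: a record orphaned because the card was zeroized is cleaned up without FORCE, while an unreachable (offline) card or a missing PKDS record requires FORCE, and the offline case additionally binds the request to the creating coprocessor through the serial number carried in the key token.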

This table lists the required cryptographic hardware for each server type and describes restrictions for this callable service.

Table 243. Retained key delete required hardware

Server                      Required cryptographic hardware      Restrictions
IBM eServer zSeries 900     PCI Cryptographic Coprocessor
IBM eServer zSeries 990     PCI X Cryptographic Coprocessor
IBM eServer zSeries 890     Crypto Express2 Coprocessor
IBM System z9 EC            Crypto Express2 Coprocessor
IBM System z9 BC





Copyright IBM Corporation 1990, 2014