Not all CCA platforms may support multiple PCICC, PCIXCC, CEX2C, or CEX3C cards. In the case where only one card is supported, the key_labels field will contain one or more 64-byte entries that each contain a key label of a key retained within the PCICC, PCIXCC, CEX2C, or CEX3C. There will be no 64-byte entry or entries containing a PCICC, PCIXCC, CEX2C, or CEX3C card serial number.

ICSF calls RACF to check authorization to use the Retained Key List service.

ICSF caller must be authorized to the key_label_mask name including the *.

Retained private keys are domain-specific. ICSF lists only those keys that were created by the LPAR domain that issues the Retained Key List request.

The Retained Key List access control point controls the function of this service.

This table lists the required cryptographic hardware for each server type and describes restrictions for this callable service.

Table 244. Retained key list required hardware

Server	Required cryptographic hardware	Restrictions
IBM zSeries 900	PCI Cryptographic Coprocessor
IBM zSeries 990 IBM zSeries 890	PCI X Cryptographic Coprocessor Crypto Express2 Coprocessor
IBM System z9 EC IBM System z9 BC	Crypto Express2 Coprocessor