z/OS Cryptographic Services ICSF Application Programmer's Guide


Parameters

SA22-7522-16

return_code
Direction: Output; Type: Integer

The return code specifies the general result of the callable service. Appendix A. ICSF and TSS Return and Reason Codes lists the return codes.

reason_code
Direction: Output; Type: Integer

The reason code specifies the result of the callable service that is returned to the application program. Each return code has different reason codes assigned to it that indicate specific processing problems. Appendix A. ICSF and TSS Return and Reason Codes lists the reason codes.

exit_data_length
Direction: Ignored; Type: Integer

This field is ignored. It is recommended to specify 0 for this parameter.

exit_data
Direction: Ignored; Type: String

This field is ignored.

rule_array_count
Direction: Input; Type: Integer

The number of keywords you are supplying in rule_array. The value must be 1 or 2.

rule_array
Direction: Input; Type: String

Keywords that provide control information to callable services. The keywords are left-justified in an 8-byte field and padded on the right with blanks. The keywords must be in contiguous storage. Specify one or two of the values in Table 264.

Table 264. Keywords for ICSF Query Service
Keyword    Meaning
Coprocessor (optional) - parameter is ignored for ICSFSTAT.
COPROCxx   Specifies the specific coprocessor to execute the request. xx may be 00 through 63 inclusive. This may be the processor number of any coprocessor. The processor number of any accelerator is not supported.
ANY        Process request on any ACTIVE cryptographic coprocessor. This is the default.
nnnnnnnn   Specifies the 8-byte serial number of the coprocessor to execute the request.
Information to return (required)
ICSFSTAT   Get ICSF related status information.
ICSFST2    Get coprocessor-related basic status information.
NUM-DECT   Get the number of bytes of storage required for the output of a STATDECT request.
STATAES    Get status information on AES enablement and the AES master key registers.
STATCCA    Get CCA-related status information.
STATCCAE   Get CCA-related extended status information.
STATCARD   Get coprocessor-related basic status information.
STATDECT   Get the PIN decimalization tables loaded. The format of the data is shown under the returned_data parameter. The length of the data is 20 bytes per decimalization table. The NUM-DECT option will return the storage required for this option. The maximum length of the data is 2000 bytes.
STATDIAG   Get coprocessor-related basic status information.
STATAPKA   Get status information on ECC enablement and the ECC master key registers.
STATEID    Get coprocessor-related basic status information.
STATEXPT   Get coprocessor-related basic status information.
WRAPMTHD   Get coprocessor-related default configuration setting for the wrapping method.

returned_data_length
Direction: Input/Output; Type: Integer

The length of the returned_data parameter. Currently, the value must be at least eight times the number of elements returned for the rule_array keyword specified. Allow additional space for future enhancements. On output, this field will contain the actual length of the data returned.

returned_data
Direction: Output; Type: String/Integer

This field will contain the output from the service. The format of the output depends on the rule_array keyword. The format of the data is defined in the tables below, which describe the output for each keyword.

When the format is 8-byte elements that contain numbers, those numbers are represented by numeric characters which are left-justified and padded on the right with space characters. For example, a returned_data element which contains the number two will contain the character string '2       '.

For option NUM-DECT, the output is a 4-byte integer.

For ICSFSTAT, the coprocessor keyword is ignored. The output returned_data for the ICSFSTAT keyword is defined in Table 265.

Table 265. Output for option ICSFSTAT
Element 1 - FMID: 8-byte ICSF FMID
Element 2 - ICSF Status Field 1: Status of ICSF
    0  ICSF started
    1  ICSF initialized (CCVINIT is on)
    2  SYM-MK (DES master key) valid (CCVTMK is on)
    3  PKA callable services enabled (see Usage Notes)
Element 3 - ICSF Status Field 2: Status of ICSF
    0  64-bit callers not supported
    1  64-bit callers supported
    2  64-bit callers supported, and a TKDS has been specified for the storage of persistent PKCS #11 objects.
Element 4 - CPACF: CPACF availability
    0  CPACF not available
    1  SHA-1 available only
    2  DES/TDES enabled
    3  SHA-224 and SHA-256 are available
    4  SHA-224 and SHA-256, DES and TDES are available
    7  Encrypted CPACF functions available.
    8  OFB, CFB, and GCM CPACF functions are available.
Element 5 - AES: AES availability for clear keys
    0  AES not available
    1  AES software only
    2  AES-128
    3  AES-192 and AES-256
Element 6 - DSA: DSA algorithm availability
    0  DSA not available
    1  DSA 1024 key size
    2  DSA 2048 key size
Element 7 - RSA Signature: RSA Signature key length
    0  RSA not available
    1  RSA 1024 key size
    2  RSA 2048 key size
    3  RSA 4096 key size
Element 8 - RSA Key Management: RSA Key Management key length
    0  RSA not available
    1  RSA 1024 key size
    2  RSA 2048 key size
    3  RSA 4096 key size
Element 9 - RSA Key Generate: RSA Key Generate
    0  Service not available
    1  Service available - 2048 bit modulus
    2  Service available - 4096 bit modulus
Element 10 - Accelerators: Availability of clear RSA key accelerators (PCICAs)
    0  Not available
    1  At least one available for application use.
Element 11 - Accelerator Key Size: Clear key size supported by Accelerators. There must be at least one Accelerator available for use for this field to contain valid information.
    0  RSA-ME key size of 2048, CRT key size of 2048.
    1  RSA-ME key size of 4096, CRT key size of 4096.
Element 12 - Future Use: Currently blanks

For ICSFST2 the coprocessor rule array keyword is ignored. The output returned_data for the ICSFST2 keyword is defined in Table 266.

Table 266. Output for option ICSFST2
Element 1 - Version: Version of the ICSFST2 returned_data. Initial value is 1. It covers elements 1 through 12.
Element 2 - FMID: 8-byte ICSF FMID.
Element 3 - ICSF Status Field 1: Status of ICSF
    0  PKA callable services disabled
    1  PKA callable services enabled (see Usage Notes)
Element 4 - ICSF Status Field 2: Status of ICSF
    0  PKCS #11 is not available
    1  PKCS #11 is available
Element 5 - ICSF Status Field 3: Status of ICSF
    0  ICSF started
    1  ICSF initialized
    2  AES master key valid
Element 6 - ICSF Status Field 4: Status of ICSF
    0  Secure key AES not available
    1  Secure key AES is available
Element 7 - ICSF Status Field 5: An 8-character numeric character string summarizing the current Key Store Policy.

    The first character in this string indicates if Key Token Authorization Checking controls have been enabled for the CKDS in either warning or fail mode, and, if so, if the Default Key Label Checking control has also been enabled. The numbers that can appear in the first character of this string are:
    0  Key Token Authorization Checking is not enabled for the CKDS.
    1  Key Token Authorization Checking for CKDS is enabled in FAIL mode. Key Store Policy is active for CKDS. Default Key Label Checking is not enabled.
    2  Key Token Authorization Checking for CKDS is enabled in WARN mode. Key Store Policy is active for CKDS. Default Key Label Checking is not enabled.
    3  Key Token Authorization Checking for CKDS is enabled in FAIL mode. Key Store Policy is active for CKDS. Default Key Label Checking is also enabled.
    4  Key Token Authorization Checking for CKDS is enabled in WARN mode. Key Store Policy is active for CKDS. Default Key Label Checking is also enabled.

    The second character in this string indicates if Duplicate Key Token Checking controls have been enabled for the CKDS. The numbers that can appear in the second character of this string are:
    0  Duplicate Key Token Checking is not enabled for the CKDS.
    1  Duplicate Key Token Checking is enabled for the CKDS. Key Store Policy is active for CKDS.

    The third character in this string indicates if Key Token Authorization Checking controls have been enabled for the PKDS in either warning or fail mode, and, if so, if the Default Key Label Checking control has also been enabled. The numbers that can appear in the third character of this string are:
    0  Key Token Authorization Checking is not enabled for the PKDS.
    1  Key Token Authorization Checking for PKDS is enabled in FAIL mode. Key Store Policy is active for PKDS. Default Key Label Checking is not enabled.
    2  Key Token Authorization Checking for PKDS is enabled in WARN mode. Key Store Policy is active for PKDS. Default Key Label Checking is not enabled.
    3  Key Token Authorization Checking for PKDS is enabled in FAIL mode. Key Store Policy is active for PKDS. Default Key Label Checking is also enabled.
    4  Key Token Authorization Checking for PKDS is enabled in WARN mode. Key Store Policy is active for PKDS. Default Key Label Checking is also enabled.

    The fourth character in this string indicates if Duplicate Key Token Checking controls have been enabled for the PKDS. The numbers that can appear in the fourth character of this string are:
    0  Duplicate Key Token Checking is not enabled for the PKDS.
    1  Duplicate Key Token Checking is enabled for the PKDS. Key Store Policy is active for PKDS.

    The fifth character in this string indicates if Granular Key Label Access controls have been enabled in WARN or FAIL mode. The numbers that can appear in the fifth character of this string are:
    0  Granular Key Label Access controls are not enabled.
    1  Granular Key Label Access control is enabled in FAIL mode.
    2  Granular Key Label Access control is enabled in WARN mode.

    The sixth character in this string indicates if Symmetric Key Label Export controls have been enabled for AES and/or DES keys. The numbers that can appear in the sixth character of this string are:
    0  Symmetric Key Label Export controls are not enabled.
    1  Symmetric Key Label Export control is enabled for DES keys only.
    2  Symmetric Key Label Export control is enabled for AES keys only.
    3  Symmetric Key Label Export controls are enabled for both DES and AES keys.

    The seventh character in this string indicates if PKA Key Management Extensions have been enabled in either WARN or FAIL mode, and, if so, whether a SAF key ring or a PKCS #11 token is identified as the trusted certificate repository. (The trusted certificate repository is identified using the APPLDATA field of the CSF.PKAEXTNS.ENABLE profile. If no value is specified in the APPLDATA field, a PKCS #11 token is assumed.) The numbers that can appear in the seventh character of this string are:
    0  Symmetric Key Label Export controls are not enabled.
    1  PKA Key Management Extensions control is enabled in FAIL mode. The trusted certificate repository is a SAF key ring.
    2  PKA Key Management Extensions control is enabled in FAIL mode. The trusted certificate repository is a PKCS #11 token.
    3  PKA Key Management Extensions control is enabled in WARN mode. The trusted certificate repository is a SAF key ring.
    4  PKA Key Management Extensions control is enabled in WARN mode. The trusted certificate repository is a PKCS #11 token.
Element 8 - ICSF Status Field 6: Status of ICSF
    0  ICSF started
    1  ICSF initialized
    2  ECC master key valid, internal keys supported
    3  ECC master key valid, external keys also supported
Element 9 - ICSF Status Field 7: Status of ICSF
    0  ICSF started
    1  ICSF initialized
    2  RSA master key valid
Element 10 - ICSF Status Field 8: Status of ICSF
    0  ICSF started
    1  ICSF initialized
    2  DES master key valid
Element 11 - ICSF Status Field 9: Status of ICSF
    0  PKA callable services disabled.
    1  PKA callable services enabled.
    See Usage Notes for additional information.
Element 12 - Future use: Currently blanks
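
The following is an added example, not code from the ICSF guide or from IBM: it decodes an ICSFST2 returned_data buffer (Table 266) into named fields and expands the 8-character Key Store Policy string of element 7 so that controls left at "not enabled" can be reviewed. The buffer is constructed inline (the FMID value is a placeholder) and is assumed to be EBCDIC code page 037 text, as it would be when returned on z/OS.

```python
# Added example, not ICSF's own code: decode the returned_data buffer that the
# ICSF Query Service returns for the ICSFST2 keyword (Table 266), including the
# 8-character Key Store Policy summary in element 7. A real caller gets the buffer
# from the service; the sample here is constructed and assumed to be EBCDIC (cp037).
ELEMENT_LEN = 8  # every ICSFST2 element is an 8-byte character field

# Element names in Table 266 order (elements 1 through 12).
ICSFST2_NAMES = [
    "version", "fmid", "pka_services", "pkcs11", "aes_master_key",
    "secure_key_aes", "key_store_policy", "ecc_master_key",
    "rsa_master_key", "des_master_key", "pka_services_2", "future_use"]

# Meanings shared by the CKDS and PKDS Key Token Authorization Checking positions.
_KTA = {"0": "not enabled",
        "1": "FAIL mode, Default Key Label Checking not enabled",
        "2": "WARN mode, Default Key Label Checking not enabled",
        "3": "FAIL mode, Default Key Label Checking enabled",
        "4": "WARN mode, Default Key Label Checking enabled"}
_DUP = {"0": "not enabled", "1": "enabled"}

# Characters 1-7 of the Key Store Policy string: (control name, value meanings).
KSP_POSITIONS = [
    ("ckds_key_token_authorization", _KTA),
    ("ckds_duplicate_key_token", _DUP),
    ("pkds_key_token_authorization", _KTA),
    ("pkds_duplicate_key_token", _DUP),
    ("granular_key_label_access",
     {"0": "not enabled", "1": "FAIL mode", "2": "WARN mode"}),
    ("symmetric_key_label_export",
     {"0": "not enabled", "1": "DES keys only", "2": "AES keys only",
      "3": "DES and AES keys"}),
    ("pka_key_management_extensions",
     {"0": "not enabled", "1": "FAIL mode, SAF key ring",
      "2": "FAIL mode, PKCS #11 token", "3": "WARN mode, SAF key ring",
      "4": "WARN mode, PKCS #11 token"})]

def split_elements(returned_data, returned_data_length):
    """Cut the buffer into 8-byte elements, decode EBCDIC, drop the blank padding."""
    if returned_data_length % ELEMENT_LEN or returned_data_length > len(returned_data):
        raise ValueError("returned_data_length is not a whole number of 8-byte elements")
    text = returned_data[:returned_data_length].decode("cp037")
    return [text[i:i + ELEMENT_LEN].rstrip(" ")
            for i in range(0, returned_data_length, ELEMENT_LEN)]

def decode_key_store_policy(ksp):
    """Map the first seven characters of the policy string to named controls."""
    if len(ksp) != 8 or not ksp.isdigit():
        raise ValueError("Key Store Policy must be an 8-character numeric string")
    return {name: meanings.get(ch, "unknown value " + ch)
            for ch, (name, meanings) in zip(ksp, KSP_POSITIONS)}

def parse_icsfst2(returned_data, returned_data_length):
    """Return the ICSFST2 elements by name, with the policy string decoded."""
    elems = split_elements(returned_data, returned_data_length)
    if len(elems) < len(ICSFST2_NAMES):
        raise ValueError("ICSFST2 returns at least 12 elements")
    if elems[0] != "1":  # only the version 1 layout of Table 266 is known here
        raise ValueError("unsupported ICSFST2 version " + elems[0])
    status = dict(zip(ICSFST2_NAMES, elems))
    status["key_store_policy"] = decode_key_store_policy(elems[6])
    return status

def disabled_policy_controls(status):
    """Key Store Policy controls reported as not enabled, for an auditor to review."""
    return [name for name, meaning in status["key_store_policy"].items()
            if meaning == "not enabled"]

# Constructed sample buffer; the FMID value is a placeholder, not a real FMID.
SAMPLE_ICSFST2 = "".join(e.ljust(8) for e in [
    "1", "HCRXXXXX", "1", "1", "2", "1", "10101310", "3", "2", "2", "1", ""]
).encode("cp037")
```

With the sample buffer, parse_icsfst2 reports both Duplicate Key Token Checking controls as not enabled while every other control runs in FAIL mode.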

Table 267. Output for option NUM-DECT
Element 1: The number of bytes required for the output of a STATDECT request. This is the number of decimalization tables loaded times 20 bytes. This is a four-byte binary number.

Table 268. Output for option STATAES
Element 1 - AES NMK Status: State of the AES new master key register
    1  Register is clear
    2  Register contains a partially complete key
    3  Register contains a complete key
Element 2 - AES CMK Status: State of the AES current master key register
    1  Register is clear
    2  Register contains a key
Element 3 - AES OMK Status: State of the AES old master key register
    1  Register is clear
    2  Register contains a key
Element 4 - AES key length enablement: The maximum AES key length that is enabled by the function control vector. The value is 0 (if no AES key length is enabled in the FCV), 128, 192, or 256.

Table 269. Output for option STATCCA
Element 1 - NMK Status: State of the DES New Master Key Register
    1  Register is clear
    2  Register contains a partially complete key
    3  Register contains a complete key
Element 2 - CMK Status: State of the DES Current Master Key Register
    1  Register is clear
    2  Register contains a key
Element 3 - OMK Status: State of the DES Old Master Key Register
    1  Register is clear
    2  Register contains a key
Element 4 - CCA Application Version: A character string that identifies the version of the CCA application program that is running in the coprocessor.
Element 5 - CCA Application Build Date: A character string containing the build date for the CCA application program that is running in the coprocessor.
Element 6 - User Role: A character string containing the Role identifier which defines the host application user's current authority.

Table 270. Output for option STATCCAE
Element 1 - Symmetric NMK Status: State of the DES Symmetric New Master Key Register
    1  Register is clear
    2  Register contains a partially complete key
    3  Register contains a complete key
Element 2 - Symmetric CMK Status: State of the DES Symmetric Current Master Key Register
    1  Register is clear
    2  Register contains a key
Element 3 - Symmetric OMK Status: State of the DES Symmetric Old Master Key Register
    1  Register is clear
    2  Register contains a key
Element 4 - CCA Application Version: A character string that identifies the version of the CCA application program that is running in the coprocessor.
Element 5 - CCA Application Build Date: A character string containing the build date for the CCA application program that is running in the coprocessor.
Element 6 - User Role: A character string containing the Role identifier which defines the host application user's current authority.
Element 7 - Asymmetric NMK Status: State of the RSA Asymmetric New Master Key Register
    1  Register is clear
    2  Register contains a partially complete key
    3  Register contains a complete key
Element 8 - Asymmetric CMK Status: State of the RSA Asymmetric Current Master Key Register
    1  Register is clear
    2  Register contains a key
Element 9 - Asymmetric OMK Status: State of the RSA Asymmetric Old Master Key Register
    1  Register is clear
    2  Register contains a key

Table 271. Output for option STATCARD
Element 1 - Number of installed adapters: The number of active cryptographic coprocessors installed in the machine. This only includes coprocessors that have CCA software loaded (including those with CCA UDX software).
Element 2 - DES hardware level: A numeric character string containing an integer value identifying the version of DES hardware that is on the coprocessor.
Element 3 - RSA hardware level: A numeric character string containing an integer value identifying the version of RSA hardware that is on the coprocessor.
Element 4 - POST Version: A character string identifying the version of the coprocessor's Power-On Self Test (POST) firmware. The first four characters define the POST0 version and the last four characters define the POST1 version.
Element 5 - Coprocessor Operating System Name: A character string identifying the operating system firmware on the coprocessor. Padding characters are blanks.
Element 6 - Coprocessor Operating System Version: A character string identifying the version of the operating system firmware on the coprocessor.
Element 7 - Coprocessor Part Number: A character string containing the eight-character part number identifying the version of the coprocessor.
Element 8 - Coprocessor EC Level: A character string containing the eight-character EC (engineering change) level for this version of the coprocessor.
Element 9 - Miniboot Version: A character string identifying the version of the coprocessor's miniboot firmware. This firmware controls the loading of programs into the coprocessor. The first four characters define the MiniBoot0 version and the last four characters define the MiniBoot1 version.
Element 10 - CPU Speed: A numeric character string containing the operating speed of the microprocessor chip, in megahertz.
Element 11 - Adapter ID (also see element number 15): A unique identifier manufactured into the coprocessor. The coprocessor's Adapter ID is an eight-byte binary value.
Element 12 - Flash Memory Size: A numeric character string containing the size of the flash EPROM memory on the coprocessor, in 64-kilobyte increments.
Element 13 - DRAM Memory Size: A numeric character string containing the size of the dynamic RAM (DRAM) on the coprocessor, in kilobytes.
Element 14 - Battery-Backed Memory Size: A numeric character string containing the size of the battery-backed RAM on the coprocessor, in kilobytes.
Element 15 - Serial Number: A character string containing the unique serial number of the coprocessor. The serial number is factory installed and is also reported by the CLU utility in a coprocessor signed status message.

For STATDECT, the output is a table of up to 100 PIN decimalization tables as shown in the following table. The maximum size is 2000 bytes.

Table 272. Output for option STATDECT
Offset 0 - Number: Numeric character indicating the table number
Offset 3 - State: Character indicating the state of the table
    L  loaded
    A  active
Offset 4 - Table: 16-byte decimalization table
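
The following is an added example, not code from the ICSF guide or from IBM: it shows the two-step NUM-DECT then STATDECT flow, sizing the buffer from the 4-byte NUM-DECT count and then decoding each 20-byte record of Table 272. Both service outputs are constructed inline; the records are assumed to be EBCDIC code page 037 text and the NUM-DECT integer big-endian, as on z/OS, and the check that a table holds 16 decimal digits is this example's own validation.

```python
# Added example, not ICSF's own code: size and parse the STATDECT output (Table
# 272) with the NUM-DECT count. Both buffers a caller would get back from the
# service are constructed inline; the records are assumed to be EBCDIC (cp037)
# text and the NUM-DECT integer big-endian, as on z/OS.
RECORD_LEN = 20   # one table entry: number (3 bytes), state (1 byte), table (16 bytes)
MAX_TABLES = 100  # the service returns at most 100 tables, 2000 bytes
STATES = {"L": "loaded", "A": "active"}

def parse_num_dect(returned_data):
    """Bytes that a STATDECT request needs, as reported by NUM-DECT (tables * 20)."""
    if len(returned_data) < 4:
        raise ValueError("NUM-DECT output is a 4-byte integer")
    needed = int.from_bytes(returned_data[:4], "big")
    if needed % RECORD_LEN or needed > MAX_TABLES * RECORD_LEN:
        raise ValueError("NUM-DECT value %d is not a multiple of 20 up to 2000" % needed)
    return needed

def parse_statdect(returned_data, returned_data_length):
    """Decode each 20-byte record into its table number, state and 16-digit table."""
    if returned_data_length % RECORD_LEN or returned_data_length > MAX_TABLES * RECORD_LEN:
        raise ValueError("STATDECT length must be a multiple of 20 up to 2000 bytes")
    if returned_data_length > len(returned_data):
        raise ValueError("returned_data_length exceeds the buffer")
    tables = []
    for off in range(0, returned_data_length, RECORD_LEN):
        rec = returned_data[off:off + RECORD_LEN].decode("cp037")
        number, state, table = rec[0:3].strip(), rec[3], rec[4:20]
        if not number.isdigit():
            raise ValueError("table number at offset %d is not numeric" % off)
        if state not in STATES:
            raise ValueError("unknown table state %r at offset %d" % (state, off + 3))
        # A decimalization table maps the 16 hex digits to decimal digits, so the
        # 16-byte field should hold only numeric characters; anything else is corrupt.
        if not table.isdigit():
            raise ValueError("decimalization table %s is not 16 decimal digits" % number)
        tables.append({"number": int(number), "state": STATES[state], "table": table})
    return tables

def query_decimalization_tables(num_dect_out, statdect_out):
    """Two-step flow: NUM-DECT says how large the STATDECT buffer must be."""
    needed = parse_num_dect(num_dect_out)
    if len(statdect_out) < needed:
        raise ValueError("STATDECT buffer (%d bytes) is smaller than NUM-DECT requires (%d)"
                         % (len(statdect_out), needed))
    return parse_statdect(statdect_out, needed)

# Constructed sample: table 1 is active, table 2 is loaded (two 20-byte records).
SAMPLE_STATDECT = ("1  A0123456789012345" "2  L9876543210123456").encode("cp037")
SAMPLE_NUM_DECT = (2 * RECORD_LEN).to_bytes(4, "big")
```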

Table 273. Output for option STATDIAG
Element 1 - Battery State: A numeric character string containing a value which indicates whether the battery on the coprocessor needs to be replaced
    1  Battery is good
    2  Battery should be replaced
Element 2 - Intrusion Latch State: A numeric character string containing a value which indicates whether the intrusion latch on the coprocessor is set or cleared
    1  Latch is cleared
    2  Latch is set
Element 3 - Error Log Status: A numeric character string containing a value which indicates whether there is data in the coprocessor CCA error log
    1  Error log is empty
    2  Error log contains data but is not yet full
    3  Error log is full
Element 4 - Mesh Intrusion: A numeric character string containing a value to indicate whether the coprocessor has detected tampering with the protective mesh that surrounds the secure module, indicating a probable attempt to physically penetrate the module
    1  No intrusion detected
    2  Intrusion attempt detected
Element 5 - Low Voltage Detected: A numeric character string containing a value to indicate whether a power supply voltage was under the minimum acceptable level. This may indicate an attempt to attack the security module.
    1  Only acceptable voltages have been detected
    2  A voltage has been detected under the low-voltage tamper threshold
Element 6 - High Voltage Detected: A numeric character string containing a value to indicate whether a power supply voltage was higher than the maximum acceptable level. This may indicate an attempt to attack the security module.
    1  Only acceptable voltages have been detected
    2  A voltage has been detected that is higher than the high-voltage tamper threshold
Element 7 - Temperature Range Exceeded: A numeric character string containing a value to indicate whether the temperature in the secure module was outside of the acceptable limits. This may indicate an attempt to obtain information from the module.
    1  Temperature is acceptable
    2  Detected temperature is outside an acceptable limit
Element 8 - Radiation Detected: A numeric character string containing a value to indicate whether radiation was detected inside the secure module. This may indicate an attempt to obtain information from the module.
    1  No radiation has been detected
    2  Radiation has been detected
Elements 9, 11, 13, 15, 17 - Last Five Commands Run: These five rule-array elements contain the last five commands that were executed by the coprocessor CCA application. They are in chronological order, with the most recent command in element 9. Each element contains the security API command code in the first four characters and the subcommand code in the last four characters.
Elements 10, 12, 14, 16, 18 - Last Five Return Codes: These five rule-array elements contain the SAPI return codes and reason codes corresponding to the five commands in rule-array elements 9, 11, 13, 15, and 17. Each element contains the return code in the first four characters and the reason code in the last four characters.
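
The following is an added example, not code from the ICSF guide or from IBM: it reads the STATDIAG elements of Table 273 the way a monitoring job would, raising an alert for each sensor value the table flags (battery, latch, full error log, and the five tamper indicators) and pairing elements 9 through 18 into a command history with its return and reason codes. The buffer is constructed inline, the command and return code values in it are placeholders rather than real ICSF codes, and the elements are assumed to be EBCDIC code page 037 text, as on z/OS.

```python
# Added example, not ICSF's own code: turn the STATDIAG elements (Table 273) into
# alerts a monitoring job could raise, and pair the last five commands with their
# return and reason codes. The sample buffer is constructed (the command and
# return code values are placeholders, not real ICSF codes) and assumed to be
# EBCDIC (cp037) 8-byte elements, as on z/OS.
ELEMENT_LEN = 8
STATDIAG_ELEMENTS = 18  # elements 1-8 are sensors, 9-18 the command/return-code history

# (element number as in Table 273, value that warrants attention, alert text)
STATDIAG_ALERTS = [
    (1, "2", "battery should be replaced"),
    (2, "2", "intrusion latch is set"),
    (3, "3", "CCA error log is full"),
    (4, "2", "TAMPER: intrusion through the protective mesh detected"),
    (5, "2", "TAMPER: voltage under the low-voltage tamper threshold"),
    (6, "2", "TAMPER: voltage over the high-voltage tamper threshold"),
    (7, "2", "TAMPER: temperature outside the acceptable limit"),
    (8, "2", "TAMPER: radiation detected inside the secure module"),
]

def split_elements(returned_data, returned_data_length):
    """Cut the buffer into raw 8-character elements (padding kept; see Table 273)."""
    if returned_data_length % ELEMENT_LEN or returned_data_length > len(returned_data):
        raise ValueError("returned_data_length is not a whole number of 8-byte elements")
    text = returned_data[:returned_data_length].decode("cp037")
    return [text[i:i + ELEMENT_LEN] for i in range(0, returned_data_length, ELEMENT_LEN)]

def statdiag_alerts(elems):
    """Alert texts for every sensor element whose value warrants attention."""
    if len(elems) < STATDIAG_ELEMENTS:
        raise ValueError("STATDIAG returns 18 elements")
    alerts = []
    for number, bad_value, text in STATDIAG_ALERTS:
        value = elems[number - 1].rstrip(" ")  # numbers are left-justified, blank padded
        if not value.isdigit():
            raise ValueError("element %d is not numeric: %r" % (number, value))
        if value == bad_value:
            alerts.append(text)
    return alerts

def is_tamper_event(alerts):
    """True when any alert came from a physical tamper sensor (elements 4-8)."""
    return any(a.startswith("TAMPER:") for a in alerts)

def last_commands(elems):
    """Elements 9-18 as command/subcommand and return/reason code pairs, most recent first."""
    history = []
    for i in range(8, STATDIAG_ELEMENTS, 2):
        cmd, codes = elems[i], elems[i + 1]
        history.append({"command": cmd[:4], "subcommand": cmd[4:],
                        "return_code": codes[:4], "reason_code": codes[4:]})
    return history

# Constructed sample: battery low, error log partly filled, and a mesh intrusion;
# the command history holds placeholder codes only.
SAMPLE_STATDIAG = "".join(e.ljust(8) for e in [
    "2", "1", "2", "2", "1", "1", "1", "1",
    "CMDA0001", "00000000", "CMDB0002", "00000000", "CMDC0003", "00080001",
    "CMDD0004", "00000000", "CMDE0005", "00000000"]).encode("cp037")
```

A partly filled error log (element 3 value 2) produces no alert here; only the full-log value 3 does, matching the three states Table 273 defines.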

Table 274. Output for option STATEID
Element 1 - EID: During initialization, a value of zero is set in the coprocessor.

Table 275. Output for option STATEXPT
Element 1 - Base CCA Services Availability: A numeric character string containing a value to indicate whether base CCA services are available
    0  Base CCA services are not available
    1  Base CCA services are available
Element 2 - CDMF Availability: A numeric character string containing a value to indicate whether CDMF is available
    0  CDMF encryption is not available
    1  CDMF encryption is available
Element 3 - 56-bit DES Availability: A numeric character string containing a value to indicate whether 56-bit DES encryption is available
    0  56-bit DES encryption is not available
    1  56-bit DES encryption is available
Element 4 - Triple-DES Availability: A numeric character string containing a value to indicate whether triple-DES encryption is available
    0  Triple-DES encryption is not available
    1  Triple-DES encryption is available
Element 5 - SET Services Availability: A numeric character string containing a value to indicate whether SET (Secure Electronic Transaction) services are available
    0  SET Services are not available
    1  SET Services are available
Element 6 - Maximum Modulus for Symmetric Key Encryption: A numeric character string containing the maximum modulus size that is enabled for the encryption of symmetric keys. This defines the longest public-key modulus that can be used for key management of symmetric-algorithm keys.
    0     DSA not available
    1024  DSA 1024 key size
    2048  DSA 2048 key size
    4096  RSA 4096 key size

Table 276. Output for option STATAPKA
Element 1 - ECC NMK status: The state of the ECC new master key register
    1  Register is clear.
    2  Register contains a partially complete key.
    3  Register contains a complete key.
Element 2 - ECC CMK status: The state of the ECC current master key register
    1  Register is clear.
    2  Register contains a key.
Element 3 - ECC OMK status: The state of the ECC old master key register
    1  Register is clear.
    2  Register contains a key.
Element 4 - ECC key length enablement: The maximum ECC curve size that is enabled by the function control vector. The value will be 0 (if no ECC keys are enabled in the FCV) and 521 for the maximum size.

Table 277. Output for option WRAPMTHD
Element 1 - Internal tokens: Default wrapping method for internal tokens
    0  Keys will be wrapped with the original method
    1  Keys will be wrapped with the enhanced X9.24 method
Element 2 - External tokens: Default wrapping method for external tokens
    0  Keys will be wrapped with the original method
    1  Keys will be wrapped with the enhanced X9.24 method

reserved_data_length
Direction: Input; Type: Integer

The length of the reserved_data parameter. Currently, the value must be 0.

reserved_data
Direction: Input; Type: String

This field is currently not used.

Copyright IBM Corporation 1990, 2014