z/OS Cryptographic Services ICSF Application Programmer's Guide


Callable Services for PKA Key Management

SA22-7522-16

ICSF provides these services for PKA key management.

PKA Key Generate Callable Service (CSNDPKG and CSNFPKG)

This service generates a PKA internal token for use with the DSS algorithm in digital signature services. You can then use the PKA public key extract callable service to extract a DSS public key token from the internal key token. This service also supports the generation of RSA keys (on the PCICC, PCIXCC, CEX2C, or CEX3C), and ECC keys (on the CEX3C).

Input to the PKA key generate callable service is either a skeleton key token created by the PKA key token build callable service or a valid key token. Upon examination of the input skeleton key token, the PKA key generate service routes the key generation request as follows:

  • If the skeleton is for a DSS key token, ICSF routes the request to a Cryptographic Coprocessor Feature.
  • If the skeleton is for an RSA key, ICSF routes the request to any available PCICC, PCIXCC, CEX2C, or CEX3C.
  • If the skeleton is for a retained RSA key, ICSF routes the request to a PCICC, PCIXCC, CEX2C, or CEX3C where the key is generated and retained for additional security.
  • If the skeleton is for an ECC key, ICSF routes the request to any available CEX3C.

PKA Key Import Callable Service (CSNDPKI and CSNFPKI)

This service imports a PKA private key, which may be RSA or DSS.

The key token to import can be in the clear or encrypted. The PKA key token build utility creates a clear PKA key token. The PKA key generate callable service generates either a clear or an encrypted PKA key token.

PKA Key Token Build Callable Service (CSNDPKB and CSNFPKB)

The PKA key token build callable service is a utility you can use to create an external PKA key token containing an unenciphered private RSA or DSS key. You can supply this token as input to the PKA key import callable service to obtain an operational internal token containing an enciphered private key. You can also use this service to input a clear unenciphered public ECC, RSA, or DSS key and return the public key in a token format that other PKA services can use directly.

Use this service to build skeleton key tokens for input to the PKA key generate callable service for creation of RSA keys (on the PCICC, PCIXCC, CEX2C, or CEX3C), or ECC keys (on the CEX3C).

PKA Key Token Change Callable Service (CSNDKTC and CSNFKTC)

This service changes PKA key tokens (RSA, DSS, and ECC) or trusted block key tokens from encipherment under the cryptographic coprocessor’s old RSA master key or ECC master key to encipherment under the cryptographic coprocessor’s current RSA master key or ECC master key. This callable service only changes private internal tokens. An active PCICC, PCIXCC, CEX2C, or CEX3C is required.

PKA Key Translate Callable Service (CSNDPKT and CSNFPKT)

This service translates a CCA RSA key token to an external smart card key token. An active CEX2C or CEX3C is required.

PKA Public Key Extract Callable Service (CSNDPKX and CSNFPKX)

This service extracts a PKA public key token from a PKA internal (operational) or external (importable) private key token. It performs no cryptographic verification of the PKA private key token.

Copyright IBM Corporation 1990, 2014