z/OS Cryptographic Services ICSF Application Programmer's Guide


Usage Notes

SA22-7522-16

SAF may be invoked to verify the caller is authorized to use this callable service, the key label, or internal secure key tokens that are stored in the CKDS or PKDS.

System Encryption Algorithm Marks (CCF systems only)

This applies to requests processed on a system with CCFs and only if the request is processed by the CCF. Processing on a PCICC does not cause tokens to be marked.

Internal DATA, IMPORTER and EXPORTER tokens are marked with the system encryption algorithm. No external tokens generated by this service are marked.

When the key form is OP, the token is marked with the system default algorithm. This marking can be overridden by specifying a valid token carrying the required marking in the generated_key_identifier_1 parameter.

When the key form is OPEX or OPIM, the operational token is marked with the markings of the key-encrypting key (KEK_key_identifier_2). This marking can be overridden by specifying a valid token carrying the required marking in the generated_key_identifier_1 parameter.

It is possible to generate an operational DES-marked DATA key on a CDMF-only system or a CDMF-marked DATA key on a DES-only system. However, the Encipher and Decipher callable services fail when you use these keys on the systems where they were generated unless overridden by keyword.

The following table shows the access control points in the ICSF role that control the function of this service.

Table 32. Required access control points for Key Generate

Usage | Access Control Point
------|---------------------
The key-form and key-type combinations shown with an 'X' in the Key_Form OP column in Table 33 | Key Generate - OP
The key-form and key-type combinations shown with an 'X' in the Key_Form IM column in Table 33 | Key Generate - Key set
The key-form and key-type combinations shown with an 'X' in the Key_Form EX column in Table 33 | Key Generate - Key set
The key-form and key-type combinations shown with an 'X' in Table 34 | Key Generate - Key set
The key-form and key-type combinations shown with an 'E' in Table 34 | Key Generate - Key set extended
The SINGLE-R key-length keyword is specified | Key Generate - SINGLE-R

To use a NOCV IMPORTER key-encrypting key with the key generate service, the NOCV KEK usage for import-related functions access control point must be enabled in addition to one or both of the access control points listed.

To use a NOCV EXPORTER key-encrypting key with the key generate service, the NOCV KEK usage for export-related functions access control point must be enabled in addition to one or both of the access control points listed.

Key type and key form combinations

Table 33 shows the valid key type and key form combinations for a single DES or AES key. Key types marked with an "*" must be requested through the specification of a proper control vector in a key token and through the use of the TOKEN keyword.

Note:
Not all keytypes are valid on all hardware. See Table 3.
Table 33. Key Generate Valid Key Types and Key Forms for a Single Key

Key Type 1 | Key Type 2     | OP | IM | EX
-----------|----------------|----|----|----
AESDATA    | Not applicable | X  |    |
AESTOKEN   | Not applicable | X  |    |
DATA       | Not applicable | X  | X  | X
DATAC*     | Not applicable | X  | X  | X
DATAM      | Not applicable | X  | X  | X
MAC        | Not applicable | X  | X  | X
PINGEN     | Not applicable | X  | X  | X

Table 34 shows the valid key type and key form combinations for a DES key pair. Key types marked with an "*" must be requested through the specification of a proper control vector in a key token and through the use of the TOKEN keyword.

Table 34. Key Generate Valid Key Types and Key Forms for a Key Pair

Key Type 1 | Key Type 2 | OPEX | EXEX | OPIM, OPOP, IMIM | IMEX
-----------|------------|------|------|------------------|-----
CIPHER     | CIPHER     | X    | X    | X                | X
CIPHER     | DECIPHER   | X    | X    | X                | X
CIPHER     | ENCIPHER   | X    | X    | X                | X
CVARDEC*   | CVARENC*   | E    | E    |                  |
CVARDEC*   | CVARPINE*  | E    | E    |                  |
CVARENC*   | CVARDEC*   | E    | E    |                  |
CVARENC*   | CVARXCVL*  | E    | E    |                  |
CVARENC*   | CVARXCVR*  | E    | E    |                  |
CVARXCVL*  | CVARENC*   | E    | E    |                  |
CVARXCVR*  | CVARENC*   | E    | E    |                  |
CVARPINE*  | CVARDEC*   | E    | E    |                  |
DATA       | DATA       | X    | X    | X                | X
DATA       | DATAXLAT   | X    | X    |                  | X
DATAC*     | DATAC*     | X    | X    | X                | X
DATAM      | DATAM      | X    | X    | X                | X
DATAM      | DATAMV     | X    | X    | X                | X
DATAXLAT   | DATAXLAT   | X    | X    |                  | X
DECIPHER   | CIPHER     | X    | X    | X                | X
DECIPHER   | ENCIPHER   | X    | X    | X                | X
ENCIPHER   | CIPHER     | X    | X    | X                | X
ENCIPHER   | DECIPHER   | X    | X    | X                | X
EXPORTER   | IKEYXLAT   | X    | X    |                  | X
EXPORTER   | IMPORTER   | X    | X    |                  | X
IKEYXLAT   | EXPORTER   | X    | X    |                  | X
IKEYXLAT   | OKEYXLAT   | X    | X    |                  | X
IMPORTER   | EXPORTER   | X    | X    |                  | X
IMPORTER   | OKEYXLAT   | X    | X    |                  | X
IPINENC    | OPINENC    | X    | X    | E                | X
MAC        | MAC        | X    | X    | X                | X
MAC        | MACVER     | X    | X    | X                | X
OKEYXLAT   | IKEYXLAT   | X    | X    |                  | X
OKEYXLAT   | IMPORTER   | X    | X    |                  | X
OPINENC    | IPINENC    | X    | X    | E                | X
OPINENC    | OPINENC    | X    |      |                  |
PINVER     | PINGEN     | X    | X    |                  | X
PINGEN     | PINVER     | X    | X    |                  | X
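Tables 32, 33 and 34 can be checked mechanically before a request ever reaches ICSF. The following is an added example, not ICSF code or a sample from this guide: it encodes the three tables, including the TOKEN requirement for '*' key types and the separate SINGLE-R access control point, so that an application or an audit script can reject an unsupported key_form/key_type request up front and list the access control points (ACPs) the request will need. The function name check_key_generate and the (ok, ACPs, reason) tuple it returns are this example's own.

```python
# Added example (not ICSF code): encodes Tables 32-34 so a caller can reject an
# unsupported key_form/key_type request before calling CSNBKGN and name the ACPs it needs.
SINGLE = {"AESDATA": {"OP"}, "AESTOKEN": {"OP"}}                # Table 33
SINGLE.update({k: {"OP", "IM", "EX"} for k in ("DATA", "DATAC", "DATAM", "MAC", "PINGEN")})
PAIR_ACP = {"X": "Key Generate - Key set", "E": "Key Generate - Key set extended"}  # Table 32
NEEDS_TOKEN = {"DATAC", "CVARDEC", "CVARENC", "CVARPINE", "CVARXCVL", "CVARXCVR"}  # '*' types

def _row(marks):
    """Expand a Table 34 row; marks are in column order OPEX, EXEX, OPIM/OPOP/IMIM, IMEX."""
    out = {}
    for col, mark in zip(("OPEX", "EXEX", "OPIM", "IMEX"), marks.ljust(4)):
        if mark != " ":
            for form in ({"OPIM", "OPOP", "IMIM"} if col == "OPIM" else {col}):
                out[form] = mark
    return out

PAIR = {}  # Table 34: (key_type_1, key_type_2) -> {key_form: "X" or "E"}
for pairs, marks in (
    ("CIPHER/CIPHER CIPHER/DECIPHER CIPHER/ENCIPHER DATA/DATA DATAC/DATAC DATAM/DATAM "
     "DATAM/DATAMV DECIPHER/CIPHER DECIPHER/ENCIPHER ENCIPHER/CIPHER ENCIPHER/DECIPHER "
     "MAC/MAC MAC/MACVER", "XXXX"),
    ("CVARDEC/CVARENC CVARDEC/CVARPINE CVARENC/CVARDEC CVARENC/CVARXCVL CVARENC/CVARXCVR "
     "CVARXCVL/CVARENC CVARXCVR/CVARENC CVARPINE/CVARDEC", "EE"),
    ("DATA/DATAXLAT DATAXLAT/DATAXLAT EXPORTER/IKEYXLAT EXPORTER/IMPORTER IKEYXLAT/EXPORTER "
     "IKEYXLAT/OKEYXLAT IMPORTER/EXPORTER IMPORTER/OKEYXLAT OKEYXLAT/IKEYXLAT "
     "OKEYXLAT/IMPORTER PINVER/PINGEN PINGEN/PINVER", "XX X"),
    ("IPINENC/OPINENC OPINENC/IPINENC", "XXEX"),
    ("OPINENC/OPINENC", "X"),
):
    for pair in pairs.split():
        PAIR[tuple(pair.split("/"))] = _row(marks)

def check_key_generate(key_form, key_type_1, key_type_2=None,
                       key_length="SINGLE", token_supplied=False):
    """Return (ok, required ACPs, reason) for a Key Generate request."""
    if key_type_2 is None:                          # single key: Table 33
        mark = "X" if key_form in SINGLE.get(key_type_1, ()) else None
        acp = "Key Generate - OP" if key_form == "OP" else "Key Generate - Key set"
    else:                                           # key pair: Table 34
        mark = PAIR.get((key_type_1, key_type_2), {}).get(key_form)
        acp = PAIR_ACP.get(mark)
    if mark is None:
        return False, set(), "combination not listed in Table 33/34"
    if {key_type_1, key_type_2} & NEEDS_TOKEN and not token_supplied:
        return False, set(), "'*' key type needs a control vector via TOKEN"
    acps = {acp}
    if key_length == "SINGLE-R":                    # separate row of Table 32
        acps.add("Key Generate - SINGLE-R")
    return True, acps, "ok"
```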

If you are running with the Cryptographic Coprocessor Feature and the key_form is IMEX, the key_length is SINGLE, and key_type_1 is IPINENC, OPINENC, PINGEN, IMPORTER, or EXPORTER, you must specify the KEK_key_identifier_1 parameter as a NOCV IMPORTER.

If you are running with the Cryptographic Coprocessor Feature and need to use NOCV key-encrypting keys, NOCV-enablement keys must be installed in the CKDS. If you are running with the PCI X Cryptographic Coprocessor, Crypto Express2 Coprocessor, or Crypto Express3 Coprocessor and need to use NOCV key-encrypting keys, you need to enable the NOCV IMPORTER and NOCV EXPORTER access control points.

If you are running with the Cryptographic Coprocessor Feature and need to generate DATAM and DATAMV keys in the importable form, the ANSI system keys must be installed in the CKDS.

Table 35 lists the required cryptographic hardware for each server type and describes restrictions for this callable service.

Table 35. Key generate required hardware

Server: IBM eServer zSeries 900
Required cryptographic hardware: Cryptographic Coprocessor Feature
Restrictions: OPIM is valid on the Cryptographic Coprocessor Feature for key forms DATA/DATA, DATAM/DATAM and MAC/MAC. All other OPIM key forms are routed to the PCI Cryptographic Coprocessor. In key_form and generated_key_identifier_1, marking of data encryption algorithm bits and token copying are only performed if this service is processed on a Cryptographic Coprocessor Feature. In KEK_key_identifier_2, propagation of token markings is only relevant when this service is processed on the Cryptographic Coprocessor Feature. In generated_key_identifier_1, propagation of the NOCV bit is performed only if the service is processed on the Cryptographic Coprocessor Feature.
AKEKs are processed on CCFs.
DATAC is not supported.
Secure AES keys are not supported.

Server: IBM eServer zSeries 900
Required cryptographic hardware: PCI Cryptographic Coprocessor
Restrictions: ICSF routes the request to a PCI Cryptographic Coprocessor if:
  • OPIM key forms are not DATA/DATA, DATAM/DATAM or MAC/MAC.
  • The key type specified in key_type_1 or key_type_2 is not valid for the Cryptographic Coprocessor Feature, or the control vector in a supplied token cannot be processed on the Cryptographic Coprocessor Feature.
  • A key length of SINGLE-R is specified, or a key form of OPIM, OPOP or IMIM is specified.
Tokens are not marked with the system encryption algorithm. The NOCV flag is not propagated to key-encrypting keys.
Secure AES keys are not supported.

Server: IBM eServer zSeries 990, IBM eServer zSeries 890
Required cryptographic hardware: PCI X Cryptographic Coprocessor, Crypto Express2 Coprocessor
Restrictions: Key_type DATAXLAT is not supported.
AKEK key type is not supported.
Secure AES keys are not supported.

Server: IBM System z9 EC, IBM System z9 BC
Required cryptographic hardware: Crypto Express2 Coprocessor
Restrictions: Key_type DATAXLAT is not supported.
AKEK key type is not supported.
Secure AES key support requires the Nov. 2008 or later licensed internal code (LIC).

Copyright IBM Corporation 1990, 2014