Usage Notes
z/OS Cryptographic Services ICSF Application Programmer's Guide, SA22-7522-16
SAF may be invoked to verify that the caller is authorized to use this callable service, the key label, or internal secure key tokens that are stored in the CKDS or PKDS.

System Encryption Algorithm Marks (CCF systems only)

This applies to requests processed on a system with CCFs, and only if the request is processed by the CCF. Processing on a PCICC does not cause tokens to be marked.

Internal DATA, IMPORTER, and EXPORTER tokens are marked with the system encryption algorithm. No external tokens generated by this service are marked.

When the key form is OP, the token is marked with the system default algorithm. This marking can be overridden by specifying a valid token, carrying the required marking, in the generated_key_identifier_1 parameter.

When the key form is OPEX or OPIM, the operational token is marked with the marking of the key-encrypting key (KEK_key_identifier_2). This marking can be overridden by specifying a valid token, carrying the required marking, in the generated_key_identifier_1 parameter.

It is possible to generate an operational DES-marked DATA key on a CDMF-only system, or a CDMF-marked DATA key on a DES-only system. However, the Encipher and Decipher callable services fail when you use these keys on the system where they were generated, unless the check is overridden by keyword.

The following table shows the access control points in the ICSF role that control the function of this service.

To use a NOCV IMPORTER key-encrypting key with the key generate service, the "NOCV KEK usage for import-related functions" access control point must be enabled in addition to one or both of the access control points listed.

To use a NOCV EXPORTER key-encrypting key with the key generate service, the "NOCV KEK usage for export-related functions" access control point must be enabled in addition to one or both of the access control points listed.

Key type and key form combinations

Table 33 shows the valid key type and key form combinations for a single DES or AES key. Key types marked with an "*" must be requested through the specification of a proper control vector in a key token and through the use of the TOKEN keyword.

Note: Not all key types are valid on all hardware. See Table 3.
Table 34 shows the valid key type and key form combinations for a DES key pair. Key types marked with an "*" must be requested through the specification of a proper control vector in a key token and through the use of the TOKEN keyword.
If you are running with the Cryptographic Coprocessor Feature and the key_form is IMEX, the key_length is SINGLE, and key_type_1 is IPINENC, OPINENC, PINGEN, IMPORTER, or EXPORTER, you must specify the KEK_key_identifier_1 parameter as a NOCV IMPORTER.

If you are running with the Cryptographic Coprocessor Feature and need to use NOCV key-encrypting keys, NOCV-enablement keys must be installed in the CKDS.

If you are running with the PCI X Cryptographic Coprocessor, Crypto Express2 Coprocessor, or Crypto Express3 Coprocessor and need to use NOCV key-encrypting keys, you need to enable the NOCV IMPORTER and NOCV EXPORTER access control points.

If you are running with the Cryptographic Coprocessor Feature and need to generate DATAM and DATAMV keys in the importable form, the ANSI system keys must be installed in the CKDS.

Table 35 lists the required cryptographic hardware for each server type and describes restrictions for this callable service.
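The following is an added illustrative model, not ICSF code, of two rules from these usage notes: how a CCF marks the operational token produced by the key generate service (and why a mismatched marking makes Encipher/Decipher fail later), and when an IMEX request on the Cryptographic Coprocessor Feature requires a NOCV IMPORTER in KEK_key_identifier_1. Function names and the string values used for key forms, markings and key types are assumptions chosen for this example.

```python
from typing import Optional

# Hypothetical helper: predicts the CCF marking of the operational token.
# Marking names and key-form strings are taken from the usage notes above.
ALGORITHMS = {"DES", "CDMF"}

def resulting_marking(key_form: str, system_default: str,
                      kek_marking: Optional[str] = None,
                      token_marking: Optional[str] = None) -> Optional[str]:
    """Marking of the operational (internal) token, or None if none is produced.

    OP          -> system default algorithm
    OPEX / OPIM -> marking of the key-encrypting key (KEK_key_identifier_2)
    either case -> overridden by a valid pre-built token with a marking
                   supplied in generated_key_identifier_1
    External tokens (e.g. both halves of IMEX) are never marked.
    """
    if token_marking is not None:            # caller-supplied token wins
        if token_marking not in ALGORITHMS:
            raise ValueError("unknown marking: %s" % token_marking)
        return token_marking
    if key_form == "OP":
        return system_default
    if key_form in ("OPEX", "OPIM"):
        if kek_marking is None:
            raise ValueError("OPEX/OPIM require the marking of KEK_key_identifier_2")
        return kek_marking
    return None                              # only external tokens produced

def encipher_allowed(token_marking: str, system_algorithm: str,
                     override_keyword: bool = False) -> bool:
    """Encipher/Decipher reject a token whose marking differs from the
    system's algorithm unless the caller overrides the check by keyword."""
    return token_marking == system_algorithm or override_keyword

CCF_NOCV_IMPORTER_TYPES = {"IPINENC", "OPINENC", "PINGEN", "IMPORTER", "EXPORTER"}

def imex_needs_nocv_importer(on_ccf: bool, key_form: str,
                             key_length: str, key_type_1: str) -> bool:
    """True when KEK_key_identifier_1 must be a NOCV IMPORTER (CCF only):
    IMEX form, SINGLE length, and one of the listed key types."""
    return (on_ccf and key_form == "IMEX" and key_length == "SINGLE"
            and key_type_1 in CCF_NOCV_IMPORTER_TYPES)
```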
Copyright IBM Corporation 1990, 2014