|
The key forms are defined as follows:
- Operational (OP)
- The key value is enciphered under a master key. The result is
placed into an internal key token. The key is then operational at
the local system.
- Importable (IM)
- The key value is enciphered under an importer key-encrypting
key. The result is placed into an external key token. The corresponding key_encrypting_key_identifier_x parameter
must contain an AES IMPORTER key token or label.
- Exportable (EX)
- The key value is enciphered under an exporter key-encrypting
key. The result is placed into an external key token. The corresponding key_encrypting_key_identifier_x parameter
must contain an AES EXPORTER key token or label.
These tables list the valid key type and key form combinations.
If an AES KEK is used, the strength of the KEK expected
by Key Generate2 depends on the attributes of the key being generated.
The resulting return code and reason code when using a KEK that is
weaker depends on the “Variable-length Symmetric Token - disallow
weak wrap" and “Variable-length Symmetric Token - warn when
weak wrap" access control points:
- If the “disallow" access control point is disabled (the
default), the key strength requirement will not be enforced. Using
a weaker key will result in return code 0 with a non-zero reason code
if the “warn" access control point is enabled. Otherwise,
a reason code of zero will be returned.
- If the “disallow" access control point is enabled (using
TKE), the key strength requirement will be enforced, and attempting
to use a weaker key will result in return code 8.
For AES keys, the AES KEK must be at least as strong
as the key being generated to be considered sufficient strength.
For HMAC keys, the AES KEK must be sufficient strength
as described in the following table.
The following table shows the access control points in the ICSF
role that control the function of this service.
Table 42. Required access control points for Key Generate2| Access Control Point | Function control |
|---|
| Key Generate2 - OP | Key Form OP, EX, IM | | Key Generate2 - Key set | Key Form OPOP, OPIM, IMIM, OPEX, EXEX, IMEX | | Variable-length Symmetric Token - disallow
weak wrap | Prohibit wrapping a key with a weaker key | | Variable-length Symmetric Token - warn when
weak wrap | Issue a non-zero reason code when using a weak
wrapping key | Note that both the “Variable-length Symmetric Token
- disallow weak wrap" and “Variable-length Symmetric Token
- warn when weak wrap" access control points are disabled in
the default role.
This table lists the required cryptographic hardware for each server
type and describes restrictions for this callable service.
Table 43. Key Generate2 required hardware| Server | Required
cryptographic hardware | Restrictions |
|---|
|
IBM  zSeries 900 | | This
service is not supported. | | IBM zSeries 990
IBM zSeries 890 | | This
service is not supported. | | IBM
System z9 EC
IBM System z9 BC | | This
service is not supported. | | IBM System z10 EC
IBM System z10 BC | Crypto
Express2 Coprocessor | This
service is not supported. | | Crypto Express3 Coprocessor | This service is not supported. | | z196 | Crypto Express3 Coprocessor |
AES key support require the Sep.
2011 or later licensed internal code (LIC).
HMAC
key support requires the Nov. 2010 or later licensed internal code
(LIC). |
|
z/OS Cryptographic Services ICSF Application Programmer's Guide
Copyright IBM Corporation 1990, 2014