A key identifier for a PKA key token is a variable-length area (maximum allowed size is 3500 bytes) that contains one of these:

- Key label: identifies keys that are in the PKDS. Ask your ICSF administrator for the key labels that you can use.
- Key token: can be either an internal key token, an external key token, or a null key token. Key tokens are generated by an application (for example, using the PKA key generate callable service), or received from another system that can produce external key tokens.
  - An internal key token can be used only on ICSF, because a PKA master key encrypts the key value. Internal key tokens contain keys in operational form only.
  - An external key token can be exchanged with other systems because a transport key that is shared with the other system encrypts the key value. External key tokens contain keys in either exportable or importable form.
  - A null key token consists of 8 bytes of binary zeros. The PKDS Key Record Create service can be used to write a null token to the PKDS. This PKDS record can subsequently be identified as the target token for the PKA key import or PKA key generate service.

The term key identifier is used when a parameter could be one of the previously discussed items and to indicate that different inputs are possible. For example, you may want to specify a specific parameter as either an internal key token or a key label. The key label is, in effect, an indirect reference to a stored internal key token.
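The following classifier is an added example and is not code from the IBM documentation. It encodes only what the text states (the 3500-byte maximum, the null token as 8 bytes of binary zeros, and a label acting as an indirect reference into the PKDS); the 64-byte blank-padded label syntax and the token identifier bytes 0x1E (internal) and 0x1F (external) are assumptions about ICSF conventions, and the PKDS is simulated by a dictionary.

```python
from __future__ import annotations
from dataclasses import dataclass
import re

MAX_KEY_IDENTIFIER_LEN = 3500   # from the text: maximum size of the area
NULL_KEY_TOKEN = b"\x00" * 8    # from the text: a null key token
KEY_LABEL_LEN = 64              # assumption: ICSF key label field size
TOKEN_ID_INTERNAL = 0x1E        # assumption: PKA internal token identifier byte
TOKEN_ID_EXTERNAL = 0x1F        # assumption: PKA external token identifier byte
# Assumption: labels are blank-padded text from the set A-Z 0-9 # $ @ .
_LABEL_RE = re.compile(rb"^[A-Z0-9#$@.]{1,64} *$")


@dataclass(frozen=True)
class KeyIdentifier:
    kind: str            # "label", "internal_token", "external_token", "null_token"
    label: str | None    # stripped label text when kind == "label", else None


def classify_key_identifier(area: bytes) -> KeyIdentifier:
    """Return which documented form the key identifier area holds."""
    if not 1 <= len(area) <= MAX_KEY_IDENTIFIER_LEN:
        raise ValueError(f"key identifier must be 1..{MAX_KEY_IDENTIFIER_LEN} bytes, got {len(area)}")
    # The null token is the only form the text defines by exact content.
    if area == NULL_KEY_TOKEN:
        return KeyIdentifier("null_token", None)
    # A label is a fixed-size text field (assumed ICSF label syntax).
    if len(area) == KEY_LABEL_LEN and _LABEL_RE.fullmatch(area):
        return KeyIdentifier("label", area.rstrip(b" ").decode("ascii"))
    # Anything else must be a token; the first byte says which flavour.
    if area[0] == TOKEN_ID_INTERNAL:
        return KeyIdentifier("internal_token", None)
    if area[0] == TOKEN_ID_EXTERNAL:
        return KeyIdentifier("external_token", None)
    raise ValueError(f"unrecognised key identifier (first byte 0x{area[0]:02X})")


def resolve_operational_token(area: bytes, pkds: dict[str, bytes]) -> bytes:
    """Follow a label to the token stored in the (simulated) PKDS.

    A record that still holds a null token was created as a target for a
    later PKA key import or generate and carries no usable key yet.
    """
    kid = classify_key_identifier(area)
    token = pkds[kid.label] if kid.kind == "label" else area
    if token == NULL_KEY_TOKEN:
        raise ValueError("record holds a null token: no key has been generated or imported")
    if classify_key_identifier(token).kind != "internal_token":
        raise ValueError("only an internal (operational) token can be used on this system")
    return token
```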