z/OS Cryptographic Services ICSF Application Programmer's Guide


Key Translate2 (CSNBKTR2 and CSNEKTR2)

SA22-7522-16

The Key Translate2 callable service translates the input_key_token parameter in one of several ways:

  • Changes an external DES or variable-length symmetric key token from encipherment under one key-encrypting key to another
  • Changes the wrapping method of an external DES key token
  • Converts an operational AES DATA token (version X'04') to an operational AES CIPHER token (version X'05') or converts an operational AES CIPHER token (version X'05') to an operational AES DATA token (version X'04')

To reencipher a key token, specify the TRANSLAT rule array keyword (the default), the external key token, and the input and output key-encrypting keys. If the input_key_token is a DES key token, you can also specify which key wrapping method to use. If no wrapping method is specified, the system default wrapping method will be used.

To change the wrapping method of an external DES key token, specify the REFORMAT rule array keyword, the key wrapping method to use, the external key token, and the input key-encrypting key. If no wrapping method is specified, the system default wrapping method will be used. The output_KEK_identifier is ignored in this case.

To convert an operational AES DATA token (version X'04') to an operational AES CIPHER token (version X'05') or vice versa, specify the REFORMAT rule array keyword, the operational key token as input_key_token, and either a NULL token or a skeleton token as output_key_token. Both the input_KEK_identifier and the output_KEK_identifier are ignored in this case, because the corresponding lengths must be zero.

Note:
All key labels must be unique.
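The following pre-call check is an added example, not IBM's code, and it does not call ICSF. It applies the TRANSLAT and REFORMAT combinations described above to a token header and builds the rule array. The names ktr2_check and ktr2_plan are hypothetical. The token layout (byte 0 flag, byte 4 version) and the 8-byte blank-padded keyword format are assumptions taken from ICSF conventions, not from this page.

```c
#include <stdio.h>
#include <string.h>
/* Added example. Assumed token layout (ICSF token format tables, not this
   page): byte 0 = X'01' operational, X'02' external; byte 4 = version. */
enum { KTR2_OK, KTR2_BAD_ARG, KTR2_KEK_MISSING, KTR2_KEK_NOT_ZERO,
       KTR2_BAD_WRAP, KTR2_UNSUPPORTED };

typedef struct {
    char rule_array[2][8];  /* 8-byte, blank-padded keywords, no NUL */
    int  rule_count;
    int  out_kek_used;      /* 0: service ignores output_KEK_identifier */
} ktr2_plan;

static void put_kw(ktr2_plan *p, const char *kw) {
    memset(p->rule_array[p->rule_count], ' ', 8);
    memcpy(p->rule_array[p->rule_count++], kw, strlen(kw));
}

/* op: TRANSLAT or REFORMAT; wrap: keyword or NULL; plan valid only on KTR2_OK */
int ktr2_check(const char *op, const unsigned char *tok, size_t tok_len,
               size_t in_kek_len, size_t out_kek_len, const char *wrap,
               ktr2_plan *p) {
    int reformat = strcmp(op, "REFORMAT") == 0;
    memset(p, 0, sizeof *p);
    if (tok_len < 5 || (!reformat && strcmp(op, "TRANSLAT") != 0))
        return KTR2_BAD_ARG;
    int external = tok[0] == 0x02, ver = tok[4];
    int is_des = external && ver != 0x05;   /* X'05' = variable-length */
    if (wrap && (!is_des || strlen(wrap) > 8)) return KTR2_BAD_WRAP;
    put_kw(p, op);
    if (tok[0] == 0x01) {                   /* operational AES DATA/CIPHER */
        if (!reformat || (ver != 0x04 && ver != 0x05)) return KTR2_UNSUPPORTED;
        return (in_kek_len || out_kek_len) ? KTR2_KEK_NOT_ZERO : KTR2_OK;
    }
    if (!external) return KTR2_BAD_ARG;
    if (reformat && !is_des) return KTR2_UNSUPPORTED;  /* not described on the page */
    if (in_kek_len == 0 || (!reformat && out_kek_len == 0)) return KTR2_KEK_MISSING;
    p->out_kek_used = !reformat;
    if (wrap) put_kw(p, wrap);
    return KTR2_OK;
}

int main(void) {
    const unsigned char aes_data[64] = {0x01, 0, 0, 0, 0x04};  /* constructed */
    ktr2_plan p;
    int rc = ktr2_check("REFORMAT", aes_data, sizeof aes_data, 0, 0, NULL, &p);
    printf("rc=%d rule=%.8s\n", rc, p.rule_array[0]);
    return 0;
}
```

Running a check like this before the call catches a nonzero KEK length on an AES DATA/CIPHER conversion, or a wrapping-method keyword supplied with a non-DES token, before the request reaches the service.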





Copyright IBM Corporation 1990, 2014