z/OS Cryptographic Services ICSF Application Programmer's Guide


Key Token

SA22-7522-16

A key token is a variable-length field (maximum allowed size is 3500 bytes) composed of a key value and control information. PKA keys can be either public or private RSA, DSS, or ECC keys. Each key token can be either an internal key token (the first byte of the key identifier is X'1F'), an external key token (the first byte of the key identifier is X'1E'), or a null private key token (the first byte of the key identifier is X'00'). For the format of each token type, refer to Appendix B. Key Token Formats.

An internal key token is a token that can be used only on the ICSF system that created it (or another ICSF system with the same PKA master key). It contains a key that is encrypted under the PKA master key.

An application obtains an internal key token by using one of the callable services, such as the following. The callable services are described in detail in Managing PKA Cryptographic Keys.

  • PKA key generate
  • PKA key import

The PKA Key Token Change callable service can reencipher private internal tokens from encryption under the old ASYM-MK to encryption under the current ASYM-MK. PKDS Reencipher/Activate options are available to reencipher RSA, DSS and ECC internal tokens in the PKDS when the SMK/ASYM-MK keys are changed.

PKA master keys may not be changed dynamically.

For debugging information, see Appendix B. Key Token Formats for the format of an internal key token.

If the first byte of the key identifier is X'1E', the key identifier is interpreted as an external key token. An external PKA key token contains a key (possibly encrypted) and control information. By using the external key token, you can exchange keys between systems.

An application obtains the external key token by using one of the callable services, such as the following. They are described in detail in Managing PKA Cryptographic Keys.

  • PKA public key extract
  • PKA key token build
  • PKA key generate

For debugging information, see Appendix B. Key Token Formats for the format of an external key token.

If the first byte of the key identifier is X'00', the key identifier is interpreted as a null key token.

For debugging information, see Appendix B. Key Token Formats for the format of a null key token.
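As an added example (not IBM's or ICSF's code), the following Python applies the first-byte rule described above to classify a key identifier, enforces the 3500-byte maximum, and flags internal tokens as bound to the local PKA master key. Everything past byte 0 of the sample tokens is constructed filler; the real field layouts are in Appendix B.

```python
"""Added example, not IBM's code: classify an ICSF PKA key identifier by
its first byte. Bytes after byte 0 in the samples are constructed filler;
real token layouts are documented in Appendix B, Key Token Formats."""
from dataclasses import dataclass

MAX_TOKEN_LEN = 3500          # maximum key token size stated on this page

# First byte of the key identifier -> token class
TOKEN_TYPES = {
    0x1F: "internal",   # encrypted under this system's PKA master key
    0x1E: "external",   # usable for key exchange between systems
    0x00: "null",       # null private key token
}

@dataclass(frozen=True)
class TokenInfo:
    kind: str
    usable_off_system: bool   # False when the token is tied to the local ASYM-MK

def classify_pka_token(token: bytes) -> TokenInfo:
    """Return the token class, rejecting identifiers ICSF would not accept."""
    if not token:
        raise ValueError("empty key identifier")
    if len(token) > MAX_TOKEN_LEN:
        raise ValueError(f"token is {len(token)} bytes; maximum is {MAX_TOKEN_LEN}")
    kind = TOKEN_TYPES.get(token[0])
    if kind is None:
        raise ValueError(f"unknown token type byte X'{token[0]:02X}'")
    # Only internal tokens are usable solely on the ICSF system that created
    # them (or another system sharing the same PKA master key).
    return TokenInfo(kind=kind, usable_off_system=(kind != "internal"))

def audit_tokens(tokens):
    """Summarise a batch of key identifiers an application holds: counts per
    token class plus (index, reason) for every identifier that was rejected."""
    counts = {"internal": 0, "external": 0, "null": 0}
    rejected = []
    for idx, tok in enumerate(tokens):
        try:
            counts[classify_pka_token(tok).kind] += 1
        except ValueError as exc:
            rejected.append((idx, str(exc)))
    return counts, rejected

if __name__ == "__main__":
    # Constructed sample identifiers (type byte + filler), not real tokens.
    sample = [b"\x1F" + b"\x00" * 63, b"\x1E" + b"\x00" * 31, b"\x00" * 8,
              b"\x01" + b"\x00" * 7, b"\x1E" + b"\x00" * 3500]
    print(audit_tokens(sample))
```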

Copyright IBM Corporation 1990, 2014