Reason codes for return code 8 (8)

Table 1 lists reason codes returned from callable services that give return code 8.

Most of these reason codes indicate that the call to the service was unsuccessful. No cryptographic processing took place. Therefore, no output parameters were filled. Exceptions to this are noted in the descriptions.

Table 1. Reason codes for return code 8 (8)
Reason Code Hex (Decimal) Description
00C (12) A key identifier was passed to a service or token. It is checked in detail to ensure that it is a valid token, and that the fields within it are valid values. There is a token validation value (TVV) in the token, which is a non-cryptographic value. This value was again computed from the rest of the token, and compared to the stored TVV. If these two values are not the same, this reason code is returned.

User action: The contents of the token have been altered after it was created by ICSF or TSS. Review your program to see how this could have been caused.

016 (22) The ID number in the request field is not valid. The PAN data or transaction information is incorrect.
017 (23) Offset length not correct for data to be inserted.
018 (24) A key identifier was passed to a service. The master key verification pattern in the token shows that the key was created with a master key that is neither the current master key nor the old master key. Therefore, it cannot be reenciphered to the current master key.

User action: Re-import the key from its importable form (if you have it in this form), or repeat the process you used to create the operational key form. If you cannot do one of these, you cannot repeat any previous cryptographic process that you performed with this token.

REASONCODES: ICSF 2714 (10004)

019 (25) A length parameter has an incorrect value. The value in the length parameter could have been zero (when a positive value was required) or a negative value. If the supplied value was positive, it could have been larger than your installation's defined maximum, or for MDC generation with no padding, it could have been less than 16 or not an even multiple of 8.

User action: Check the length you specified. If necessary, check your installation's maximum length with your ICSF administrator. Correct the error.

01D (29) A key identifier was passed to a service or token. It is checked in detail to ensure that it is a valid token, and that the fields within it are valid values. There is a token validation value (TVV) in the token, which is a non-cryptographic value. This value was again computed from the rest of the token, and compared to the stored TVV. If these two values are not the same, this reason code is returned.

User action: The contents of the token have been altered after it was created by ICSF or TSS. Review your program to see how this could have been caused.

REASONCODES: ICSF 2710 (10000)

01E (30) A key label was supplied for a key identifier parameter. This label is the label of a key in the in-storage CKDS or PKDS. A key record with that label (and the specific type if required by the ICSF callable service) could not be found. For a retained key label, this error code is also returned if the key is not found in the CCA coprocessor specified in the PKDS record.

User action: Check with your administrator if you believe that this key should be in the in-storage CKDS or the PKDS. The administrator may be able to bring it into storage. If this key cannot be in storage, use a different label.

REASONCODES: ICSF 271C (10012)

01F (31) The control vector did not specify a DATA key. The key may be a CIPHER key which does not have the XPRTCPAC bit set in the control vector.

REASONCODES: ICSF 272C (10028)

020 (32) You called the CKDS key record create callable service, but the key_label parameter syntax was incorrect.

User action: Correct key_label syntax.

REASONCODES: ICSF 3EA0 (16032)

021 (33) The rule_array parameter contents or a parameter value is not correct.

User action: Refer to the rule_array parameter described in this publication under the appropriate callable service for the correct value.

REASONCODES: ICSF 7E0 (2016)

022 (34) A rule_array keyword combination is not valid or a keyword is specified that conflicts with another parameter.

REASONCODES: ICSF 7E0 (2016)

023 (35) The rule_array_count parameter contains a number that is not valid.

User action: Refer to the rule_array_count parameter described in this publication under the appropriate callable service for the correct value.

REASONCODES: ICSF 7DC (2012)

027 (39) A control vector violation occurred.

REASONCODES: This reason code also corresponds to these ICSF reason codes: 272C (10028), 2730 (10032), 2734 (10036), 2744 (10052), 2768 (10088), 278C (10124), 3E90 (16016), 2724 (10020).

028 (40) The service code does not contain numerical data.

REASONCODES: ICSF BE0 (3040)

029 (41) The key_form parameter is neither IM nor OP. Most constants, these included, can be supplied in lowercase or uppercase. Note that this parameter is 4 bytes long, so the 2-character value IM or OP on its own is not valid; it must be padded on the right with blanks.

User action: Review the value provided and change it to IM or OP, as required.

02A (42) The expiration date is not numeric (X'F0' through X'F9'). The parameter must be character representations of numerics or hexadecimal data.

User action: Review the numeric parameters or fields required in the service that you called and change to the format and values required.

REASONCODES: ICSF BE0 (3040)

02B (43) The value specified for the key_length parameter of the key generate callable service is not valid.

User action: Review the value provided and change it as appropriate.

REASONCODES: See also the ICSF reason code 80C (2060) or 2710 (10000) for additional information.

02C (44) The CKDS key record create callable service requires that the key created not already exist in the CKDS. A key of the same label was found.

User action: Make sure the application specifies the correct label. If the label is correct, contact your ICSF security administrator or system programmer.

02D (45) An input character is not in the code table.

User action: Correct the code table or the source text.

02F (47) A source key token is unusable because it contains data that is not valid or undefined.

REASONCODES: This reason code also corresponds to these ICSF reason codes: 83C (2108), 2754 (10068), 2758 (10072), 275C (10076), 2AFC (11004), 2B04 (11012), 2B08 (11016), 2B10 (11024). See those reason codes for additional information.

030 (48) One or more keys has a master key verification pattern that is not valid.

This reason code also corresponds to these ICSF reason codes: 2714 (10004) and 2B0C (11020). See those reason codes for additional information.

031 (49) Key identifiers contain a version number. The version number in a supplied key identifier (internal or external) is inconsistent with one or more fields in the key identifier, making the key identifier unusable.

User action: Use a token containing the required version number.

REASONCODES: ICSF 2738 (10040)

033 (51) The encipher and decipher callable services sometimes require text (plaintext or ciphertext) to have a length that is an exact multiple of 8 bytes. Padding schemes always create ciphertext with a length that is an exact multiple of 8. If you want to decipher ciphertext that was produced by a padding scheme, and the text length is not an exact multiple of 8, then an error has occurred. The CBC mode of enciphering requires a text length that is an exact multiple of 8.

The value that the text_length parameter specifies is not a multiple of the cryptographic algorithm block length.

User action: Review the requirements of the service you are using. Either adjust the text you are processing or use another process rule.

038 (56) The master key verification pattern in the OCV is not valid.
03D (61) The keyword supplied with the key_type parameter is not valid.

REASONCODES: This reason code also corresponds to these ICSF reason codes: 2720 (10016), 2740 (10048), 274C (10060). See those reason codes for additional information.

03E (62) The source key was not found.

REASONCODES: ICSF 271C (10012)

03F (63) This check is based on the first byte in the key identifier parameter. The key identifier provided is either an internal token, where an external or null token was required; or an external or null token, where an internal token was required. The token provided may be none of these, and, therefore, the parameter is not a key identifier at all. Another cause is specifying a key_type of IMP-PKA for a key in importable form.

User action: Check the type of key identifier required and review what you have provided. Also check that your parameters are in the required sequence.

REASONCODES: ICSF 7F8 (2040)

040 (64) The supplied key is not permitted to perform the requested operation. Probable causes are:

  • The private key can be used only for digital signature. Key management services are disallowed.
  • This service requires an RSA private key that is translatable. The specified key may not be used in the PKA Key Translate callable service.
  • The private key restricts the signature formatting rule it can be used with and the rule array indicates a different formatting rule.

User action: Supply a private key with the correct key usage for the service.

041 (65) The RSA public or private key specified a modulus length that is incorrect for this service.

User action: Re-invoke the service with an RSA key with the proper modulus length.

REASONCODES: ICSF 2B18 (11032) and 2B58 (11096)

042 (66) The recovered encryption block was not a valid PKCS-1.2 or zero-pad format. (The format is verified according to the recovery method specified in the rule-array.) If the recovery method specified was PKCS-1.2, refer to PKCS-1.2 for the possible error in parsing the encryption block.

User action: Ensure that the parameters passed to CSNDSYI or CSNFSYI are correct. Possible causes for this error are incorrect values for the RSA private key or incorrect values in the RSA_enciphered_key parameter, which must be formatted according to PKCS-1.2 or zero-pad rules when created.

REASONCODES: ICSF 2B20 (11040)

043 (67) DES or RSA encryption failed.
044 (68) DES or RSA decryption failed.
046 (70) Identifier tag for optional block is invalid: conflicts with IBM reserved tag, is a duplicate to a tag already found, is bad in combination with a tag already found when parsing a section of optional blocks, or is otherwise invalid.

User action: Check the TR-31 key block header for correctness.

048 (72) The value specified for length parameter for a key token, key, or text field is not valid.

User action: Correct the appropriate length field parameter.

REASONCODES: This reason code also corresponds to these ICSF reason codes: 2AF8 (11000) and 2B14 (11028). See those reason codes for additional information.

05A (90) Access is denied for this request. Either an access control point in the domain role is disabled, or an access control point is enabled that restricts the use of a parameter such as a rule array keyword.

User action: Check the reference information for the callable service to determine which access control points are involved in the request. Contact the ICSF administrator to determine if the access control points are in the correct state. The access control points can be enabled/disabled using the TKE workstation.

064 (100) A request was made to the Clear PIN generate or Encrypted PIN verify callable service, and the PIN_length parameter has a value outside the valid range. The valid range is from 4 to 16, inclusive.

User action: Correct the value in the PIN_length parameter to be within the valid range from 4 to 16.

REASONCODES: ICSF BBC (3004)

065 (101) A request was made to the Clear PIN generate callable service, and the PIN_check_length parameter has a value outside the valid range. The valid range is from 4 to 16, inclusive.

User action: Correct the value in the PIN_check_length parameter to be within the valid range from 4 to 16.

REASONCODES: ICSF BC0 (3008)

066 (102) The value of the decimalization table is not valid.

REASONCODES: ICSF BE0 (3040)

067 (103) The value of the validation data is not valid.

REASONCODES: ICSF BE0 (3040)

068 (104) The value of the customer-selected PIN is not valid or the PIN length does not match the value specified.

REASONCODES: ICSF BE0 (3040)

069 (105) The trans_sec_parm field in the data_array parameter is not valid. The key index may be incorrect.

User action: Correct the value in the key index, held within the trans_sec_parm field, to hold a number from the valid range.

REASONCODES: ICSF BC4 (3012)

06A (106) A request was made to the Encrypted PIN Translate or the Encrypted PIN verify callable service, and the PIN block value in the input_PIN_profile or output_PIN_profile parameter has a value that is not valid.

User action: Correct the PIN block value.

06B (107) A request was made to the Encrypted PIN Translate callable service and the format control value in the input_PIN_profile or output_PIN_profile parameter has a value that is not valid. The only valid value is NONE.

User action: Correct the format control value to NONE.

06C (108) The value of the PAD data is not valid.

REASONCODES: ICSF BC8 (3016)

06D (109) The extraction method keyword is not valid.
06E (110) The value of the PAN data is not valid.

REASONCODES: ICSF BE0 (3040)

06F (111) A request was made to the Encrypted PIN Translate callable service. The sequence_number parameter was required, but was not the integer value 99999.

User action: Specify the integer value 99999.

074 (116) The supplied PIN value is incorrect.

User action: Correct the PIN value.

REASONCODES: ICSF BBC (3004)

079 (121) The source_key_identifier or inbound_key_identifier you supplied is not a valid string.

User action: In the PKA key generate service, an invalid exponent or modulus length was specified.

07A (122) The outbound_KEK_count or inbound_KEK_count you supplied is not a valid ASCII hexadecimal string.

User action: Check that you specified a valid ASCII hexadecimal string for the outbound_KEK_count or inbound_KEK_count parameter.

081 (129) A required rule array keyword was not specified.

User action: Refer to the rule_array parameter described in this publication under the appropriate callable service for the correct value.

09A (154) This check is based on the first byte in the key identifier parameter. The key identifier provided is either an internal token, where an external or null token was required; or an external or null token, where an internal token was required. The token provided may be none of these, and, therefore, the parameter is not a key identifier at all. Another cause is specifying a key_type of IMP-PKA for a key in importable form.

User action: Check the type of key identifier required and review what you have provided. Also check that your parameters are in the required sequence.

REASONCODES: ICSF 7F8 (2040)

09B (155) The value that the generated_key_identifier parameter specifies is not valid, or it is not consistent with the value that the key_form parameter specifies.
09C (156) A keyword is not valid with the specified parameters.

REASONCODES: ICSF 2790 (10128)

09D (157) The rule_array parameter contents are incorrect.

User action: Refer to the rule_array parameter described in this publication under the appropriate callable service for the correct value.

REASONCODES: ICSF 7E0 (2016)

09F (159) A parameter requires a rule array keyword that is not specified.

User action: Refer to the rule_array parameter described in this publication under the appropriate callable service for the correct value.

0A0 (160) The key_type and the key_length are not consistent.

User action: Review the key_type parameter provided and match it with the key_length parameter.

0A2 (162) A request was made to the Remote Key Export callable service, and the certificate_parms parameter contains incorrect values. One or more of the offsets and/or lengths for the modulus, public exponent, and/or digital signature would indicate overlap between two or all three of the fields within the certificate parameter.

User action: Correct the values in the certificate_parms parameter to indicate the actual offsets and lengths of the modulus, public exponent, and digital signature within the certificate parameter.

0A4 (164) Two parameters (perhaps the plaintext and ciphertext areas, or text_in and text_out areas) overlap each other. That is, some part of these two areas occupies the same address in memory. This condition cannot be processed.

User action: Determine which two areas are responsible, and redefine their positions in memory.

0A5 (165) The contents of a chaining vector passed to a callable service are not valid. If you called the MAC Generate callable service, or the MDC Generate callable service with a MIDDLE or LAST segmenting rule, the count field has a number that is not valid. If you called the MAC verification callable service, then this will have been a MIDDLE or LAST segmenting rule.

User action: Check to ensure that the chaining vector is not modified by your program. The chaining vector returned by ICSF should only be used to process one message set, and not intermixed between alternating message sets. This means that if you receive and process two or more independent message streams, each should have its own chaining vector. Similarly, each message stream should have its own key identifier.

If you use the same chaining vector and key identifier for alternating message streams, you will not get the correct processing performed.

REASONCODES: ICSF 7F4 (2036)

0B4 (180) A null key token was passed in the key identifier parameter. When the key type is TOKEN, a valid token is required.

User action: Supply a valid token to the key identifier parameter.

0B5 (181) This check is based on the first byte in the key identifier parameter. The key identifier provided is either an internal token, where an external or null token was required; or an external or null token, where an internal token was required. The token provided may be none of these, and, therefore, the parameter is not a key identifier at all. Another cause is specifying a key_type of IMP-PKA for a key in importable form.

User action: Check the type of key identifier required and review what you have provided. Also check that your parameters are in the required sequence.

This reason code also corresponds to these ICSF reason codes: 7F8 (2040), 2B24 (11044) and 3E98 (16024). See those reason codes for additional information.

0B7 (183) A cross-check of the control vector the key type implies has shown that it does not correspond with the control vector present in the supplied internal key identifier.

User action: Change either the key type or key identifier.

REASONCODES: ICSF 273C (10044)

0B8 (184) An input pointer is null.
0C7 (199) The public exponent in the RSA public key is not valid.

User action: If you created a skeleton token using the CSNDPKB service, correct the key value structure and rerun the CSNDPKB service. If you are using a key generated on another system, the key cannot be used with ICSF.

0CC (204) A memory allocation failed.
14F (335) The requested function is not implemented on the coprocessor.
154 (340) One of the input control vectors has odd parity.
157 (343) Either the data block or the buffer for the block is too small.
159 (345) Insufficient storage space exists for the data in the data block buffer.
15A (346) The requested command is not valid in the current state of the cryptographic hardware component.
176 (374) Less data was supplied than expected or less data exists than was requested.

REASONCODES: ICSF 7D4 (2004) and ICSF 7E0 (2016)

181 (385) The cryptographic hardware component reported that the data passed as part of the command is not valid for that command.
197 (407) A PIN block consistency check error occurred.

REASONCODES: ICSF BC8 (3016)

1B9 (441) One or more input parameters indicates the key to be processed should be partial, but the key is not partial according to the CV or other control bits of the key.

User action: Check that the partial key option of any input parameters is consistent with the partial key setting of any key tokens being used.

1BA (442) A DES key with the control vector form bits indicating unique key parts has replicated key parts.

User action: This key cannot be used with ICSF. Contact your ICSF administrator.

25D (605) The number of output bytes is greater than the number that is permitted.
2BF (703) A new master key value was found to be one of the weak DES keys.
2C0 (704) The new master key would have the same master key verification pattern as the current master key.
2C1 (705) The same key-encrypting key was specified for both exporter keys.
2C2 (706) While deciphering ciphertext that had been created using a padding technique, it was found that the last byte of the plaintext did not contain a valid count of pad characters.

Note that some cryptographic processing has taken place, and the clear_text parameter may contain some or all of the deciphered text.

User action: The text_length parameter was not reduced. Therefore, it contains the length of the base message, plus the length of the padding bytes and the count byte. Review how the message was padded prior to being enciphered. The count byte that is not valid was created prior to the message's encipherment.

You may need to check whether the ciphertext was not created using a padding scheme. Otherwise, check with the creator of the ciphertext on the method used to create it. You could also look at the plaintext to review the padding scheme used, if any.

REASONCODES: ICSF 7EC (2028)

2C3 (707) The master key registers are not in the state required for the requested function.

User action: Contact your ICSF administrator.

2CA (714) A reserved parameter was not a null pointer or an expected value.

REASONCODES: ICSF 844 (2116)

2CB (715) A parameter was specified with a non-zero value. For example:

  • Key Token Build: The value of the master_key_version_number parameter must be zero when the KEY keyword is specified.
  • Key Token Build: The value of the pad_character parameter must be zero when building a MAC token.
  • DK PIN Change: The value of the script_initialization_vector parameter must be zero.
  • Recover PIN from Offset: The reserved_1 field must be zero.

User action: Check that you specified the valid value for the parameter.

REASONCODES: ICSF 834 (2100)

2CF (719) The RSA-OAEP block did not verify when it decomposed. The block type is incorrect (must be X'03').

User action: Re-create the RSA-OAEP block.

REASONCODES: ICSF 2B38 (11064)

2D0 (720) The RSA-OAEP block did not verify when it decomposed. The random number I is not correct (must be non-zero with the high-order bit equal to zero).

User action: Re-create the RSA-OAEP block.

REASONCODES: ICSF 2B40 (11072)

2D1 (721) The RSA-OAEP block did not verify when it decomposed. The verification code is not correct (must be all zeros).

User action: Re-create the RSA-OAEP block.

REASONCODES: ICSF 2B3C (11068)

2F8 (760) The RSA public or private key specified a modulus length that is incorrect for this service.

User action: Re-invoke the service with an RSA key with the proper modulus length.

REASONCODES: ICSF 2B48 (11080)

302 (770) A reserved field in a parameter, probably a key identifier, has a value other than zero.

User action: Key identifiers should not be changed by application programs for other uses. Review any processing you are performing on key identifiers and leave the reserved fields in them at zero.

This reason code also corresponds to these ICSF reason codes: 7E8 (2024) and 2B00 (11008). See those reason codes for additional information.

REASONCODES: ICSF 2B00 (11008)

309 (777) The authentication data or its length is not valid.

User action: Correct the authorization data parameters.

30F (783) The command is not permitted by the function's control vector value.

REASONCODES: ICSF Return code 12, reason code 2B0C (11020)

335 (0821) The subject distinguished name (SDN) provided is either missing, malformed, or of invalid length.

User action: Correct the SDN value and retry the function.

336 (0822) The issuer distinguished name (IDN) provided is either missing, malformed, or of invalid length.

User action: Correct the IDN value and retry the function.

337 (0823) The serial number provided is either unexpected, missing, malformed, or of invalid length.

User action: Correct the serial number value and retry the function.

339 (0825) The extension data provided is either unexpected, missing, malformed, or of invalid length.

User action: Correct the extension data and retry the function.

33A (0826) The validity (notBefore/notAfter) expiration days value provided is either unexpected, missing, or out of range.

User action: Correct the validity value and retry the function.

33B (0827) The pathLenConstraint value provided is either unexpected, missing, or out of range.

User action: Correct the pathLenConstraint value and retry the function.

33D (0829) Error in GSK/SSL/ASN.1 processing.

User action: Contact the IBM Support Center.

33E (0830) ASN.1 DER encoding error detected in input data. More data was expected, but none was found.

User action: Correct the ASN.1 DER encoded input.

33F (0831) ASN.1 DER encoding error detected in an input value. A length value is not valid.

User action: Correct the ASN.1 DER encoded input.

341 (0833) ASN.1 DER encoding error detected in an input value. An attribute value separator is missing.

User action: Correct the ASN.1 DER encoded input.

342 (0834) ASN.1 DER encoding error detected in an input value. An unknown attribute identifier was found.

User action: Correct the ASN.1 DER encoded input.

343 (0835) ASN.1 DER encoding error detected in an input value. An object identifier syntax error was found.

User action: Correct the ASN.1 DER encoded input.

345 (0837) ASN.1 DER encoding error detected in an input value. A validity interval is not valid.

User action: Correct the ASN.1 DER encoded input.

346 (0838) ASN.1 DER encoding error detected in an input value. Error in ASN.1 processing. X.500 name syntax error.

User action: Correct the ASN.1 DER encoded input.

347 (0839) ASN.1 DER encoding error detected in an input value. An unexpected data type was found.

User action: Correct the ASN.1 DER encoded input.

349 (0841) ASN.1 DER encoding error detected in an input value. A character string cannot be converted.

User action: Correct the ASN.1 DER encoded input.

34A (0842) ASN.1 DER encoding error detected in an input value. Indefinite-length encoding was encountered, but is not supported.

User action: Correct the ASN.1 DER encoded input.

34B (0843) ASN.1 DER encoding error detected in an input value. A data element must be constructed, but is not.

User action: Correct the ASN.1 DER encoded input.

34D (0845) ASN.1 DER encoding error detected in an input value. A data element must be an ASN.1 primitive, but it is not.

User action: Correct the ASN.1 DER encoded input.

34E (0846) ASN.1 DER encoding error detected in an input value. Indefinite-length encoding was found, but is not allowed.

User action: Correct the ASN.1 DER encoded input.

34F (0847) ASN.1 DER encoding error detected in an input value. A data encoding is not valid.

User action: Correct the ASN.1 DER encoded input.

351 (0849) ASN.1 DER encoding error detected in an input value. Data value overflow was encountered.

User action: Correct the ASN.1 DER encoded input.

352 (0850) ASN.1 DER encoding error detected in an input value. The unused bit count in a BIT STRING is not valid.

User action: Correct the ASN.1 DER encoded input.

353 (0851) ASN.1 DER encoding error detected in an input value. An unused bit count was encountered, but it is not valid for a segmented bit string.

User action: Correct the ASN.1 DER encoded input.

356 (0854) ASN.1 DER encoding error detected in an input value. Excess data was found at the end of the data element.

User action: Correct the ASN.1 DER encoded input.

357 (0855) ASN.1 DER encoding error detected in an input value. A parameter is not valid.

User action: Correct the ASN.1 DER encoded input.

359 (0857) ASN.1 DER encoding error detected in an input value. A data value is not present where it is expected.

User action: Correct the ASN.1 DER encoded input.

35A (0858) ASN.1 DER encoding error detected in an input value. A selection value is not within the valid range.

User action: Correct the ASN.1 DER encoded input.

35B (0859) ASN.1 DER encoding error detected in an input value. No selection was found where it was expected.

User action: Correct the ASN.1 DER encoded input.

35D (861) ASN.1 DER encoding error detected in an input value. Syntax is already set.

User action: Correct the ASN.1 DER encoded input.

35E (862) ASN.1 DER encoding error detected in an input value. The codeset is not allowed.

User action: Correct the ASN.1 DER encoded input.

35F (863) ASN.1 DER encoding error detected in an input value. The specified attribute value is not valid.

User action: Correct the ASN.1 DER encoded input.

361 (865) ASN.1 DER encoding error detected in an input value. An attribute value is missing.

User action: Correct the ASN.1 DER encoded input.

362 (866) ASN.1 DER encoding error detected in an input value. An object identifier element count is not valid.

User action: Correct the ASN.1 DER encoded input.

363 (867) ASN.1 DER encoding error detected in an input value. An incorrect value for the first object identifier element was found.

User action: Correct the ASN.1 DER encoded input.

365 (869) ASN.1 DER encoding error detected in an input value. An incorrect value for the second object identifier element was found.

User action: Correct the ASN.1 DER encoded input.

366 (870) ASN.1 DER encoding error detected in an input value. The specified version is not supported.

User action: Correct the ASN.1 DER encoded input.

367 (871) A duplicate extension was found in a certificate.

User action: Correct the certificate.

369 (873) The extension data provided conflicts with the rule array data provided.

User action: Modify the DER encoded extensions or the rule array, or both.

36A (874) The Elliptic Curve algorithm was used, but it is not supported.

User action: Correct the algorithm.

36B (875) A certificate signature was not found where it is expected.

User action: Correct the certificate.

36E (878) The cryptographic algorithm specified is not supported.

User action: Correct the algorithm.

36F (879) An error was found in the Base64 encoding of an input certificate.

User action: Correct the certificate.

371 (881) An unrecognized file or message encoding was found.

User action: Correct the file or message.

372 (882) A request cannot be processed because the coprocessor internal clock has not been set.

User action: Use the TKE workstation to set the internal clock.

373 (883) The key specified is not supported by encryption or the signature algorithm.

User action: Correct the key.

375 (885) The input certificate has an invalid or missing KeyUsage extension.

User action: Correct the certificate.

376 (886) An input certificate extension is not supported.

User action: Correct the extension.

377 (887) The input certificate does not have a valid signature.

User action: Correct the certificate.

37B (891) Error in certificate processing. Signature not supplied.

User action: Correct the certificate or certificates. If using a self-signed certificate in the Digital Signature Verify (CSNDDSV/CSNFDSV) callable service, check the required hardware table for the service to ensure the correct hardware is available.

37D (893) An extension has an incorrect critical indicator.

User action: Correct the extension.

37E (894) A required certificate extension was not supplied.

User action: Supply the required extension.

37F (895) During certificate processing, a certificate was found to be not valid for the host.

User action: Correct the certificate.

381 (897) A subject distinguished name (SDN) is not valid.

User action: Correct the SDN.

382 (898) Certificate extension data is not valid.

User action: Correct the extension.

383 (899) A certificate validation option is not valid.

User action: Correct the validation option.

385 (901) Name constraint restrictions have been violated in a certificate or certificate chain.

User action: Correct the certificate or certificates.

387 (903) A certificate chain is not trusted.

User action: Correct the certificate or certificates.

389 (905) The required certificate basic constraints extension was not found.

User action: Supply the required extension.

38A (906) During certificate processing, an internal error occurred.

User action: Contact the IBM support center.

38B (907) Error in certificate processing. Issuer certificate not found.

User action: Review the supplied certificates and correct the problem.

38D (909) The name format is not supported.

User action: Specify a supported name format.

38E (910) The end entity certificate for a certificate or certificate chain has not been loaded into the coprocessor adapter.

User action: The root certificate must be loaded using the TKE workstation. Contact the system administrator.

38F (911) Error in certificate processing. Certificate is expired.

User action: Review the supplied certificates and correct the problem.

391 (913) A certificate is not valid according to its validity period.

User action: Correct the certificate.

392 (914) A certificate issuer distinguished name (IDN) is not valid.

User action: Correct the IDN.

393 (915) Error in certificate processing. Certificate is revoked.

User action: Review the supplied certificates and correct the problem.

395 (917) A certificate numeric value is not valid.

User action: Correct the numeric value.

396 (918) A certificate variable argument security level is not valid.

User action: Correct the security level.

397 (919) A variable argument validate root was found that is not valid.

User action: Correct the argument validate root.

399 (921) A variable argument count is not valid.

User action: Correct the argument count.

39A (922) Extended key usage comparison checking failed.

User action: Correct the key usage or usages.

39B (923) An input certificate does not have an extended key usage extension.

User action: Correct the certificate.

39D (925) An extended key usage setting is not supported for this operation.

User action: Correct the key usage or usages.

39E (926) An extended key usage was not supplied.

User action: Correct the key usage or usages input.

39F (927) An extended key usage input count is not valid.

User action: Correct the key usage input count.

3A2 (930) An incorrect key usage was found.

User action: Correct the key usage.

3A5 (933) Error in certificate processing. Acceptable policy intersection cannot be found.

User action: Review the supplied certificates and correct the problem. Consider using the RFC-ANY keyword.

3AD (941) A certificate presented for use as an end entity has a true value for cA in the basic constraints certificate extension.

User action: Correct the certificate.

3BF (959) The coprocessor adapter contains certificates signed by the certificate.

User action: Use an operational certificate that has not been used to sign other certificates.

3C5 (965) Error in X.509 certificate processing. The enumeration value is not valid.

User action: Review the supplied certificates and correct the problem.

3C6 (966) The certificate revocation list provided is either missing, malformed, or the length is not valid.

User action: Supply a valid certificate revocation list.

3C7 (967) The TR-34 input token provided is either missing, malformed, or the length is not valid.

User action: Provide a correct, well-formed TR-34 token as required by the service.

3C9 (969) The freshness indicator provided is either missing, malformed, or the length is not valid.

User action: Provide a correct and well-formed freshness indicator as required by the service.

3CA (970) Error in X.509 certificate processing. The certificate revocation list is expired.

User action: Obtain an up-to-date certificate revocation list for processing.

3CB (971) Error in X.509 certificate processing. The revocation information is not yet valid.

User action: Obtain an up-to-date certificate revocation list for processing.

3CD (973) Error in X.509 certificate processing. The certificate revocation list cannot be found.

User action: Obtain an up-to-date certificate revocation list for processing.

3CE (974) The Signed Attributes data is either missing, malformed, or of invalid length.
3CF (975) The Credential IDs provided in separate inputs do not match.
3D1 (977) The clear KBH does not match encrypted KBH.
3D2 (978) The random data in key token does not match reference value.
3D3 (979) Error in certificate processing. The PKCS #7 CMS version is not supported.
3D5 (981) Error in certificate processing. An unsupported PKCS #7 content type is encountered.
3D6 (982) Error in certificate processing. The PKCS #7 content information does not contain any content data.
3D7 (983) Error in certificate processing. The API is not supported.
3D9 (985) Error in certificate processing. An unsupported version is encountered.
3DA (986) Error in certificate processing. An X.509 cryptographic algorithm is not available.
3DB (987) Error in certificate processing. A recipient certificate is not found while creating or processing an enveloped message.
3DD (989) Error in certificate processing. The encryption key size is not supported.
3DE (990) Error in certificate processing. A signer certificate is not found while creating or processing a signed message.
3DF (991) Error in certificate processing. The specified digest algorithm and the key algorithm are incompatible.
3E1 (993) Error in certificate processing. The set of authenticated attributes that are supplied within the attributes_signers parameter must not include the content-type authenticated attribute.
3E2 (994) Error in certificate processing. The set of authenticated attributes that are supplied within the attributes_signers parameter must not include the message-digest authenticated attribute.
3E3 (995) Error in certificate processing. DES and Triple DES encryption keys must have odd parity for each key byte.
401 (1025) Registered public key or retained private key name already exists.
402 (1026) Registered public key or retained private key name does not exist.
405 (1029) There is an error in the Environment Identification data.
40B (1035) The signature does not match the certificate signature during an RKX call.

User Action: Check that the key used to check the signatures is the correct one.

41A (1050) A KEK RSA-enciphered at this node (EID) cannot be imported at this same node.
41C (1052) Token identifier of the trusted block's header section is in the range 0x20 to 0xFF.

User Action: Check the token identifier of the trusted block.

41D (1053) The Active flag in the trusted block's trusted block section 0x14 is not disabled.

User Action: Use the trusted block create callable service to create an inactive/external trusted block.

41E (1054) Token identifier of the trusted block's header section is not 0x1E (external).

User Action: Use the trusted block create callable service to create an inactive/external trusted block.

41F (1055) The Active flag of the trusted block's trusted block section 0x14 is not enabled.

User Action: Use the trusted block create callable service to create an active/external trusted block.

420 (1056) Token identifier of the trusted block's header section is not 0x1F (internal).

User Action: Use the PKA public key import callable service to import the trusted block.

421 (1057) Trusted block rule section 0x12 Rule ID does not match input parameter rule ID.

User Action: Verify the trusted block used has the rule section specified.

422 (1058) Trusted block contains a value that is too small/too large.
423 (1059) A trusted block parameter that must have a value of zero (or a grouping of bits set to zero) is invalid.
424 (1060) Trusted block public key section failed consistency checking.
425 (1061) Trusted block contains extraneous sections or subsections (TLVs).

User Action: Check the trusted block for undefined sections or subsections.

426 (1062) Trusted block is missing sections or subsections (TLVs).

User Action: Check the trusted block for required sections and subsections applicable to the callable service invoked.

427 (1063) Trusted block contains duplicate sections or subsections (TLVs).

User Action: Check the trusted block's sections and subsections for duplicates. Multiple rule sections are allowed.

428 (1064) Trusted block expiration date has expired (as compared to the 4764 clock).

User Action: Validate the expiration date in the trusted block's trusted information section's Activation and Expiration Date TLV Object.

429 (1065) Trusted block expiration date is at a date prior to the activation date.

User Action: Validate the expiration date in the trusted block's trusted information section's Activation and Expiration Date TLV Object.

42A (1066) Trusted Block Public Key Modulus bit length is not consistent with the byte length. The bit length must be less than or equal to byte length * 8 and greater than (byte length - 1) * 8.
42B (1067) Trusted block Public Key Modulus Length in bits exceeds the maximum allowed bit length as defined by the Function Control Vector.
42C (1068) One or more trusted block sections or TLV Objects contained data which is invalid (an example would be invalid label data in label section 0x13).
42D (1069) Trusted block verification was attempted by a function other than CSNDDSV, CSNDKTC, CSNDKPI, CSNDRKX, or CSNDTBC.
42E (1070) Trusted block rule ID contained within a Rule section contains invalid characters.
42F (1071) The source key's length or CV does not match what is expected by the rule section in the trusted block that was selected by the rule ID input parameter.
430 (1072) The activation data is not valid.

User Action: Validate the activation data in the trusted block's trusted information section's Activation and Expiration Date TLV Object.

431 (1073) The source-key label does not match the template in the export key DES token parameters TLV object of the selected trusted block rule section.
432 (1074) The control-vector value specified in the common export key parameters TLV object in the selected rule section of the trusted block contains a control vector that is not valid.
433 (1075) The source-key label template in the export key DES token parameters TLV object in the selected rule section of the trusted block contains a label template that is not valid.
439 (1081) The ISO-1 format PIN block is not allowed by your configuration. The Disallow PIN block format ISO-1 access control is enabled.

User Action: Check with your ICSF administrator.

43A (1082) The key strength of the input or output key is not allowed by your access control point settings. For DES/TDES keys, also consider the effective strength of the key, that is, whether there are repeated 56-bit sections among K1, K2 or K1, K2, K3. For example, if effective single-length TDES keys are disabled by ACP, consider whether K1=K2, K2=K3, or K1=K2=K3.

User Action: If weak key usage is permitted by your installation, determine the failing key strength and disable access control point 'Disable 56-bit length DES Keys', 'Disable 56-bit effective length DES keys', 'Disable RSA keys with less than 1024-bit modulus length', 'Disable RSA keys with less than 2048-bit modulus length', or 'Disable ECC keys weaker than 224-bit'.

7D1 (2001) TKE: DH generator is greater than the modulus.
7D2 (2002) TKE: DH registers are not in a valid state for the requested operation.
7D3 (2003) TKE: TSN does not match TSN in pending change buffer.
7D4 (2004) A length parameter has an incorrect value. The value in the length parameter could have been zero (when a positive value was required) or a negative value. If the supplied value was positive, it could have been larger than your installation's defined maximum, or for MDC generation with no padding, it could have been less than 16 or not an even multiple of 8.

User action: Check the length you specified. If necessary, check your installation's maximum length with your ICSF administrator. Correct the error.

REASONCODES: TSS 019 (025)

7D5 (2005) TKE: PCB data exceeds maximum data length.
7D8 (2008) Two parameters (perhaps the plaintext and ciphertext areas, or text_in and text_out areas) overlap each other. That is, some part of these two areas occupies the same address in memory. This condition cannot be processed.

User action: Determine which two areas are responsible, and redefine their positions in memory.

REASONCODES: TSS 0A4 (164)

7D9 (2009) TKE: ACI cannot load both roles and profiles in one call.
7DA (2010) TKE: ACI can only load one role or one profile at a time.
7DB (2011) TKE: DH transport key algorithm match.
7DC (2012) The rule_array_count parameter contains a number that is not valid.

User action: Refer to the rule_array_count parameter described in this publication under the appropriate callable service for the correct value.

REASONCODES: TSS 023 (035)

7DD (2013) TKE: Length of hash pattern for keypart is not valid for DH transport key algorithm specified.
7DE (2014) TKE: PCB buffer is empty.
7DF (2015) An error occurred in the Domain Manager.
7E0 (2016) The rule_array parameter contents are incorrect. One or more of the rules specified are not valid for this service, or some of the rules specified may not be combined.

User action: Refer to the rule_array parameter described in this publication under the appropriate callable service for the correct value.

REASONCODES: TSS 021 (033)

7E2 (2018) The form parameter specified in the random number generate callable service should be ODD, EVEN, or RANDOM. One of these values was not supplied.

User action: Change form parameter to use one of the required values for the form parameter.

REASONCODES: TSS 021 (033)

7E3 (2019) TKE: Signature in request CPRB did not verify.
7E4 (2020) TKE: TSN in request CPRB is not valid.
7E8 (2024) A reserved field in a parameter, probably a key identifier, has a value other than zero.

User action: Key identifiers should not be changed by application programs for other uses. Review any processing you are performing on key identifiers and leave the reserved fields in them at zero.

7EB (2027) TKE: DH transport key hash pattern does not match.
7EC (2028)

While deciphering ciphertext that had been created using a padding technique, it was found that the last byte of the plaintext did not contain a valid count of pad characters. Note that all cryptographic processing has taken place, and the clear_text parameter contains the deciphered text.

When deciphering ciphertext that had been created using Galois/Counter Mode (GCM) either through PKCS #11 Secret key decrypt (CSFPSKD or CSFPSKD6), PKCS #11 Unwrap Key (CSFPUWK and CSFPUWK6), or Symmetric Key Decipher (CSNBSYD, CSNBSYD1, CSNESYD, or CSNESYD1), the GCM tag provided did not match the data provided. No cleartext was returned.

User action: The text_length parameter was not reduced. Therefore, it contains the length of the base message, plus the length of the padding bytes and the count byte. Review how the message was padded prior to it being enciphered. The count byte that is not valid was created prior to the message's encipherment.

You may need to check whether the ciphertext was not created using a padding scheme. Otherwise, check with the creator of the ciphertext on the method used to create it. You could also look at the plaintext to review the padding scheme used, if any.

If using GCM, verify that the parameters provided (ciphertext, additional authenticated data, and tag) match those provided to, or returned from, the corresponding call to PKCS #11 Secret key encrypt (CSFPSKE or CSFPSKE6), PKCS #11 Wrap Key (CSFPWPK and CSFPWPK6), or Symmetric Key Encipher (CSNBSYE, CSNBSYE1, CSNESYE, or CSNESYE1).

REASONCODES: TSS 2C2 (706)

7ED (2029) TKE: Request data block hash does not match hash in CPRB.
7EE (2030) TKE: DH supplied hash length is not correct.
7EF (2031) Reply data block too large.
7F1 (2033) TKE: Change type does not match PCB change type.
7F4 (2036) The contents of a chaining vector or the chaining data passed to a callable service are not valid. If you called the MAC Generate callable service, or the MDC Generate callable service with a MIDDLE or LAST segmenting rule, the count field has a number that is not valid. If you called the MAC verification callable service, then this will have been a MIDDLE or LAST segmenting rule. If you called the Symmetric Key Encipher, Symmetric Key Decipher, PKCS #11 Secret Key Encrypt or PKCS #11 Secret Key Decrypt, the chaining data passed is unusable, either because a CONTINUE or FINAL was not preceded by an INITIAL or CONTINUE, or because an attempt was made to continue chaining calls after a partial block has been processed.

User action: Check to ensure that the chaining vector or chaining data is not modified by your program. The chaining vector or chaining data returned by ICSF should only be used to process one message set, and not intermixed between alternating message sets. This means that if you receive and process two or more independent message streams, each should have its own chaining vector. Similarly, each message stream should have its own key identifier.

If you use the same chaining vector and key identifier for alternating message streams, you will not get the correct processing performed.

REASONCODES: TSS 0A5 (165)

7F6 (2038) No RSA private key information was provided in the supplied token.

User action: Check that the token supplied was of the correct type for the service.

7F8 (2040) This check is based on the first byte in the key identifier parameter. The key identifier provided is either an internal token, where an external or null token was required; or an external or null token, where an internal token was required. The token provided may be none of these, and, therefore, the parameter is not a key identifier at all. Another cause is specifying a key_type of IMP-PKA for a key in importable form.

User action: Check the type of key identifier required and review what you have provided. Also check that your parameters are in the required sequence.

REASONCODES: TSS 03F (063) and TSS 09A (154)

7FC (2044) The caller must be in task mode, not SRB mode.
800 (2048) The key_form is not valid for the key_type.

User action: Review the key_form and key_type parameters. For a key_type of IMP-PKA, the secure key import callable service supports only a key_form of OP.

802 (2050) A DUKPT keyword was specified, but there is an error in the PIN_profile key serial number.

User action: Correct the PIN profile key serial number.

803 (2051) Invalid message length in OAEP-decoded information.
804 (2052) A single-length key, passed to the secure key import callable service in the clear_key parameter, must be padded on the right with binary zeros. The fact that it is a single-length key is identified by the key_form parameter, which identifies the key as being DATA, MACGEN, MACVER, and so on.

User action: If you are providing a single-length key, pad the parameter on the right with zeros. Alternatively, if you meant to pass a double-length key, correct the key_form parameter to a valid double-length key type.

805 (2053) No message found in OAEP-decoded information.
806 (2054) Invalid RSA enciphered key cryptogram; OAEP optional encoding parameters failed validation.
807 (2055) The RSA public key is too small to encrypt the DES key.
808 (2056) The key_form parameter is neither IM nor OP. Most constants, these included, can be supplied in lowercase or uppercase. Note that this parameter is 4 bytes long, so the value IM or OP is not valid. They must be padded on the right with blanks.

User action: Review the value provided and change it to IM or OP, as required.

REASONCODES: TSS 029 (041)

80C (2060) The value specified for the key_length parameter of the key generate callable service is not valid.

User action: Review the value provided and change it as appropriate.

REASONCODES: TSS 02B (043)

810 (2064) The key_type and the key_length are not consistent.

User action: Review the key_type parameter provided and match it with the key_length parameter.

REASONCODES: TSS 0A0 (160)

811 (2065) A null key token was not specified for a key identifier parameter.

User action: Check the service description and determine which key identifier parameter must be a null token.

813 (2067) TKE: A key part register is in an invalid state. This includes the case where an attempt is made to load a FIRST key part, but a register already contains a key or key part with the same key name.

User action: Supply a different label name for the key part register or clear the existing key part register with the same label name.

814 (2068) You supplied a key identifier or token to the key generate, key import, multiple secure key import, key export, or CKDS key record write callable service. This key identifier holds an importer or exporter key, and the NOCV bit is on in the token. Only programs running in supervisor state or in a system key (key 0–7) may provide a key identifier with this bit set on. Your program was not running in supervisor state or a system key.

User action: Either use a different key identifier, or else run in supervisor state or a system key.

815 (2069) TKE: The control vector in the key part register does not match the control vector in the key structure.
816 (2070) TKE: All key part registers are already in use.

User action: Either free existing key part registers (by loading keys from ICSF or by clearing selected key part registers from TKE) or select another coprocessor for loading the key part register.

817 (2071) TKE: The key part hash pattern supplied does not match the hash pattern of the key part currently in the register.
81B (2075) TKE: The length of the key part received is different from the length of the accumulated value already in the key part register.
81C (2076) A request was made to the key import callable service to import a single-length key. However, the right half of the key in the source_key_identifier parameter is not zeros. Therefore, it appears to identify the right half of a double-length key. This combination is not valid. This error does not occur if you are using the word TOKEN in the key_type parameter.

User action: Check that you specified the value in the key_type parameter correctly, and that you are using the correct or corresponding source_key_identifier parameter.

81D (2077) TKE: An error occurred storing or retrieving the key part register data.

User action: Verify that the selected coprocessor is functioning correctly and retry the operation.

81F (2079) An encrypted symmetric key token was passed to the service. Either an encrypted key token is not supported for this service (CSNDPKE) or the required hardware is not present (CSNBSYD and CSNBSYE).
829 (2089) The algorithm does not match the algorithm of the key identifier.

User action: Make sure the rule_array keywords specified are valid for the type of key specified. Refer to the rule_array parameter described in this publication under the appropriate callable service for the valid values.

82D (2093) Key identifiers contain a version number. The version number in a supplied key identifier (internal or external) is inconsistent with one or more fields in the key identifier, making the key identifier unusable.

User action: Use a token containing the required version number.

82E (2094) The key_length value is not compatible with the key_form value.
82F (2095) The value in the key_form parameter is incompatible with the value in the key_type parameter.

User action: Ensure compatibility of the selected parameters.

831 (2097) The value in the key_identifier_length parameter is incompatible with the value in the key_type parameter.

User action: Ensure compatibility of the selected parameters.

832 (2098) Either a key bit length that was not valid was found in an AES key token (length not 128, 192, or 256 bits) or a version X'01' DES token had a token-marks field that was not valid.
833 (2099) Encrypted key length in an AES key token was not valid when an encrypted key is present in the token.
834 (2100) A parameter was specified with a non-zero value. For example:
Key Token Build: The value of the master_key_version_number parameter must be zero when the KEY keyword is specified.
Key Token Build: The value of the pad_character parameter must be zero when building a MAC token.
DK PIN Change: The value of the script_initialization_vector parameter must be zero.
PKA Key Generate: The value of the regeneration_data_length parameter must be zero when generating a DSS key.

User action: Check that you specified the valid value for the parameter.

REASONCODES: TSS 2CB (715)

836 (2102) In operational key load, the key part register specified is incompatible with the rule provided.
838 (2104) An input character is not in the code table.

User action: Correct the code table or the source text.

REASONCODES: TSS 02D (045)

83C (2108) An unused field must be binary zeros, and an unused key identifier field generally must be zeros.

User action: Correct the parameter list.

REASONCODES: TSS 02F (047)

83E (2110)

The supplied symmetric key token is wrapped using a method that is not supported by the CCA coprocessor or this release of ICSF. The token cannot be used for this request.

User action: See Key wrapping for support requirements.

83F (2111) There is an inconsistency between the wrapping information in the key token and the request to wrap a key.
840 (2112) The length is incorrect for the key type.

User action: Check the key length parameter. DATA keys may have a length of 8, 16, or 24. MAC keys must have a length of 8. All other keys should have a length of 16. Also check that the parameters are in the required sequence.

841 (2113) A key token contains invalid payload.

User action: Re-create the key token.

844 (2116) Parameter contents or a parameter value is not correct.

User action: Specify a valid value for the parameter.

REASONCODES: TSS 021 (033)

846 (2118) Invalid value or values in TR-31 key block header.

User action: Check the TR-31 key block header for correctness. Also check that the PADDING optional block is the last optional block in a set of optional blocks.

847 (2119) “Mode” value in the TR-31 header is invalid or is not acceptable in the chosen operation.

User action: Check the TR-31 key block header for correctness.

849 (2121) “Algorithm” value in the TR-31 header is invalid or is not acceptable in the chosen operation.

User action: Check the TR-31 key block header for correctness.

84A (2122) If importing a TR-31 key block, the exportability byte in the TR-31 header contains a value that is not supported. If exporting a TR-31 key block, the requested exportability is inconsistent with the key block. For example, a ‘B’ Key Block Version ID key can only be wrapped by a KEK that is wrapped in CBC mode; the ECB mode KEK violates ANSI X9.24.

User action: Check the TR-31 key block header for correctness.

84B (2123) The length of the cleartext key in the TR-31 block is invalid; for example, the algorithm is “D” for single-DES but the key length is not 64 bits.

User action: Check that the values in the TR-31 header are consistent with the key fields.

84D (2125) The Key Block Version ID in the TR-31 header contains an invalid value.

User action: Check the TR-31 key block header for correctness.

84E (2126) The key usage field in the TR-31 header contains a value that is not supported for import of the key into CCA.

User action: Check the TR-31 key block header for correctness.

84F (2127) The key usage field in the TR-31 header contains a value that is not valid with the other parameters in the header.

User action: Check the TR-31 key block header for correctness.

851 (2129) A parameter to a TR-31 service such as a TR-31 key block, a set of optional blocks, or a single optional block contains invalid characters. It may be that the parameter contains EBCDIC characters when ASCII is expected or vice-versa, or the wrong characters were found in a field which only accepts a limited range of characters. For example some length fields can be populated by characters '0' - '9' and 'A' - 'F', while other length fields can only contain characters '0' - '9'.

User action: Check the TR-31 parameters for correctness.

852 (2130) The CV carried in the TR-31 key block optional blocks is inconsistent with other attributes of the key.

User action: Check the TR-31 key block header for correctness.
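The TR-31 header entries above (846 through 851) can often be ruled out before the service is called. The following pre-flight check is an added example, not ICSF code: `check_tr31_header` is a hypothetical name, the field layout and value sets are those of the TR-31 standard's 16-byte header (ICSF may accept a narrower set), and the sample blocks are constructed.

```python
# Added example: structural pre-check of a TR-31 key block header.
# Layout assumed from the TR-31 standard: version(1) length(4, decimal)
# usage(2) algorithm(1) mode(1) key-version(2) exportability(1)
# optional-block count(2, decimal) reserved(2), then optional blocks of
# id(2) + length(2, hex, counting the id and length fields) + data.
DEC = set(b"0123456789")
HEX = DEC | set(b"ABCDEF")
VERSIONS = set(b"ABCD")
ALGORITHMS = set(b"ADEHRST")
EXPORTABILITY = set(b"ENS")


def check_tr31_header(block: bytes) -> list:
    """Return a list of (field, problem) tuples; empty means no finding."""
    if any(b < 0x20 or b > 0x7E for b in block):
        # EBCDIC digits and letters all have the high bit set.
        return [("encoding", "non-ASCII bytes present (EBCDIC input?)")]
    if len(block) < 16:
        return [("header", "shorter than the 16-byte header")]

    problems = []
    if block[0] not in VERSIONS:
        problems.append(("version_id", "unknown Key Block Version ID"))
    length_field = block[1:5]
    if not set(length_field) <= DEC:
        problems.append(("block_length", "must be four decimal digits"))
    elif int(length_field) != len(block):
        problems.append(("block_length",
                         f"header says {int(length_field)}, got {len(block)}"))
    if block[7] not in ALGORITHMS:
        problems.append(("algorithm", "unknown algorithm value"))
    if block[11] not in EXPORTABILITY:
        problems.append(("exportability", "unknown exportability value"))

    count_field = block[12:14]
    if not set(count_field) <= DEC:
        problems.append(("optional_count", "must be two decimal digits"))
        return problems

    pos, ids = 16, []
    for _ in range(int(count_field)):
        if pos + 4 > len(block):
            problems.append(("optional_block", "truncated optional block"))
            break
        len_field = block[pos + 2:pos + 4]
        if not set(len_field) <= HEX:
            problems.append(("optional_block",
                             "length must be two uppercase hex digits"))
            break
        blk_len = int(len_field, 16)
        if blk_len < 4:
            # '00' selects the extended-length form, not handled here.
            problems.append(("optional_block", "length below 4 not handled"))
            break
        if pos + blk_len > len(block):
            problems.append(("optional_block", "runs past end of key block"))
            break
        ids.append(block[pos:pos + 2].decode("ascii"))
        pos += blk_len
    if "PB" in ids[:-1]:
        problems.append(("optional_block",
                         "PB (padding) must be the last optional block"))
    return problems


# Constructed samples (payload and MAC are filler, not real key material).
GOOD = b"B0072P0TE00N0100" + b"PB080000" + b"0" * 48
PB_NOT_LAST = b"B0072P0TE00N0200" + b"PB04" + b"KS0CABCDEF01" + b"0" * 40
HEX_IN_DECIMAL_LENGTH = b"B00A2P0TE00N0000" + b"0" * 56
EBCDIC = GOOD.decode("ascii").encode("cp037")

if __name__ == "__main__":
    for name in ("GOOD", "PB_NOT_LAST", "HEX_IN_DECIMAL_LENGTH", "EBCDIC"):
        print(name, check_tr31_header(globals()[name]))
```
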

853 (2131) The MAC validate step failed for a parameter. This may result from tampering, corruption, or attempting to use a different key to validate the MAC from the one used to generate it.

User action: Check each parameter which includes a MAC for correctness. If the parameter is wrapped by a key-encrypting-key (KEK), ensure that the correct KEK is supplied.

856 (2134) The requested PIN decimalization table does not exist or no PIN decimalization tables have been stored in the coprocessor.
857 (2135) The supplied PIN decimalization table is not in the list of active tables stored in the coprocessor.
85D (2141) A key verification pattern failed to verify. Either the key-encrypting key provided to unwrap an encrypted key contained in an external key-token is incorrect or an external key-token is invalid.
85E (2142) The key usage attributes of the variable-length key token do not allow the requested operation. For example, the request might have been to encrypt data, but encryption is not allowed, or the request might have been to use the ECB cipher mode, but that mode is not allowed.

User action: Use the variable-length key token in a manner consistent with its usage attributes or create a new key token with the desired attributes.

85F (2143) On a call to Key Translate2 using the REFORMAT Encipherment rule and providing a variable-length AES token, the key management fields for input_key_token contain disallowed values or prohibit the operation.

User action: Call Key Translate2 using a key token whose key-management fields contain allowed values.

861 (2145)

The service failed because a key would have been wrapped by a weaker key (transport or master key). This is disallowed by the "Prohibit weak wrapping - Transport keys" and "Prohibit weak wrapping - Master keys" access control points.

User action: If weak key wrapping is to be allowed, disable access control point "Prohibit weak wrapping - Transport keys" and "Prohibit weak wrapping - Master keys" using the TKE workstation.

863 (2147) The key type that was to be generated by this callable service is not valid.

User action: Refer to the parameters described in this publication under the appropriate callable service for the correct parameter values.

865 (2149) The key that was to be generated by this callable service is stronger than the input material.

User action: Validate that the key material is at least as strong as the key to be generated.

869 (2153) The input token is incompatible with the service (for example, clear key when encrypted key was expected).
86A (2154) At least one key token passed to this callable service does not have the required key type for the specified function.

User action: Refer to the parameters described in this publication under the appropriate callable service for the correct parameter values.

86C (2156) Multiple ECC tokens were passed to this callable service. The curve types of all the token parameters do not match.

User action: Check that the curve types of the input ECC tokens are the same.

86F (2159) One or more key-encrypting keys passed to the service are not valid for the service.

User action: Check the requirements of the service and the key-encrypting keys you supplied, determine which key is incorrect and supply a key that is correct.

871 (2161) The requested or default wrapping method conflicts with one or both input tokens.

User action: On the call to the CVV Key Combine service, make sure that the desired wrapping method (either specified as a rule_array keyword or the default wrapping method) is consistent with the wrapping method of the input token or tokens. For example, an input token that can only be wrapped in the enhanced method (ENH-ONLY flag on in the CV) cannot produce an output token wrapped in the original method (ECB mode).

873 (2163) A weak master key was detected when the final key part was loaded for the DES or RSA master key. A key is weak if any of the three parts are the same as another part. For example, when the first and third key parts are the same, the key is weak (effectively a double-length key).

User action: Create new key values for the new master key and retry master key entry.

875 (2165) The RSA key token contains a private section that is not valid with the service.
87A (2170) Translation of text using an outbound key that has an effective key strength weaker than the effective strength of the inbound key is not allowed.

User action: Provide an outbound key of equal or greater key strength than the inbound key.

87F (2175) A weak PIN was presented. The PIN change has been rejected.

User action: Provide another PIN.

881 (2177) The PAN presented to the DK PAN change service was the same as the PAN in the encrypted PIN block. The change has been rejected.

User action: Check the PAN parameters and correct the parameter in error.

882 (2178) The PAN data supplied to the DK Deterministic PIN Generate service does not match the supplied data in the account_info_ER parameter.

User action: Supply the correct PAN.

895 (2197) The input PIN could not be verified.

User action: Ensure that the correct values were supplied for the parameters used to verify the PIN and ensure that the input PIN is correct.

896 (2198) The supplied MAC was compared against a MAC calculated from the supplied parameters. The MACs did not match.

User action: Ensure that the correct values were supplied for the parameters used to calculate the MAC and ensure that the supplied MAC is correct.

897 (2199) A variable-length symmetric key-token (version X'05') contains invalid key-usage field data.

User action: Supply a valid key token.

899 (2201) A variable-length symmetric key-token (version X'05') contains invalid key-management field data.

User action: Supply a valid key token.

89B (2203) A malformed request caused processor recovery and ICSF takes a dump to capture the data for analysis.

User action: Contact the system programmer to save the dump and contact the ICSF administrator to contact IBM.

89C (2204) A request caused processor recovery and ICSF takes a dump to capture the data for analysis.

User action: Contact the system programmer to save the dump and contact the ICSF administrator to contact IBM.

89D (2205) A request caused processor recovery and ICSF takes a dump to capture the data for analysis.

User action: Contact the system programmer to save the dump and contact the ICSF administrator to contact IBM.

89E (2206) A request caused processor recovery and ICSF takes a dump to capture the data for analysis.

User action: Contact the system programmer to save the dump and contact the ICSF administrator to contact IBM.

89F (2207) A request caused processor recovery and ICSF takes a dump to capture the data for analysis.

User action: Contact the system programmer to save the dump and contact the ICSF administrator to contact IBM.

8A0 (2208) A request caused processor recovery and ICSF takes a dump to capture the data for analysis.

User action: Contact the system programmer to save the dump and contact the ICSF administrator to contact IBM.

8A1 (2209) A request caused processor recovery and ICSF takes a dump to capture the data for analysis.

User action: Contact the system programmer to save the dump and contact the ICSF administrator to contact IBM.

8A2 (2210) A request caused processor recovery and ICSF takes a dump to capture the data for analysis.

User action: Contact the system programmer to save the dump and contact the ICSF administrator to contact IBM.

8A3 (2211) A request caused processor recovery and ICSF takes a dump to capture the data for analysis.

User action: Contact the system programmer to save the dump and contact the ICSF administrator to contact IBM.

8A4 (2212) A request caused processor recovery and ICSF takes a dump to capture the data for analysis.

User action: Contact the system programmer to save the dump and contact the ICSF administrator to contact IBM.

8A5 (2213) A request caused processor recovery and ICSF takes a dump to capture the data for analysis.

User action: Contact the system programmer to save the dump and contact the ICSF administrator to contact IBM.

8A6 (2214) A request caused processor recovery and ICSF takes a dump to capture the data for analysis.

User action: Contact the system programmer to save the dump and contact the ICSF administrator to contact IBM.

8A7 (2215) A request caused processor recovery and ICSF takes a dump to capture the data for analysis.

User action: Contact the system programmer to save the dump and contact the ICSF administrator to contact IBM.

8A8 (2216) A request caused processor recovery and ICSF takes a dump to capture the data for analysis.

User action: Contact the system programmer to save the dump and contact the ICSF administrator to contact IBM.

8A9 (2217) A request caused processor recovery and ICSF takes a dump to capture the data for analysis.

User action: Contact the system programmer to save the dump and contact the ICSF administrator to contact IBM.

8AA (2218) A request caused processor recovery and ICSF takes a dump to capture the data for analysis.

User action: Contact the system programmer to save the dump and contact the ICSF administrator to contact IBM.

8AB (2219) A request caused processor recovery and ICSF takes a dump to capture the data for analysis.

User action: Contact the system programmer to save the dump and contact the ICSF administrator to contact IBM.

8AC (2220) A request caused processor recovery and ICSF takes a dump to capture the data for analysis.

User action: Contact the system programmer to save the dump and contact the ICSF administrator to contact IBM.

8AD (2221) A request caused processor recovery and ICSF takes a dump to capture the data for analysis.

User action: Contact the system programmer to save the dump and contact the ICSF administrator to contact IBM.

8AE (2222) A request caused processor recovery and ICSF takes a dump to capture the data for analysis.

User action: Contact the system programmer to save the dump and contact the ICSF administrator to contact IBM.

8AF (2223) A request caused processor recovery and ICSF takes a dump to capture the data for analysis.

User action: Contact the system programmer to save the dump and contact the ICSF administrator to contact IBM.

8B5 (2229) The type of key specified is not valid because a diversified key generating key must be used to derive this symmetric key type.

User action: Supply a valid key type or token for the service.

8B7 (2231) There was a problem converting or formatting the PAN.

User action: Refer to the rule_array parameter described in this publication under the appropriate callable service for the valid values.

8B8 (2232) There was a problem converting or formatting the cardholder name.

User action: Refer to the rule_array parameter described in this publication under the appropriate callable service for the valid values.

8B9 (2233) There was a problem converting or formatting the track 1 data.

User action: Refer to the rule_array parameter described in this publication under the appropriate callable service for the valid values.

8BB (2235) There was a problem converting or formatting the track 2 data.

User action: Refer to the rule_array parameter described in this publication under the appropriate callable service for the valid values.

8BD (2237) Data presented for VFPE processing is not VFPE enciphered.
8BE (2238) The supplied PIN profile has an invalid value.

User action: Review the requirement of the service and correct the PIN profile.

8BF (2239) The check digit compliance keyword denotes compliant check digit, but the input PAN does not have a compliant check digit.
8C3 (2243) The CSNDEDH service was called and the token attributes in the skeleton token do not match those in the key-derivation section of the ECC private key token.

User action: Provide a skeleton token with attributes that match the ECC private key token.

8C5 (2245) The CSNDEDH service was called and the key-token pedigree / key source of the ECC private key did not meet requirements; for example, it was not randomly generated.

User action: Supply an ECC private key token with the correct pedigree.

8C6 (2246) The CSNDPKG service was passed an ECC private key token that is ill-formed. The token has an associated data section version of X'01' and is missing the IBM extended associated data required for a version X'01' token.

User action: Supply an ECC private key token with the correct IBM extended associated data for a version X'01' token.

8C7 (2247) An error was encountered in the RSA PSS signature salt length.

User action: Correct the PSS salt length.

8CE (2254) The SECURE LOG SRDI that is stored on the coprocessor is full. No auditable actions are allowed.

User action: Inform the system programmer that the coprocessor adapter secure log is full.

962 (2402) An attempt was made to use a compliance-tagged key, but the domain is not in an active compliance mode.

User action: Place the domain in compliance mode and retry the request.

963 (2403) An attempt was made to use compliant-tagged tokens with a callable service that does not allow compliant-tagged tokens.

User action: Either use a different callable service or non-compliant-tagged tokens.

965 (2405) An attempt was made to perform a callable service operation that is not allowed with compliant-tagged tokens. Though the callable service supports compliant-tagged tokens, the specific operation requested of the service does not.

User action: See the callable service documentation for restrictions on the use of compliant-tagged tokens.

966 (2406) An attempt was made to use compliant-tagged tokens with non-compliant-tagged tokens.

User action: Either use all compliant-tagged tokens or all non-compliant-tagged tokens in the service.

967 (2407) An attempt was made to generate a compliant-tagged key token or check the compliance of a key token. The strength of the key is too weak for the configured compliance mode.

User action: Increase the strength of the key to be compliant with the configured compliance mode and retry the request.

969 (2409) An attempt was made to generate a compliant-tagged key token or check the compliance of a key token. The key type or usage is not compliant with the configured compliance mode.

User action: Update the key type or usage to be compliant with the configured compliance mode and retry the request.

96A (2410) An attempt was made to generate a NOCV KEK compliant-tagged key token or check the compliance of a NOCV KEK key token. NOCV KEKs cannot be compliant-tagged.

User action: If attempting to generate a compliant-tagged KEK, recreate the skeleton token without the NOCV flag. NOCV KEKs cannot be compliant-tagged.

96D (2413) An attempt was made to use a compliant-tagged KEK to wrap or unwrap an external key token, but the key type, a key attribute, or the wrapping method of the external key token is not compliant.

User action: Only use compliant-tagged KEKs with compliant key tokens, or change to use a non-compliant-tagged KEK.

96E (2414) An attempt was made to either check the compliance of or apply the compliance tag to an unsupported key token.

User action: Only attempt to compliant-check or compliant-tag supported key tokens.

971 (2417) The key derivation function value in the key token is invalid. The token is possibly corrupted.

User action: Recreate the key token if possible.

973 (2419) Unable to retrieve the compliance mode flags. This is an internal error.

User action: Contact IBM Service.

97A (2426) The operation is not allowed in imprint mode.

User action: Take the coprocessor out of imprint mode and retry the operation.

97D (2429) A CCA service was requested that, because of the compliance state of the domain, requires a signed command from a TKE. However, the request was not received in the correct format.

User action: Use the TKE to perform the operation.

97F (2431) An external key token has the compliance tag, but it is not allowed.

User action: Recreate the external key token without the compliance tag.

985 (2437) The PIN block translation is not allowed.

User action: See Table 4 for the PIN block translations allowed when using compliant-tagged key tokens.

9C5 (2501) The length of the random data is invalid.

User action: Select a valid length for the random data.

9C6 (2502) The length of the additional derivation data is invalid.

User action: Select and define additional derivation data which is valid.

9C7 (2503) The length of the derivation data is invalid.

User action: Select a valid length for the derivation data.

9C9 (2505) The length of the key type vector is invalid.

User action: Select a valid length for the key type vector.

9CA (2506) The PIN change request failed authentication.

User action: Correct the PAN authentication data.

9CB (2507) The key type vector contains invalid values.

User action: Correct the key type vector.

9CD (2509) The length of the PAN data is invalid.

User action: Correct the PAN data length.

B21 (2849) A keyword was passed in the service_data parameter of Key Token Build2 service and it is not a valid keyword for the service.

User action: Correct the keywords in the service_data parameter.

B22 (2850) The combination of keywords in the service_data parameter of the Key Token Build2 service is not valid.

User action: Check the keywords allowed for the key type being derived and correct the service_data parameter.

B23 (2851) The service_data_length parameter of the Key Token Build2 service does not have a valid value.

User action: The length must be a multiple of 8 and the keywords in the service_data parameter must be left-justified and padded with blanks.

B81 (2945) A required keyword for the key type being derived is not in the service_data parameter of the Key Token Build2 service.

User action: Review the keywords for the key type being derived and supply all required keywords.

B82 (2946) The maximum amount of plaintext/ciphertext that can be processed in the GCM mode by the CSNBSAD and CSNBSAE services was exceeded.
B83 (2947) When deciphering ciphertext that had been created using Galois/Counter Mode (GCM) with the CSNBSAD service, the GCM tag provided did not match the data provided. No cleartext was returned.

User action: Verify that the parameters provided (ciphertext, additional authenticated data, and tag) match those provided to, or returned from, the corresponding call to the CSNBSAE service.

BB9 (3001) SET Block Decompose service was called with an encrypted OAEP block with a block contents identifier that indicates a PIN block is present. No PIN encrypting key was supplied to process the PIN block. The block contents identifier is returned in the block_contents_identifier parameter.

User action: Supply a PIN encrypting key and resubmit the job.

BBB (3003) An output parameter is too short to hold the output of the request. The length parameter for the output parameter has been updated with the required length for the request.

User action: Update the size of the output parameter and length specified in the length field and resubmit the request.

BBC (3004) A request was made to the Clear PIN generate or Encrypted PIN verify callable service, and the PIN_length parameter has a value outside the valid range. The valid range is from 4 to 16, inclusive.

User action: Correct the value in the PIN_length parameter to be within the valid range from 4 to 16.

REASONCODES: TSS 064 (100)

BBE (3006) The UDX verb in the coprocessor is not authorized to be executed.
BC0 (3008) A request was made to the Clear PIN generate, Clear PIN generate alternate, or Encrypted PIN verify callable service, and the PIN_check_length parameter has a value outside the valid range. The valid range is from 4 to 16, inclusive.

User action: Correct the value in the PIN_check_length parameter to be within the valid range from 4 to 16.

REASONCODES: TSS 065 (101)

BC1 (3009) For PKCS #11 attribute processing, an attribute has been specified in the template that is not consistent with another attribute of the object being created or updated.

User action: Correct the template for the object.

BC3 (3011) The CRT value (p, q, Dp, Dq or U) is longer than the length allowed by the parameter block for clear key processing on an accelerator. A modulus whose length is less than or equal to 1024 bits is 64 bytes in length. A modulus whose length is greater than 1024 bits but less than or equal to 2048 bits is 128 bytes in length.

User action: Reconfigure the accelerator as a coprocessor to make use of the key (if the CRT value is not in error and there is no coprocessor installed).

REASONCODES: TSS 065 (101)

BC4 (3012) A request was made to the Clear PIN generate, Clear PIN generate alternate, Encrypted PIN generate, or Encrypted PIN verify callable service to generate a VISA-PVV PIN, and the trans_sec_parm field has a value outside the valid range. The field being checked in the trans_sec_parm is the key index, in the 12th byte. This trans_sec_parm field is part of the data_array parameter.

User action: Correct the value in the key index, held within the trans_sec_parm field in the data_array parameter, to hold a number from the valid range.

REASONCODES: TSS 069 (105)

BC5 (3013) The AES clear key value LRC in the token failed validation.

User action: Correct the AES clear key value.

BC8 (3016) A request was made to the Encrypted PIN Translate or the Encrypted PIN verify callable service, and the PIN block value or PADDIGIT value in the input_PIN_profile or output_PIN_profile parameter has a value that is not valid.

User action: Correct the PIN block value.

REASONCODES: TSS 06A (106)

BCB (3019) The call to insert or delete a z/OS PKCS #11 token object failed because the token was not found in the TKDS data space or a request to delete a PKCS #11 session object failed because the token was not found in the session data space.
BCC (3020) For a PKCS #11 callable service, the PKCS #11 object specified is the incorrect class for the request.

User action: Specify the correct class of object for the service.

BCD (3021) The call to add a z/OS PKCS #11 token failed because the token already exists in the TKDS data space or a request to add a z/OS PKCS #11 token object failed because an object with the same handle already exists.
BCE (3022) The call to add or update a z/OS PKCS #11 token object failed because the supplied attributes are too large to be stored in the TKDS.
BD0 (3024) A request was made to the Encrypted PIN Translate callable service and the format control value in the input_PIN_profile or output_PIN_profile parameter has a value that is not valid. The only valid value is NONE.

User action: Correct the format control value to NONE.

REASONCODES: TSS 06B (107)

BD1 (3025) The call to create a list of z/OS PKCS #11 tokens, a list of objects of a z/OS PKCS #11 token, the information for a z/OS PKCS #11 token or the attributes of a PKCS #11 object failed because the length of the output field was insufficient to hold the data. The length field has been updated with the length of a single list or entry, token information or object attributes.
BD2 (3026) The z/OS PKCS #11 token or object handle syntax is invalid.
BD3 (3027) The call to read or update a z/OS PKCS #11 token or token object failed because the token or object was not found in the TKDS data space, or the call to read or update a PKCS #11 session object failed because the object was not found.
BD4 (3028) A request was made to the Clear PIN generate callable service. The clear_PIN supplied as part of the data_array parameter for a GBP-PINO request begins with a zero (0). This value is not valid.

User action: Correct the clear_PIN value.

REASONCODES: TSS 074 (116)

BD5 (3029) For PKCS #11 attribute processing, an invalid attribute was specified in the template. The attribute is neither a PKCS #11 nor a vendor-specified attribute supported by this implementation of PKCS #11.

User action: Correct the template by removing the invalid attribute or changing the attribute to a valid attribute.

BD6 (3030) An invalid value was specified for a particular PKCS #11 attribute in a template when creating or updating an object.
BD7 (3031) The certificate specified in creating a PKCS #11 certificate object was not properly encoded.
BD9 (3033) The attribute template for creating or updating a PKCS #11 object was incomplete. Required attributes for the object class were not specified in the template.
BDA (3034) The call to modify PKCS #11 object attributes failed because the CKA_MODIFIABLE attribute was set to false when the object was re-created.
BDB (3035) For PKCS #11 attribute processing, an attribute was specified in the template which cannot be set or updated by the application. See z/OS Cryptographic Services ICSF Writing PKCS #11 Applications for a definition of attributes that can be set or updated by the application.

User action: Remove the offending attribute from the template.

BDC (3036) A request was made to the Encrypted PIN Translate callable service. The sequence_number parameter was required, but was not the integer value 99999.

User action: Specify the integer value 99999.

REASONCODES: TSS 06F (111)

BDE (3038) For a PKCS #11 callable service, the attributes of the PKCS #11 object specified do not permit the requested function.

User action: Specify an object that permits the requested function.

BDF (3039) For a PKCS #11 callable service, where a PKCS #11 key object is required, the specified object is not of the correct key type for the requested function.

User action: Specify an object that is the correct class of key.

BE0 (3040) The PAN, expiration date, service code, decimalization table data, validation data, or pad data is not numeric (X'F0' through X'F9'). The parameter must be character representations of numerics or hexadecimal data.

User action: Review the numeric parameters or fields required in the service that you called and change to the format and values required.

REASONCODES: TSS 028 (040), TSS 02A (042), TSS 066 (102), TSS 067 (103), TSS 068 (104), TSS 069 (105), TSS 06E (110)

BE1 (3041) PKCS #11 wrap key callable service failed because the wrapping key object is not of the correct class to wrap the key specified to be wrapped.

User action: Specify a wrapping key object of the correct class to wrap the key object.

BE3 (3043) PKCS #11 wrap key callable service failed because the key object to be wrapped does not exist or the key class does not match the wrapping mechanism.

User action: Specify an existing key object that is correct for the wrapping mechanism.

BE4 (3044) A PKCS #11 session data space is full. The request to create or update an object failed and the object was not created or updated.

User action: Delete unused session objects and cryptographic state objects from incomplete chained operations to create space for new or updated objects.

BE5 (3045) PKCS #11 wrap key callable service failed because the key object to be wrapped has CKA_EXTRACTABLE set to false.

User action: Specify another key object that can be extracted.

BE6 (3046) A key token was passed to a service using high performance encrypted key operations and RACF failed your request to use the key token.

User action: Contact your ICSF or RACF administrator if you need to pass key tokens to a service using high performance encrypted key operations.

BE7 (3047) A clear key was provided when a secure key was required.

User action: Correct the appropriate key identifier.

BEA (3050) A caller is attempting to overwrite one token type with another (for example, AES over DES).
BEC (3052) A clear key token was supplied to a service where a secure token is required.
BED (3053) A service was called with no parameter list, but a parameter list was expected.

User action: Call the service with a parameter list.

BEE (3054) A request was made to a callable service with a key token wrapped with the enhanced X9.24 CBC method. Tokens wrapped with the enhanced method are not supported by this release of ICSF.

User action: Contact your ICSF administrator to resolve which key token is to be used.

BF3 (3059) The provided key_identifier refers to an encrypted variable-length CCA key token or a key label of an encrypted variable-length CCA key token. The key-management field in the CCA token does not allow its use in high performance encrypted key operations.

User action: Supply a key token or the label of a key token with the required key-management settings.

BF5 (3061) The provided asymmetric key identifier cannot be used for the requested function. PKA Key Management Extensions have been enabled by a CSF.PKAEXTNS.ENABLE profile in the XFACILIT class. A CSFKEYS profile covering the key includes an ICSF segment, and the ASYMUSAGE field of that segment restricts the key from being used for the specified function.

An SMF type 82 subtype 27 record is logged in the SMF database.

BF6 (3062) The provided symmetric key identifier cannot be exported using the provided asymmetric key identifier. PKA Key Management Extensions have been enabled by a CSF.PKAEXTNS.ENABLE profile in the XFACILIT class. A CSFKEYS or XCSFKEY profile covering the symmetric key includes an ICSF segment and the SYMEXPORTABLE field of that segment places restrictions on how the key can be exported. The SYMEXPORTABLE field either specifies BYNONE, or else specifies BYLIST but the provided asymmetric key identifier is not one of those permitted to export the symmetric key (as identified by the SYMEXPORTCERTS or SYMEXPORTKEYS fields).

An SMF type 82 subtype 27 record is logged to the SMF database.

BF7 (3063) ICSF key store policy checking is active. The request failed the ICSF token policy check because the caller is not authorized to the label for the token in the key data set (CKDS or PKDS). The request is not allowed to continue because the token check policy is in FAIL mode.

SMF type 82 subtype 25 records are logged in the SMF dataset. An SMF type 80 with event code qualifier of ACCESS is logged.

The policy is defined by the CSF.CKDS.TOKEN.CHECK.LABEL.FAIL resource or the CSF.PKDS.TOKEN.CHECK.LABEL.FAIL resource in the XFACILIT class.

BF8 (3064) ICSF key store policy checking is active. The specified token does not exist in the key data set (CKDS or PKDS as appropriate). The CSF-CKDS-DEFAULT or CSF-PKDS-DEFAULT resource in the CSFKEYS class is either not defined or the caller is not authorized to the CSF-CKDS-DEFAULT or CSF-PKDS-DEFAULT resource. The resource is not in WARNING mode, so the request is not allowed to continue.

An SMF type 80 record with event qualifier ACCESS is logged indicating the request failed.

The policy is defined by the CSF.CKDS.TOKEN.CHECK.DEFAULT.LABEL or the CSF.PKDS.TOKEN.CHECK.DEFAULT.LABEL resource in the XFACILIT class.

BF9 (3065) ICSF token policy checking is active. The caller is requesting to add a token to the key data set (CKDS or PKDS as appropriate) that already exists within the key data set. The request fails.

The policy is defined by the CSF.CKDS.TOKEN.NODUPLICATES resource or the CSF.PKDS.TOKEN.NODUPLICATES resource in the XFACILIT class.

BFB (3067) The provided key_identifier refers to an encrypted CCA key token or a key label of an encrypted CCA key token, and the CSFKEYS profile covering it does not allow its use in high performance encrypted key operations.

User action: Contact your ICSF or RACF administrator if you need to use this key with an ICSF service that supports secure keys for CPACF. For more details, see 'Enabling use of encrypted keys in callable services that exploit CPACF' in z/OS Cryptographic Services ICSF Administrator's Guide.

BFC (3068) A cryptographic operation using a specific PKCS #11 key object is being requested. The key object has exceeded its useful life for the operation requested. The request is not processed.

User action: Use a different key.

BFE (3070) A cryptographic operation that requires FIPS 140-2 compliance is being requested. The desired algorithm, mode, or key size is not approved for FIPS 140-2. The request is not processed.

User action: Repeat the request using an algorithm, mode, and/or key size approved for FIPS 140-2. Refer to z/OS Cryptographic Services ICSF Writing PKCS #11 Applications for this list of approved algorithms, modes, and key sizes.

BFF (3071) An application using a z/OS PKCS #11 token that is marked ‘Write Protected’ is attempting to do one of the following:
  • Store a persistent object in the token.
  • Delete the token.
  • Reinitialize the token.
ICSF always marks the session object only omnipresent token as ‘Write Protected.’ ICSF will also mark an ordinary token ‘Write Protected’ if it contains objects not supported by this release of ICSF.

User action: Use a z/OS PKCS #11 token that is not marked ‘Read Only’ or, if this is an ordinary token (not the omnipresent token), attempt the delete or reinitialization from a different member of the sysplex.

C04 (3076) The provided symmetric key label refers to an encrypted CCA key token, and the CSFKEYS profile covering it does not allow it to be returned in its protected-key CPACF form.

User action: Contact your ICSF or RACF administrator if you need to use this label in calls to the CKDS Key Record Read2 service with the PROTKEY rule.

C07 (3079) A request was made to use a key token wrapped with the X9.24 enhanced wrapping method introduced in HCR7780. Key tokens wrapped with the enhanced method cannot be used on this release. Also, key tokens wrapped with the enhanced method cannot be updated or deleted from the CKDS on this release.

User action: Run your application on a release that supports the enhanced wrapping method.

C08 (3080) The use of a PKA key token has been attempted. The token is not supported on the release of ICSF currently running.

User action: Check the ICSF release for support of this token type.

C0B (3083) The specified key token buffer length is of insufficient size for the buffer to contain the output key token.

User action: Specify a key token buffer that is large enough to receive the output key token.

C0C (3084) The key token associated with the specified key label is a variable-length token, which is not compatible with this callable service.

User action: Either modify the program logic to utilize a key label that is associated with a compatible key token or use an ICSF callable service that supports the symmetric key token type provided.

C0D (3085) Rule array keyword specifies a function not supported by this hardware. Some examples include:
  • ECC specified in rule array for the PKA Key Token Change callable service, but request is being executed on a system that does not support ECC keys.
  • PROTKEY specified in rule array for the CKDS Key Record Read2 callable service against a clear key label, but request is being executed on a system that does not have CP Assist for Cryptographic Functions.
  • PROTKEY specified in rule array for the CKDS Key Record Read2 against a secure key label, but request is being executed on a system that either does not have a cryptographic coprocessor or does not have one with a sufficient level of licensed internal code (LIC).

User action: Specify a different, supported, rule array keyword or execute the service on a system that supports the function.

C0E (3086) Specified token is not supported by this hardware. For example, an ECC token is being used but request is being executed on a system that does not support ECC keys.

User action: Specify a different, supported, token, or execute the request on a system that supports the function.

C0F (3087) A coordinated KDS refresh was attempted to an empty KDS. The new KDS of a coordinated KDS refresh must be initialized and must contain the same MKVP values as the active KDS.

User action: Perform a coordinated KDS refresh using a new KDS that is initialized and that contains the same MKVP values as the active KDS.

C10 (3088) A coordinated KDS change master key was attempted and either the new KDS or backup KDS contained a different LRECL attribute from the active KDS. The new KDS and optionally the backup KDS must contain the same LRECL attribute as the active KDS during a coordinated KDS change master key.

User action: Perform a coordinated KDS change master key using a new KDS and optionally a backup KDS with the same LRECL attribute as the active KDS.

C11 (3089) The new KDS specified for a coordinated KDS change master key was not empty when the operation began. The new KDS must be empty before performing a coordinated KDS change master key.

User action: Perform the coordinated KDS change master key with a new KDS that is empty.

C12 (3090) The backup KDS specified for a coordinated KDS change master key was not empty when the operation began. When using the optional backup function, the backup KDS must be empty before performing a coordinated KDS change master key.

User action: Perform the coordinated KDS change master key with a backup KDS that is empty.

C13 (3091) The new KDS specified for a coordinated KDS refresh contains different MKVPs than the active KDS. In order to perform a coordinated KDS refresh, the new KDS specified must contain the same MKVPs as the active KDS.

User action: Perform the coordinated KDS refresh with a new KDS that contains the same MKVPs as the active KDS.

C14 (3092) The system that is trying to do the CCMK has rejected update requests for higher version records, so the in-store KDS is incomplete and cannot be used for CCMK.

User action: Retry the function from a sysplex KDS cluster member running the highest ICSF FMID level.

C1F (3103) The new KDS specified for either a coordinated KDS refresh or coordinated KDS change master key is not a valid data set name.

User action: Specify a valid data set name for the new KDS when performing either a coordinated KDS refresh or coordinated KDS change master key.

C20 (3104) The backup KDS specified for a coordinated KDS change master key is not a valid data set name.

User action: Specify a valid data set name for the backup KDS when performing a coordinated KDS change master key.

C21 (3105) A coordinated KDS refresh or coordinated KDS change master key was attempted while at least one ICSF instance in the sysplex was below the HCR7790 FMID level. The coordinated KDS refresh and coordinated KDS change master key functions are only available when all ICSF instances in the sysplex, regardless of active KDS, are running at the HCR7790 FMID level or higher.

User action: Remove or upgrade ICSF instances in the sysplex that are running below the HCR7790 FMID level and retry the function.

C22 (3106) Either a coordinated KDS refresh or coordinated KDS change master key was attempted while another coordinated KDS refresh or coordinated KDS change master key was still in progress. The coordinated KDS function was initiated by this ICSF instance. Only one coordinated KDS function may execute at a time in the sysplex.

User action: Wait for the previous coordinated KDS function to complete and retry the function.

C23 (3107) A coordinated KDS change master key was attempted using a new KDS with the same name as the active KDS. The new KDS name must be different from the active KDS when performing a coordinated KDS change master key.

User action: Specify a new KDS with a different name from the active KDS and retry the function. Coordinated KDS change master key requires the new KDS to be allocated and match the same VSAM attributes as the active KDS.

C24 (3108) A coordinated KDS change master key was attempted using a backup KDS with the same name as the active KDS. When using the backup function, the backup KDS name must be different from the active KDS when performing a coordinated KDS change master key.

User action: Specify a backup KDS with a different name from the active KDS and retry the function. Coordinated KDS change master key requires the backup KDS to be allocated and match the same VSAM attributes as the active KDS.

C25 (3109) A coordinated KDS change master key was attempted using a new KDS with the same name as the backup KDS. If a backup KDS is specified, its name must be different from the new KDS.

User action: Specify a backup KDS with a different name from the new KDS and retry the function. The backup KDS is optional. Coordinated KDS change master key requires the new KDS, and optionally the backup KDS, to be allocated and match the same VSAM attributes as the active KDS.

C26 (3110) A coordinated KDS refresh or coordinated KDS change master key was attempted using an archive KDS name that is not valid.

User action: Specify a valid data set name for the archive KDS and retry the function. The archive data set name is optional. The optional archive KDS name must not exist on the system prior to performing a coordinated KDS refresh or a coordinated KDS change master key.

C27 (3111) A coordinated KDS change master key was attempted using an archive KDS with the same name as the backup KDS. When using the archive and backup functions, the archive KDS name must be different from the backup KDS.

User action: Specify an archive KDS with a different name from the backup KDS and retry the function. The archive KDS name and the backup KDS are optional. The archive KDS name must not exist on the system prior to performing a coordinated KDS refresh or a coordinated KDS change master key. The backup KDS must be allocated and match the same VSAM attributes as the active KDS.

C28 (3112) A coordinated KDS refresh or a coordinated KDS change master key was attempted using an archive KDS with the same name as the active KDS. When using the archive function, the archive KDS name must be different from the active KDS.

User action: Specify an archive KDS with a different name from the active KDS and retry the function. The archive KDS name must not exist on the system prior to performing a coordinated KDS refresh or a coordinated KDS change master key.

C29 (3113) A coordinated KDS refresh or a coordinated KDS change master key was attempted using an archive KDS with the same name as the new KDS. When using the archive function, the archive KDS name must be different from the new KDS.

User action: Specify an archive KDS with a different name than the new KDS and retry the function. The archive KDS name must not exist on the system prior to performing a coordinated KDS refresh or a coordinated KDS change master key.

C2A (3114) Either a coordinated KDS refresh or coordinated KDS change master key was attempted while another coordinated KDS refresh or coordinated KDS change master key was still in progress. The coordinated KDS function was initiated by another ICSF instance in the sysplex. Only one coordinated KDS function may execute at a time in the sysplex.

User action: Wait for the previous coordinated KDS function to complete and retry the function.

C30 (3120) A coordinated KDS change master key was attempted on an active KDS that was not initialized. The active KDS must be initialized before performing a coordinated KDS change master key.

User action: Initialize the active KDS and retry the function.

C31 (3121) The archive option was specified for a coordinated KDS refresh of the active KDS. The archive option is only valid for coordinated KDS refreshes to a new KDS or coordinated KDS change master key.

User action: Do not specify an archive data set when performing a coordinated KDS refresh of the active KDS.

C3C (3132) The archive data set name specified for coordinated KDS refresh or coordinated KDS change master key is too long. The archive data set name must allow enough space for renaming the KDS VSAM data and index portions within 44 characters.

User action: Specify a shorter name for the archive data set name to allow enough space for renaming the KDS VSAM data and index portions within 44 characters. The archive data set name is optional. When specified, the archive data set name must not exist on the system prior to performing the coordinated KDS function.

C3D (3133) During a coordinated KDS refresh or coordinated KDS change master key with the archive option specified, the active KDS could not be renamed to the archive data set name. This failure occurred because the active KDS VSAM data and index suffix names were not valid for performing the rename.

User action: Consider alternate names for the active KDS VSAM data and index suffixes. The archive data set name is optional. When specified, the archive data set name must not exist on the system prior to performing the coordinated KDS function.

C3E (3134) A coordinated KDS change master key attempted to use a new KDS that is currently another sysplex member's active KDS. Performing a coordinated KDS change master key to another sysplex member's active KDS is not allowed as it would alter all sysplex members configured in that sysplex KDS group.

User action: Specify a new KDS that is not currently the active KDS of another sysplex member and retry the function.

C5B (3163) The supplied clear key value has replicated key parts. A rule array keyword or control vector in the supplied key token requires that all key parts be unique.

User action: Supply a key value that has unique key parts.

C81 (3201) Operation requested requires a clear key, but a secure key was supplied.

User action: Use a different key, one that is clear.

CE8 (3304) There is a mismatch between the key data set specified in the rule array and a search criteria for the KDS list service. The key data set must be CKDS when the criteria is CKDS type. The key data set must be TKDS when the criteria is TKDS type. The key data set must be CKDS or PKDS when the criteria is unsupported CCA key.

User action: Specify the correct key data set in the rule array.

CE9 (3305) The metadata type in a structure in the metadata list for the KDS list service is zero and not allowed.

User action: Specify a valid metadata tag.

CEA (3306) A criterion flag in the search criteria for the KDS list service was not valid.

CEC (3308) The length of the handle for a TKDS token for the KDS list service was not correct.

User action: Specify a valid token handle and a length of 32.

CED (3309) Output area specified for the KDS list and the KDS metadata read services is too small to contain the requested data. For the KDS metadata read service, the output is restricted to 1000 bytes.

User action: Increase the size of the output area and specify the new size.

CEE (3310) For the KDS list service, the continuation area contains inconsistent data. It must be binary zero for the initial call and be returned unchanged for subsequent calls.

User action: Check that the continuation area is correct and not being changed for subsequent calls.

CEF (3311) The search criteria length specified for the KDS list service is greater than 500 bytes.

User action: Correct the length of the search criteria.

CF0 (3312) A search criteria specified for the KDS list service was in an incorrect format.

User action: Correct the search criteria.

CF1 (3313) The search criterion in a search criteria structure was not recognized for the KDS list service.

User action: Correct the search criteria.

CF2 (3314) The length field in a search criteria structure was incorrect for the KDS list service.

User action: Correct the search criteria.

CF3 (3315) The PKCS #11 token name specified in the label filter for the KDS list service was not found in the TKDS.

CF5 (3317) The date type in a search criteria for the KDS list service was not recognized.

User action: Correct the search criteria.

CF6 (3318) The comparison operator in a search criteria for the KDS list service was not recognized.

User action: Correct the search criteria.

CF7 (3319) A reserved length parameter was not zero.

User action: Specify a length of zero for the reserved length parameters.

CF8 (3320) The label filter for the KDS list service was not syntactically correct.

User action: Correct the label filter.

CF9 (3321) The label filter length for the KDS list service was too long.

User action: Correct the label filter.

CFA (3322) The TKDS object type in the search criteria for the KDS list service is incorrect.

User action: Correct the search criteria.

CFB (3323) The CKDS key type in the search criteria for the KDS list service is incorrect.

User action: Correct the search criteria or rule array.

CFC (3324) The unsupported keys specified in the structure for unsupported CCA keys for the KDS list service are not valid or not consistent with the key data set specified in the rule array.

User action: Specify a valid metadata tag.

D03 (3331) The metadata type in a structure in the metadata list for the KDS metadata write service is read only. The metadata block specified cannot be changed.

User action: Remove the metadata tag that is read only.

D04 (3332) The IBM variable-length metadata blocks are read only. The metadata blocks cannot be changed.

User action: Remove the IBM variable metadata block from the metadata list.

D05 (3333) A date in a structure in the action area for the KDS metadata write service is incorrect.

User action: Correct the date.

D06 (3334) The metadata list for the KDS metadata write service is incomplete. The metadata list length parameter does not match the sum of the lengths of the structures in the metadata list.

User action: Correct the action area and length parameters.

D07 (3335) The object handle specified for the KDS metadata read and KDS metadata write services for the TKDS is not the handle of a token object.

User action: Only token objects have metadata. Tokens and session objects cannot have metadata.

D08 (3336) The value specified for the input metadata length for the KDS metadata read and KDS metadata write services is incorrect. The value is either not large enough to contain valid date or is too large for the service.

User action: Check the input metadata length and the metadata area.

D09 (3337) The format of the input metadata for the KDS metadata read and KDS metadata write services is incorrect.

User action: Check the format of the input metadata structure.

D0A (3338) A data type in the input metadata for the KDS metadata read and KDS metadata write services is not recognized.

User action: Check the contents of the input metadata structure.

D0B (3339) A block in the input metadata area has a length specified that is inconsistent for the metadata type.

User action: Check the contents of the input metadata structure.

D0C (3340) The variable-length installation metadata in the input metadata area for the KDS metadata write service cannot be written to the record because the total limit of installation metadata would be exceeded.

User action: Check the contents of the input metadata structure.

D0E (3342) A service passed the label of a KDS record which is not yet active. The key material validity start date is in the future. The key material of the record is not available.

User action: Determine if the KDS label is correct. If so, contact the ICSF administrator and determine if the record should be made active.

D0F (3343) A service passed the label of a deactivated KDS record. The key material validity end date has passed. The key material of the record is not available.

User action: Determine if the KDS label is correct. If so, contact the ICSF administrator and determine if the record should be made active.

D10 (3344) A service passed the label of an archived KDS record. The key material of the record is not available.

User action: Determine if the KDS label is correct. If so, contact the ICSF administrator and determine if the record should be recalled.

D11 (3345) The value of a metadata flag for the KDS metadata write service or the KDS list service is incorrect.

User action: Supply a proper value.

D20 (3360) The KDS multi-Purpose callable service is in use.

User action: Try again later.

D42 (3394) ARPC generation failed.

User action: Ensure that the correct key mode was specified and the issuer master key being used is valid for ARPC generation.

D43 (3395) Secure messaging with integrity failure.

User action: Ensure that the correct key mode was specified and the issuer master key being used is valid for EMV scripting with integrity.

D44 (3396) Secure messaging with confidentiality failure.

User action: Ensure that the correct key mode was specified and the issuer master key being used is valid for EMV scripting with confidentiality.

DAE (3502) The Options Data Set Refresh function completed. No changes were made.

User action: Check the ICSF joblog.

DB1 (3505) The Options Data Set Refresh function ended. A syntax error was encountered in the options data set.

User action: Check the ICSF joblog. Correct the syntax of the option parameters in the options data set. Re-run the Options Data Set Refresh function.

DB2 (3506) The Options Data Set Refresh function ended. An error was encountered with the data set.

DB4 (3508) The Options Data Set Refresh function ended. An error was encountered while attempting to allocate the options data set.

DB5 (3509) The Options Data Set Refresh function ended. An error was encountered while retrieving the option information.

DC0 (3520) The KDS name passed as input is not the active KDS for the KDS type specified.

User action: The CSFKDU service only supports the updating of the active KDS in use by ICSF. Update your program to pass the active KDS name.

DC1 (3521) The length of the original record is larger than the largest record size supported for the specified KDS type.

User action: Only pass valid records to the service.

DC2 (3522) The length of the new record is larger than the largest record size supported for the specified KDS type.

User action: Only pass valid records to the service.

DC3 (3523) The function code passed to the CSFKDU service is not a valid function.

User action: Pass only documented function values.

DC4 (3524) A request to create, update, or delete a record has failed because the state of the current record does not match what was passed as the original state.

User action: Update your program to pass an original state of the record that matches what is in the KDS.

DC5 (3525) A request to update a record has failed because the before and after labels are different.

User action: Ensure that the before and after record labels match exactly.

DC6 (3526) The input parameter with option flags has flags turned on that are not currently supported.

User action: Clear the option flags field and only set supported option flags.

DC8 (3528) For a TKDS update, the record passed is at a higher version than what the current release of ICSF supports.

User action: Only attempt to create new records at a version that is supported by the ICSF release you are running. Optionally, ask your system programmer to install a more recent level of ICSF that supports the TKDS version desired.

DC9 (3529) A key identifier was supplied to a callable service as a key token or the label of a key token in a key data set. Either the key type of the key or the algorithm of the key is unsupported by the cryptographic features available to ICSF.

User action: Supply a key identifier supported by the cryptographic features.

DCA (3530) The record type is not valid.

User action: Ensure that the record has a valid KDS type and object type, if appropriate.

DCB (3531) The CSFKDU service encountered an unexpected error while trying to create a TKDS record. This is most commonly caused by attempting to create an object for which no token record exists.

DCF (3535) The cryptographic usage statistic to be updated by CSFSTAT is not enabled.

User action: Enable the cryptographic usage statistic for tracking. For more details, see z/OS Cryptographic Services ICSF Administrator's Guide.

DD2 (3538) The operation failed because an attempt was made to use or manage a compliant-tagged key token which is not supported on this system.

User action: Retry the operation on a system that supports the compliant-tagged token being used.

D47 (3399) Failure to decrypt the encrypted counter.

User action: Ensure that a valid encrypted counter was passed and the correct issuer master key was used.

F9E (3998) On a call to PCI Interface Callable Service, TKE sent a request to a specific PCI card queue using domain index 0 which is not one of the control domain indices listed in the LPAR activation profile. This occurs when using an older TKE workstation with a newer machine.

User action: Use the level of TKE workstation that is required when ordering the newer machine or mark domain 0 as a control domain in the LPAR activation profile.

F9F (3999) On a call to CKDS Key Record Delete or CKDS Key Record Write2, the label refers to a Variable-length Symmetric key token with an unrecognized algorithm or key type in the associated data section. Only key tokens with a recognized algorithm or key type can be managed on this release of ICSF.

User action: Call CKDS Key Record Delete or CKDS Key Record Write2 on a release of ICSF which recognizes the algorithm and key type of this token.

FA0 (4000) The encipher and decipher callable services sometimes require text (plaintext or ciphertext) to have a length that is an exact multiple of 8 bytes. Padding schemes always create ciphertext with a length that is an exact multiple of 8. If you want to decipher ciphertext that was produced by a padding scheme, and the text length is not an exact multiple of 8, then an error has occurred. The CBC mode of enciphering requires a text length that is an exact multiple of 8.

User action: Review the requirements of the service you are using. Either adjust the text you are processing or use another process rule.

REASONCODES: TSS 033 (051)

177F (6015) An ECC curve type is invalid or its usage is inconsistent.

User action: Supply a valid ECC curve type.

1782 (6018) One or more of the parameters passed to this callable service are in error.

User action: Refer to the parameter descriptions in this publication under the appropriate callable service to ensure the parameter values specified by your application are valid.

2710 (10000) A key identifier was passed to a service or token. It is checked in detail to ensure that it is a valid token, and that the fields within it are valid values. There is a token validation value (TVV) in the token, which is a non-cryptographic value. This value was again computed from the rest of the token, and compared to the stored TVV. If these two values are not the same, this reason code is returned.

User action: The contents of the token have been altered since it was created by ICSF or TSS. Review your program to see how this could have been caused.

REASONCODES: TSS 0C (12) and 1D (29)

2714 (10004) A key identifier was passed to a service. The master key verification pattern in the token shows that the key was created with a master key that is neither the current master key nor the old master key. Therefore, it cannot be reenciphered to the current master key.

User action: Re-import the key from its importable form (if you have it in this form), or repeat the process you used to create the operational key form. If you cannot do one of these, you cannot repeat any previous cryptographic process that you performed with this token.

REASONCODES: TSS 030 (048)

271C (10012) A key label was supplied for a key identifier parameter. This label is the label of a key in the in-storage CKDS or PKDS. A key record with that label (and the specific type if required by the ICSF callable service) could not be found. For a retained key label, this error code is also returned if the key is not found in the CCA coprocessor specified in the PKDS record.

User action: Check with your administrator if you believe that this key should be in the in-storage CKDS or the PKDS. The administrator may be able to bring it into storage. If this key cannot be in storage, use a different label.

REASONCODES: TSS 01E (030)

2720 (10016) You specified a value for a key_type parameter that is not an ICSF-defined name.

User action: Review the ICSF key types and use the appropriate one.

REASONCODES: TSS 03D (061)

2724 (10020) You specified the word TOKEN for a key_type parameter, but the corresponding key identifier, which implies the key type to use, has a value that is not valid in the control vector field. Therefore, a valid key type cannot be determined.

User action: Review the value that you stored in the corresponding key identifier. Check that the value for key_type is obtained from the appropriate key_identifier parameter.

REASONCODES: TSS 027 (039)

272C (10028) One of the following occurred:
  • Either the left half of the control vector in a key identifier (internal or external) equates to a key type that is not valid for the service you are using or the value is not that of any ICSF control vector. For example, an exporter key-encrypting key is not valid in the key import callable service.
  • An attempt was made to export a non-DATA key to CPACF protected key format. The key may be a CIPHER key which does not have the XPRTCPAC bit set in the control vector.

User action: Determine which key identifier is in error and use the key identifier that is required by the service. If this is an attempt to export a key to CPACF protected key format, either use a DATA key or a CIPHER key with the XPRTCPAC bit set in the control vector.

REASONCODES: TSS 027 (039)

2730 (10032) Either the right half of the control vector in a key identifier (internal or external) equates to a key type that is not valid for the service you are using, or the value is not that of any ICSF control vector. For example, an exporter key-encrypting key is not valid in the key import callable service.

User action: Determine which key identifier is in error and use the key identifier that is required by the service.

REASONCODES: TSS 027 (039)

2734 (10036) Either the complete control vector (CV) in a key identifier (internal or external) equates to a key type that is not valid for the service you are using, or the value is not that of any ICSF control vector.

The difference between this and reason codes 10028 and 10032 is that each half of the control vector is valid, but as a combination, the whole is not valid. For example, the left half of the control vector may be the importer key-encrypting key and the right half may be the input PIN-encrypting (IPINENC) key.

User action: Determine which key identifier is in error and use the key identifier that is required by the service.

REASONCODES: TSS 027 (039)

2738 (10040) Key identifiers contain a version number. One of the following situations is possible:
  • The version number in a supplied key identifier (internal or external) is inconsistent with one or more fields in the key identifier, making the key identifier unusable.
  • The version number in a supplied key token, or token retrieved by a supplied label, is not consistent or not valid with another parameter you specified. For example, a DES key token (version 0 or 1) is not valid with the rule array keyword AES in the Symmetric Key Encipher callable service.

User action: Use a token, or the label of a token, containing the required version number.

REASONCODES: TSS 031 (049)

273C (10044) A cross-check of the control vector the key type implies has shown that it does not correspond with the control vector present in the supplied internal key identifier.

User action: Change either the key type or key identifier.

REASONCODES: TSS 0B7 (183)

2740 (10048) The key_type parameter does not contain one of the valid types for the service or the keyword TOKEN.

User action: Check the supplied parameter with the ICSF key types. If you supplied the keyword TOKEN, check that you have padded it on the right with blanks.

REASONCODES: TSS 03D (061)

2744 (10052) A null key identifier was supplied and the key_type parameter contained the word TOKEN. This combination of parameters is not valid.

User action: Use either a null key identifier or the word TOKEN, not both.

REASONCODES: TSS 027 (039)

2748 (10056) You called the key import callable service. The importer key-encrypting key is a NOCV importer and you specified TOKEN for the key_type parameter. This combination is not valid.

User action: Specify a value in the key_type parameter for the operational key form.

274C (10060) You called the key export callable service. A label was supplied in the key_identifier parameter for the key to be exported and the key_type was TOKEN. This combination is not valid because the service needs a key type in order to retrieve a key from the CKDS.

User action: Specify the type of key to be exported in the key_type parameter.

REASONCODES: TSS 03D (061)

2754 (10068) A flag in a key identifier indicates the master key verification pattern (MKVP) is not present in an internal key token. This setting is not valid.

User action: Use a token containing the required flag values.

REASONCODES: TSS 02F (047)

2758 (10072) A flag in a key identifier indicates the encrypted key is not present in an external token. This setting is not valid.

User action: Use a token containing the required flag values.

REASONCODES: TSS 02F (047)

275C (10076) A flag in a key identifier indicates the control vector is not present. This setting is not valid.

User action: Use a token containing the required flag values.

REASONCODES: TSS 02F (047)

2760 (10080) An ICSF private flag in a key identifier has been set to a value that is not valid.

User action: Use a token containing the required flag values. Do not modify ICSF or the reserved flags for your own use.

2768 (10088) If you supplied a label in the key_identifier parameter, a record with the supplied label was found in the CKDS, but the key type (CV) is not valid for the service. If you supplied an internal key token for the key_identifier parameter, it contained a key type that is not valid.

User action: Check with your ICSF administrator if you believe that this key should be in the in-storage CKDS. The administrator may be able to bring it into storage. If this key cannot be in storage, use a different label.

REASONCODES: TSS 027 (039)

2788 (10120) The internal key token you supplied, or the key token that was retrieved by the label you supplied, contains a flag setting or data encryption algorithm bit that is not valid for this service.

User action: Ensure that you supply a key token, or label, for a non-ANSI key type.

278C (10124) The key identifier you supplied cannot be exported because there is a prohibit-export restriction on the key.

User action: Use the correct key for the service.

REASONCODES: TSS 027 (039)

2790 (10128) The keyword you supplied in the rule_array parameter is not consistent or not valid with another parameter you specified. For example, the keyword SINGLE is not valid with the key type of EXPORTER in the key token build callable service.

User action: Correct either the rule_array parameter or the other parameter.

REASONCODES: TSS 09C (156)

2791 (10129) NOCV KEKs are not permitted in the RKX service.

2AF8 (11000) The value specified for length parameter for a key token, key, or text field is not valid.

User action: Correct the appropriate length field parameter.

REASONCODES: TSS 048 (072)

2AFC (11004) The hash value (of the secret quantities) in the private key section of the internal token failed validation. The values in the token are corrupted. You cannot use this key.

User action: Re-create the token using the appropriate combination of the PKA key token build, PKA key generate, and PKA key import callable services.

REASONCODES: TSS 02F (047)

2B00 (11008) The public or private key values are not valid (for example, the modulus or an exponent is zero or the exponent is even) or the key could not have created the signature (for example, the modulus value is less than the signature value). In any case, the key cannot be used to verify the signature.

User action: You might need to re-create the token by using the PKA key token build or PKA key import callable service or regenerate the key values on another platform.

REASONCODES: TSS 302 (770)

2B04 (11012) The internal or external private key token contains flags that are not valid.

User action: You may need to re-create the token using the PKA key token build or PKA key import callable service.

REASONCODES: TSS 02F (047)

2B08 (11016) The calculated hash of the public information in the PKA token does not match the hash in the private section of the token. The values in the token are corrupted.

User action: Verify the public key section and the key name section of the token. If the token is still rejected, then you need to re-create the token using the appropriate combination of the PKA key token build, PKA key generate, and PKA key import callable services.

REASONCODES: TSS 02F (047)

2B0C (11020) The hash pattern of the master key in the supplied internal PKA private key token does not match the current system's PKA master key. This indicates the master key has changed since the token was created. You cannot use the token.

User action: Re-create the token using the appropriate combination of the PKA key token build, PKA key generate, and PKA key import callable services.

REASONCODES: TSS 030 (048)

2B10 (11024) The PKA tokens have incomplete values, for example, a PKA public key token without modulus.

User action: Re-create the key.

REASONCODES: TSS 02F (047)

2B14 (11028) The modulus of the PKA key is too short for processing the hash or PKCS block.

User action: Either use a PKA key with a larger modulus size, use a hash algorithm that generates a smaller hash (digital signature services), or specify a shorter DATA key size (symmetric key export, symmetric key generate).

REASONCODES: TSS 048 (072)

2B18 (11032) The supplied private key can be used only for digital signature. Key management services are disallowed.

User action: Supply a key with key management enabled.

REASONCODES: TSS 040 (064)

2B20 (11040) The recovered encryption block was not a valid PKCS-1.2 or zero-pad format. (The format is verified according to the recovery method specified in the rule-array.) If the recovery method specified was PKCS-1.2, refer to PKCS-1.2 for the possible error in parsing the encryption block. For the PKCS #11 services CSFPUWK and CSFPSKD, this reason could also indicate a non-RSA encryption block length problem.

User action: Ensure that the parameters passed to CSNDSYI or CSNFSYI are correct. Possible causes for this error are incorrect values for the RSA private key or incorrect values in the RSA_enciphered_key parameter, which must be formatted according to PKCS-1.2 or zero-pad rules when created.

REASONCODES: TSS 42 (66)

2B24 (11044) The first section of a supplied PKA token was not a private or public key section.

User action: Re-create the key.

REASONCODES: TSS 0B5 (181)

2B28 (11048) The eyecatcher on the PKA internal private token is not valid.

User action: Reimport the private token using the PKA key import callable service.

2B2C (11052) An incorrect PKA token was supplied. One of the following situations is possible:
  • The service requires a private key token of the correct type.
  • The supplied token may be of a type that is not supported on this system.

User action: Check that the supplied token is:
  • a PKA private key token of the correct type.
  • a type supported by this system.

2B30 (11056) The input PKA token contains length fields that are not valid.

User action: Re-create the key token.

2B38 (11064) The RSA-OAEP block did not verify when it decomposed. The block type is incorrect (must be X'03').

User action: Re-create the RSA-OAEP block.

REASONCODES: TSS 2CF (719)

2B3C (11068) The RSA-OAEP block did not verify when it decomposed. The verification code is not correct (must be all zeros).

User action: Re-create the RSA-OAEP block.

REASONCODES: TSS 2D1 (721)

2B40 (11072) The RSA-OAEP block did not verify when it decomposed. The random number I is not correct (must be non-zero with the high-order bit equal to zero).

User action: Re-create the RSA-OAEP block.

REASONCODES: TSS 2D0 (720)

2B48 (11080) The RSA public or private key specified a modulus length that is incorrect for this service.

User action: Re-invoke the service with an RSA key with the proper modulus length.

REASONCODES: See reason codes 41 (65) and 2F8 (760)

2B4C (11084) This service requires an RSA public key and the key identifier specified is not a public key.

User action: Re-invoke the service with an RSA public key.

2B50 (11088) This service requires an RSA private key that is for signature use only.

User action: Re-invoke the service with a supported private key.

2B54 (11092) There was an invalid subsection in the PKA token.

User action: Correct the PKA token.

2B58 (11096) This service requires an RSA private key that is for signature use. The specified key may be used for key management purposes only.

User action: Re-invoke the service with a supported private key.

REASONCODES: TSS 040 (064)

3E80 (16000) RACF failed your request to use this service or PKCS #11 token. This may be caused by the CSFSERV or CRYPTOZ class.

User action: Contact your ICSF or RACF administrator if you need this service.

3E84 (16004) RACF failed your request to use the key label or token. This may be caused by either the CSFKEYS or XCSFKEY class, depending on the setting of the Granular Keylabel Access Controls and the type of token provided. Both key labels and the private-key name in a PKA secure private key are subject to controls implemented using the CSFKEYS class.

User action: Contact your ICSF or RACF administrator if you need this key.

3E88 (16008) Clear key generation denied by policy. Secure PKCS #11 services are not available and caller’s RACF access to CRYPTOZ class resource CLEARKEY.token-label does not permit the generation of non-secure (clear) PKCS #11 keys.

User action: Contact your ICSF administrator.

ICSF administrator action: Either configure ICSF for secure PKCS #11 services or have your RACF administrator grant the user authority to use clear keys.

3E8C (16012) You requested the conversion service, but you are not running in an authorized state.

User action: You must be running in supervisor state to use the conversion service. Contact your ICSF administrator.

3E90 (16016) The input/output field contained a valid internal token with the NOCV bit on or encryption algorithm mark, but the key type was incorrect or did not match the type of the generated or imported key. Processing failed.

User action: Correct the calling application.

REASONCODES: TSS 027 (039)

3E94 (16020) You called a service and specified the label of a CKDS system key, which is not allowed.

User action: Correct the calling application.

REASONCODES: TSS 0B5 (181)

3E98 (16024) You called the CKDS key record write callable service, but the key token you supplied is not valid.

User action: Check with your ICSF administrator if you believe that this key should be in the in-storage CKDS. The administrator may be able to bring it into storage. If this key cannot be in storage, use a different label.

3EA0 (16032) Invalid syntax for CKDS, PKDS or TKDS label name.

User action: Correct key_label syntax.

REASONCODES: TSS 020 (032)

3EA4 (16036) The key record create callable service requires that the key created not already exist in the CKDS, PKDS, or TKDS. A key of the same label was found.

User action: Make sure the application specifies the correct label. If the label is correct, contact your ICSF security administrator or system programmer.

REASONCODES: TSS 02C (044)

3EA8 (16040) Data in the PKDS record did not match the expected data. This occurs if the record does not contain a null PKA token and CHECK was specified.

User action: If the record is to be overwritten regardless of its content, specify OVERLAY.

3EAC (16044) One or more key labels specified as input to the PKA key generate or PKA key import service incorrectly refer to a retained private key. If generating a retained private key, this error may result from one of these conditions:
  • The private key name of the retained private key being generated is the same as an existing PKDS record, but the PKDS record label was not specified as the input skeleton (source) key identifier.
  • The label specified in the generated_key_token parameter as the target for the retained private key was not the same as the private-key name.

If generating or importing a non-retained key, this error occurs when the label specified as the target key specifies a retained private key. The retained private key cannot be overwritten.

User action: Make sure the application specifies the correct label. If the label is correct, contact your ICSF security administrator or system programmer.

3EB0 (16048) Retained keys on the PKDS cannot be deleted or updated using the PKDS key record delete or PKDS key record write callable services, respectively.

User action: Use the retained key delete callable service to delete retained keys.

Reason code 0, return code 308 (776) RACF failed your request to use this service.

User action: Contact your ICSF or RACF administrator if you need this service.

Reason code 1, return code 308 (776) RACF failed your request to use the key label.

User action: Contact your ICSF or RACF administrator if you need this key.

06E (110)-PAN, 028 (040)-ser. code, 02A (042)-exp. date, 066 (102)-dec table, 067 (103)-val. table, 06C (198)-pad data The PAN, expiration date, service code, decimalization table data, validation data, or pad data is not numeric (X'F0' through X'F9'). The parameter must be character representations of numerics or hexadecimal data.

User action: Review the numeric parameters or fields required in the service that you called and change to the format and values required.