Access control points and callable services

For information about PKCS #11 access control points, see 'PKCS #11 Coprocessor Access Control Points' in z/OS Cryptographic Services ICSF Writing PKCS #11 Applications.

Access to callable services that are executed on a coprocessor is through access control points in the domain role. To execute services on the coprocessor, access control points must be enabled for each service in the domain role. The access control points available depend on the coprocessor you are using.

A new or a zeroized coprocessor (or domain) comes with an initial set of access control points (ACPs) that are enabled by default. The table of access control points lists the default setting of each access control point.

When a firmware upgrade is applied to an existing cryptographic coprocessor, the upgrade may introduce new ACPs.
Note: Access control points for ICSF utilities are listed in z/OS Cryptographic Services ICSF Administrator's Guide.

If an access control point is disabled, the corresponding ICSF callable service will fail during execution with an access denied error.

The following tables list usage information using the following abbreviations:
AE: Always enabled, cannot be disabled.
ED: Enabled by default.
DD: Disabled by default.
SC: Usage of this access control point requires special consideration.

The following table lists access control points that affect multiple services or that require special consideration when they are enabled.

Table 1. Access control points affecting multiple services or requiring special consideration
| Name | Callable Services | Notes | Usage |
| --- | --- | --- | --- |
| Allow weak DES wrap of RSA | CSNDPKG / CSNFPKG | When enabled, a weaker DES key-encrypting key is allowed to wrap an RSA private key token. The Prohibit weak wrap – Transport keys access control point must be enabled, and this access control point then overrides that restriction. See Key Strength and Wrapping of Key for more information. | DD, SC |
| ANSI X9.8 PIN - Allow modification of PAN | CSNBPTR / CSNEPTR | See ANSI X9.8 PIN Restrictions for a description of this control. | DD, SC |
| ANSI X9.8 PIN - Allow only ANSI PIN blocks | CSNBPTR / CSNEPTR | See ANSI X9.8 PIN Restrictions for a description of this control. | DD, SC |
| ANSI X9.8 PIN - Enforce PIN block restrictions | CSNBCPA / CSNECPA, CSNBPTR / CSNEPTR, and CSNBSPN / CSNESPN | See ANSI X9.8 PIN Restrictions for a description of this control. | DD, SC |
| ANSI X9.8 PIN – Use stored decimalization tables only | CSNBPGN / CSNEPGN, CSNBCPA / CSNECPA, CSNBEPG / CSNEEPG and CSNBPVR / CSNEPVR | See ANSI X9.8 PIN Restrictions for a description of this control. | DD, SC |
| DATAM Key Management Control | CSNBKGN / CSNEKGN, CSNBKIM / CSNEKIM, CSNBKEX / CSNEKEX and CSNBDKG / CSNEDKG | When enabled, the DATAM and DATAMV key types can be used. When disabled, the key types are not allowed. | ED |
| Disallow 24-byte DATA wrapped with 16-byte Key | All callable services that wrap a key under an exporter or importer KEK or a 16-byte DES master key | When enabled, triple-length 0 CV DATA keys cannot be wrapped by a 16-byte DES key, either the master key or a key-encrypting key. See Key strength and wrapping of key for more information. | DD, SC |
| Enhanced PIN Security | CSNBCPE / CSNECPE, CSNBCPA / CSNECPA, CSNBEPG / CSNEEPG, CSNBPTR / CSNEPTR, CSNBPVR / CSNEPVR, and CSNBPCU / CSNEPCU | See Enhanced PIN Security Mode for a description of this control. | DD, SC |
| NOCV KEK usage for export-related functions | CSNBKEX / CSNEKEX, CSNBSKM / CSNESKM, and CSNBKGN / CSNEKGN | When enabled, NOCV key-encrypting keys can be used by the listed services. | ED, SC |
| NOCV KEK usage for import-related functions | CSNBKIM / CSNEKIM, CSNBSKI / CSNESKI, CSNBSKM / CSNESKM, and CSNBKGN / CSNEKGN | When enabled, NOCV key-encrypting keys can be used by the listed services. | ED, SC |
| Prohibit weak wrap – Master keys | All services that wrap or import keys. Both symmetric and asymmetric keys are affected. | When enabled, an error return code is returned when attempting to wrap a stronger key with a weaker master key. An error return code is also returned when the last part is loaded into the DES or RSA new master key register, if the complete master key is weak. See Key strength and wrapping of key and Key Strength and Wrapping of Key for more information. | DD, SC |
| Prohibit weak wrap – Transport keys | All services that wrap or import keys. Both symmetric and asymmetric keys are affected. | When enabled, an error return code is returned when attempting to wrap a stronger key with a weaker key-encrypting key. See Key strength and wrapping of key for more information. | DD, SC |
| Symmetric Key Token Change – RTCMK | Services that use symmetric key tokens | When enabled, this control allows symmetric key tokens under the old master key to be reenciphered under the current master key. These reenciphered tokens are returned from all callable services that use symmetric tokens. | AE |
| Symmetric Key Token Change2 – RTCMK | Services that use the variable-length symmetric key tokens | When enabled, this control allows symmetric key tokens under the old master key to be reenciphered under the current master key. These reenciphered tokens are returned from all callable services that use symmetric tokens. | AE |
| Symmetric token wrapping - internal enhanced method | Services that wrap internal symmetric key tokens | When enabled, this control causes all generated or imported keys to be wrapped with the enhanced method. This control can be overridden by rule array keywords for certain services. See Key strength and wrapping of key for more information. | DD, SC |
| Symmetric token wrapping - internal original method | Services that wrap internal symmetric key tokens | When enabled, this control causes all generated or imported keys to be wrapped with the original method. This control can be overridden by rule array keywords for certain services. See Key strength and wrapping of key for more information. | ED |
| Symmetric token wrapping - external enhanced method | Services that wrap external symmetric key tokens | When enabled, this control causes all generated or exported keys to be wrapped with the enhanced method. This control can be overridden by rule array keywords for certain services. See Key strength and wrapping of key for more information. | DD, SC |
| Symmetric token wrapping - external original method | Services that wrap external symmetric key tokens | When enabled, this control causes all generated or exported keys to be wrapped with the original method. This control can be overridden by rule array keywords for certain services. See Key strength and wrapping of key for more information. | ED |
| UKPT - PIN Verify, PIN Translate | CSNBPVR / CSNEPVR and CSNBPTR / CSNEPTR | When enabled, the listed services can use UKPT key derivation. | ED |
| Warn when weak wrap – Master keys | All services that wrap or import keys. Both symmetric and asymmetric keys are affected. | When enabled, an informational return code is returned when attempting to wrap a stronger key with a master key that is weaker. A warning return code is also returned when the last part is loaded into the DES or RSA new master key register, if the master key is weak. See Key strength and wrapping of key and Key Strength and Wrapping of Key for more information. | DD, SC |
| Warn when weak wrap – Key-encrypting keys | All services that wrap or import keys. Both symmetric and asymmetric keys are affected. | When enabled, an informational return code is returned when attempting to wrap a stronger key with a weaker key, or when attempting to import a key token that has previously been wrapped with a weaker key, as indicated by its security history field. See Key strength and wrapping of key and Key Strength and Wrapping of Key for more information. | DD, SC |

There are relationships between certain access control points. A controlling access control point is required to be enabled before subordinate access control points can be enabled. The TKE workstation will enable the controlling access control point when a subordinate access control point is enabled.

The following table lists access control points that affect the specific services indicated in the access control point name. The usage of each access control point is described in the Usage Notes section of the callable service description.

Note: If the domain role has been changed via the TKE workstation, all new access control points are disabled by default.
Table 2. Access control points – Callable Services
Name Callable Service Usage
Authentication Parameter Generate CSNBAPG / CSNEAPG ED
Authentication Parameter Generate - Clear CSNBAPG / CSNEAPG DD
Cipher Text translate2 CSNBCTT2 / CSNECTT2 and CSNBCTT3 / CSNECTT3 ED
Cipher Text translate2 – Allow translate from AES to TDES CSNBCTT2 / CSNECTT2 and CSNBCTT3 / CSNECTT3 ED
Cipher Text translate2 – Allow translate to weaker AES CSNBCTT2 / CSNECTT2 and CSNBCTT3 / CSNECTT3 ED
Cipher Text translate2 – Allow translate to weaker DES CSNBCTT2 / CSNECTT2 and CSNBCTT3 / CSNECTT3 ED
Cipher Text translate2 – Allow only cipher text translate types CSNBCTT2 / CSNECTT2 and CSNBCTT3 / CSNECTT3 DD
Clear Key Import / Multiple Clear Key Import - DES CSNBCKI / CSNECKI and CSNBCKM / CSNECKM ED
Clear PIN Encrypt CSNBCPE / CSNECPE ED
Clear PIN Generate - 3624 CSNBPGN / CSNEPGN ED
Clear PIN Generate - GBP CSNBPGN / CSNEPGN ED
Clear PIN Generate - VISA PVV CSNBPGN / CSNEPGN ED
Clear PIN Generate - Interbank CSNBPGN / CSNEPGN ED
Clear Pin Generate Alternate - 3624 Offset CSNBCPA / CSNECPA ED
Clear PIN Generate Alternate - VISA PVV CSNBCPA / CSNECPA ED
Control Vector Translate CSNBCVT / CSNECVT ED
Cryptographic Variable Encipher CSNBCVE / CSNECVE ED
CVV Key Combine CSNBCKC / CSNECKC ED
CVV Key Combine - Allow wrapping override keywords CSNBCKC / CSNECKC ED
CVV Key Combine - Permit mixed key types CSNBCKC / CSNECKC ED
Data Key Export CSNBDKX / CSNEDKX ED
Data Key Export - Unrestricted CSNBDKX / CSNEDKX ED
Data Key Import CSNBDKM / CSNEDKM ED
Data Key Import - Unrestricted CSNBDKM / CSNEDKM ED
Decipher - DES CSNBDEC / CSNEDEC ED
Digital Signature Generate CSNDDSG / CSNFDSG ED
DSG - ZERO-PAD restriction lifted CSNDDSG / CSNFDSG ED
Digital Signature Verify CSNDDSV / CSNFDSV ED
Diversified Key Generate - CLR8–ENC CSNBDKG / CSNEDKG ED
Diversified Key Generate - SESS-XOR CSNBDKG / CSNEDKG ED
Diversified Key Generate - TDES-ENC CSNBDKG / CSNEDKG ED
Diversified Key Generate - TDES-CBC CSNBDKG / CSNEDKG ED
Diversified Key Generate - TDES-DEC CSNBDKG / CSNEDKG ED
Diversified Key Generate - TDES-XOR CSNBDKG / CSNEDKG ED
Diversified Key Generate - TDESEMV2/TDESEMV4 CSNBDKG / CSNEDKG ED
Diversified Key Generate - Allow wrapping override keywords CSNBDKG / CSNEDKG ED
Diversified Key Generate - single length or same halves CSNBDKG / CSNEDKG ED
Diversified Key Generate - DKYGENKY - DALL CSNBDKG / CSNEDKG DD, SC
Diversified Key Generate2 – AES EMV1 SESS CSNBDKG2 / CSNEDKG2 ED
Diversified Key Generate2 - DALL CSNBDKG2 / CSNEDKG2 DD, SC
DK Deterministic PIN Generate CSNBDDPG / CSNEDDPG DD
DK Migrate PIN CSNBDMP / CSNEDMP DD
DK PAN Modify in Transaction CSNBDPMT / CSNEDPMT DD
DK PAN Translate CSNBDPT / CSNEDPT DD
DK PIN Verify CSNBDPV / CSNEDPV DD
DK PIN Change CSNBDPC / CSNEDPC DD
DK PRW Card Number Update CSNBPNU / CSNEPNU DD
DK PRW CMAC Generate CSNBDPCG / CSNBPCG DD
DK Random PIN Generate CSNBDRPG / CSNEDRPG DD
DK Regenerate PRW CSNBDRP / CSNEDRP DD
ECC Diffie-Hellman CSNDEDH / CSNFEDH ED
ECC Diffie-Hellman – Allow Prime Curve 192 CSNDEDH / CSNFEDH ED
ECC Diffie-Hellman – Allow Prime Curve 224 CSNDEDH / CSNFEDH ED
ECC Diffie-Hellman – Allow Prime Curve 256 CSNDEDH / CSNFEDH ED
ECC Diffie-Hellman – Allow Prime Curve 384 CSNDEDH / CSNFEDH ED
ECC Diffie-Hellman – Allow Prime Curve 521 CSNDEDH / CSNFEDH ED
ECC Diffie-Hellman – Allow BP Curve 160 CSNDEDH / CSNFEDH ED
ECC Diffie-Hellman – Allow BP Curve 192 CSNDEDH / CSNFEDH ED
ECC Diffie-Hellman – Allow BP Curve 224 CSNDEDH / CSNFEDH ED
ECC Diffie-Hellman – Allow BP Curve 256 CSNDEDH / CSNFEDH ED
ECC Diffie-Hellman – Allow BP Curve 320 CSNDEDH / CSNFEDH ED
ECC Diffie-Hellman – Allow BP Curve 384 CSNDEDH / CSNFEDH ED
ECC Diffie-Hellman – Allow BP Curve 512 CSNDEDH / CSNFEDH ED
ECC Diffie-Hellman – Allow PASSTHRU CSNDEDH / CSNFEDH ED
ECC Diffie-Hellman – Allow key wrap override CSNDEDH / CSNFEDH ED
ECC Diffie-Hellman – Prohibit weak key generate CSNDEDH / CSNFEDH DD, SC
Encipher - DES CSNBENC / CSNEENC ED
Encrypted PIN Generate - 3624 CSNBEPG / CSNEEPG ED
Encrypted PIN Generate - GBP CSNBEPG / CSNEEPG ED
Encrypted PIN Generate - Interbank CSNBEPG / CSNEEPG ED
Encrypted PIN Translate - Translate CSNBPTR / CSNEPTR ED
Encrypted PIN Translate - Reformat CSNBPTR / CSNEPTR ED
Encrypted PIN Verify - 3624 CSNBPVR / CSNEPVR ED
Encrypted PIN Verify - GBP CSNBPVR / CSNEPVR ED
Encrypted PIN Verify - VISA PVV CSNBPVR / CSNEPVR ED
Encrypted PIN Verify - Interbank CSNBPVR / CSNEPVR ED
FPE Decipher CSNBFPED / CSNEFPED ED
FPE Encipher CSNBFPEE / CSNEFPEE ED
FPE Translate CSNBFPET / CSNEFPET ED
HMAC Generate – SHA-1 CSNBHMG / CSNBHMG1 and CSNEHMG / CSNEHMG1 ED
HMAC Generate – SHA-224 CSNBHMG / CSNBHMG1 and CSNEHMG / CSNEHMG1 ED
HMAC Generate – SHA-256 CSNBHMG / CSNBHMG1 and CSNEHMG / CSNEHMG1 ED
HMAC Generate – SHA-384 CSNBHMG / CSNBHMG1 and CSNEHMG / CSNEHMG1 ED
HMAC Generate – SHA-512 CSNBHMG / CSNBHMG1 and CSNEHMG / CSNEHMG1 ED
HMAC Verify – SHA-1 CSNBHMV / CSNBHMV1 and CSNEHMV / CSNEHMV1 ED
HMAC Verify – SHA-224 CSNBHMV / CSNBHMV1 and CSNEHMV / CSNEHMV1 ED
HMAC Verify – SHA-256 CSNBHMV / CSNBHMV1 and CSNEHMV / CSNEHMV1 ED
HMAC Verify – SHA-384 CSNBHMV / CSNBHMV1 and CSNEHMV / CSNEHMV1 ED
HMAC Verify – SHA-512 CSNBHMV / CSNBHMV1 and CSNEHMV / CSNEHMV1 ED
Key Export CSNBKEX / CSNEKEX ED
Key Export - Unrestricted CSNBKEX / CSNEKEX ED
Key Generate – OP CSNBKGN / CSNEKGN ED
Key Generate – Key set CSNBKGN / CSNEKGN ED
Key Generate – Key set extended CSNBKGN / CSNEKGN ED
Key Generate - SINGLE-R CSNBKGN / CSNEKGN ED
Key Generate2 – DK PIN admin1 key MAC CSNBKGN2 / CSNEKGN2 DD
Key Generate2 – DK PIN admin1 key PINPROT CSNBKGN2 / CSNEKGN2 DD
Key Generate2 – DK PIN admin2 key MAC CSNBKGN2 / CSNEKGN2 DD
Key Generate2 – DK PIN key set CSNBKGN2 / CSNEKGN2 DD
Key Generate2 – DK PIN print key CSNBKGN2 / CSNEKGN2 DD
Key Generate2 – Key set CSNBKGN2 / CSNEKGN2 ED
Key Generate2 – Key set extended CSNBKGN2 / CSNEKGN2 ED
Key Generate2 – OP CSNBKGN2 / CSNEKGN2 ED
Key Import CSNBKIM / CSNEKIM ED
Key Import - Unrestricted CSNBKIM / CSNEKIM ED
Key Part Import - First key part CSNBKPI / CSNEKPI ED
Key Part Import - Middle and final CSNBKPI / CSNEKPI ED
Key Part Import - ADD-PART CSNBKPI / CSNEKPI ED
Key Part Import - COMPLETE CSNBKPI / CSNEKPI ED
Key Part Import - Allow wrapping override keywords CSNBKPI / CSNEKPI ED
Key Part Import - Unrestricted CSNBKPI / CSNEKPI ED
Key Part Import2 – Load first key part, require 3 key parts CSNBKPI2 / CSNEKPI2 ED
Key Part Import2 – Load first key part, require 2 key parts CSNBKPI2 / CSNEKPI2 ED
Key Part Import2 - Load first key part, require 1 key parts CSNBKPI2 / CSNEKPI2 ED
Key Part Import2 - Add second of 3 or more key parts CSNBKPI2 / CSNEKPI2 ED
Key Part Import2 - Add last required key part CSNBKPI2 / CSNEKPI2 ED
Key Part Import2 - Add optional key part CSNBKPI2 / CSNEKPI2 ED
Key Part Import2 – Complete key CSNBKPI2 / CSNEKPI2 ED
Key Test and Key Test2 CSNBKYT / CSNEKYT and CSNBKYT2 / CSNEKYT2 AE
Key Test2 – AES, ENC-ZERO CSNBKYT2 / CSNEKYT2 AE
Key Test - Warn when keyword inconsistent with key length CSNBKYTX / CSNFKYTX DD
Key Translate CSNBKTR / CSNEKTR ED
Key Translate2 CSNBKTR2 / CSNEKTR2 ED
Key Translate2 - Allow use of REFORMAT CSNBKTR2 / CSNEKTR2 ED
Key Translate2 - Allow wrapping override keywords CSNBKTR2 / CSNEKTR2 ED
Key Translate2 - Disallow AES ver 5 to ver 4 conversion CSNBKTR2 / CSNEKTR2 DD
Key Translate2 – Translate fixed to variable payload CSNBKTR2 / CSNEKTR2 DD, SC
MAC Generate CSNBMGN / CSNEMGN ED
MAC Generate2 – AES CMAC CSNBMGN2 / CSNEMGN2 / CSNBMGN3 / CSNEMGN3 ED
MAC Verify CSNBMVR / CSNEMVR ED
MAC Verify2 – AES CMAC CSNBMVR2 / CSNEMVR2 / CSNBMVR3 / CSNEMVR3 ED
Multiple Clear Key Import / Multiple Secure Key Import - AES CSNBCKM / CSNECKM and CSNBSKM / CSNESKM ED
Multiple Clear Key Import - Allow wrapping override keywords CSNBCKM / CSNECKM ED
Multiple Secure Key Import - Allow wrapping override keywords CSNBSKM / CSNESKM ED
Operational Key Load CSNBOKL / CSNEOKL ED
Operational Key Load - Variable-Length Tokens CSNBOKL / CSNEOKL ED
PIN Change/Unblock - change EMV PIN with OPINENC CSNBPCU / CSNEPCU ED
PIN Change/Unblock - change EMV PIN with IPINENC CSNBPCU / CSNEPCU ED
PKA Decrypt CSNDPKD / CSNFPKD ED
PKA Encrypt CSNDPKE / CSNFPKE ED
PKA Key Generate CSNDPKG / CSNFPKG ED
PKA Key Generate – Clear RSA keys CSNDPKG / CSNFPKG ED
PKA Key Generate – Clear ECC keys CSNDPKG / CSNFPKG ED
PKA Key Generate - Clone CSNDPKG / CSNFPKG ED
PKA Key Generate - Permit Regeneration Data CSNDPKG / CSNFPKG ED
PKA Key Generate - Permit Regeneration Data Retain CSNDPKG / CSNFPKG ED
PKA Key Import CSNDPKI / CSNFPKI ED
PKA Key Import - Import an External Trusted Key Block to internal form CSNDPKI / CSNFPKI ED
PKA Key Token Change RTCMK CSNDKTC / CSNFKTC ED
PKA Key Translate - from CCA RSA to SC Visa format CSNDPKT / CSNFPKT ED
PKA Key Translate - from CCA RSA to SC ME format CSNDPKT / CSNFPKT ED
PKA Key Translate - from CCA RSA to SC CRT format CSNDPKT / CSNFPKT ED
PKA Key Translate – Translate internal key token CSNDPKT / CSNFPKT ED
PKA Key Translate – Translate external key token CSNDPKT / CSNFPKT ED
PKA Key Translate - from source EXP KEK to target EXP KEK CSNDPKT / CSNFPKT ED
PKA Key Translate - from source IMP KEK to target EXP KEK CSNDPKT / CSNFPKT ED
PKA Key Translate - from source IMP KEK to target IMP KEK CSNDPKT / CSNFPKT ED
PKA Key Translate - from CCA RSA CRT to EMVDDA format CSNDPKT / CSNFPKT ED
PKA Key Translate - from CCA RSA CRT to EMVDDAE format CSNDPKT / CSNFPKT ED
PKA Key Translate - from CCA RSA CRT to EMVCRT format CSNDPKT / CSNFPKT ED
Prohibit Export CSNBPEX / CSNEPEX ED
Prohibit Export Extended CSNBPEXX / CSNEPEXX ED
Recover PIN From Offset CSNBPFO / CSNEPFO ED
Remote Key Export - Generate or export a key for use by a non-CCA node CSNDRKX / CSNFRKX ED
Remote Key Export – Include RKX in Default Key-Wrapping Configuration CSNDRKX / CSNFRKX DD
Remote Key Export - Allow wrapping override keywords CSNDRKX / CSNFRKX DD
RKX/TBC – Disallow triple-length MAC key CSNDRKX / CSNFRKX and CSNDTBC / CSNFTBC DD, SC
Restrict Key Attribute – Export Control CSNBRKA / CSNERKA ED
Restrict Key Attribute - Permit setting the TR-31 export bit CSNBRKA / CSNERKA ED
Retained Key Delete CSNDRKD / CSNFRKD ED
Retained Key List CSNDRKL / CSNFRKL ED
Secure Key Import – DES, IM CSNBSKI / CSNESKI and CSNBSKM / CSNESKM ED
Secure Key Import – DES, OP CSNBSKI / CSNESKI and CSNBSKM / CSNESKM ED
Secure Key Import2 - OP CSNBSKI2 / CSNESKI2 ED
Secure Key Import2 - IM CSNBSKI2 / CSNESKI2 ED
Secure Messaging for Keys CSNBSKY / CSNESKY ED
Secure Messaging for PINs CSNBSPN / CSNESPN ED
SET Block Compose CSNDSBC / CSNFSBC ED
SET Block Decompose CSNDSBD / CSNFSBD ED
SET Block Decompose - PIN ext IPINENC CSNDSBD / CSNFSBD ED
SET Block Decompose - PIN ext OPINENC CSNDSBD / CSNFSBD ED
Symmetric Algorithm Decipher - Secure AES CSNBSAD / CSNESAD and CSNBSAD1 / CSNESAD1 ED
Symmetric Algorithm Encipher - Secure AES CSNBSAE / CSNESAE and CSNBSAE1 / CSNESAE1 ED
Symmetric Key Encipher/Decipher - Encrypted DES keys CSNBSYD / CSNBSYE and CSNBSYD1 / CSNESYD1 ED
Symmetric Key Encipher/Decipher - Encrypted AES keys CSNBSYD / CSNBSYE and CSNBSYD1 / CSNESYD1 ED
Symmetric Key Export with Data CSNDSXD / CSNFSXD DD
Symmetric Key Export with Data - Special CSNDSXD / CSNFSXD DD
Symmetric Key Export - AES, PKCSOAEP, PKCS-1.2 CSNDSYX / CSNFSYX ED
Symmetric Key Export - AES, PKOAEP2 CSNDSYX / CSNFSYX ED
Symmetric Key Export - AES, ZERO-PAD CSNDSYX / CSNFSYX ED
Symmetric Key Export - AESKW CSNDSYX / CSNFSYX ED
Symmetric Key Export - AESKWCV CSNDSYX / CSNFSYX ED
Symmetric Key Export - DES, PKCS-1.2 CSNDSYX / CSNFSYX ED
Symmetric Key Export - DES, ZERO-PAD CSNDSYX / CSNFSYX ED
Symmetric Key Export – HMAC,PKOAEP2 CSNDSYX / CSNFSYX ED
Symmetric Key Generate - AES, PKCSOAEP, PKCS-1.2 CSNDSYG / CSNFSYG ED
Symmetric Key Generate - AES, ZERO-PAD CSNDSYG / CSNFSYG ED
Symmetric Key Generate - DES, PKCS-1.2 CSNDSYG / CSNFSYG ED
Symmetric Key Generate - DES, ZERO-PAD CSNDSYG / CSNFSYG ED
Symmetric Key Generate - DES, PKA92 CSNDSYG / CSNFSYG ED
Symmetric Key Generate - Allow wrapping override keywords CSNDSYG / CSNFSYG ED
Symmetric Key Import - AES, PKCSOAEP, PKCS-1.2 CSNDSYI / CSNFSYI ED
Symmetric Key Import - AES, ZERO-PAD CSNDSYI / CSNFSYI ED
Symmetric Key Import - DES, PKCS-1.2 CSNDSYI / CSNFSYI ED
Symmetric Key Import - DES, ZERO-PAD CSNDSYI / CSNFSYI ED
Symmetric Key Import - DES, PKA92 KEK CSNDSYI / CSNFSYI ED
Symmetric Key Import - Allow wrapping override keywords CSNDSYI / CSNFSYI ED
Symmetric Key Import2 – AES,PKOAEP2 CSNDSYI2 / CSNFSYI2 ED
Symmetric Key Import2 - AESKW CSNDSYI2 / CSNFSYI2 ED
Symmetric Key Import2 - AESKWCV CSNDSYI2 / CSNFSYI2 ED
Symmetric Key Import2 - Allow wrapping override keywords CSNDSYI2 / CSNFSYI2 ED
Symmetric Key Import2 - disallow weak import CSNDSYI2 / CSNFSYI2 DD, SC
Symmetric Key Import2 – HMAC,PKOAEP2 CSNDSYI2 / CSNFSYI2 ED
TR31 Export – Permit version A TR-31 key blocks CSNBT31X / CSNET31X ED
TR31 Export – Permit version B TR-31 key blocks CSNBT31X / CSNET31X ED
TR31 Export – Permit version C TR-31 key blocks CSNBT31X / CSNET31X ED
TR31 Export – Permit any CCA key if INCL-CV is specified CSNBT31X / CSNET31X ED
TR31 Export – Permit KEYGENKY:UKPT to B0 CSNBT31X / CSNET31X ED
TR31 Export – Permit MAC/MACVER:AMEXCSC to C0:G/C/V CSNBT31X / CSNET31X DD
TR31 Export – Permit MAC/MACVER:CVVKEYA to C0:G/C/V CSNBT31X / CSNET31X DD
TR31 Export – Permit MAC/MACVER:ANYMAC to C0:G/C/V CSNBT31X / CSNET31X ED
TR31 Export – Permit DATA to C0:G/C CSNBT31X / CSNET31X ED
TR31 Export – Permit ENCIPHER/DECIPHER/CIPHER to D0:E/D/B CSNBT31X / CSNET31X ED
TR31 Export – Permit DATA to D0:B CSNBT31X / CSNET31X ED
TR31 Export – Permit EXPORTER/OKEYXLAT to K0:E CSNBT31X / CSNET31X DD
TR31 Export – Permit IMPORTER/IKEYXLAT to K0:D CSNBT31X / CSNET31X DD
TR31 Export – Permit EXPORTER/OKEYXLAT to K1:E CSNBT31X / CSNET31X DD
TR31 Export – Permit IMPORTER/IKEYXLAT to K1:D CSNBT31X / CSNET31X DD
TR31 Export – Permit MAC/DATA/DATAM to M0:G/C CSNBT31X / CSNET31X DD
TR31 Export – Permit MACVER/DATAMV to M0:V CSNBT31X / CSNET31X ED
TR31 Export – Permit MAC/DATA/DATAM to M1:G/C CSNBT31X / CSNET31X ED
TR31 Export – Permit MACVER/DATAMV to M1:V CSNBT31X / CSNET31X ED
TR31 Export – Permit MAC/DATA/DATAM to M3:G/C CSNBT31X / CSNET31X ED
TR31 Export – Permit MACVER/DATAMV to M3:V CSNBT31X / CSNET31X ED
TR31 Export – Permit OPINENC to P0/E CSNBT31X / CSNET31X ED
TR31 Export – Permit IPINENC to P0/D CSNBT31X / CSNET31X ED
TR31 Export – Permit PINVER:NO-SPEC to V0 CSNBT31X / CSNET31X DD
TR31 Export – Permit PINGEN:NO-SPEC to V0 CSNBT31X / CSNET31X DD
TR31 Export – Permit PINVER:NO-SPEC/IBM-PIN/IBM-PINO to V1 CSNBT31X / CSNET31X ED
TR31 Export – Permit PINGEN:NO-SPEC/IBM-PIN/IBM-PINO to V1 CSNBT31X / CSNET31X ED
TR31 Export – Permit PINVER:NO-SPEC/VISA-PVV to V2 CSNBT31X / CSNET31X ED
TR31 Export – Permit PINGEN:NO-SPEC/VISA-PVV to V2 CSNBT31X / CSNET31X ED
TR31 Export – Permit DKYGENKY:DKYL0+DMAC to E0 CSNBT31X / CSNET31X DD
TR31 Export – Permit DKYGENKY:DKYL0+DMV to E0 CSNBT31X / CSNET31X DD
TR31 Export – Permit DKYGENKY:DKYL0+DALL to E0 CSNBT31X / CSNET31X DD
TR31 Export – Permit DKYGENKY:DKYL1+DMAC to E0 CSNBT31X / CSNET31X DD
TR31 Export – Permit DKYGENKY:DKYL1+DMV to E0 CSNBT31X / CSNET31X DD
TR31 Export – Permit DKYGENKY:DKYL1+DALL to E0 CSNBT31X / CSNET31X DD
TR31 Export – Permit DKYGENKY:DKYL0+DDATA to E1 CSNBT31X / CSNET31X DD
TR31 Export – Permit DKYGENKY:DKYL0+DMPIN to E1 CSNBT31X / CSNET31X DD
TR31 Export – Permit DKYGENKY:DKYL0+DALL to E1 CSNBT31X / CSNET31X DD
TR31 Export – Permit DKYGENKY:DKYL1+DDATA to E1 CSNBT31X / CSNET31X DD
TR31 Export – Permit DKYGENKY:DKYL1+DMPIN to E1 CSNBT31X / CSNET31X DD
TR31 Export – Permit DKYGENKY:DKYL1+DALL to E1 CSNBT31X / CSNET31X DD
TR31 Export – Permit DKYGENKY:DKYL0+DMAC to E2 CSNBT31X / CSNET31X DD
TR31 Export – Permit DKYGENKY:DKYL0+DALL to E2 CSNBT31X / CSNET31X DD
TR31 Export – Permit DKYGENKY:DKYL1+DMAC to E2 CSNBT31X / CSNET31X DD
TR31 Export – Permit DKYGENKY:DKYL1+DALL to E2 CSNBT31X / CSNET31X DD
TR31 Export – Permit DATA/MAC/CIPHER/ENCIPHER to E3 CSNBT31X / CSNET31X DD
TR31 Export – Permit DKYGENKY:DKYL0+DDATA to E4 CSNBT31X / CSNET31X ED
TR31 Export – Permit DKYGENKY:DKYL0+DALL to E4 CSNBT31X / CSNET31X ED
TR31 Export – Permit DKYGENKY:DKYL0+DEXP to E5 CSNBT31X / CSNET31X DD
TR31 Export – Permit DKYGENKY:DKYL0+DMAC to E5 CSNBT31X / CSNET31X DD
TR31 Export – Permit DKYGENKY:DKYL0+DDATA to E5 CSNBT31X / CSNET31X DD
TR31 Export – Permit DKYGENKY:DKYL0+DALL to E5 CSNBT31X / CSNET31X ED
TR31 Export – Permit PINGEN/PINVER to V0/V1/V2:N CSNBT31X / CSNET31X DD
TR31 Import – Permit version A TR-31 key blocks CSNBT31I / CSNET31I ED
TR31 Import – Permit version B TR-31 key blocks CSNBT31I / CSNET31I ED
TR31 Import – Permit version C TR-31 key blocks CSNBT31I / CSNET31I ED
TR31 Import – Permit override of default wrapping method CSNBT31I / CSNET31I ED
TR31 Import – Permit C0 to MAC/MACVER:CVVKEY-A CSNBT31I / CSNET31I DD
TR31 Import – Permit C0 to MAC/MACVER:AMEX-CSC CSNBT31I / CSNET31I DD
TR31 Import – Permit K0:E to EXPORTER/OKEYXLAT CSNBT31I / CSNET31I DD
TR31 Import – Permit K0:D to IMPORTER/IKEYXLAT CSNBT31I / CSNET31I DD
TR31 Import – Permit K0:B to EXPORTER/OKEYXLAT CSNBT31I / CSNET31I DD
TR31 Import – Permit K0:B to IMPORTER/IKEYXLAT CSNBT31I / CSNET31I DD
TR31 Import – Permit K1:E to EXPORTER/OKEYXLAT CSNBT31I / CSNET31I DD
TR31 Import – Permit K1:D to IMPORTER/IKEYXLAT CSNBT31I / CSNET31I DD
TR31 Import – Permit K1:B to EXPORTER/OKEYXLAT CSNBT31I / CSNET31I DD
TR31 Import – Permit K1:B to IMPORTER/IKEYXLAT CSNBT31I / CSNET31I DD
TR31 Import – Permit M0/M1/M3 to MAC/MACVER:ANY-MAC CSNBT31I / CSNET31I ED
TR31 Import – Permit P0:E to OPINENC CSNBT31I / CSNET31I ED
TR31 Import – Permit P0:D to IPINENC CSNBT31I / CSNET31I ED
TR31 Import – Permit V0 to PINGEN:NO-SPEC CSNBT31I / CSNET31I DD
TR31 Import – Permit V0 to PINVER:NO-SPEC CSNBT31I / CSNET31I DD
TR31 Import – Permit V1 to PINGEN:IBM-PIN/IBM-PINO CSNBT31I / CSNET31I ED
TR31 Import – Permit V1 to PINVER:IBM-PIN/IBM-PINO CSNBT31I / CSNET31I ED
TR31 Import – Permit V2 to PINGEN:VISA-PVV CSNBT31I / CSNET31I ED
TR31 Import – Permit V2 to PINVER:VISA-PVV CSNBT31I / CSNET31I ED
TR31 Import – Permit E0 to DKYGENKY:DKYL0+DMAC CSNBT31I / CSNET31I DD
TR31 Import – Permit E0 to DKYGENKY:DKYL0+DMV CSNBT31I / CSNET31I DD
TR31 Import – Permit E0 to DKYGENKY:DKYL1+DMAC CSNBT31I / CSNET31I DD
TR31 Import – Permit E0 to DKYGENKY:DKYL1+DMV CSNBT31I / CSNET31I DD
TR31 Import – Permit E1 to DKYGENKY:DKYL0+DMPIN CSNBT31I / CSNET31I DD
TR31 Import – Permit E1 to DKYGENKY:DKYL0+DDATA CSNBT31I / CSNET31I DD
TR31 Import – Permit E1 to DKYGENKY:DKYL1+DMPIN CSNBT31I / CSNET31I DD
TR31 Import – Permit E1 to DKYGENKY:DKYL1+DDATA CSNBT31I / CSNET31I DD
TR31 Import – Permit E2 to DKYGENKY:DKYL0+DMAC CSNBT31I / CSNET31I DD
TR31 Import – Permit E2 to DKYGENKY:DKYL1+DMAC CSNBT31I / CSNET31I DD
TR31 Import – Permit E3 to ENCIPHER CSNBT31I / CSNET31I DD
TR31 Import – Permit E4 to DKYGENKY:DKYL0+DDATA CSNBT31I / CSNET31I ED
TR31 Import – Permit E5 to DKYGENKY:DKYL0+DMAC CSNBT31I / CSNET31I DD
TR31 Import – Permit E5 to DKYGENKY:DKYL0+DDATA CSNBT31I / CSNET31I DD
TR31 Import – Permit E5 to DKYGENKY:DKYL0+DEXP CSNBT31I / CSNET31I DD
TR31 Import – Permit V0/V1/V2:N to PINGEN/PINVER CSNBT31I / CSNET31I DD
Transaction Validation – Generate CSNBTRV / CSNETRV ED
Transaction Validation - Verify CSC-3 CSNBTRV / CSNETRV ED
Transaction Validation - Verify CSC-4 CSNBTRV / CSNETRV ED
Transaction Validation - Verify CSC-5 CSNBTRV / CSNETRV ED
Trusted Block Create - Activate an Inactive Trusted Key Block CSNDTBC / CSNFTBC ED
Trusted Block Create - Create Trusted Key Block in Inactive Form CSNDTBC / CSNFTBC ED
Unique Key Derive CSNBUKD / CSNEUKD ED
Unique Key Derive - Allow PIN-DATA processing CSNBUKD / CSNEUKD DD
Unique Key Derive - K3IPEK CSNBUKD / CSNEUKD DD
Unique Key Derive - Override default wrapping CSNBUKD / CSNEUKD ED
VISA CVV Generate CSNBCSG / CSNECSG ED
VISA CVV Verify CSNBCSV / CSNECSV ED
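The following added example (not part of the IBM documentation and not ICSF code) parses rows in the flat layout of Table 2 and audits a domain role against the documented defaults, reporting which callable services would fail with access denied and which default-disabled controls have been turned on. The role settings in `ROLE` are constructed, and treating an ACP that is absent from the role as one introduced by a firmware upgrade is an assumption of this example.

```python
import re
from dataclasses import dataclass

CODE = r"(?:AE|ED|DD|SC)"
# Usage codes sit at the end of a row, separated by a comma (or a stray period).
USAGE_TAIL = re.compile(rf"\s({CODE}(?:\s*[,.]\s*{CODE})*)\s*$")
SERVICE = re.compile(r"\bCSN[BDEF][A-Z0-9]+\b")  # callable service entry points


@dataclass(frozen=True)
class Acp:
    name: str
    services: tuple
    usage: frozenset

    @property
    def default_enabled(self):
        return bool(self.usage & {"AE", "ED"})


def parse_row(line):
    """Split one flat 'Name  Callable Service  Usage' row of Table 2."""
    tail = USAGE_TAIL.search(line)
    if tail is None:
        raise ValueError(f"no usage codes at end of row: {line!r}")
    body = line[:tail.start()]
    first = SERVICE.search(body)
    if first is None:
        raise ValueError(f"no callable service in row: {line!r}")
    return Acp(body[:first.start()].strip(),
               tuple(SERVICE.findall(body[first.start():])),
               frozenset(re.findall(CODE, tail.group(1))))


def effective_state(acp, role, role_changed_via_tke):
    """State of one ACP in a domain role (role: name -> enabled)."""
    if "AE" in acp.usage:          # always enabled, cannot be disabled
        return True
    if acp.name in role:           # explicit setting in the role
        return role[acp.name]
    # Assumption: an ACP the role does not know was added by a firmware
    # upgrade. Per the note above Table 2 it is disabled if the role was
    # changed via the TKE workstation; otherwise the table default applies.
    return False if role_changed_via_tke else acp.default_enabled


def audit(acps, role, role_changed_via_tke):
    """Return (kind, name, services, special_consideration) per deviation.

    'denied': default-enabled ACP is off, the listed services fail with
              access denied when they need it.
    'opened': default-disabled ACP is on and should be justified.
    """
    findings = []
    for acp in acps:
        enabled = effective_state(acp, role, role_changed_via_tke)
        if acp.default_enabled and not enabled:
            kind = "denied"
        elif enabled and not acp.default_enabled:
            kind = "opened"
        else:
            continue
        findings.append((kind, acp.name, acp.services, "SC" in acp.usage))
    return findings


# Rows copied from Table 2 of this page.
ROWS = """\
Key Test2 – AES, ENC-ZERO CSNBKYT2 / CSNEKYT2 AE
Clear PIN Generate - VISA PVV CSNBPGN / CSNEPGN ED
Data Key Export - Unrestricted CSNBDKX / CSNEDKX ED
Symmetric Key Import2 - disallow weak import CSNDSYI2 / CSNFSYI2 DD, SC
TR31 Export – Permit PINGEN:NO-SPEC to V0 CSNBT31X / CSNET31X DD
PKA Key Translate - from CCA RSA to SC Visa format CSNDPKT / CSNFPKT ED"""
ACPS = [parse_row(r) for r in ROWS.splitlines()]

# Constructed role settings; the last two ACPs above are deliberately absent.
ROLE = {
    "Key Test2 – AES, ENC-ZERO": False,   # ignored: AE cannot be disabled
    "Clear PIN Generate - VISA PVV": False,
    "Data Key Export - Unrestricted": True,
    "TR31 Export – Permit PINGEN:NO-SPEC to V0": True,
}

if __name__ == "__main__":
    for finding in audit(ACPS, ROLE, role_changed_via_tke=True):
        print(finding)
```
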