Reason codes that accompany return code 8
Reason codes that accompany return code 8.
The codes are listed in Table 1.
| Return code, decimal | Reason code, decimal (hex) | Description |
|---|---|---|
| 8 | 012 (00C) | The token-validation value in an external key token is not valid. |
| 8 | 022 (016) | The ID number in the request field is not valid. |
| 8 | 023 (017) | An access to the data area is outside the data-area boundary. |
| 8 | 024 (018) | The master key verification pattern is not valid. |
| 8 | 025 (019) | The value that the text_length parameter specifies is not valid. |
| 8 | 026 (01A) | The value of the PIN is not valid. |
| 8 | 029 (01D) | The token-validation value in an internal key token is not valid. |
| 8 | 030 (01E) | No record with a matching key label is in key storage. |
| 8 | 031 (01F) | The control vector does not specify a DATA key. The key may be a CIPHER key which does not have the XPRTCPAC bit set in the control vector. |
| 8 | 032 (020) | A key label format is not valid. |
| 8 | 033 (021) | A rule_array or other parameter specifies a keyword that is not valid. |
| 8 | 034 (022) | A rule_array keyword combination is not valid or a keyword is specified that conflicts with another keyword. |
| 8 | 035 (023) | A rule_array_count is not valid. |
| 8 | 036 (024) | The action command must be specified in the rule_array. |
| 8 | 037 (025) | The object type must be specified in the rule_array. |
| 8 | 039 (027) | A control vector violation occurred. Check all control vectors employed with the verb. For security reasons, no detail is provided. |
| 8 | 040 (028) | The service code does not contain numerical character data. |
| 8 | 041 (029) | The keyword supplied with the key_form parameter is not valid. |
| 8 | 042 (02A) | The expiration date is not valid. |
| 8 | 043 (02B) | The keyword supplied with the key_length or the key_token_length parameter is not valid. |
| 8 | 044 (02C) | A record with a matching key label already exists in key storage. |
| 8 | 045 (02D) | The input character string cannot be found in the code table. |
| 8 | 046 (02E) | The card-validation value (CVV) is not valid. |
| 8 | 047 (02F) | A source key token is unusable because it contains data that is not valid or is undefined. This could be due to a incorrect combination of fields, such as having a NOCV key-encryption key with a non-default control vector. |
| 8 | 048 (030) | One or more keys has a master key verification pattern that is not valid. |
| 8 | 049 (031) | A key-token-version-number found in a key token is not supported. |
| 8 | 050 (032) | The key-serial-number specified in the rule_array is not valid. |
| 8 | 051 (033) | The value that the text_length parameter specifies is not a multiple of eight bytes. |
| 8 | 054 (036) | The value that the pad_character parameter specifies is not valid. |
| 8 | 055 (037) | The initialization vector in the key token is enciphered. |
| 8 | 056 (038) | The master key verification pattern in the OCV is not valid. |
| 8 | 058 (03A) | The parity of the operating key is not valid. |
| 8 | 059 (03B) | Control information (for example, the processing method or the pad character) in the key token conflicts with that in the rule_array. |
| 8 | 060 (03C) | A cryptographic request with the FIRST or MIDDLE keywords and a text length less than eight bytes is not valid. |
| 8 | 061 (03D) | The keyword supplied with the key_type parameter is not valid. |
| 8 | 062 (03E) | The source key is not present. |
| 8 | 063 (03F) | A key token has an invalid token header (for example, not an internal token). |
| 8 | 064 (040) | The RSA key is not permitted to perform the requested operation. Likely cause is key distribution usage is not enabled for the key. |
| 8 | 065 (041) | The key token failed consistency checking. |
| 8 | 066 (042) | The recovered encryption block failed validation checking. |
| 8 | 067 (043) | RSA encryption failed. |
| 8 | 068 (044) | RSA decryption failed. |
| 8 | 070 (046) | An invalid block identifier (identifier tag) was found. Either a block ID (identifier tag) that was proprietary was found, a reserved block ID was used, a duplicate block ID was found, or the specified optional block in the TR-31 key block could not be found. |
| 8 | 072 (048) | The value that the size parameter specifies is not valid (too small, too large, negative, or zero). |
| 8 | 085 (055) | The date or the time value is not valid. |
| 8 | 090 (05A) | Access control checking failed. See the Required Commands descriptions for the failing verb. |
| 8 | 091 (05B) | The time that was sent in your logon request was more than five minutes different from the clock in the secure module. |
| 8 | 092 (05C) | The user profile is expired. |
| 8 | 093 (05D) | The user profile has not yet reached its activation date. |
| 8 | 094 (05E) | The authentication data (for example, passphrase) is expired. |
| 8 | 095 (05F) | Access to the data is not authorized. |
| 8 | 096 (060) | An error occurred reading or writing the secure clock. |
| 8 | 100 (064) | The PIN length is not valid. |
| 8 | 101 (065) | The PIN check length is not valid. It must be in the range from 4 to the PIN length inclusive. |
| 8 | 102 (066) | The value of the decimalization table is not valid. |
| 8 | 103 (067) | The value of the validation data is not valid. |
| 8 | 104 (068) | The value of the customer-selected PIN is not valid or the PIN length does not match the value supplied with the PIN_length parameter or defined by the PIN-block format specified in the PIN profile. |
| 8 | 105 (069) | The value of the transaction_security parameter is not valid. |
| 8 | 106 (06A) | The PIN-block format keyword is not valid. |
| 8 | 107 (06B) | The format control keyword is not valid. |
| 8 | 108 (06C) | The value or the placement of the padding data is not valid. |
| 8 | 109 (06D) | The extraction method keyword is not valid. |
| 8 | 110 (06E) | The value of the PAN data is not numeric character data. |
| 8 | 111 (06F) | The sequence number is not valid. |
| 8 | 112 (070) | The PIN offset is not valid. |
| 8 | 114 (072) | The PVV value is not valid. |
| 8 | 116 (074) | The clear PIN value is not valid. For example, digits other than 0 - 9 were found. |
| 8 | 118 (76) | The issuer domestic code is invalid. This value must be five alphanumeric characters. |
| 8 | 120 (078) | An origin or destination identifier is not valid. |
| 8 | 121 (079) | The value of the inbound_key, key_value_structure, or source_key parameter is not valid. |
| 8 | 125 (07D) | A PKA92-encrypted key having the same Environment Identifier (EID) as the local node cannot be imported. |
| 8 | 129 (081) | Required rule-array keyword not found. |
| 8 | 153 (099) | The text length exceeds the system limits. |
| 8 | 154 (09A) | The key token specified by the key_identifier parameter is not an internal key token or a key label. |
| 8 | 155 (09B) | The value that the generated_key_identifier parameter specifies is not valid or it is not consistent with the value that the key_form parameter specifies. |
| 8 | 156 (09C) | A keyword is not valid with the specified parameters. |
| 8 | 157 (09D) | The key-token type is not specified in the rule_array. |
| 8 | 159 (09F) | The keyword supplied with the option parameter is not valid. |
| 8 | 160 (0A0) | The key type and the key length are not consistent. |
| 8 | 161 (0A1) | The value that the dataset_name_length parameter specifies is not valid. |
| 8 | 162 (0A2) | The offset value is not valid. |
| 8 | 163 (0A3) | The value that the dataset_name parameter specifies is not valid. |
| 8 | 164 (0A4) | The starting address of the output area falls inside the input area. |
| 8 | 165 (0A5) | The carry_over_character_count specified in the chaining vector is not valid. |
| 8 | 168 (0A8) | A hexadecimal MAC value contains characters that are not valid or the MAC, on a request or reply failed, because the user session key in the host and the adapter card do not match. |
| 8 | 169 (0A9) | Specific to MDC Generate, indicates that the length of the text supplied is not correct, either not long enough for the algorithm parameters used or not the correct multiple (must be multiple of eight bytes). |
| 8 | 170 (0AA) | Special authorization through the operating system is required to use this verb. |
| 8 | 171 (0AB) | The control_array_count value is not valid. |
| 8 | 175 (0AF) | The key token cannot be parsed because no control vector is present. |
| 8 | 180 (0B4) | A key token presented for parsing is null. |
| 8 | 181 (0B5) | The key token is not valid. The first byte is not valid or an incorrect token type was presented. |
| 8 | 183 (0B7) | The key type is not consistent with the key type of the control vector. |
| 8 | 184 (0B8) | An input pointer is null. |
| 8 | 185 (0B9) | A disk I/O error occurred: perhaps the file is in-use, does not exist, and so forth. |
| 8 | 186 (0BA) | The key-type field in the control vector is not valid. |
| 8 | 187 (0BB) | The requested MAC length (MACLEN4, MACLEN6, MACLEN8) is not consistent with the control vector (key-A, key-B). |
| 8 | 191 (0BF) | The requested MAC length (MACLEN6, MACLEN8) is not consistent with the control vector (MAC-LN-4). |
| 8 | 192 (0C0) | A key-storage record contains a record validation value that is not valid. |
| 8 | 194 (0C2) | A private-key section length is invalid. |
| 8 | 199 (0C7) | A public exponent is invalid. |
| 8 | 204 (0CC) | A memory allocation failed. This can occur in the host and in the coprocessor. Try closing other host tasks. If the problem persists, contact the IBM® support center. |
| 8 | 205 (0CD) | The X9.23 ciphering method is not consistent with the use of the CONTINUE keyword. |
| 8 | 323 (143) | The ciphering method the Decipher verb used does not match the ciphering method the Encipher verb used. |
| 8 | 335 (14F) | Either the specified cryptographic hardware component or the environment cannot implement this function. |
| 8 | 340 (154) | One of the input control vectors has odd parity. |
| 8 | 343 (157) | Either the data block or the buffer for the block is too small or a variable has caused an attempt to create an internal data structure that is too large. |
| 8 | 345 (159) | Insufficient storage space exists for the data in the data block buffer. |
| 8 | 374 (176) | Less data was supplied than expected or less data exists than was requested. |
| 8 | 377 (179) | A key-storage error occurred. |
| 8 | 382 (17E) | A time-limit violation occurred. |
| 8 | 385 (181) | The cryptographic hardware component reported that the data passed as part of a command is not valid for that command. |
| 8 | 387 (183) | The cryptographic hardware component reported that the user ID or role ID is not valid. |
| 8 | 393 (189) | The command was not processed because the profile cannot be used. |
| 8 | 394 (18A) | The command was not processed because the expiration date was exceeded. |
| 8 | 397 (18D) | The command was not processed because the active profile requires the user to be verified first. |
| 8 | 398 (18E) | The command was not processed because the maximum PIN or password failure limit is exceeded. |
| 8 | 407 (197) | There is a PIN-block consistency-check-error. |
| 8 | 439 (1B7) | Key cannot be completed because all required key parts have not yet been accumulated, or key is already complete. |
| 8 | 441 (1B9) | Key part cannot be added because key is complete. The key to be processed should be partial, but the key is not partial according to the control vector or other control bits of the key. |
| 8 | 442 (1BA) | DES keys with replicated halves are not allowed or a DES key with CV bit 40 = B'1' (DOUBLE-O or TRIPLE-O) has replicated key parts. |
| 8 | 605 (25D) | The number of output bytes is greater than the number that is permitted. |
| 8 | 703 (2BF) | A new master-key value is one of the weak DES keys. |
| 8 | 704 (2C0) | A new master key cannot have the same master key verification pattern as the current master key. |
| 8 | 705 (2C1) | Both exporter keys specify the same key-encrypting key. |
| 8 | 706 (2C2) | Pad count in deciphered data is not valid. |
| 8 | 707 (2C3) | The master-key registers are not in the state required for the requested function. |
| 8 | 714 (2CA) | A reserved parameter must be a null pointer or an expected value. |
| 8 | 715 (2CB) | A parameter that must have a value of zero is not valid. |
| 8 | 718 (2CE) | The hash value of the data block in the decrypted RSA-OAEP block does not match the hash of the decrypted data block. |
| 8 | 719 (2CF) | The block format (BT) field in the decrypted RSA-OAEP block does not have the correct value. |
| 8 | 720 (2D0) | The initial byte (I) in the decrypted RSA-OAEP block does not have a valid value. |
| 8 | 721 (2D1) | The V field in the decrypted RSA-OAEP does not have the correct value. |
| 8 | 752 (2F0) | The key-storage file path is not usable. |
| 8 | 753 (2F1) | Opening the key-storage file failed. |
| 8 | 754 (2F2) | An internal call to the key_test command failed. |
| 8 | 756 (2F4) | Creation of the key-storage file failed. |
| 8 | 760 (2F8) | An RSA-key modulus length in bits or in bytes is not valid. |
| 8 | 761 (2F9) | An RSA-key exponent length is not valid. |
| 8 | 762 (2FA) | The key values structure for CSNDPKB has a field in error. A length or format is not correct. |
| 8 | 763 (2FB) | The section identification number within a key token is not valid. |
| 8 | 770 (302) | The PKA key token has a field that is not valid. |
| 8 | 771 (303) | The user is not logged on. |
| 8 | 772 (304) | The requested role does not exist. |
| 8 | 773 (305) | The requested profile does not exist. |
| 8 | 774 (306) | The profile already exists. |
| 8 | 775 (307) | The supplied data is not replaceable. |
| 8 | 776 (308) | The requested ID is already logged on. |
| 8 | 777 (309) | The authentication data is not valid. |
| 8 | 778 (30A) | The checksum for the role is in error. |
| 8 | 779 (30B) | The checksum for the profile is in error. |
| 8 | 780 (30C) | There is an error in the profile data. |
| 8 | 781 (30D) | There is an error in the role data. |
| 8 | 782 (30E) | The function-control-vector header is not valid. |
| 8 | 783 (30F) | The command is not permitted by the function-control-vector value. |
| 8 | 784 (310) | The operation you requested cannot be performed because the user profile is in use. |
| 8 | 785 (311) | The operation you requested cannot be performed because the role is in use. |
| 8 | 786 (312) | A profile load is being attempted for a profile that has the same authentication key as another profile in the domain that already exists. |
| 8 | 787 (313) | A profile load is being attempted for a profile that has a key that is too weak for the compliance level of the domain where the profile is being loaded. |
| 8 | 816 (330) | The public-key certificate length is invalid. |
| 8 | 817 (331) | The public key does not match. |
| 8 | 818 (332) | The signature of the input public-key certificate does not verify. |
| 8 | 819 (333) | The public-key certificate type is invalid or not allowed. |
| 8 | 821 (335) | The subject name provided is either missing, malformed, or of invalid length. |
| 8 | 822 (336) | The issuer name provided is either missing, malformed, or of invalid length. |
| 8 | 823 (337) | The serial number provided is either unexpected, missing, malformed, or of invalid length. |
| 8 | 825 (339) | The extension data provided is either unexpected, missing, malformed, or of invalid length. |
| 8 | 826 (33A) | The expiration days value provided is either unexpected, missing, or out of range. |
| 8 | 827 (33B) | The pathLenConstraint provided is either unexpected, missing,
or out of range.
|
| 8 | 829 (33D) | Error in GSK/SSL/ASN.1 processing. |
| 8 | 830 (33E) | Error in ASN.1 processing. No more data. |
| 8 | 831 (33F) | Error in ASN.1 processing. Length value is not valid. |
| 8 | 833 (341) | Error in ASN.1 processing. Attribute value separator is missing. |
| 8 | 834 (342) | Error in ASN.1 processing. Unknown attribute identifier. |
| 8 | 835 (343) | Error in ASN.1 processing. Object identifier syntax error. |
| 8 | 837 (345) | Error in ASN.1 processing. Interval is not valid. |
| 8 | 838 (346) | Error in ASN.1 processing. X.500 name syntax error. |
| 8 | 839 (347) | Error in ASN.1 processing. Data type is not correct. |
| 8 | 841 (349) | Error in ASN.1 processing. Character string cannot be converted. |
| 8 | 842 (34A) | Error in ASN.1 processing. Indefinite-length encoding is not supported. |
| 8 | 843 (34B) | Error in ASN.1 processing. Data element must be constructed. |
| 8 | 845 (34D) | Error in ASN.1 processing. Data element must be an ASN.1 primitive. |
| 8 | 846 (34E) | Error in ASN.1 processing. Indefinite-length encoding is not allowed. |
| 8 | 847 (34F) | Error in ASN.1 processing. Data encoding is not valid. |
| 8 | 849 (351) | Error in ASN.1 processing. Data value overflow. |
| 8 | 850 (352) | Error in ASN.1 processing. Unused bit count is not valid. |
| 8 | 851 (353) | Error in ASN.1 processing. Unused bit count is not valid for a segmented bit string. |
| 8 | 853 (355) | Error in ASN.1 processing. Required data element is missing. |
| 8 | 854 (356) | Error in ASN.1 processing. Excess data found at end of data element. |
| 8 | 855 (357) | Error in ASN.1 processing. Parameter is not valid. |
| 8 | 857 (359) | Error in ASN.1 processing. Data value is not present. |
| 8 | 858 (35A) | Error in ASN.1 processing. Selection is not within the valid range. |
| 8 | 859 (35B) | Error in ASN.1 processing. No selection found. |
| 8 | 861 (35D) | Error in ASN.1 processing. Syntax already set. |
| 8 | 862 (35E) | Error in ASN.1 processing. Codeset is not allowed. |
| 8 | 863 (35F) | Error in ASN.1 processing. Attribute value is not valid. |
| 8 | 865 (361) | Error in ASN.1 processing. Attribute value is missing. |
| 8 | 866 (362) | Error in ASN.1 processing. Object identifier element count is not valid. |
| 8 | 867 (363) | Error in ASN.1 processing. Incorrect value for the first object identifier element. |
| 8 | 869 (365) | Error in ASN.1 processing. Incorrect value for the second object identifier element. |
| 8 | 870 (366) | Error in ASN.1 processing. Version is not supported. |
| 8 | 871 (367) | Error in certificate processing. Certificate contains a duplicate extension. |
| 8 | 873 (369) | The extension data provided conflicts with the rule array data provided. |
| 8 | 874 (36A) | Error in certificate processing. Elliptic Curve is not supported. |
| 8 | 875 (36B) | Error in certificate processing. Signature not supplied. |
| 8 | 878 (36E) | Error in certificate processing. Cryptographic algorithm is not supported. |
| 8 | 879 (36F) | Error in certificate processing. Incorrect Base64 encoding. |
| 8 | 881 (371) | Error in certificate processing. Unrecognized file or message encoding. |
| 8 | 882 (372) | The HSM internal clock has not been set. |
| 8 | 883 (373) | Error in certificate processing. Key not supported by encryption or signature algorithm. |
| 8 | 885 (375) | The X.509 certificate presented has an invalid, or missing KeyUsage extension. |
| 8 | 886 (376) | Error in certificate processing. Certificate extension is not supported. |
| 8 | 887 (377) | Error in certificate processing. The input certificate does not have a valid signature. |
| 8 | 889 (379) | Error in certificate processing. Input/Output request failed. |
| 8 | 890 (37A) | Error in certificate processing. Database is not valid. |
| 8 | 891 (37B) | Error in certificate processing. Signature not supplied. |
| 8 | 893 (37D) | Error in certificate processing. Certificate extension data has an incorrect critical indicator. |
| 8 | 894 (37E) | Error in certificate processing. Required certificate extension is missing. |
| 8 | 895 (37F) | Error in certificate processing. Certificate not valid for host. |
| 8 | 897 (381) | Error in certificate processing. Subject name is not valid. |
| 8 | 898 (382) | Error in certificate processing. Certificate extension data is incorrect. |
| 8 | 899 (383) | Error in certificate processing. Validation option is not valid. |
| 8 | 901 (385) | Error in certificate processing. Name constraints violated. |
| 8 | 902 (386) | Error in certificate processing. Record not found. |
| 8 | 903 (387) | Error in certificate processing. Certificate chain is not trusted. |
| 8 | 905 (389) | Error in certificate processing. Required basic constraints certificate extension is missing. |
| 8 | 906 (38A) | Error in certificate processing. An internal error has occurred. |
| 8 | 907 (38B) | Error in certificate processing. Issuer certificate not found. |
| 8 | 909 (38D) | Error in certificate processing. Name format is not supported. |
| 8 | 910 (38E) | Error in certificate processing. Self-signed certificate not in database. |
| 8 | 911 (38F) | Error in certificate processing. Certificate is expired. |
| 8 | 913 (391) | Error in certificate processing. Certificate is not yet valid. |
| 8 | 914 (392) | Error in certificate processing. Issuer name is not valid. |
| 8 | 915 (393) | Error in certificate processing. Certificate is revoked. |
| 8 | 917 (395) | Error in certificate processing. Numeric value is not valid. |
| 8 | 918 (396) | Error in certificate processing. Variable argument security level is not valid. |
| 8 | 919 (397) | Error in certificate processing. Variable argument validate root is not valid. |
| 8 | 921 (399) | Error in certificate processing. Variable argument count is not valid. |
| 8 | 922 (39A) | Error in certificate processing. Extended key usage comparison failed. |
| 8 | 923 (39B) | Error in certificate processing. Certificate does not have an extended key usage extension. |
| 8 | 925 (39D) | Error in certificate processing. Extended key usage type is not supported for this operation. |
| 8 | 926 (39E) | Error in certificate processing. Extended key usage input is not supplied. |
| 8 | 927 (39F) | Error in certificate processing. Extended key usage input count is not valid. |
| 8 | 929 (3A1) | Error in certificate processing. Input certificate not supplied. |
| 8 | 930 (3A2) | Error in certificate processing. Incorrect key usage. |
| 8 | 931 (3A3) | Error in certificate processing. Cannot match CRL distribution points. |
| 8 | 933 (3A5) | Error in certificate processing. Acceptable policy intersection cannot be found. |
| 8 | 934 (3A6) | Error in certificate processing. Certification path is too long. |
| 8 | 935 (3A7) | Error in certificate processing. Issuer is not a certification authority. |
| 8 | 939 (3AB) | Certificate presented to load as a certification authority does not have a true value for CA in basic constraints certificate extension. |
| 8 | 941 (3AD) | Certificate presented to use as an end entity has a true value for cA in basic constraints certificate extension. |
| 8 | 942 (3AE) | Error in certificate processing. Label is not unique. |
| 8 | 943 (3AF) | Error in certificate processing. Certificate is not unique. |
| 8 | 946 (3B2) | The requested hash method differes from the hash method used when the certificate was loaded. |
| 8 | 947 (3B3) | Error in certificate processing. Record label is not valid. |
| 8 | 949 (3B5) | Error in certificate processing. Multiple certificates exist for label. |
| 8 | 950 (3B6) | Error in certificate processing. Record deleted. |
| 8 | 954 (3BA) | Error in certificate processing. Subject name cannot be changed. |
| 8 | 955 (3BB) | Error in certificate processing. Public key cannot be changed. |
| 8 | 957 (3BD) | The Certificate presented is not in the proper state for the requested operation. |
| 8 | 958 (3BE) | The Certificate hash presented does not match the stored hash. |
| 8 | 959 (3BF) | Error in certificate processing. Database contains certificates signed by the certificate. |
| 8 | 970 (3CA) | Error in certificate processing. The certificate revocation list is expired. |
| 8 | 997 (3E5) | The algorithm identifier provided is either missing, malformed, or invalid. |
| 8 | 998 (3E6) | The algorithm parameters provided are either missing, malformed, or invalid. |
| 8 | 1001 (3E9) | Error in certificate processing. The provided expiration date is invalid. |
| 8 | 1002 (3EA) | Error in certificate processing. The provided RSASSA PSS digest algorithm is not supported. |
| 8 | 1003 (3EB) | Error in certificate processing. The provided RSASSA PSS mask generation algorithm is not supported. |
| 8 | 1005 (3ED) | The provided private/public key pair and certificate are mismatched. |
| 8 | 1006 (03EE) | The provided TR-31 optional block is not allowed with the provided key block header algorithm. |
| 8 | 1007 (03EF) | The provided TR-31 optional block is malformed. |
| 8 | 1009 (03F1) | The provided TR-31 optional block contains data that cannot be used by the HSM, so it must be rejected. |
| 8 | 1010 (03F2) | The provided TR-31 optional block is not allowed with the provided key block header usage. For the CSNBT31X COMP-TAG, this indicates that the opt_blocks parameter is not empty. |
| 8 | 1011 (03F3) | The provided set of TR-31 optional blocks contains duplicate block IDs provided either directly as input and or indirectly by specifying rule array keywords. |
| 8 | 1013 (03F5) | The provided skeleton attributes do not match the attributes provided in the optional block. |
| 8 | 1014 (03F6) | The DA optional block has more members than are allowed (expected one member). |
| 8 | 1015 (03F7) | TR-31 block support is not available for this option. |
| 8 | 1025 (401) | The registered public key or retained private key name already exists. |
| 8 | 1026 (402) | The key name (registered public key or retained private key) does not exist. |
| 8 | 1027 (403) | Environment identifier data is already set. |
| 8 | 1028 (404) | Master key share data is already set. |
| 8 | 1029 (405) | There is an error in the Environment Identifier (EID) data. |
| 8 | 1030 (406) | There is an error in using the master key share data. |
| 8 | 1031 (407) | There is an error in using registered public key or retained private key data. |
| 8 | 1032 (408) | There is an error in using registered public key hash data. |
| 8 | 1033 (409) | The public key hash was not registered. |
| 8 | 1034 (40A) | The public key was not registered. |
| 8 | 1035 (40B) | The public key certificate signature was not verified. |
| 8 | 1037 (40D) | There is a master key shares distribution error. |
| 8 | 1038 (40E) | The public key hash is not marked for cloning. |
| 8 | 1039 (40F) | The registered public key hash does not match the registered hash. |
| 8 | 1040 (410) | The master key share enciphering key failed encipher. |
| 8 | 1041 (411) | The master key share enciphering key failed decipher. |
| 8 | 1042 (412) | The master key share digital signature generate failed. |
| 8 | 1043 (413) | The master key share digital signature verify failed. |
| 8 | 1044 (414) | There is an error in reading VPD data from the adapter. |
| 8 | 1045 (415) | Encrypting the cloning information failed. |
| 8 | 1046 (416) | Decrypting the cloning information failed. |
| 8 | 1047 (417) | There is an error loading the new master key from the master key shares. |
| 8 | 1048 (418) | The clone information has one or more sections that are not valid. |
| 8 | 1049 (419) | The master key share index is not valid. |
| 8 | 1050 (41A) | The public-key encrypted-key is rejected because the Environment Identifier (EID) with the key is the same as the EID for this node. |
| 8 | 1051 (41B) | The private key is rejected because the key is not flagged for use in master-key cloning. |
| 8 | 1052 (41C) | The token identifier of the trusted block's header section is in the range X'20' - X'FF'. Check the token identifier of the trusted block. |
| 8 | 1053 (41D) | The active flag in the trusted block’s trusted block section X'14' is not disabled. Use the Trusted Block Create verb to create an inactive/external trusted block. |
| 8 | 1054 (41E) | The token identifier of the trusted block’s header section is not X'1E' (external). Use the Trusted Block Create verb to create an inactive/external trusted block. |
| 8 | 1055 (41F) | The active flag of the trusted block’s trusted block section X'14' is not enabled. Use the Trusted Block Create verb to create an active/external trusted block. |
| 8 | 1056 (420) | The token identifier of the trusted block’s header section is not X'1F' (internal). Use the PKA Key Import verb to import the trusted block. |
| 8 | 1057 (421) | The trusted block rule section X'12' rule ID does not match input parameter rule ID. Verify that the trusted block used has the rule section specified. |
| 8 | 1058 (422) | The trusted block contains a value that is too small or too large. |
| 8 | 1059 (423) | A trusted block parameter that must have a value of zero (or a grouping of bits set to zero) is invalid. |
| 8 | 1060 (424) | The trusted block public key section failed consistency checking. |
| 8 | 1061 (425) | The trusted block contains extraneous sections or subsections (TLVs). Check the trusted block for undefined sections or subsections. |
| 8 | 1062 (426) | The trusted block contains missing sections or subsections (TLVs). Check the trusted block for required sections and subsections applicable to the verb invoked. |
| 8 | 1063 (427) | The trusted block contains duplicate sections or subsections (TLVs). Check the trusted block’s sections and subsections for duplicates. Multiple rule sections are allowed. |
| 8 | 1064 (428) | The trusted block expiration date has expired (as compared to the IBM 4764 clock). Validate the expiration date in the trusted block’s trusted information section’s Activation and Expiration Date TLV object |
| 8 | 1065 (429) | The trusted block expiration date is at a date prior to the activation date. Validate the expiration date in the trusted block’s trusted information section’s Activation and Expiration Date TLV object. |
| 8 | 1066 (42A) | The trusted block public key modulus length in bits is not consistent with the byte length. The bit length must be less than or equal to byte length * 8 and greater than (byte length - 1) * 8. |
| 8 | 1067 (42B) | The trusted block public key modulus length in bits exceeds the maximum allowed bit length, as defined by the Function Control Vector. |
| 8 | 1068 (42C) | One or more trusted block sections or TLV objects contained data that is invalid (an example would be invalid label data in label section X'13'). |
| 8 | 1069 (42D) | Trusted block verification was attempted by a verb other than CSNDDSV, CSNDKTC, CSNDPKI, CSNDRKX, or CSNDTBC. |
| 8 | 1070 (42E) | The trusted block rule ID contained within a rule section has invalid characters. |
| 8 | 1071 (42F) | The source key's length or CV does not match what is expected by the rule section in the trusted block that was selected by the rule ID input parameter. |
| 8 | 1072 (430) | The activation data is not valid. Validate the activation data in the trusted block’s trusted information section’s Activation and Expiration Date TLV object. |
| 8 | 1073 (431) | The source-key label does not match the template in the export key DES token parameters TLV object of the selected trusted block rule section. |
| 8 | 1074 (432) | The control-vector value specified in the common export key parameters TLV object in the selected rule section of the trusted block contains a control vector that is not valid. |
| 8 | 1075 (433) | The source-key label template in the export key DES token parameters TLV object in the selected rule section of the trusted block contains a label template that is not valid. |
| 8 | 1077 (435) | Key wrapping option input error. |
| 8 | 1078 (436) | Key wrapping Security Relevant Data Item (SRDI) error. |
| 8 | 1079 (437) | The format of the decrypted PIN block is not supported in this function. |
| 8 | 1081 (439) | The ISO-1 format PIN block or ISO-2 PIN block operation is not allowed by your
configuration. For ISO-1, the Disallow PIN block format ISO-1 access control is enabled. For ISO-2, one of the following access control points is enabled:
|
| 8 | 1082 (43A) | The key strength of the input or output key is not allowed by your access control point settings. For DES/TDES keys, consider also the effective strength of the key, whether there are repeated 56-bit sections among K1,K2 or K1,K2,K3. For example, if effective single-length TDES keys are disabled by access control point settings, consider if K1=K2, K2=K3, or K1=K2=K3. |
| 8 | 1083 (43B) | When the wrap type in the token indicates WRAPENH3, this verb requires a skeleton token. The verb cannot reuse a token containing a key. There may be multiple reasons for this. The most common is that the length of the key is hidden when the WRAPENH3 method is used. Therefore, a skeleton token with the true requested key length is needed. |
| 8 | 1085 (43D) | When the wrap type in the token indicates WRAPENH3, or WRAPENH3 is requested for a token and the right-most clear key material in K2 or K3, or both, is all 0, then the token can not be wrapped with WRAPENH3. |
| 8 | 1100 (44C) | There is a general hardware device driver execution error. |
| 8 | 1101 (44D) | There is a hardware device driver parameter that is not valid. |
| 8 | 1102 (44E) | There is a hardware device driver non-valid buffer length. |
| 8 | 1103 (44F) | The hardware device driver has too many opens. The device cannot open now. |
| 8 | 1104 (450) | The hardware device driver is denied access. |
| 8 | 1105 (451) | The hardware device driver device is busy and cannot perform the request now. |
| 8 | 1106 (452) | The hardware device driver buffer is too small and the received data is truncated. |
| 8 | 1107 (453) | The hardware device driver request is interrupted and the request is aborted. |
| 8 | 1108 (454) | The hardware device driver detected a security tamper event. |
| 8 | 1114 (45A) | The communications manager detected that the host-supplied buffer for the reply control block is too small. |
| 8 | 1115 (45B) | The communications manager detected that the host-supplied buffer for the reply data block is too small. |
| 8 | 1117 (45D) | Hardware device driver operation not permitted. |
| 8 | 1118 (45E) | Hardware device driver received bad address. |
| 8 | 1119 (45F) | Hardware device driver hardware error. |
| 8 | 1121 (461) | Hardware device driver firmware error. |
| 8 | 1122 (462) | Hardware device driver temperature of out range. |
| 8 | 1123 (463) | Hardware device driver received bad request. |
| 8 | 1125 (465) | Hardware device driver host timeout. |
| 8 | 2034 (7F2) | The environment variable that was used to set the default coprocessor is not valid, or does not exist for a coprocessor in the system. |
| 8 | 2036 (7F4) | The contents of a chaining vector are not valid. Ensure the chaining vector was not modified by your application program. |
| 8 | 2038 (7F6) | No RSA private key information is provided. |
| 8 | 2041 (7F9) | A default card environment variable is not valid. |
| 8 | 2050 (802) | The current key serial number field in the PIN profile variable is not valid (not hexadecimal or too many one bits). |
| 8 | 2051 (803) | There is a non-valid message length in the OAEP-decoded information. |
| 8 | 2053 (805) | No message found in the OAEP-decoded data. |
| 8 | 2054 (806) | There is a non-valid RSA Enciphered Key cryptogram: OAEP optional encoding parameters failed validation. |
| 8 | 2055 (807) | Based on the hash method and size of the symmetric key specified, the RSA public key size is too small to format the symmetric key into a PKOAEP2 message. |
| 8 | 2062 (80E) | The active role does not permit you to change the characteristic of a double-length key in the key_Part_Import parameter. |
| 8 | 2065 (811) | The specified key token is not null. |
| 8 | 2080 (820) | The group profile was not found. |
| 8 | 2081 (821) | The group has duplicate elements. |
| 8 | 2082 (822) | The group profile is not in the group. |
| 8 | 2083 (823) | The group has the wrong user ID count. |
| 8 | 2084 (824) | The group user ID failed. |
| 8 | 2085 (825) | The profile is not in the specified group. |
| 8 | 2086 (826) | The group role was not found. |
| 8 | 2087 (827) | The group profile has not been activated. |
| 8 | 2088 (828) | The expiration date of the group profile has been reached or exceeded. |
| 8 | 2089 (829) | The verb contains multiple keywords or parameters that indicate the algorithm to be used, and at least one of these specifies a different algorithm from the others. |
| 8 | 2090 (82A) | A required SRDI was not found. |
| 8 | 2091 (82B) | A required CA SRDI was not found. |
| 8 | 2093 (82D) | Specific toIBM Z® - an AES key is encrypted under a DES master key, which is not acceptable for the requested operation. |
| 8 | 2095 (82F) | The key_form is incompatible with the key_type. |
| 8 | 2097 (831) | The key_length is incompatible with the key_type. |
| 8 | 2098 (832) | Either a key bit length that was not valid was found in an AES key token (length not 128, 192, or 256 bits) or a version X'01' DES token had a token-marks field that was not valid. |
| 8 | 2099 (833) | Invalid encrypted key length in the AES token, when an encrypted key is present. |
| 8 | 2106 (83A) | An input/output error occurred while accessing the logged on users table. |
| 8 | 2110 (83E) | Invalid wrapping type. |
| 8 | 2111 (83F) | Control vector enhanced bit (bit 56) conflicts with key wrapping keyword. |
| 8 | 2113 (841) | A key token contains invalid payload. |
| 8 | 2114 (842) | Clear-key bit length is out of range. |
| 8 | 2115 (843) | Input key token cannot have a key present when importing the first key part; skeleton key token is required. |
| 8 | 2118 (846) | One or more invalid values in the TR-31 key block header. |
| 8 | 2119 (847) | The "mode" value in the TR-31 header is invalid or is not acceptable in the chosen operation. |
| 8 | 2121 (849) | The "algorithm" value in the TR-31 header is invalid or is not acceptable in the chosen operation. |
| 8 | 2122 (84A) | For import, the exportability byte in the TR-31 header contains a value that does not support import of the key into CCA. For export, the requested exportability does not match circumstances (for example, a 'B' Key Block Version ID key can be wrapped only by a KEK that is wrapped in CBC mode, the ECB mode KEK violates ANSI X9.24). |
| 8 | 2123 (84B) | The length of the cleartext key in the TR-31 block is invalid (for example, the algorithm is 'D' for single-length DES, but the key length is not 64 bits). |
| 8 | 2125 (84D) | The Key Block Version ID in the TR-31 header contains an invalid value. |
| 8 | 2126 (84E) | The key-usage field in the TR-31 header contains a value that is not supported for import of the key into CCA. |
| 8 | 2127 (84F) | The key-usage field in the TR-31 header contains a value that is not valid with the other parameters in the header. |
| 8 | 2129 (851) | Either a parameter for building a TR-31 key block (a TR-31 key block or a component, such as a tag for an optional block) contains one or more ASCII characters that are not printable as described in TR-31, or a field contains ASCII characters that are not allowed for that field. |
| 8 | 2130 (852) | The control vector carried in the optional blocks of the TR-31 key block is inconsistent with other attributes of the key. |
| 8 | 2131 (853) | The key-token failed the MAC validate step of the Key Block unwrap and verify steps (for either Key Block Version ID method). MAC validation failed for a parameter in a key block, such as a trusted block or a TR-31 key block. This might be the result of tampering, corruption, or using a validation key that is different from the one use to generate the MAC. |
| 8 | 2134 (856) | No valid PIN decimalization tables are present. |
| 8 | 2135 (857) | The PIN decimalization table provided as input is not allowed to be used because it does not match any of the active tables stored on the coprocessor. |
| 8 | 2137 (859) | There is an error involving the PIN decimalization table input data. No PIN tables have been changed. |
| 8 | 2138 (85A) | At least one of the PIN decimalization tables requested to be activated is empty or already in the active state (not in the loaded state). No PIN tables have been activated. |
| 8 | 2139 (85B) | At least one PIN decimalization table provided as input to be activated does not match the corresponding table that is loaded on the coprocessor. No PIN tables have been changed from the loaded state to the active state. |
| 8 | 2141 (84D) | The key verification pattern for the key-encrypting key is not valid. |
| 8 | 2142 (85E) | A key-usage field setting prevents operation. |
| 8 | 2143 (85F) | A key-management field setting prevents operation. |
| 8 | 2145 (861) | An attempt to wrap a stronger key with a weaker key was disallowed. |
| 8 | 2147 (863) | The key type to be generated is not valid. |
| 8 | 2149 (865) | The key to be generated is stronger than the input material. |
| 8 | 2151 (867) | At least one PIN decimalization table identifier provided as input is out of range or is a duplicate. No PIN tables have been changed. |
| 8 | 2153 (869) | The input token is incompatible with the service (that is, clear key when encrypted key was expected). |
| 8 | 2154 (86A) | At least one key token does not have the required key type for the specified function. For TR-31 tokens, this may indicate wrong usage or mode. For example, a KEK with TR-31 mode of key use "E" when "D" is required. |
| 8 | 2158 (86E) | There is a mismatch between ECC key tokens of curve types, key lengths, or both. Curve types and key lengths must match. |
| 8 | 2159 (86F) | A key-encrypting key is invalid. |
| 8 | 2161 (871) | A wrap type, either requested or default, is in conflict with one or more input tokens. |
| 8 | 2163 (873) | At least two of the key parts of a new operational or master key have identical parts and an error has been requested by the setting of an appropriate access control point. |
| 8 | 2165 (875) | An RSA key token contains a private section that is not valid with this command. |
| 8 | 2167 (877) | Invalid hash type in certificate. |
| 8 | 2169 (879) | Invalid signature type in certificate. |
| 8 | 2170 (87A) | Translation of text using an outbound key that has an effective key strength weaker than the effective strength of the inbound key is not allowed. |
| 8 | 2174 (87E) | The provided data was not hexadecimal digits. |
| 8 | 2175 (87F) | A weak PIN was presented. The PIN change has been rejected. |
| 8 | 2177 (881) | The PAN presented to the PAN change verb was the same as the PAN in the encrypted PIN block. The change has been rejected. |
| 8 | 2178 (882) | The PAN provided is inconsistent with a PAN incorporated in another piece of data. |
| 8 | 2181 (885) | |
| 8 | 2182 (886) | A rule array keyword was passed to the TR31 Key Import (CSNBT31I) callable service or a TR-31 Key Block header field indicated that a particular TR-31 optional block was required. This optional block was not found in the TR-31 key block or the optional block has data that is invalid for the service call. |
| 8 | 2183 (887) | There is an error in the weak PIN entry structure input header length. No entries have been changed. |
| 8 | 2185 (889) | For at least one of the inputs, the weak PIN entry requested to be activated is not in the loaded state. No weak PIN entries have been activated. |
| 8 | 2186 (88A) | For at least one of the inputs, the weak PIN entry requested to be activated did not match the weak PIN entry structure to be activated. No weak PIN entries have been activated. |
| 8 | 2187 (88B) | One or more of the weak PIN entry ID numbers in the input verb data was invalid, out or range, or a duplicate. No weak PIN entries have been changed. |
| 8 | 2189 (88D) | There is an error in the weak PIN entry structure input type. No entries have been changed. |
| 8 | 2190 (88E) | There is an error in the weak PIN entry structure input header version. No entries have been changed. |
| 8 | 2191 (88F) | There is an error in the weak PIN entry structure input header count. No entries have been changed. |
| 8 | 2193 (891) | The presented PIN is a duplicate of one already in the table. No entries have been changed. |
| 8 | 2194 (892) | Invalid or out of range passphrase length. |
| 8 | 2197 (895) | The presented PIN failed verification. No processing has been done. |
| 8 | 2198 (896) | The presented CMAC failed verification. No processing has been done. |
| 8 | 2199 (897) | A variable-length symmetric key-token (version X'05') contains invalid key-usage field data. |
| 8 | 2201 (899) | A variable-length symmetric key-token (version X'05') contains invalid key-management field data. |
| 8 | 2203 (89B) | RSA engine check-sum error. |
| 8 | 2227 (8B3) | The triple-length key cannot be imported because the TR-31 key block does not include a CCA control vector. |
| 8 | 2229 (8B5) | The type of the specified key is not valid because a diversified key-generating key must be used to derive this symmetric key type. |
| 8 | 2231 (8B7) | There was a problem converting or formatting the PAN. |
| 8 | 2232 (8B8) | There was a problem converting or formatting the cardholder name. |
| 8 | 2233 (8B9) | There was a problem converting or formatting the track 1 data. |
| 8 | 2235 (8BB) | There was a problem converting or formatting the track 2 data. |
| 8 | 2237 (8BD) | Data presented for VFPE processing is not in VFPE enciphered. |
| 8 | 2238 (8BE) | An incorrect PIN profile is specified. |
| 8 | 2239 (8BF) | The check digit compliance indicator/keyword denotes compliant check digit but the input PAN does not have a compliant check digit. |
| 8 | 2243 (8C3) | The key-derivation section is missing or the attributes in the key-derivation section do not match those in the output skeleton token as defined by AES-DUKPT derivation data. |
| 8 | 2245 (8C5) | A randomly generated source key is required, but the pedigree of the source key indicates that the key is not randomly generated. |
| 8 | 2246 (8C6) | A required tag-length-value (TLV) object is not present in the IBM Extended Associated Data (IEAD) section. |
| 8 | 2247 (8C7) | Error in PSS signature salt length. |
| 8 | 2254 (8CE) | The SECURE LOG SRDI that is stored on the coprocessor is full, no auditable actions are allowed. |
| 8 | 2261 (8D5) | Cannot adjust time twice within a 24 hour period. |
| 8 | 2262 (8D6) | Last adjustment time was > 24 hours; however, the amount of time to be adjusted is > 1 second. |
| 8 | 2298 (8FA) | Hash function has a digest size less than the bit length of the curve. |
| 8 | 2401 (961) | Tried to enter compliance mode or change compliance state but not in correct starting mode. |
| 8 | 2402 (962) | Tried to use a compliance-tagged key but domain is not in active compliance mode. |
| 8 | 2403 (963) | This verb is not allowed to use compliance-tagged key tokens. |
| 8 | 2405 (965) | This service of this verb is not allowed to use with compliance-tagged tokens. |
| 8 | 2406 (966) | An attempt was made to use compliant-tagged tokens with non-compliant-tagged tokens or with
legacy compliant-tagged tokens. All compliant-tagged tokens must be the same level.
Either use all compliant-tagged tokens or all non-compliant-tagged tokens to the latest level. |
| 8 | 2407 (967) | This service has been asked to generate or derive a comp-tagged key, or to check a key token for compliance but the requested/given strength is too weak for the configured compliance mode. |
| 8 | 2409 (969) | This service has been asked to generate or derive a comp-tagged key, or to check a key token for compliance, but the requested/given key type or usage is non-compliant. |
| 8 | 2410 (96A) | This service has been asked to use or create a Key-Encrypting-Key (KEK) that has had the NOCV flag set in token flags. Since the flags are not part of the CV it is possible the flag was added on the host side. These types of KEKs are non-compliant. |
| 8 | 2411 (96B) | The requested service is only available when the domain is configured in migration mode, and the domain is not in this mode now. |
| 8 | 2413 (96D) | The service has been asked to use a comp-tagged KEK to wrap or unwrap an external token but the external token key type is non-compliant. |
| 8 | 2414 (96E) | The service for comp-tag migration checking or migration tagging has been given a token type that is not currently supported. |
| 8 | 2415 (96F) | The service to enter imprint or compliance mode cannot complete because card cannot support compliance mode. |
| 8 | 2417 (971) | A token passed in identifies a KDF for a compliance mode that is not the current compliance mode. |
| 8 | 2418 (972) | A token passed into KTR2 already has a comp-tag in CV. |
| 8 | 2419 (973) | Failed to retrieve the compliance mode flags. |
| 8 | 2421 (975) | A CCA service was requested without the COMPMODE keyword for a domain that is in imprint mode or a compliance mode that requires the COMPMODE keyword. |
| 8 | 2422 (976) | A CCA service was passed the COMPMODE keyword but the domain is not in imprint mode or a compliance mode. |
| 8 | 2423 (977) | Cannot change default imprint mode role (INITADDM) while in imprint mode. |
| 8 | 2425 (979) | INIT-AC inactive and activate COMPMODE keywords were different |
| 8 | 2426 (97A) | Action is restricted because domain is in imprint mode. For example the default domain-scope profile cannot update DFLTxxxx or its own role. Also, the CSNBMKP and CSNDPIM verbs cannot be used in imprint mode. |
| 8 | 2427 (97B) | A compliance-tagged token was passed to the HSM while the HSM was in Migration Mode. Compliance-tag token services are not available in migration mode. |
| 8 | 2429 (97D) | A CCA service was requested that, because of the compliance state of the domain, requires a signed command from a TKE. However, the request was not received in this format. |
| 8 | 2430 (97E) | A CCA service has been passed a key part to be ether the first key part or to be combined with previously passed key parts for either the Master Key or an operational key that is being built from parts. The key part passed may be long enough but is not valid because it matches (bit for bit) one of the known weak key patterns (such as all 0x00 bytes) for that key algorithm. |
| 8 | 2431 (97F) | A CCA service has been passed an external token with the COMP-TAG marker or bit set. This is bit 58 in the Control Vector (CV) for DES tokens. |
| 8 | 2433 (981) | The attempted operation must be performed as a dual-control operation when the target domain is in compliance or imprint mode. The command was single control. |
| 8 | 2434 (982) | The ACP list associated with the role-to-load violates the PCI-HSM complimentary ACP restrictions. |
| 8 | 2435 (983) | The ACP quorum rules are not satisfied. |
| 8 | 2437 (985) | Provided PIN block formats do not match in compliance mode. |
| 8 | 2438 (986) | An attempt was made to update DFLTxxxx role with one or more ACPs from the complimentary ACP list while in imprint- or compliance-mode. |
| 8 | 2439 (987) | An attempt to load DFLTxxxx from a card-scope domain when 'xxxx' is a domain-scope domain. |
| 8 | 2510 (9CE) | The input tweak length for format FF2 or FF2.1 exceeds the maximum allowed, as calculated by (length * log2(tweak_alphabet_length)) ≤ (15 - 2) * 8. |
| 8 | 2511 (9CF) | The input plaintext or ciphertext length for format FF2 or FF2.1 exceeds the maximum allowed, as calculated by (length * log2(alphabet_length)) / 2 ≤ (15 - 1) * 8. |
| 8 | 2513 (9D1) | Invalid duplicate data provided to an API, such as when the alphabet provided to an FF2 service has duplicate characters. |
| 8 | 2514 (9D2) | An error was found in the ISO PIN block format. The specific error is not noted. This error will only be returned if ACP X'039F' is enabled. |
| 8 | 2849 (B21) | A verb data keyword specifies a keyword that is not valid. |
| 8 | 2850 (B22) | A verb data keyword combination is not valid. |
| 8 | 2851 (B23) | The verb data length value is not valid. |
| 8 | 2945 (B81) | A required verb data keyword is not found. |
| 8 | 2946 (B82) | Initialization vector length is too small, or text length exceeds maximum. |
| 8 | 2947 (B83) | The computed authentication tag does not match the data identified by the key_parms parameter. |
| 8 | 3001 (BB9) | The RSA-OAEP block contains a PIN block and the verb did not request PINBLOCK processing. |
| 8 | 3006 (BBE) | Specific to IBM Z - UDX not authorized. |
| 8 | 3009 (BC1) | Specific to IBM Z - UDX Password hash mismatch. |
| 8 | 3011 (BC3) | CRT component is too long. |
| 8 | 3013 (BC5) | The longitudinal redundancy check (LRC) checksum in the AES key-token does not match the LRC checksum of the clear key. |
| 8 | 3047 (BE7) | Use of clear key provided is not allowed. A secure key is required. |
| 8 | 3055 (BEF) | The CPRB domain does not match the PCB domain. |
| 8 | 3057 (BF1) | Missing parameter in TLV. |
| 8 | 3059 (BF3) | Session failure. |
| 8 | 6000 (1770) | The specified device is already allocated. |
| 8 | 6001 (1771) | No device is allocated. |
| 8 | 6002 (1772) | The specified device does not exist. |
| 8 | 6003 (1773) | The specified device is an improper type. |
| 8 | 6013 (177D) | The length of the cryptographic resource name is not valid. |
| 8 | 6014 (177E) | The cryptographic resource name is not valid or does not refer to a coprocessor that is available in the system. |
| 8 | 6015 (177F) | An ECC curve type is invalid, its usage is inconsistent, or the required hardware level is not available. |
| 8 | 6017 (1781) | Curve size p is invalid or its usage is inconsistent. |
| 8 | 6018 (1782) | Error returned from CLiC module. |
| 8 | 6019 (1783) | Domain already allocated. |
| 8 | 6021 (1785) | No domain has been allocated. |
| 8 | 6022 (1786) | A group does not exist. |
| 8 | 6023 (1787) | User does not belong to required group. |
| 8 | 10028 (272C) | One of the following occurred:
User action: Determine which key identifier is in error and use the key identifier that is required by the service. If this is an attempt to export a key to CPACF protected key format, either use a DATA key or a CIPHER key with the XPRTCPAC bit set in the control vector. |
| 8 | 10036 (2734) | Specific to IBM Z - Invalid control vectors (L-R) in key token supplied. |
| 8 | 10044 (273C) | Specific to IBM Z - The key_type parameter and the CV key type for the supplied key token do not match. |
| 8 | 10056 (2748) | Specific to IBM Z - The key_type parameter contains TOKEN, which is invalid for the requested operation. |
| 8 | 10124 (278C) | Specific to IBM Z - The key id cannot be exported because of prohibit export restriction in the token supplied. |
| 8 | 10128 (2790) | Specific to IBM Z - The NOCV-KEK or CV-KEK rule_array keyword does not apply in this case. Check other keywords passed. |
| 8 | 10129 (2791) | Specific to IBM Z - The NOCV-KEK importer key or transport key is not allowed in the Remote Key Export operation requested. |