Required commands
The CSNBKGN2 required commands.
Depending on your specification of key form and key type, different commands are required to enable the processing of the Key Generate2 verb.
| Offset | Command |
|---|---|
| X'039D' | Key Generate2 - Allow GEN of OPOP EPVR/OPIN Key Pair. This command is required if key form and key type combinations are specified that are shown with an F in Table 2. |
| X'00D0' | Allow CSNBKGN2 to generate AES DKYGENKY keys with MMSAUTH1 and MMSAUTH2 and keyform OPEX for CSNBMMS. This command is required if you want to allow key generation of AES DKYGENKY D-MAC keys with MMSAUTH1 or MMSAUTH2 key usage fields. |
| X'00D3' | Disallow CSNBKGN2 from generating AES MAC keys with PTR2AUTH. This command is required if you want to disallow key generation of AES keys with PTR2AUTH key usage field. |
| X'00EA' | Key Generate2 - OP. This command is required if key form and key type combinations are specified that are shown with an X in Table 1. |
| X'00EB' | Key Generate2 - Key set. This command is required if key form and key type combinations are specified that are shown with an X in Table 2. |
| X'00EC' | Key Generate2 - Key set extended. This command is required if key form and key type combinations are specified that are shown with an E in Table 2. |
To disallow the wrapping of a key with a weaker key-encrypting key, enable the Prohibit weak wrapping - Transport keys command (offset X'0328') in the active role. This command affects multiple verbs. See Access control points and verbs.
To receive a warning when wrapping a key with a weaker key-encrypting key, enable the Warn when weak wrap - Transport keys command (offset X'032C') in the active role. The Prohibit weak wrapping - Transport keys command (offset X'0328') overrides this command.
To disable the wrapping of a key with a weaker master key, the Prohibit weak wrapping - Master keys command (offset X'0333') must be enabled in the active role.
To receive a warning when wrapping a key with a weaker master key, enable the Warn when weak wrap - Master keys command (offset X'0332') in the active role. The Prohibit weak wrapping - Transport keys command overrides this command.
To allow the creation of keys used in Multi-MAC Scheme (CSNBMMS), enable the command Allow CSNBKGN2 to generate AES DKYGENKY keys with MMSAUTH1 and MMSAUTH2 and keyform OPEX for CSNBMMS (offset X'00D0').
To prevent the creation of AES MAC keys with the PTR2AUTH KUF rule, enable the command Disallow CSNBKGN2 from generating AES MAC keys with PTR2AUTH (offset X'00D3').
The following access-control points support DK keys (DK enabled AES key types MAC, PINCALC, PINPROT, and PINPRW):
| Offset | Command |
|---|---|
| X'02BB' | Key Generate2 - DK PIN key set |
| X'02BC' | Key Generate2 - DK PIN print key |
| X'02BD' | Key Generate2 - DK PIN admin1 key set PINPROT |
| X'02BE' | Key Generate2 - DK PIN admin1 key set MAC |
| X'02BF' | Key Generate2 - DK PIN admin2 key set MAC |
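A role review against the offsets above can be scripted. The following Python sketch is an added example, not IBM code: it assumes the role's enabled commands have been exported as a list of offset strings (that input format, the names `audit_role` and `parse_offset`, and the sample role are hypothetical), and it assumes a baseline in which both Prohibit weak wrapping commands and X'00D3' are expected to be enabled.

```python
import re

# Offsets and command names as listed on this page.
GENERATE = {
    0x00EA: "Key Generate2 - OP",
    0x00EB: "Key Generate2 - Key set",
    0x00EC: "Key Generate2 - Key set extended",
    0x039D: "Key Generate2 - Allow GEN of OPOP EPVR/OPIN Key Pair",
    0x00D0: "AES DKYGENKY with MMSAUTH1/MMSAUTH2, keyform OPEX",
    0x02BB: "Key Generate2 - DK PIN key set",
    0x02BC: "Key Generate2 - DK PIN print key",
    0x02BD: "Key Generate2 - DK PIN admin1 key set PINPROT",
    0x02BE: "Key Generate2 - DK PIN admin1 key set MAC",
    0x02BF: "Key Generate2 - DK PIN admin2 key set MAC",
}
# Wrapping-key class -> (prohibit offset, warn offset)
WEAK_WRAP = {"transport": (0x0328, 0x032C), "master": (0x0333, 0x0332)}
DISALLOW_PTR2AUTH = 0x00D3

def parse_offset(text):
    """Accept X'0328', the typographic-quote form X’0328’, or bare 0328."""
    m = re.fullmatch(r"\s*(?:X['’‘])?([0-9A-Fa-f]{4})['’‘]?\s*", text)
    if m is None:
        raise ValueError(f"not an ACP offset: {text!r}")
    return int(m.group(1), 16)

def audit_role(enabled_offsets):
    """Report what a role may generate and which restrictive commands are off."""
    enabled = {parse_offset(o) for o in enabled_offsets}
    report = {"can_generate": [n for o, n in GENERATE.items() if o in enabled],
              "findings": []}
    for kind, (prohibit, warn) in WEAK_WRAP.items():
        if prohibit not in enabled:
            warned = "enabled" if warn in enabled else "not enabled"
            report["findings"].append(
                f"weak wrapping by {kind} keys not prohibited: X'{prohibit:04X}' "
                f"is off (warn command X'{warn:04X}' {warned})")
    if DISALLOW_PTR2AUTH not in enabled:
        report["findings"].append(
            "generation of AES MAC keys with PTR2AUTH not disallowed: X'00D3' is off")
    return report

# Constructed sample role (not from the page): generation allowed, partly hardened.
SAMPLE_ROLE = ["X'00EA'", "X'00EB'", "X'02BB'", "X'0328'", "X'0332'", "X’00D3’"]

if __name__ == "__main__":
    for key, value in audit_role(SAMPLE_ROLE).items():
        print(key, value, sep=": ")
```

For the sample role the only finding is the missing master-key prohibition, reported together with the state of its warn command.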