Required commands
The required commands for CSNBKTR2.
This verb requires the Key Translate2 - Allow use of REFORMAT command (offset X'014B') to be enabled in the active role if the REFORMAT re-encipherment keyword is used.
Otherwise, the verb requires the Key Translate2 command (offset X'0149') to be enabled.
To use the translation control keyword WRAP-ECB or WRAP-ENH when the default key-wrapping method setting does not match the keyword, the Key Translate2 - Allow wrapping override keywords command (offset X'014A') must be enabled.
If the WRAP-ECB translation-control keyword is specified and the key in the input key token is wrapped by the enhanced wrapping method (WRAP-ENH), the verb requires the CKDS Conversion2 - Convert from enhanced to original command (offset X'0147') to be enabled. An active role with offset X'0149' enabled can also use the Key Token Change verb to translate a key from the enhanced key-wrapping method to the less-secure legacy method.
The Key Translate2 - Disallow AES ver 5 to ver 4 conversion command (offset X'032A') prevents CIPHER keys, which are in variable-length AES key tokens (newer version X'05') and wrapped under the AES master-key, from being reformatted into DATA keys, which are in fixed-length AES key tokens (older version X'04') and wrapped under the less-secure DES master-key. This command overrides the Key Translate2 - Allow use of REFORMAT command (offset X'014B').
In releases before Release 5.4 and Release 6.2, triple-length TDES keys are not supported, thus limiting an outbound TDES key to double length. Beginning with Release 5.4, triple-length TDES keys are supported, and an outbound TDES key can be double-length or triple-length. This makes it possible for data that is encrypted using a triple-length key to be translated to data encrypted using a weaker double-length key. Such a translation reduces the security of the data and causes a security exposure, and CCA normally restricts such a translation from occurring. To override this restriction, the Cipher Text Translate2 - Allow translate to weaker DES command (offset X'01C3') must be enabled in the active role.
| Algorithm of input KEK key | Algorithm of output KEK key | Command offset (Release 5.4 or later) | Command to disallow translation using a weaker key |
|---|---|---|---|
| AES | DES | X'01C5' | Disallow translation from AES wrapping to DES wrapping |
| AES | AES | X'01C6' | Disallow translation from AES wrapping to weaker AES wrapping |
| DES | DES | X'01C7' | Disallow translation from DES wrapping to weaker DES wrapping |
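
The rules in this section can be checked against a role definition before a CSNBKTR2 call is deployed. The following is an added example, not IBM code: the `Call` fields and the `check_role` helper are hypothetical names, the role is modeled as a plain set of enabled offsets, and whether the output KEK counts as weaker is supplied by the caller because this section does not define that comparison.

```python
from dataclasses import dataclass

# Command offsets exactly as listed in this section.
KTR2, WRAP_OVERRIDE, REFORMAT = 0x0149, 0x014A, 0x014B
ENH_TO_ORIG = 0x0147      # CKDS Conversion2 - Convert from enhanced to original
NO_AES5_TO_4 = 0x032A     # Disallow AES ver 5 to ver 4 conversion
# Table rows: (input KEK algorithm, output KEK algorithm) -> disallow command.
DISALLOW_WEAKER = {("AES", "DES"): 0x01C5, ("AES", "AES"): 0x01C6,
                   ("DES", "DES"): 0x01C7}


@dataclass
class Call:
    """Planned CSNBKTR2 call (hypothetical structure, values set by the auditor)."""
    keywords: set              # rule-array keywords in use
    default_wrap: str          # default key-wrapping method: WRAP-ECB or WRAP-ENH
    input_wrap: str            # wrapping method of the key in the input token
    in_kek: str                # algorithm of input KEK: AES or DES
    out_kek: str               # algorithm of output KEK: AES or DES
    out_kek_weaker: bool       # assumption: caller decides what "weaker" means
    aes_v5_to_v4: bool = False  # REFORMAT of an AES CIPHER (v5) into DATA (v4)


def check_role(enabled, call):
    """Return (missing, blocking) sets of command offsets for this call.

    missing:  commands the active role must enable but does not.
    blocking: enabled "disallow" commands that stop the translation.
    """
    required = {REFORMAT if "REFORMAT" in call.keywords else KTR2}
    wrap_kw = call.keywords & {"WRAP-ECB", "WRAP-ENH"}
    if wrap_kw and call.default_wrap not in wrap_kw:
        required.add(WRAP_OVERRIDE)          # keyword differs from default
    if "WRAP-ECB" in call.keywords and call.input_wrap == "WRAP-ENH":
        required.add(ENH_TO_ORIG)            # enhanced -> legacy wrapping
    blocking = set()
    if ("REFORMAT" in call.keywords and call.aes_v5_to_v4
            and NO_AES5_TO_4 in enabled):
        blocking.add(NO_AES5_TO_4)           # overrides X'014B'
    offset = DISALLOW_WEAKER.get((call.in_kek, call.out_kek))
    if call.out_kek_weaker and offset in enabled:
        blocking.add(offset)
    return required - enabled, blocking
```

A role review can also flag any role where X'0147' is enabled, since that command permits moving keys from the enhanced wrapping method to the less-secure legacy method.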