Required commands
The required commands for CSNBUKD.
The Unique Key Derive verb requires the Unique Key Derive command (offset X'01C8') to be enabled in the active role.
In addition, these commands are required to be enabled in the active role, depending on the rule-array keyword or keywords:
| Rule-array keyword | Offset | Command |
|---|---|---|
| K3IPEK | X'0335' | Unique Key Derive - K3IPEK |
| PIN-DATA | X'01C9' | Unique Key Derive - Allow PIN-DATA processing |
| WRAP-ECB or WRAP-ENH and default key-wrapping method setting does not match keyword | X'01CA' | Unique Key Derive - Override default wrapping |
The following access control points control the use of weak transport keys:
- To disallow the import of a key wrapped with a weaker transport key, the Symmetric Key Import2 - disallow weak import command (offset X'032B') must be enabled in the active role.
- To receive a warning against the wrapping of a key with a weaker key, the Warn when weak wrap - Transport keys command (offset X'032C') must be enabled in the active role. The Symmetric Key Import2 - disallow weak import command overrides this command.
The following access control points control the use of weak master keys:
- To disable the wrapping of a key with a weaker master key, the Prohibit weak wrapping - Master keys command (offset X'0333') must be enabled in the active role.
- To receive a warning when wrapping a key with a weaker master key, enable the Warn when weak wrap - Master keys command (offset X'0332') in the active role. The Prohibit weak wrapping - Master keys command overrides this command.