Restrictions
The restrictions for CSNDPKG.
- Not all IBM® implementations of CCA support a CRT form of the RSA private key; check the product-specific literature. The IBM implementations support an optimized RSA private key (a key in Chinese Remainder Theorem format). The formats vary between versions.
- See PKA key tokens for the formats used when generating the various forms of key tokens.
- When generating a key for use with ANSI X9.31 digital signatures, the modulus length must be a multiple of 256 bits, from 1024 up to 8192 (1024, 1280, 1536, 1792, 2048, 2304, 2560, 2816, and so on).
- The key label used for a retained key must not exist in the external PKA key-storage held on the hard disk drive.
- Due to potential loss of a retained private key within the cryptographic engine, retained keys should be avoided for key management purposes.
- 2048-bit RSA keys may have a public exponent in the range of 1 - 256 bytes.
- An ECC, CRYSTALS-Kyber, or ML-KEM key, or a CRYSTALS-Dilithium or ML-DSA key cannot be retained, nor can RSA keys in private key sections X'30' and X'31' be retained.
- An ECC, CRYSTALS-Kyber, or ML-KEM key, or a CRYSTALS-Dilithium or ML-DSA key cannot be used for cloning, nor can RSA keys in private key sections X'30' and X'31' be used for cloning.
- For ECC keys, the NIST security strength requirements are enforced with respect to ECC curve type and AES key length.
- The use of regeneration data for generating an ECC, CRYSTALS-Kyber or CRYSTALS-Dilithium key is not supported. The regeneration_data_length variable must be 0 for ECC, CRYSTALS-Kyber and CRYSTALS-Dilithium keys.
- PQC keys that can be generated have the following restrictions:
  - CRYSTALS-Dilithium (6,5) Round 2 is only available for CCA releases 7.1 and later.
  - CRYSTALS-Dilithium (8,7) Round 2 is only available for CCA releases 8.0 and later.
  - CRYSTALS-Kyber (1024) Round 2 is only available for CCA releases 8.0 and later.
  - CRYSTALS-Kyber (768) Round 2 is only available for CCA releases 8.2 and later.
  - CRYSTALS-Dilithium (6,5) Round 3 is only available for CCA releases 8.0 and later.
  - CRYSTALS-Dilithium (8,7) Round 3 is only available for CCA releases 8.0 and later.
  - CRYSTALS-Kyber (1024) Round 3 is only available for CCA releases 8.2 and later.
  - CRYSTALS-Kyber (768) Round 3 is only available for CCA releases 8.2 and later.
  - ML-KEM (768) or (1024) is only available for CCA releases 8.3 and later.
  - ML-DSA (4,4), (6,5), or (8,7) is only available for CCA releases 8.3 and later.
RSA key generation has the following restrictions:
- For Modulus-Exponent, there are restrictions on the modulus, public exponent, and private exponent.
- For CRT, there are restrictions on dp, dq, U, and the public exponent.
Note: As of CCA 5.4 and CCA 6.2, this verb supports three-key TDES keys. As a key management service, this includes three-key TDES key encrypting keys (KEKs).
See the Key value structure in PKA Key Token Build (CSNDPKB) for a summary of restrictions.
TR-31 KEKs can only be used with this verb starting with CCA 8.1.
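
The following pre-flight check is an added example, not IBM code and not part of the CCA API: it applies the X9.31 modulus rule, the retain/clone and regeneration-data rules, and the PQC release table above before a request is sent to the coprocessor. Every type, function, and variant string in it (such as `pkg_request`, `pkg_preflight`, `"768-R3"`) is hypothetical, and the RSA private key section X'30'/X'31' rules and the Modulus-Exponent and CRT value restrictions are not modelled.

```c
#include <string.h>

/* All names below are hypothetical, for this example; none is a CCA type. */
enum alg { ALG_RSA, ALG_ECC, ALG_KYBER, ALG_DILITHIUM, ALG_ML_KEM, ALG_ML_DSA };
enum pkg_err { PKG_OK, ERR_X931_MODULUS, ERR_RETAIN_CLONE, ERR_REGEN_DATA,
               ERR_CCA_RELEASE, ERR_UNKNOWN_VARIANT };

struct pkg_request {
    enum alg alg;
    const char *variant;           /* PQC parameter set, e.g. "768-R3" */
    int x931;                      /* RSA key intended for X9.31 signatures */
    int modulus_bits;              /* RSA only */
    int retain_or_clone;           /* key is to be retained or used for cloning */
    long regeneration_data_length;
    int cca_release;               /* major * 10 + minor, e.g. 82 for CCA 8.2 */
};

/* Minimum CCA release per PQC parameter set, as listed on this page. */
static const struct { enum alg alg; const char *variant; int min_release; } pqc[] = {
    { ALG_DILITHIUM, "6,5-R2", 71 }, { ALG_DILITHIUM, "8,7-R2", 80 },
    { ALG_DILITHIUM, "6,5-R3", 80 }, { ALG_DILITHIUM, "8,7-R3", 80 },
    { ALG_KYBER, "1024-R2", 80 },    { ALG_KYBER, "768-R2", 82 },
    { ALG_KYBER, "1024-R3", 82 },    { ALG_KYBER, "768-R3", 82 },
    { ALG_ML_KEM, "768", 83 },       { ALG_ML_KEM, "1024", 83 },
    { ALG_ML_DSA, "4,4", 83 }, { ALG_ML_DSA, "6,5", 83 }, { ALG_ML_DSA, "8,7", 83 },
};

/* X9.31: modulus length is a multiple of 256 bits, from 1024 up to 8192. */
int x931_modulus_ok(int bits) {
    return bits >= 1024 && bits <= 8192 && bits % 256 == 0;
}

enum pkg_err pkg_preflight(const struct pkg_request *r) {
    if (r->alg == ALG_RSA)  /* private key sections X'30'/X'31' are not modelled */
        return r->x931 && !x931_modulus_ok(r->modulus_bits) ? ERR_X931_MODULUS : PKG_OK;
    if (r->retain_or_clone)
        return ERR_RETAIN_CLONE;   /* ECC and PQC keys: no retain, no cloning */
    /* The page names only these three algorithms for the regeneration-data rule. */
    if (r->regeneration_data_length != 0 &&
        (r->alg == ALG_ECC || r->alg == ALG_KYBER || r->alg == ALG_DILITHIUM))
        return ERR_REGEN_DATA;
    if (r->alg == ALG_ECC)
        return PKG_OK;
    for (size_t i = 0; i < sizeof pqc / sizeof pqc[0]; i++)
        if (pqc[i].alg == r->alg && r->variant && strcmp(pqc[i].variant, r->variant) == 0)
            return r->cca_release >= pqc[i].min_release ? PKG_OK : ERR_CCA_RELEASE;
    return ERR_UNKNOWN_VARIANT;    /* parameter set not in the table above */
}
```

Failing fast on these conditions in the calling application gives a specific error before the verb is invoked; the coprocessor's own return and reason codes remain authoritative.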