Required commands
The required commands for CSNDPKT.
This verb requires the following commands to be enabled in the active role based on the keyword:
| Rule-array keyword | Offset | Command |
|---|---|---|
| COMP-TAG | X'01EE' | PKA Key Translate - allow COMP-TAG |
| COMP-CHK | X'01EF' | PKA Key Translate - allow COMP-CHK |
| CKM-RAKW | X'03B6' | PKA Key Translate - From CCA RSA to CKM-RAKW format |
| CKM-RAKW | X'03B7' | PKA Key Translate - From CCA ECC to CKM-RAKW format |
| EMVCRT | X'033A' | PKA Key Translate - from CCA RSA CRT to EMV CRT format |
| EMVDDA | X'0338' | PKA Key Translate - from CCA RSA CRT to EMV DDA format |
| EMVDDAE | X'0339' | PKA Key Translate - from CCA RSA CRT to EMV DDAE format |
| EXTDWAKW | X'00FF' | PKA Key Translate - Translate external key token |
| INTDWAKW | X'00FE' | PKA Key Translate - Translate internal key token |
| SCVISA | X'0318' | PKA Key Translate - from CCA RSA to SC Visa Format |
| SCCOMME | X'0319' | PKA Key Translate - from CCA RSA to SC ME Format |
| SCCOMCRT | X'031A' | PKA Key Translate - from CCA RSA to SC CRT Format |
| ECC-AES1 | X'00EF' | Allow ECC Private Key Export - CSNDPKT service ECC-AES1 |
| QSA-AES1 | X'020F' | PKA Key Translate - Allow QSA private key export |
These commands must also be enabled to allow the key type combinations shown in this table:
| Source transport key type | Target transport key type | Offset | Command |
|---|---|---|---|
| EXPORTER | EXPORTER | X'031B' | PKA Key Translate - from source EXP KEK to target EXP KEK |
| IMPORTER | EXPORTER | X'031C' | PKA Key Translate - from source IMP KEK to target EXP KEK |
| IMPORTER | IMPORTER | X'031D' | PKA Key Translate - from source IMP KEK to target IMP KEK |
| EXPORTER | IMPORTER | N/A | This key type combination is not allowed. |
The following access control points control the use of weak transport keys:
- To disable the wrapping of a key with a weaker transport key, the Prohibit weak wrapping - Transport keys command (offset X'0328') must be enabled in the active role.
- To receive an informational message when wrapping a key with a weaker key-encrypting key, enable the Warn when weak wrap - Transport keys command (offset X'032C') in the active role. The Prohibit weak wrapping - Transport keys command overrides this command.
The following access control points control the use of weak master keys:
- To disable the wrapping of a key with a weaker master key, the Prohibit weak wrapping - Master keys command (offset X'0333') must be enabled in the active role.
- To receive a warning when wrapping a key with a weaker master key, enable the Warn when weak wrap - Master keys command (offset X'0332') in the active role. The Prohibit weak wrapping - Master keys command overrides this command.
The CKM_RAKW - Allow RSA2048 to wrap stronger keys (e.g.,AES-128,192,256) command (offset X'033E') creates an exception when ACP X'0328', ACP X'032C', or both are enabled and you use the CKM-RAKW keyword in verbs CSNDPKT and CSNDSYX to wrap a stronger key with a weaker key. If ACPs X'0328' and X'032C' are not enabled, you do not need X'033E', but enabling it does not cause any issues. The command enables a relaxed RSA KEK strength when used with CKM-RAKW. That is, if Prohibit weak wrapping - Transport keys (offset X'0328') is ON and ALLOW_CKMRAKW_RSA2K_KW is ON, and the caller supplies a 2048-bit (or larger) RSA key, the CSNDPKT and CSNDSYX operations using keyword CKM-RAKW complete without error. If ALLOW_CKMRAKW_RSA2K_KW is OFF, the same operation fails with return code/reason code 8/2145.
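The following role-audit sketch is an added example, not IBM code: it checks a role's enabled offsets against the two tables above and applies the transport-key weak-wrap precedence just described. The function names are hypothetical, the caller is assumed to decide whether the KEK is weaker than the key being wrapped, and an RSA KEK below 2048 bits is assumed not to qualify for the X'033E' exception.

```python
# Added example: offsets are taken from the tables above; names are hypothetical.
KEYWORD_ACPS = {
    "COMP-TAG": 0x01EE, "COMP-CHK": 0x01EF, "EMVCRT": 0x033A, "EMVDDA": 0x0338,
    "EMVDDAE": 0x0339, "EXTDWAKW": 0x00FF, "INTDWAKW": 0x00FE, "SCVISA": 0x0318,
    "SCCOMME": 0x0319, "SCCOMCRT": 0x031A, "ECC-AES1": 0x00EF, "QSA-AES1": 0x020F,
}
CKM_RAKW_ACPS = {"RSA": 0x03B6, "ECC": 0x03B7}  # selected by source key type
KEK_PAIR_ACPS = {("EXPORTER", "EXPORTER"): 0x031B,
                 ("IMPORTER", "EXPORTER"): 0x031C,
                 ("IMPORTER", "IMPORTER"): 0x031D}
PROHIBIT_WEAK_TK, WARN_WEAK_TK, ALLOW_RSA2K = 0x0328, 0x032C, 0x033E


def missing_acps(role, keyword, source_type=None, kek_pair=None):
    """Return the required offsets that `role` (a set of ints) does not enable."""
    if keyword == "CKM-RAKW":
        needed = [CKM_RAKW_ACPS[source_type]]  # source_type is "RSA" or "ECC"
    else:
        needed = [KEYWORD_ACPS[keyword]]
    if kek_pair is not None:
        if kek_pair not in KEK_PAIR_ACPS:  # e.g. EXPORTER to IMPORTER
            raise ValueError("key type combination not allowed: %s to %s" % kek_pair)
        needed.append(KEK_PAIR_ACPS[kek_pair])
    return [acp for acp in needed if acp not in role]


def weak_wrap_outcome(role, keyword, kek_is_weaker, rsa_kek_bits=None):
    """Return 'ok', 'warn' or 'fail' for a wrap under a transport key."""
    if not kek_is_weaker:
        return "ok"
    # X'033E' exception: CKM-RAKW with an RSA KEK of 2048 bits or more.
    if (keyword == "CKM-RAKW" and ALLOW_RSA2K in role
            and rsa_kek_bits is not None and rsa_kek_bits >= 2048):
        return "ok"
    if PROHIBIT_WEAK_TK in role:  # prohibit overrides warn
        return "fail"  # the page gives 8/2145 for the CKM-RAKW case
    if WARN_WEAK_TK in role:
        return "warn"
    return "ok"
```
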
In releases before Release 5.4 and Release 6.2, triple-length TDES keys are not supported, thus limiting an outbound TDES key to double length. Beginning with Release 5.4 and Release 6.2, triple-length TDES keys are supported, and an outbound TDES key can be double-length or triple-length. This makes it possible for data that is encrypted using a triple-length key to be translated to data encrypted using a weaker double-length key. Such a translation reduces the security of the data and causes a security exposure, and CCA normally restricts such a translation from occurring. To override this restriction, the Cipher Text Translate2 - Allow translate to weaker DES command (offset X'01C3') must be enabled in the active role.