Parameters
The parameter definitions for CSUACFQ.
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see Parameters common to all verbs.
- rule_array_count
-
A pointer to an integer variable containing the number of elements in the rule_array variable. On input, this value must be 1 or 2.Direction: Input/Output Type: Integer On output, the verb sets the variable to the number of rule_array elements it returns to the application program.
Tip: With this verb, the number of returned rule_array elements can exceed the rule_array_count you specified on input. Be sure you allocate adequate memory to receive all the information elements according to the information class you select on input with the information-to-return keyword in the rule_array. - rule_array
-
The rule_array parameter is a pointer to a string variable containing an array of keywords. The keywords are eight bytes in length and must be left-aligned and padded on the right with space characters.Direction: Input/Output Type: String array On input, set the rule_array to specify the type of information to retrieve. There are two input rule_array elements, as described in Table 1. This table also indicates to which parameter, rule_array or verb_data, output data is returned for each keyword.Table 1. Keywords for Cryptographic Facility Query control information The first and third data row span all columns and serve as headers for table sections.
Keyword Description Output in rule_array Output in verb_data Adapter to use (Optional) ADAPTER1 This keyword is ignored. It is accepted for backward compatibility. n/a n/a Information to return (One required) DOM-CONT Obtain an array of enabled control domains. None. See DOM-CONT. DOM-NUMS Returns the total number of domains allocated for the system in the verb_data variable. None. See DOM-NUMS. DOM-USAG Obtain an array of enabled usage domains. None. See DOM-USAG. GETCOMPD Get compliance data. Returns official card and domain compliance information. See the SIGNSTAT keyword later in this table for a method to have the entire bundle hashed and signed by adapter firmware outbound authentication firmware keys. None. See GETCOMPD. GET-UDX Obtains UDX identifiers. This keyword applies only when using Linux® on IBM® Z.
None. See GET-UDX. MOREMKS This keyword returns additional master key information. It is in a second rule array class and used to signify that additional data is to be returned with one or more existing keywords. This keyword is only allowed when one of STATICSFB, STATCCA, or STATCCAE is also present. Any other use results in an error return code of ( 8 / 0x22 [ 34 ] ). When present, the reply rule array elements for the SYM and ASYM master keys have additional bytes populated. The master key status is still present in the same format in offset 0 of the element.
When STATICSFB is present, an ASCII '1' is in offset 7 of the reply rule array element if ACP '0x0330' was set when the master key parts were loaded. This forces the user to enter 24-bytes of key material. This is only present for the SYM MK.
Example output for STATICSFB MOREMKS
(truncated to show only the SYM reply):Rule array kw 0: Card Serial Number Rule array kw 1: “3 1“ SYM MK new mk reg is full and 24-bytes entered. Rule array kw 2: “2 “ SYM MK valid (contains a key) current mk. Rule array kw 3: “2 “ SYM MK valid old mk.NUM-DECT Returns the number of bytes of data required for the verb_data variable when the STATDECT rule-array keyword is specified. Note: A TKE is used to securely load PIN decimalization tables.None. See NUM-DECT. QPENDING TKE uses this rule_array keyword to request information about pending changes previously submitted by this TKE or another TKE to this adapter. Only TKE can submit changes to be stored in the Pending Change Buffer queried with this command. The keyword is available for normal users of Cryptographic Facility Query, for informational or debugging reasons (no secrets are exposed).
This keyword applies only when using Linux on IBM Z.
See Table 2. None. SIG2STAT deprecated:
SIGNSTATThis keyword causes the returned data to have a signature post-pended to the reply data which covers the reply data. It works in combination with the GETCOMPD and STATOAH2 keywords.
It always returns data prefixed with a signed_data_t structure that defines where the data is (following the signed_data_t) and where an optional signature is, (after the data BLOB).
- If SIG2STAT is not present, the signed_data_t beginning structure is still returned, however the signature fields show offset, length, and sig-type of 0x00.
- If SIG2STAT is present, adapter firmware signs the data, puts a signature after the data, and fixes the signature fields to allow for the signature fields and payload.
Note: Keywords SIGNSTAT and STATOAHL are deprecated and will return an error message if requested starting with CCA 8.0 on cryptographic coprocessors starting with CEX8S.None. See the extension of the GETCOMPD and STATOAH2 output in GETCOMPD and STATOAH2. SIZEWPIN Get the number of bytes of storage required for the output of a STATWPIN request. None. See Table 1. STATAES Obtains status information on AES master-key registers and AES key-length enablement. See Table 2. None. STATAPKA Obtains status information on APKA master-key registers and APKA key-length enablement. See Table 2. None. STATCARD Obtains coprocessor-related basic status information. This keyword is provided for backwards compatibility. The STATCRD2 should be used instead of STATCARD. See Table 2. None. STATCCA Obtains CCA-related status information. See Table 2. None. STATCCAE Obtains CCA-related extended status information. See Table 2. None. STATCRD2 Obtains extended basic status information about the coprocessor. See Table 2. None. STATDECT Obtains the information on all of the authorized PIN decimalization tables that are currently stored on the coprocessor. Output is returned in the verb_data variable. Note: A TKE is used to securely load PIN decimalization tables.None. See STATDECT. STATDIAG Obtains diagnostic information. See Table 2. None. STATEID Obtains the Environment Identifier (EID). See Table 2. None. STATEXPT Obtains function control vector-related status information. See Table 2. None. STATICSA Obtains the indicated master key hash and verification patterns to be returned for the master keys loaded in the current domain. This keyword applies only when using Linux on IBM Z.
See Table 2. See STATICSA. STATICSB Obtains the indicated master key hash and verification patterns to be returned for the master keys loaded in the current domain. See Table 2. See STATICSB. STATICSC Obtains the indicated master key hash and verification patterns to be returned for the master keys loaded in the current domain. None. See STATICSC. STATICSE Obtains the indicated master key hash and verification patterns to be returned for the master keys loaded in the current domain. This keyword applies only when using Linux on IBM Z.
See Table 2. See STATICSE. STATICSF This keyword returns the adapter serial number and status information about the SYM (DES) and ASYM (RSA) master-key registers, including whether a valid key is present in each of the old, current, and new registers. This keyword applies only when using Linux on IBM Z.
See Table 2. None. STATICSX Obtains the indicated master key hash and verification patterns to be returned for the master keys loaded in the current domain. This keyword applies only when using Linux on IBM Z.
See Table 2. See STATICSX. STATKPR Obtains non-secret information about an operational key part. This keyword applies only when using Linux on IBM Z.
None. See STATKPR. STATKPRL Obtains the names of the operational key parts. This keyword applies only when using Linux on IBM Z.
None. STATKPRL. STATMOFN Obtains master-key shares distribution information. See Table 2. None. STATOAH2 deprecated:
STATOAHLReturns the adapter health for firmware, with full bootloader fields. This data structure matches the signed health_t structure, which is returned by the secure bootloader of the HSM when a QueryHealth command is issued. (Such a command is issued by low level IBM Z® firmware which then caches the information for the management console). Thus, this STATOAH2 keyword returns the same health_t structure through CCA, signed by an OA key. Input:
The verb_data parameter holds the 32-byte nonce desired by the user to be signed in the returned health_t structure.
Output:
The verb_data parameter holds the health_t structure.
Note: Keywords SIGNSTAT and STATOAHL are deprecated and returns an error message if requested for CCA 8.0 or later.None. See STATOAH2. STATVKPL Obtains the names of all the operational key parts for variable length key token preparation. This keyword applies only when using Linux on IBM Z.
None. See STATVKPL. STATVKPR Obtains non-secret information about an operational key part. This is different from STATKPR in that a register for creating a key in a variable length key token is described.
This keyword applies only when using Linux on IBM Z.
None. See STATVKPR. STATTKPL Obtains the names of all the operational key parts for TR-31 key token preparation. Output will be in parameter verb_data, in the same format as returned by STATVKPL.
None. See STATTKPL. STATTKPR Obtains non-secret information about an operational key part.
This is different from STATKPR in that a register for creating a key in a TR-31 key token is described.
Output will be in parameter verb_data, in the same structure as returned by STATVKPR. The CMACZERO rule is the default for DES and AES, and not allowed with HMAC. The ENCZERO rule is only allowed for DES. The data returned is as described for the CMACZERO and ENC-ZERO rules. The skel field will contain the TR-31 key block header.
None. See STATTKPR. STATWPIN Returns the state information on all of the weak PIN entries that are currently stored on the coprocessor. None. See Table 1. TIMEDATE Reads the current date, time, and day of the week from the secure clock within the coprocessor. See Table 2. None. TKESTATE Indicates whether TKE access is enabled or not. This keyword applies only when using Linux on IBM Z.
See Table 2. None. WRAPMTHD Obtains the default key wrapping method. See Table 2. None. Verification Pattern Format selection for STATKPR, STATVKPR, and STATTKPR. The STATKPR, STATVKPR, and STATTKPR keywords request information about operational key parts that have been stored in the domain. Part of this information is a verification pattern for the key part, returned in the ver_pattern field of the STATKPR, STATVKPR, and STATTKPR output data. ENC-ZERO This keyword modifies the output returned in the ver_pattern field of the STATKPR or STATVKPR output data format structures when the subject key is a DES or TDES key. The length of returned data in the ver_pattern field from the ENC-ZERO calculation is 3 bytes when this keyword is used. The default length of returned data is 4 bytes. None. See STATKPR, STATVKPR, or STATTKPR. Hash Value Format selection for STATKPR, STATVKPR, and STATTKPR. The STATKPR, STATVKPR, and STATTKPR keywords request information about operational key parts that have been stored in the domain. Part of this information is a hash value for the key part, returned in the key_part_hash field of the STATKPR, STATVKPR, and STATTKPR output data. CMACZERO This keyword modifies the output returned in the key_part_hash field of the STATKPR or STATVKPR output data format structures. The returned data in the key_part_hash field is changed to be 5 bytes of a truncated CMAC over the subject key when this keyword is used. None. See STATKPR, STATVKPR, or STATTKPR. Different sets of rule_array elements are returned, depending on the input keyword. Table 2 describes these rule_array elements for keywords that result in output data in the rule_array parameter.For rule_array elements that contain numbers, those numbers are represented by numeric characters which are left-aligned and padded on the right with space characters. For example, a rule_array element that contains the number 2 contains the character string
2
(the number 2 followed by seven space characters).For some keywords, there is output data in the verb_data variable. This output data is described in Verb data returned for CSUACFQ keywords.
Table 2. Cryptographic Facility Query information returned in the rule_array This table contains data rows that span all columns and separate table sections for individual keywords.
Element number Name Description Output rule_array for option QPENDING 1 Change type (ASCII number) An ASCII number that indicates the type of pending change stored in the adapter (if there is one) - Value
- Description
- none
- No pending change
- 1
- Role load
- 2
- Profile load
- 3
- Role delete
- 4
- Profile delete
- 5
- Domain zeroize
- 6
- Enable
2 user ID (string) A string of eight ASCII characters for the user ID of the user who initiated the pending change. Output rule_array for option STATAES 1 AES NMK status State of the AES new master key register: - Value
- Description
- 1
- Register is clear
- 2
- Register contains a partially complete key
- 3
- Register contains a complete key
2 AES CMK status State of the AES current master key register: - Value
- Description
- 1
- Register is clear
- 2
- Register contains a key
3 AES OMK status State of the AES old master key register: - Value
- Description
- 1
- Register is clear
- 2
- Register contains a key
4 AES key length enablement The maximum AES key length that is enabled by the function control vector. The value is 0 (if no AES key length is enabled in the function control vector (FCV)), 128, 192, or 256. Output rule_array for option STATAPKA 1 ECC NMK status The state of the APKA new master key register: - Value
- Description
- 1
- Register is clear
- 2
- Register contains a partially complete key
- 3
- Register contains a complete key
2 ECC CMK status The state of the APKA current master key register: - Value
- Description
- 1
- Register is clear
- 2
- Register contains a key
3 ECC OMK status The state of the APKA old master key register: - Value
- Description
- 1
- Register is clear
- 2
- Register contains a key
4 ECC key length enablement The maximum ECC curve size that is enabled by the function control vector. The value is 0 (if no ECC keys are enabled in the function control vector (FCV)) and 521 for the maximum size. Output rule_array for option STATCARD 1 Number of installed adapters A numeric character string containing the number of active coprocessors installed in the machine. This includes only coprocessors that have CCA software loaded (including those with CCA UDX software). Non-CCA coprocessors are not included in this number. 2 DES hardware level A numeric character string containing an integer value identifying the version of DES hardware on the coprocessor. 3 RSA hardware level A numeric character string containing an integer value identifying the version of RSA hardware on the coprocessor. 4 POST version A character string identifying the version of the coprocessor's Power-On Self Test (POST) firmware. The first four characters define the POST0 version and the last four characters define the POST1 version.
5 Coprocessor operating system name A character string identifying the operating system firmware on the coprocessor. 6 Coprocessor operating system version A character string identifying the version of the coprocessor's operating system firmware. 7 Coprocessor part number A character string containing the 8 character part number identifying the version of the coprocessor. 8 Coprocessor EC level A character string containing the 8 character engineering change (EC) level for this version of the coprocessor. 9 Miniboot version A character string identifying the version of the coprocessor's miniboot firmware. This firmware controls the loading of programs into the coprocessor. The first four characters define the MiniBoot0 version and the last four characters define the MiniBoot1 version.
10 CPU speed A numeric character string containing the operating speed of the microprocessor chip, in megahertz. 11 Adapter ID (see also element number 15) A unique identifier manufactured into the coprocessor. The coprocessor adapter ID is an 8-byte binary value. 12 Flash memory size A numeric character string containing the size of the flash EPROM memory on the coprocessor, in 64 KB increments. 13 DRAM memory size A numeric character string containing the size of the dynamic RAM (DRAM) memory on the coprocessor, in kilobytes. 14 Battery-backed memory size A numeric character string containing the size of the battery-backed RAM on the coprocessor, in kilobytes. 15 Serial number A character string containing the unique serial number of the coprocessor. The serial number is factory installed. Output rule_array for option STATCCA 1 NMK status The state of the new master-key register: - Value
- Description
- 1
- The register is clear.
- 2
- The register contains a partially complete key.
- 3
- The register contains a key.
2 CMK status The state of the current master-key register: - Value
- Description
- 1
- The register is clear.
- 2
- The register contains a key.
3 OMK status The state of the old master-key register: - Value
- Description
- 1
- The register is clear.
- 2
- The register contains a key.
4 CCA application version A character string that identifies the version of the CCA application program running in the coprocessor. If the first character of the CCA application version field is a number, such as
4or greater, then this card is a CEX3C or higher. For example, a4in the first character indicates a CEX3C or CEX4C. A5in the first character indicates a CEX5C. A6in the first character indicates a CEX6C.The results of this query come directly from the card itself. If the host device driver is not up to date, it could incorrectly identify a wrong CEX*C. Therefore, looking at this field resolves all questions.
Important: Starting with version 8.4, the CCA host library is shared across IBM Z and non-Z environments. Read the information provided in Compatibility considerations.5 CCA application build date A character string containing the build date for the CCA application program running in the coprocessor. 6 User role A character string containing the role identifier which defines the host application user's current authority. Output rule_array for option STATCCAE 1 Symmetric NMK status The state of the symmetric new master-key register: - Value
- Description
- 1
- The register is clear.
- 2
- The register contains a partially complete key.
- 3
- The register contains a key.
2 Symmetric CMK status The state of the symmetric current master-key register: - Value
- Description
- 1
- The register is clear.
- 2
- The register contains a key.
3 Symmetric OMK status The state of the symmetric old master-key register: - Value
- Description
- 1
- The register is clear.
- 2
- The register contains a key.
4 CCA application version A character string that identifies the version of the CCA application program that is running in the coprocessor. Important: Starting with version 8.4, the CCA host library is shared across IBM Z and non-Z environments. Read the information provided in Compatibility considerations.5 CCA application build date A character string containing the build date for the CCA application program that is running in the coprocessor. 6 User role A character string containing the role identifier which defines the host application user's current authority. 7 Asymmetric NMK status The state of the asymmetric new master-key register: - Value
- Description
- 1
- The register is clear.
- 2
- The register contains a partially complete key.
- 3
- The register contains a key.
8 Asymmetric CMK status The state of the asymmetric current master-key register: - Value
- Description
- 1
- The register is clear.
- 2
- The register contains a key.
9 Asymmetric OMK status The state of the asymmetric old master-key register: - Value
- Description
- 1
- The register is clear.
- 2
- The register contains a key.
Output rule_array for option STATCRD2 1 Number of installed adapters A numeric character string containing the number of active coprocessors installed in the machine. This includes only coprocessors that have CCA software loaded (including those with CCA UDX software). Non-CCA coprocessors are not included in this number. 2 DES hardware level A numeric character string containing an integer value identifying the version of DES hardware on the coprocessor. 3 RSA hardware level A numeric character string containing an integer value identifying the version of RSA hardware on the coprocessor. 4 POST version A character string identifying the version of the coprocessor's Power-On Self Test (POST) firmware. The first four characters define the POST0 version and the last four characters define the POST1 version.
5 Coprocessor operating system name A character string identifying the operating system firmware on the coprocessor. 6 Coprocessor operating system version A character string identifying the version of the coprocessor's operating system firmware. 7 Coprocessor part number A character string containing the 8 character part number identifying the version of the coprocessor. 8 Coprocessor EC level A character string containing the 8 character engineering change (EC) level for this version of the coprocessor. 9 Miniboot version A character string identifying the version of the coprocessor's miniboot firmware. This firmware controls the loading of programs into the coprocessor. The first four characters define the MiniBoot0 version and the last four characters define the MiniBoot1 version.
10 CPU speed A numeric character string containing the operating speed of the microprocessor chip, in megahertz. 11 Adapter ID (see also element number 15) A unique identifier manufactured into the coprocessor. The coprocessor adapter ID is an 8-byte binary value. 12 Flash memory size A numeric character string containing the size of the flash EPROM memory on the coprocessor, in 64 KB increments. 13 DRAM memory size A numeric character string containing the size of the dynamic RAM (DRAM) memory on the coprocessor, in kilobytes. 14 Battery-backed memory size A numeric character string containing the size of the battery-backed RAM on the coprocessor, in kilobytes. 15 Serial number A character string containing the unique serial number of the coprocessor. The serial number is factory installed. 16 POST2 version A character string identifying the version of the coprocessor's POST2 firmware. The first four characters define the POST2 version, and the last four characters are reserved and valued to space characters. Output rule_array for option STATDIAG 1 Battery state A numeric character string containing a value which indicates whether the battery on the coprocessor needs to be replaced: - Value
- Description
- 1
- The battery is good.
- 2
- The battery should be replaced.
2 Intrusion latch state A numeric character string containing a value which indicates whether the intrusion latch on the coprocessor is set or cleared: - Value
- Description
- 1
- The latch is cleared.
- 2
- The latch is set.
3 Error log status A numeric character string containing a value which indicates whether there is data in the coprocessor CCA error log: - Value
- Description
- 1
- The error log is empty.
- 2
- The error log contains abnormal termination data, but is not yet full.
- 3
- The error log is full and cannot hold any more data.
4 Mesh intrusion A numeric character string containing a value to indicate whether the coprocessor has detected tampering with the protective mesh that surrounds the secure module. This indicates a probable attempt to physically penetrate the module: - Value
- Description
- 1
- No intrusion has been detected.
- 2
- An intrusion attempt has been detected.
5 Low voltage detected A numeric character string containing a value to indicate whether a power-supply voltage was below the minimum acceptable level. This might indicate an attempt to attack the security module: - Value
- Description
- 1
- Only acceptable voltages have been detected.
- 2
- A voltage has been detected below the low-voltage tamper threshold.
6 High voltage detected A numeric character string containing a value indicates whether a power-supply voltage was greater than the maximum acceptable level. This might indicate an attempt to attack the security module: - Value
- Description
- 1
- Only acceptable voltages have been detected.
- 2
- A voltage has been detected greater than the high-voltage tamper threshold.
7 Temperature range exceeded A numeric character string containing a value to indicate whether the temperature in the secure module was outside of the acceptable limits. This might indicate an attempt to attack the security module: - Value
- Description
- 1
- The temperature is acceptable.
- 2
- The temperature has been detected outside of an acceptable limit.
8 Radiation detected A numeric character string containing a value to indicate whether radiation was detected inside the secure module. This might indicate an attempt to attack the security module: - Value
- Description
- 1
- No radiation has been detected.
- 2
- Radiation has been detected.
9, 11, 13, 15, 17 Last 5 commands run These five rule_array elements contain the last five commands that were run by the coprocessor CCA application. They are in chronological order, with the most recent command in element 9. Each element contains the security API command code in the first four characters and the subcommand code in the last four characters. See Table 1. 10, 12, 14, 16, 18 Last 5 return codes These five rule_array elements contain the security API return codes and reason codes corresponding to the five commands in rule_array elements 9, 11, 13, 15, and 17. Each element contains the return code in the first four characters and the reason code in the last four characters. Output rule_array for option STATEID 1, 2 EID The two elements, when concatenated, provide the 16-byte Environment Identifier (EID) value. Output rule_array for option STATEXPT, when a function control vector (FCV) is loaded. Returns space characters in each of the six rule array elements if an FCV is not loaded. 1 Base CCA services availability A numeric character string containing a value to indicate whether base CCA services are available: - Value
- Description
- 0
- Base CCA services are not available.
- 1
- Base CCA services are available.
3 56-bit DES availability A numeric character string containing a value to indicate whether 56-bit DES encryption is available: - Value
- Description
- 0
- 56-bit DES encryption is not available.
- 1
- 56-bit DES encryption is available.
4 Triple-DES availability A numeric character string containing a value to indicate whether Triple-DES encryption is available: - Value
- Description
- 0
- Triple-DES encryption is not available.
- 1
- Triple-DES encryption is available.
5 SET services availability A numeric character string containing a value to indicate whether SET (secure electronic transaction) services are available: - Value
- Description
- 0
- SET services are not available.
- 1
- SET services are available.
Note: The SET services are not supported in the Linux on IBM Z environment.6 Maximum modulus for symmetric key encryption A numeric character string containing the maximum modulus size enabled for the encryption of symmetric keys. This defines the longest public-key modulus that can be used for key management of symmetric-algorithm keys. Output rule_array for option STATICSA This keyword also has verb data returned in the verb_data field. See Verb data returned for CSUACFQ keywords.
1 Card serial number Eight ASCII characters for the adapter serial number 2 DES new master-key register state An ASCII number showing the state of the DES new master-key register: - Value
- Description
- 1
- Empty
- 2
- Partially full
- 3
- Full
3 DES current master-key register state An ASCII number showing the state of the DES current master-key register: - Value
- Description
- 1
- Invalid
- 2
- Valid
4 DES old master-key register state An ASCII number showing the state of the DES old master-key register: - Value
- Description
- 1
- Invalid
- 2
- Valid
5 PKA new master-key register state An ASCII number showing the state of the PKA new master-key register: - Value
- Description
- 1
- Empty
- 2
- Partially full
- 3
- Full
6 PKA current master-key register state An ASCII number showing the state of the PKA current master-key register: - Value
- Description
- 1
- Invalid
- 2
- Valid
7 PKA old master-key register state An ASCII number showing the state of the PKA old master-key register: - Value
- Description
- 1
- Invalid
- 2
- Valid
8 AES new master-key register state An ASCII number showing the state of the AES new master-key register: - Value
- Description
- 1
- Empty
- 2
- Partially full
- 3
- Full
9 AES current master-key register state An ASCII number showing the state of the AES current master-key register: - Value
- Description
- 1
- Invalid
- 2
- Valid
10 AES old master-key register state An ASCII number showing the state of the AES old master-key register: - Value
- Description
- 1
- Invalid
- 2
- Valid
Output rule_array for option STATICSB This keyword also has verb data returned in the verb_data field. See Verb data returned for CSUACFQ keywords.
1 Card serial number Eight ASCII characters for the adapter serial number 2 DES new master-key register state An ASCII number showing the state of the DES new master-key register: - Value
- Description
- 1
- Empty
- 2
- Partially full
- 3
- Full
3 DES current master-key register state An ASCII number showing the state of the DES current master-key register: - Value
- Description
- 1
- Invalid
- 2
- Valid
4 DES old master-key register state An ASCII number showing the state of the DES old master-key register: - Value
- Description
- 1
- Invalid
- 2
- Valid
5 PKA new master-key register state An ASCII number showing the state of the PKA new master-key register: - Value
- Description
- 1
- Empty
- 2
- Partially full
- 3
- Full
6 PKA current master-key register state An ASCII number showing the state of the PKA current master-key register: - Value
- Description
- 1
- Invalid
- 2
- Valid
7 PKA old master-key register state An ASCII number showing the state of the PKA old master-key register: - Value
- Description
- 1
- Invalid
- 2
- Valid
8 AES new master-key register state An ASCII number showing the state of the AES new master-key register: - Value
- Description
- 1
- Empty
- 2
- Partially full
- 3
- Full
9 AES current master-key register state An ASCII number showing the state of the AES current master-key register: - Value
- Description
- 1
- Invalid
- 2
- Valid
10 AES old master-key register state An ASCII number showing the state of the AES old master-key register: - Value
- Description
- 1
- Invalid
- 2
- Valid
11 APKA new master-key register state An ASCII number showing the state of the APKA new master-key register: - Value
- Description
- 1
- Empty
- 2
- Partially full
- 3
- Full
12 APKA current master-key register state An ASCII number showing the state of the APKA current master-key register: - Value
- Description
- 1
- Invalid
- 2
- Valid
13 APKA old master-key register state An ASCII number showing the state of the APKA old master-key register: - Value
- Description
- 1
- Invalid
- 2
- Valid
Output rule_array for option STATICSE This keyword also has verb data returned in the verb_data field. See Verb data returned for CSUACFQ keywords.
1 Card serial number Eight ASCII characters for the adapter serial number 2 DES new master-key register state An ASCII number showing the state of the DES new master-key register: - Value
- Description
- 1
- Empty
- 2
- Partially full
- 3
- Full
3 DES current master-key register state An ASCII number showing the state of the DES current master-key register: - Value
- Description
- 1
- Invalid
- 2
- Valid
4 DES old master-key register state An ASCII number showing the state of the DES old master-key register: - Value
- Description
- 1
- Invalid
- 2
- Valid
5 PKA new master-key register state An ASCII number showing the state of the PKA new master-key register: - Value
- Description
- 1
- Empty
- 2
- Patially full
- 3
- Full
6 PKA current master-key register state An ASCII number showing the state of the PKA current master-key register: - Value
- Description
- 1
- Invalid
- 2
- Valid
7 PKA old master-key register state An ASCII number showing the state of the PKA old master-key register: - Value
- Description
- 1
- Invalid
- 2
- Valid
Output rule_array for option STATICSF 1 Card serial number Eight ASCII characters for the adapter serial number 2 DES new master-key register state An ASCII number showing the state of the DES new master-ky register: - Value
- Description
- 1
- Empty
- 2
- Partially full
- 3
- Full
3 DES current master-key register state An ASCII number showing the state of the DES current master-key register: - Value
- Description
- 1
- Invalid
- 2
- Valid
4 DES old master-key register state An ASCII number showing the state of the DES old master-key register: - Value
- Description
- 1
- Invalid
- 2
- Valid
5 PKA new master-key register state An ASCII number showing the state of the PKA new master-key register: - Value
- Description
- 1
- Empty
- 2
- Partially full
- 3
- Full
6 PKA current master-key register state An ASCII number showing the state of the PKA current master-key register: - Value
- Description
- 1
- Invalid
- 2
- Valid
7 PKA old master-key register state An ASCII number showing the state of the PKA old master-key register: - Value
- Description
- 1
- Invalid
- 2
- Valid
Output rule_array for option STATICSX This keyword also has verb data returned in the verb_data field. See Verb data returned for CSUACFQ keywords.
1 Card serial number Eight ASCII characters for the adapter serial number 2 DES new master-key register state An ASCII number showing the state of the DES new master-key register: - Value
- Description
- 1
- Empty
- 2
- Partially full
- 3
- Full
3 DES current master-key register state An ASCII number showing the state of the DES current master-key register: - Value
- Description
- 1
- Invalid
- 2
- Valid
4 DES old master-key register state An ASCII number showing the state of the DES old master-key register: - Value
- Description
- 1
- Invalid
- 2
- Valid
5 PKA new master-key register state An ASCII number showing the state of the PKA new master-key register: - Value
- Description
- 1
- Empty
- 2
- Partially full
- 3
- Full
6 PKA current master-key register state An ASCII number showing the state of the PKA current master-key register: - Value
- Description
- 1
- Invalid
- 2
- Valid
7 PKA old master-key register state An ASCII number showing the state of the PKA old master-key register: - Value
- Description
- 1
- Invalid
- 2
- Valid
Output rule_array for option STATMOFN Elements 1 and 2 are treated as a 16-byte string, as are elements 3 and 4, with the high-order 15 bytes containing meaningful information and the 16th byte containing a space character. Each byte provides status information about the ith share, 1 ≤ i ≤ 15, of master-key information.
1, 2 Master-key shares generation The 15 individual bytes are set to one of these character values: - Value
- Description
- 0
- Cannot be generated
- 1
- Can be generated
- 2
- Has been generated but not distributed
- 3
- Generated and distributed once
- 4
- Generated and distributed more than once
3, 4 Master-key shares reception The 15 individual bytes are set to one of these character values: - Value
- Description
- 0
- Cannot be received
- 1
- Can be received
- 3
- Has been received
- 4
- Has been received more than once
5 m The minimum number of shares required to instantiate a master key through the master-key-shares process. The value is returned in two characters, valued from 01 – 15, followed by six space characters. 6 n The maximum number of distinct shares involved in the master-key shares process. The value is returned in two characters, valued from 01 - 15, followed by six space characters. Output rule_array for option TIMEDATE 1 Date The current date is returned as a character string of the form YYYYMMDD, where: - YYYY
- Represents the year.
- MM
- Represents the month (01 - 12).
- DD
- Represents the day of the month (01 - 31).
2 Time The current UTC time of day is returned as a character string of the form HHMMSS, where: - HH
- Represents the hour (0 - 23).
- MM
- Represents the minute (0 - 59).
- SS
- Represents second (0 - 59).
3 Day of the week The day of the week is returned as a number between 1 (Sunday) and 7 (Saturday). Output rule_array for option TKESTATE 1 TKE access enabled Indicates whether a TKE can be used to administer this CEX*C. Values are: - TKEPERM
- Allowed
- TKEDENY
- Not allowed
Output rule_array for option WRAPMTHD 1 Internal tokens Default wrapping method for internal tokens. - Value
- Description
- 0
- Keys are be wrapped with the original method.
- 1
- Keys are wrapped with the enhanced X9.24 method.
- 2
- Reserved.
- 3
- Keys are wrapped with the enhanced wrapping method version 3 (see also Key wrapping).
2 External tokens Default wrapping method for external tokens. - Value
- Description
- 0
- Keys are wrapped with the original method.
- 1
- Keys are wrapped with the enhanced X9.24 method.
- 2
- Reserved.
- 3
- Keys are wrapped with the enhanced wrapping method version 3 (see also Key wrapping).
- verb_data_length
-
The verb_data_length parameter is a pointer to an integer variable containing the number of bytes of data in the verb-data variable.Direction: Input/Output Type: Integer - verb_data
-
Direction: Input/Output Type: String A pointer to a string variable containing output data that is returned for some of the keywords specified in the rule_array variable. This output is described in a separate section for each keyword in Verb data returned for CSUACFQ keywords.