Access control points and verbs

Verbs use access control points (ACPs). ACPs are also referred to as commands.

Important: By default, you should disable commands that allow an action and enable commands that disallow an action. Enabling or disabling an ACP requires knowledge of the underlying action, so that you understand why the ACP is set on or off.

For instructions on how to enable and disable these ACPs using the TKE workstation, see z/OS Cryptographic Services.

For systems that do not use the optional TKE workstation, most ACPs (current and new) are enabled in the default role with the appropriate licensed internal code on the CEX*C.

Note:
  1. Each domain in the CEX*C (with hardware enforced access permissions) starts out with its own default role with the default ACP values as shown. However, it is possible to use the TKE to change ACP values in the default role or to define other roles.
  2. With panel.exe, you can show the settings of all or specific ACPs (see Using panel.exe to show the active role and ACPs).

As described in Access control data structures, you can assign a role to a user. The user's permissions (permitted or disallowed operations) are attached to each role in the form of an access control point (ACP) list. Thus, the assigned role determines the commands (or ACPs) available to that user.

Full coverage of TKE use for configuration is outside the scope of this document. For details, see z/OS Cryptographic Services.

Table 1 lists the CCA ACPs. The name of each ACP is given as it appears on the panels of the TKE user interface. The group names are also given to help locate the ACPs. The table includes the following columns:
ACP number
  The hexadecimal offset, or ACP code, for the command. Offsets between X'0000' and X'FFFF' that are not listed in this table are reserved.
Name of ACP from TKE interface
  The name of the ACP as it appears on the TKE interface.
Verb name
  The names of the verbs that require that ACP to be enabled; for example, the Encipher (CSNBENC) verb fails without permission to use the Encipher - DES ACP.

  The superscripts used in column Verb name have the following meanings:

  1
    This verb performs more than one function, as determined by the keyword in the rule_array parameter of the verb call. Not all functions of the verb require the command in this row.
  2
    This verb does not always require the command in this row. Use as determined by the control vector for the key and the action being performed.
Entry point
  The entry-point name of the verb.
Initial setting
  Whether the ACP is ON or OFF by default.
Usage
  Usage recommendations for the ACP. The following codes are used in the Usage column of this table:
  ID
    Initial default.
  O
    Usage of this command is optional; enable it as required for authorized usage.
  R
    Enabling this command is recommended.
  NR
    Enabling this command is not recommended.
  NRP
    Enabling this command is not recommended for production.
  SC
    Usage of this command requires special consideration.
  SEL
    Usage of this command is normally restricted to one or more selected roles.
  SUP
    This command is normally restricted to one or more supervisory roles.

See the Restrictions, Required commands, or Usage notes sections at the end of each verb description for access control information.
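The rule in the Important note and the Usage codes can be checked mechanically against the ACP settings of a role. The following Python is an added example, not part of the IBM documentation or tooling: the rows are a subset copied from Table 1, while the input format, the `restricts` classification and all function names are assumptions of this example.

```python
import re

# Rows copied from Table 1 on this page:
# ACP number -> (TKE name, initial setting, usage codes, restricts).
# "restricts" is this example's own classification (an assumption): True when
# the ACP name says it disallows an action, so that ON tightens the role.
TABLE_1_SUBSET = {
    0x000E: ("Encipher - DES", "ON", {"O"}, False),
    0x0026: ("Disable 56-bit length DES keys", "OFF", {"SC"}, True),
    0x002C: ("Disable RSA keys with less than 2048-bit modulus length",
             "OFF", {"SC"}, True),
    0x008A: ("MDC Generate", "OFF", {"R"}, False),
    0x00DA: ("Cryptographic Variable Encipher", "ON", {"NRP", "O", "SUP"}, False),
    0x00DB: ("Key Generate - SINGLE-R", "ON", {"NR", "SC"}, False),
    0x0103: ("PKA Key Generate", "ON", {"O", "SUP"}, False),
    0x0328: ("Prohibit weak wrapping - Transport keys", "OFF", {"O", "R"}, True),
}

# Constructed input format (an assumption, not the output of panel.exe or TKE):
# one "X'nnnn' ON|OFF" pair per line; lines starting with '#' are comments.
SETTING_LINE = re.compile(r"^X'([0-9A-Fa-f]{4})'\s+(ON|OFF)$")

SAMPLE_ROLE = """\
# constructed role settings, for illustration only
X'000E' ON
X'0026' OFF
X'002C' ON
X'008A' OFF
X'00DA' ON
X'00DB' OFF
X'0103' ON
X'0328' OFF
X'0FFF' ON
"""


def parse_settings(text):
    """Return {acp_number: 'ON'|'OFF'}; reject malformed or duplicate lines."""
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = SETTING_LINE.match(line)
        if match is None:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        acp = int(match.group(1), 16)
        if acp in settings:
            raise ValueError(f"line {lineno}: duplicate entry for X'{acp:04X}'")
        settings[acp] = match.group(2)
    return settings


def audit(settings, supervisory_role=False):
    """Return (acp, code, message) findings, ordered by ACP number."""
    findings = []
    for acp, state in sorted(settings.items()):
        label = f"X'{acp:04X}'"
        row = TABLE_1_SUBSET.get(acp)
        if row is None:
            findings.append((label, "UNKNOWN",
                             "not in the embedded subset of Table 1"))
            continue
        name, _initial, usage, restricts = row
        if restricts:
            # "Enable commands that disallow an action."
            if state == "OFF":
                findings.append((label, "WEAK",
                                 f"{name}: restriction is not enforced"))
        elif state == "ON" and usage & {"NR", "NRP"}:
            findings.append((label, "NOT-RECOMMENDED",
                             f"{name}: enabling is not recommended"))
        elif state == "ON" and usage & {"SEL", "SUP"} and not supervisory_role:
            findings.append((label, "REVIEW",
                             f"{name}: normally restricted to selected or "
                             "supervisory roles"))
        elif state == "OFF" and "R" in usage:
            findings.append((label, "RECOMMENDED",
                             f"{name}: enabling is recommended"))
    return findings


def changed_from_initial(settings):
    """List known ACPs whose state differs from the Initial setting column."""
    return [f"X'{acp:04X}'" for acp, state in sorted(settings.items())
            if acp in TABLE_1_SUBSET and TABLE_1_SUBSET[acp][1] != state]


if __name__ == "__main__":
    role = parse_settings(SAMPLE_ROLE)
    for acp, code, message in audit(role):
        print(f"{acp}  {code:<16}{message}")
    print("changed from initial setting:", ", ".join(changed_from_initial(role)))
```

Rows marked SC are not scored here; they need a decision against the verb's Restrictions, Required commands, or Usage notes sections.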

Table 1. Access Control Points and corresponding CCA verbs

ACP number (hex) Name of ACP from TKE interface Verb name Entry point Initial setting Usage
0001 GROUP: ISPF Services
Note: This group name refers to ISPF, a z/OS® feature. Although ISPF is not relevant to Linux® on IBM® Z, it is listed here as shown on the TKE panels to avoid confusion.
X'0018' DES Master Key - Load first key part Master Key Process1 CSNBMKP ON SC, SEL
X'0019' DES Master Key - Combine key parts Master Key Process1 CSNBMKP ON SC, SEL
X'001A' DES Master Key - Set master key Master Key Process1 CSNBMKP ON SC, SEL
X'001E' Reencipher CKDS
Note: The TKE name for this ACP refers to z/OS key storage (CKDS). However, z/OS key storage is not impacted. This ACP refers to a service for Linux; see the verb for details.
Key Token Change CSNBKTC ON O
X'0032' DES Master Key - Clear new master key register Master Key Process1 CSNBMKP ON O, SUP
X'0053' RSA Master Key - Load first key part Master Key Process1 CSNBMKP ON SC, SEL
X'0054' RSA Master Key - Combine key parts Master Key Process1 CSNBMKP ON SC, SEL
X'0057' RSA Master Key - Set master key Master Key Process1 CSNBMKP ON SC, SEL
X'0060' RSA Master Key - Clear new master key register Master Key Process1 CSNBMKP ON SC, SEL
X'00F0' Reencipher CKDS2 Key Token Change2 CSNBKTC2 ON O, SC
X'0124' AES Master Key - Clear new master key register Master Key Process1 CSNBMKP ON O, SUP
X'0125' AES Master Key - Load first key part Master Key Process1 CSNBMKP ON O, SUP
X'0126' AES Master Key - Combine key parts Master Key Process1 CSNBMKP ON O, SUP
X'0128' AES Master Key - Set master key Master Key Process1 CSNBMKP ON O, SUP
X'0146' CKDS Conversion2 - Allow wrapping override keywords Key Token Change CSNBKTC ON O
X'0147' CKDS Conversion2 - Convert from enhanced to original Key Token Change CSNBKTC ON O
X'0148' PCF CKDS Conversion - Allow wrapping override keywords PCF/CUSP Key Conversion - indirect verb
Note: This ACP is no longer available (removed before CCA 5.1).
- indirect verb/indirect usage - ON N/A
X'014C' CKDS Conversion2 - Allow use of REFORMAT Key Token Change CSNBKTC ON O
X'0240' Authorize UDX - no verb - - no verb - ON O
X'0241' Reencipher PKDS PKA Key Token Change CSNDKTC ON O, R
X'0303' PCF CKDS conversion utility PCF/CUSP Key Conversion - indirect verb - indirect verb/indirect usage - ON R
X'031F' ECC Master Key - Clear new master key register Master Key Process CSNBMKP ON O
X'0320' ECC Master Key - Load first key part Master Key Process CSNBMKP ON O
X'0321' ECC Master Key - Combine key parts Master Key Process CSNBMKP ON O
X'0322' ECC Master Key - Set master key Master Key Process CSNBMKP ON O
X'0330' DES master key - 24-byte key Master Key Process
Note: This ACP forces the SYM and ASYM master keys to be full 24-byte DES keys.
CSNBMKP OFF O
0002 GROUP: Coprocessor Configuration
X'0026' Disable 56-bit length DES keys All CCA DES-verbs that accept or generate 56-bit length DES keys. OFF SC
X'0027' Disable 56-bit effective length DES keys All CCA DES-verbs that accept or generate 56-bit effective length DES keys including loading master keys. OFF SC
X'002B' Disable RSA keys with less than 1024-bit modulus length All CCA RSA-verbs that accept or generate RSA keys with less than 1024-bit modulus length. OFF SC
X'002C' Disable RSA keys with less than 2048-bit modulus length All CCA RSA-verbs that accept or generate RSA keys with less than 2048-bit modulus length. OFF SC
X'004D' Disable ECC keys weaker than 224-bit (P192, BP160, BP192) All CCA ECC-verbs that accept or generate ECC keys weaker than 224-bit. OFF SC
X'007D' Allow multi-use certificates

Public Infrastructure Certificate
Public Infrastructure Manage

Note: This ACP is no longer available (removed with CCA 6.3).

CSNDPIC
CSNDPIM

OFF N/A
X'0116' Access Control Manager - Read role Access Control Maintenance CSUAACM
Note: This ACP is also required for TKE services.
ON O
X'0139' Symmetric token wrapping - internal enhanced method
Note: This ACP is required for a TKE service.
ON O
X'013A' Symmetric token wrapping - internal original method
Note: This ACP is required for a TKE service.
ON O
X'013B' Symmetric token wrapping - external enhanced method
Note: This ACP is required for a TKE service.
ON O
X'013C' Symmetric token wrapping - external original method
Note: This ACP is required for a TKE service.
ON O
X'0143' Symmetric token wrapping - internal enhanced method version 3
Note: This ACP is required for a TKE service.
ON O
X'0145' Symmetric token wrapping - external enhanced method version 3
Note: This ACP is required for a TKE service.
ON O
X'01C5' Disallow translation from AES wrapping to DES wrapping Key Translate2 CSNBKTR2 OFF O, R
X'01C6' Disallow translation from AES wrapping to weaker AES wrapping Key Translate2 CSNBKTR2 OFF O, R
X'01C7' Disallow translation from DES wrapping to weaker DES wrapping Key Translate2 CSNBKTR2 OFF O, R
X'02EB' Allow weak wrapping of compliance-tagged keys by DES MK All callable services that use PCI-HSM 2016 compliant-tagged DES key tokens. OFF SC
X'0328' Prohibit weak wrapping - Transport keys

EC Diffie-Hellman1
Key Generate21
PKA Key Generate1
Symmetric Key Export1

CSNDEDH
CSNBKGN2
CSNDPKG
CSNDSYX

OFF O, R
X'032C' Warn when weak wrap - Transport keys

EC Diffie-Hellman1
Key Generate21
Symmetric Key Export1
Symmetric Key Import21

CSNDEDH
CSNBKGN2
CSNDSYX
CSNDSYI2J

OFF O, R
X'032D' Disallow 24-byte DATA wrapped with 16-byte Key PKA Key Generate CSNDPKG OFF O
X'032F' Disallow PIN block format ISO-1

Clear PIN Encrypt
Clear PIN Generate Alternate
Encrypted PIN Generate
Encrypted PIN Translate
Encrypted PIN Translate2
Encrypted PIN Translate Enhanced
Encrypted PIN Verify
Encrypted PIN Verify2
PIN Change/Unblock
Recover PIN from Offset
Secure Messaging for PINs
DK Migrate PIN
DK PAN Modify in Transaction
DK PIN Change
DK PIN Verify

CSNBCPE
CSNBCPA
CSNBEPG
CSNBPTR
CSNBPTR2
CSNBPTRE
CSNBPVR
CSNBPVR2
CSNBPCU
CSNBPFO
CSNBSPN
CSNBDMP
CSNBDPMT
CSNBDPC
CSNBDPV

OFF O
X'0331' PKA Key Generate - Allow weak DES wrap of RSA PKA Key Generate CSNDPKG OFF O, R
X'0332' Warn when weak wrap - Master keys

Clear Key Import
Data Key Import
Diversified Key Generate
EC Diffie-Hellman
Key Generate
Key Generate2
Key Import
Key Part Import
Key Part Import2
Key Token Change
Key Token Change2
Master Key Process
Multiple Clear Key Import
PKA Key Generate
PKA Key Import
PKA Key Token Change
Prohibit Export
Restrict Key Attribute
Symmetric Key Generate
Symmetric Key Import
Symmetric Key Import2
TR31 Key Import
Unique Key Derive

CSNBCKI
CSNBDKM
CSNBDKG
CSNDEDH
CSNBKGN
CSNBKGN2
CSNBKIM
CSNBKPI
CSNBKPI2
CSNBKTC
CSNBKTC2
CSNBMKP
CSNBCKM
CSNDPKG
CSNDPKI
CSNDKTC
CSNBPEX
CSNBRKA
CSNDSYG
CSNDSYI
CSNDSYI2
CSNBT31I
CSNBUKD

OFF O, R
X'0333' Prohibit weak wrapping - Master keys Same as ACP X'0332' Same as ACP X'0332' OFF O, R
0003 GROUP: API Cryptographic Services
X'000E' Encipher - DES Encipher CSNBENC ON O
X'000F' Decipher - DES Decipher CSNBDEC ON O
X'0010' MAC Generate MAC Generate CSNBMGN ON O
X'0011' MAC Verify MAC Verify CSNBMVR ON O
X'0012' Key Import Key Import CSNBKIM ON O
X'0013' Key Export Key Export CSNBKEX ON O
X'001B' Key Part Import - first key part Key Part Import1 CSNBKPI ON SC, SEL
X'001C' Key Part Import - middle and last Key Part Import1 CSNBKPI ON SC, SEL
X'001D' Compute Verification Pattern

Key Storage Initialization
Key Test
Key Test2
Key Test Extended

Note: Besides these listed verbs, this ACP also affects all verbs which touch key storage and/or use key labels.

CSNBKSI
CSNBKYT
CSNBKYT2
CSNBKYTX

ON R
X'001F' Key Translate Key Translate CSNBKTR ON O
X'0021' Key Test2 - AES, ENC-ZERO Key Test21 CSNBKYT2 ON O
X'0022' Key Test2 - AES, CMACZERO Key Test21 CSNBKYT2 ON O
X'0023' Key Test2 - DES, CMACZERO Key Test21 CSNBKYT2 ON O
X'0024' DK Random PIN Generate2 DK Random PIN Generate2 CSNBDRG2 OFF O
X'0025' DK PRW Card Number Update2 DK PRW Card Number Update2 CSNBDCU2 OFF O
X'0034' Log Query: System Log Query CSUALGQ OFF O
X'0035' Log Query: CCA Log Query CSUALGQ OFF O
X'0036' Log Query: Set Log Level -4- Log Query CSUALGQ OFF O
X'0037' Log Query: Set Log Level -8- Log Query CSUALGQ OFF O
X'003A' Public Key Import: Disallow Clear Key Import PKA Key Import CSNDPKI OFF O, SC
X'003B' Key Test2 - AES, KEY-LEN Key Test2 CSNBKYT2 ON O
X'003C' Key Test2 - DES, KEY-LEN Key Test2 CSNBKYT2 ON O
X'003D' TR-34 - Allow expired CRL

TR-34 Bind-Begin
TR-34 Bind-Complete
TR-34 Key Distribution
TR-34 Key Receive

CSNDT34B
CSNDT34C
CSNDT34D
CSNDT34R

ON O, SC
X'003E' TR-34 - Allow expired KRD Certificate

TR-34 Bind-Begin
TR-34 Bind-Complete
TR-34 Key Distribution

CSNDT34B
CSNDT34C
CSNDT34D

ON O, SC
X'0040' Diversified Key Generate - CLR8-ENC Diversified Key Generate2 CSNBDKG ON O, SEL
X'0041' Diversified Key Generate - TDES-ENC Diversified Key Generate2 CSNBDKG ON O, SEL
X'0042' Diversified Key Generate - TDES-DEC Diversified Key Generate2 CSNBDKG ON O, SEL
X'0043' Diversified Key Generate - SESS-XOR Diversified Key Generate2 CSNBDKG ON O, SEL
X'0044' Diversified Key Generate - Single length or same halves Diversified Key Generate2 CSNBDKG ON SC, SEL
X'0045' Diversified Key Generate - TDES-XOR Diversified Key Generate2 CSNBDKG ON O, SEL
X'0046' Diversified Key Generate - TDESEMV2/TDESEMV4 Diversified Key Generate2 CSNBDKG ON O, SEL
X'0048' Log Query: Set secure log range Log Query CSUALGQ
Note: This ACP is required for a TKE service.
OFF SC, SUP
X'0049' Log Query: Secure log clear range inactive Log Query
Note: This ACP is required for a TKE service.
CSUALGQ OFF SC, SUP
X'004A' Log Query: Secure log clear range activate Log Query
Note: This ACP is required for a TKE service.
CSUALGQ OFF SC, SUP
X'004B' Log Query: Secure log clear all inactive Log Query
Note: This ACP is required for a TKE service.
CSUALGQ OFF SC, SUP
X'004C' Log Query: Secure log clear all activate Log Query
Note: This ACP is required for a TKE service.
CSUALGQ OFF SC, SUP
X'0055' ISO PIN blocks do not check PIN digits

Clear PIN Generate Alternate
Encrypted PIN Translate
Encrypted PIN Translate2
Encrypted PIN Translate Enhanced
Encrypted PIN Verify
Encrypted PIN Verify2
PIN Change/Unblock
Secure Messaging for PINs
DK Migrate PIN
DK PAN Modify in Transaction
DK PIN Change
DK PIN Verify

CSNBCPA
CSNBPTR
CSNBPTR2
CSNBPTRE
CSNBPVR
CSNBPVR2
CSNBPCU
CSNBSPN
CSNBDMP
CSNBDPMT
CSNBDPC
CSNBDPV

ON R
X'006E' T31X - Disallow Partial DES Key Export with CV in IBMC01 OB TR31 Translate CSNBT31X OFF SC
X'006F' T31I Disallow Partial DES Key Import with CV in IBMC01 OB TR31 Key Import CSNBT31I OFF SC
X'0070' Public Infrastructure Certificate Public Infrastructure Certificate CSNDPIC ON O
X'0071' PIC Signature Algorithm SHA+RSA Public Infrastructure Certificate CSNDPIC OFF O
X'0072' PIC Signature Algorithm ECDSA Public Infrastructure Certificate CSNDPIC OFF O
X'0073' PIC Signature Algorithm RSASSA_PSS Public Infrastructure Certificate CSNDPIC OFF O
X'0076' PIC Signature Algorithm SHA-1 Public Infrastructure Certificate CSNDPIC OFF O
X'0077' PIC Signature Algorithm SHA-224 Public Infrastructure Certificate CSNDPIC OFF O
X'0078' PIC Signature Algorithm SHA-256 Public Infrastructure Certificate CSNDPIC OFF O
X'0079' PIC Signature Algorithm SHA-384 Public Infrastructure Certificate CSNDPIC OFF O
X'007A' PIC Signature Algorithm SHA-512 Public Infrastructure Certificate CSNDPIC OFF O
X'007B' PIC: Create x509 certificate Public Infrastructure Certificate CSNDPIC OFF O
X'007C' Public Infrastructure Certificate - PK10SNRQ Public Infrastructure Certificate CSNDPIC ON O
X'0080' Diversify Directed Key Diversify Directed Key CSNBDDK OFF O
X'0081' Diversify Directed Key - Allow KDFFM DERIVE Diversify Directed Key CSNBDDK OFF O
X'0082' Diversify Directed Key - Allow KDFFM GENERATE Diversify Directed Key CSNBDDK OFF O
X'0083' PKA Encrypt - Allow ML-KEM, CRYSTALS-Kyber keys PKA Encrypt CSNDPKE ON O
X'0084' PKA Decrypt - Allow ML-KEM, CRYSTALS-Kyber keys PKA Decrypt CSNDPKD ON O
X'0085' Disallow ISO-2 PIN block generate

Clear PIN Encrypt
Clear PIN Generate Alternate
Encrypted PIN Generate
Recover PIN from Offset

CSNBCPE
CSNBCPA
CSNBEPG
CSNBPFO

OFF O
X'0086' Disallow ISO-2 PIN block verify

Encrypted PIN Verify2
Encrypted PIN Verify

CSNBPVR2
CSNBPVR

OFF O
X'0087' Disallow ISO-2 PIN block translate

Encrypted PIN Translate2
Encrypted PIN Translate
Encrypted PIN Translate Enhanced
PIN Change/Unblock
Secure Messaging for PINs

CSNBPTR2
CSNBPTR
CSNBPTRE
CSNBPCU
CSNBSPN

OFF O
X'008A' MDC Generate MDC Generate CSNBMDG OFF R
X'008C' Key Generate - Key set Key Generate2 CSNBKGN ON O
X'008E' Key Generate - OP

Key Generate2
Random Number Generate

CSNBKGN
CSNBRNG

ON R
X'0090' Symmetric Key Token Change - RTCMK Key Token Change CSNBKTC ON R
X'00A0' Clear PIN Generate - 3624 Clear PIN Generate CSNBPGN ON O
X'00A1' Clear PIN Generate - GBP Clear PIN Generate CSNBPGN ON O
X'00A2' Clear PIN Generate - VISA PVV Clear PIN Generate CSNBPGN ON O
X'00A3' Clear PIN Generate - Interbank Clear PIN Generate CSNBPGN ON O
X'00A4' Clear PIN Generate Alternate - 3624 Offset Clear PIN Generate Alternate1 CSNBCPA ON O
X'00AB' Encrypted PIN Verify - 3624 Encrypted PIN Verify1 CSNBPVR ON O
X'00AC' Encrypted PIN Verify - GBP Encrypted PIN Verify1 CSNBPVR ON O
X'00AD' Encrypted PIN Verify - VISA PVV Encrypted PIN Verify1 CSNBPVR ON O
X'00AE' Encrypted PIN Verify - Interbank Encrypted PIN Verify1 CSNBPVR ON O
X'00AF' Clear PIN Encrypt Clear PIN Encrypt CSNBCPE ON O
X'00B0' Encrypted PIN Generate - 3624 Encrypted PIN Generate1 CSNBEPG ON O
X'00B1' Encrypted PIN Generate - GBP Encrypted PIN Generate1 CSNBEPG ON O
X'00B2' Encrypted PIN Generate - Interbank Encrypted PIN Generate1 CSNBEPG ON O
X'00B3' Encrypted PIN Translate - Translate Encrypted PIN Translate1 CSNBPTR ON O
X'00B7' Encrypted PIN Translate - Reformat Encrypted PIN Translate1 CSNBPTR ON O
X'00BB' Clear PIN Generate Alternate - VISA PVV Clear PIN Generate Alternate1 CSNBCPA ON O
X'00BC' PIN Change/Unblock - change EMV PIN with OPINENC PIN Change/Unblock1 CSNBPCU ON O
X'00BD' PIN Change/Unblock - change EMV PIN with IPINENC PIN Change/Unblock1 CSNBPCU ON O
X'00C3' Clear Key Import/Multiple Clear Key Import - DES

Clear Key Import
Multiple Clear Key Import

CSNBCKI
CSNBCKM

ON SC
X'00C4' Secure Key Import - DES,OP
Note: This ACP is included for TKE reference only, the service impacted is available only (for IBM Z®) on z/OS.
ON O
X'00CD' Prohibit Export Prohibit Export CSNBPEX ON O
X'00CF' Restrict PIN Messages N/A N/A OFF O
X'00D0' Allow CSNBKGN2 to generate AES DKYGENKY keys with MMSAUTH1 and MMSAUTH2 and keyform OPEX for CSNBMMS Key Generate2 CSNBKGN2 OFF O
X'00D1' Allow CSNBDKG2 to derive keys from AES DKYGENKY keys with MMSAUTH1 attribute Diversified Key Generate2 CSNBDKG2 OFF O
X'00D2' Allow CSNBMMS service with KDFFM-DK Multi-MAC Scheme CSNBMMS ON O
X'00D3' Disallow CSNBKGN2 from generating AES MAC keys with PTR2AUTH Key Generate2 CSNBKGN2 OFF
X'00D4' Allow CSNDSYG to generate AES CIPHER or MAC keys Symmetric Key Generate CSNDSYG ON SC
X'00D6' Control Vector Translate Control Vector Translate CSNBCVT ON SC
X'00D7' Key Generate - Key set extended Key Generate2 CSNBKGN ON SC, SUP
X'00DA' Cryptographic Variable Encipher Cryptographic Variable Encipher CSNBCVE ON NRP, O, SUP
X'00DB' Key Generate - SINGLE-R

Key Generate2
Remote Key Export2

CSNBKGN
CSNDRKX

ON NR, SC
X'00DC' Secure Key Import - DES,IM
Note: This ACP is included for TKE reference only, the service impacted is available only (for IBM Z) on z/OS.
ON O
X'00DF' VISA CVV Generate CVV Generate CSNBCSG ON O
X'00E0' VISA CVV Verify CVV Verify CSNBCSV ON O
X'00E1' DUKPT - PIN Verify, PIN Translate


Encrypted PIN Translate1
Encrypted PIN Translate2
Encrypted PIN Translate Enhanced
Encrypted PIN Verify1
Encrypted PIN Verify2
FPE Decipher
FPE Encipher
FPE Translate

CSNBPTR
CSNBPTR2
CSNBPTRE
CSNBPVR
CSNBPVR2
CSNBFPED
CSNBFPEE
CSNBFPET

ON O
X'00E4' HMAC Generate - SHA-1 HMAC Generate CSNBHMG ON O
X'00E5' HMAC Generate - SHA-224 HMAC Generate CSNBHMG ON O
X'00E6' HMAC Generate - SHA-256 HMAC Generate CSNBHMG ON O
X'00E7' HMAC Generate - SHA-384 HMAC Generate CSNBHMG ON O
X'00E8' HMAC Generate - SHA-512 HMAC Generate CSNBHMG ON O
X'00E9' Restrict Key Attribute - Export Control Restrict Key Attribute CSNBRKA ON O
X'00EA' Key Generate2 - OP Key Generate2 CSNBKGN2 ON O
X'00EB' Key Generate2 - Key set Key Generate2 CSNBKGN2 ON O
X'00EC' Key Generate2 - Key set extended Key Generate2 CSNBKGN2 ON O
X'00EF' Allow ECC Private Key Export - CSNDPKT service ECC-AES1 PKA Key Translate CSNDPKT OFF O
X'00F1' Symmetric Key Token Change2 - RTCMK Key Token Change2 CSNBKTC2 ON O
X'00F2' Secure Key Import2 - OP
Note: This ACP is included for TKE reference only, the service impacted is available only (for IBM Z) on z/OS.
ON O
X'00F3' Secure Key Import2 - IM
Note: This ACP is included for TKE reference only, the service impacted is available only (for IBM Z) on z/OS.
ON O
X'00F4' Symmetric Key Import2 - HMAC,PKOAEP2 Symmetric Key Import2 CSNDSYI2 ON O
X'00F5' Symmetric Key Export - HMAC,PKOAEP2 Symmetric Key Export CSNDSYX ON O
X'00F7' HMAC Verify - SHA-1 HMAC Verify CSNBHMV ON O
X'00F8' HMAC Verify - SHA-224 HMAC Verify CSNBHMV ON O
X'00F9' HMAC Verify - SHA-256 HMAC Verify CSNBHMV ON O
X'00FA' HMAC Verify - SHA-384 HMAC Verify CSNBHMV ON O
X'00FB' HMAC Verify - SHA-512 HMAC Verify CSNBHMV ON O
X'00FC' Symmetric Key Export - AES,PKOAEP2 Symmetric Key Export1 CSNDSYX ON O
X'00FD' Symmetric Key Import2 - AES,PKOAEP2 Symmetric Key Import21 CSNDSYI2 ON O
X'00FE' PKA Key Translate - Translate internal key token PKA Key Translate CSNDPKT ON O
X'00FF' PKA Key Translate - Translate external key token PKA Key Translate CSNDPKT ON O
X'0100' Digital Signature Generate Digital Signature Generate CSNDDSG ON O, SC
X'0101' Digital Signature Verify Digital Signature Verify CSNDDSV ON O
X'0102' PKA Key Token Change RTCMK PKA Key Token Change CSNDKTC ON O
X'0103' PKA Key Generate PKA Key Generate1 CSNDPKG ON O, SUP
X'0104' PKA Key Import PKA Key Import CSNDPKI ON O, SUP
X'0105' Symmetric Key Export - DES, PKCS-1.2 Symmetric Key Export CSNDSYX ON SC
X'0106' Symmetric Key Import - DES, PKCS-1.2 Symmetric Key Import1 CSNDSYI ON O
X'0109' Data Key Import Data Key Import CSNBDKM ON O
X'010A' Data Key Export Data Key Export CSNBDKX ON O
X'010B' SET Block Compose
Note: This ACP is included for TKE reference only, the service impacted is available only (for IBM Z) on z/OS.
ON O
X'010C' SET Block Decompose
Note: This ACP is included for TKE reference only, the service impacted is available only (for IBM Z) on z/OS.
ON O
X'010D' Symmetric Key Generate - DES, PKA92 Symmetric Key Generate1 CSNDSYG ON SC
X'011E' PKA Encrypt PKA Encrypt CSNDPKE ON O, SEL
X'011F' PKA Decrypt PKA Decrypt CSNDPKD ON SC, SEL
X'0121' SET Block Decompose - PIN Extension IPINENC
Note: This ACP is included for TKE reference only, the service impacted is available only (for IBM Z) on z/OS.
ON O
X'0122' SET Block Decompose - PIN Extension OPINENC
Note: This ACP is included for TKE reference only, the service impacted is available only (for IBM Z) on z/OS.
ON O
X'0129' Multiple Clear Key Import/Multiple Secure Key Import - AES Multiple Clear Key Import CSNBCKM ON SC
X'012A' Symmetric Algorithm Encipher - secure AES keys Symmetric Algorithm Encipher1 CSNBSAE ON O
X'012B' Symmetric Algorithm Decipher - secure AES keys Symmetric Algorithm Decipher1 CSNBSAD ON O
X'012C' Symmetric Key Generate - AES, PKCSOAEP, PKCS-1.2 Symmetric Key Generate CSNDSYG ON SC
X'012D' Symmetric Key Generate - AES, ZERO-PAD Symmetric Key Generate CSNDSYG ON SC
X'012E' Symmetric Key Import - AES, PKCSOAEP, PKCS-1.2 Symmetric Key Import CSNDSYI ON O
X'012F' Symmetric Key Import - AES, ZERO-PAD Symmetric Key Import CSNDSYI ON O
X'0130' Symmetric Key Export - AES, PKCSOAEP, PKCS-1.2 Symmetric Key Export CSNDSYX ON SC
X'0131' Symmetric Key Export - AES, ZERO-PAD Symmetric Key Export CSNDSYX ON SC
X'013D' Diversified Key Generate - Allow wrapping override keywords Diversified Key Generate CSNBDKG ON O
X'013E' Symmetric Key Generate - Allow wrapping override keywords Symmetric Key Generate CSNDSYG ON O
X'013F' Remote Key Export - include RKX in default wrap config Remote Key Export CSNDRKX OFF SC
X'0140' Key Part Import - Allow wrapping override keywords Key Part Import CSNBKPI ON O
X'0141' Multiple Clear Key Import - Allow wrapping override keywords Multiple Clear Key Import CSNBCKM ON O
X'0142' Multiple Secure Key Import - Allow wrapping override keywords This ACP is for verbs CSNBSKI / CSNBSKM, which are not supported on Linux on IBM Z but are supported on z/OS. ON O
X'0144' Symmetric Key Import - Allow wrapping override keywords Symmetric Key Import CSNDSYI ON O
X'0149' Key Translate2 Key Translate2 CSNBKTR2 ON O
X'014A' Key Translate2 - Allow wrapping override keywords Key Translate2 CSNBKTR2 ON O
X'014B' Key Translate2 - Allow use of REFORMAT Key Translate2 CSNBKTR2 ON
X'014D' T31X - Permit version A TR-31 key blocks TR31 Translate1 CSNBT31X ON O
X'014E' T31X - Permit version B TR-31 key blocks TR31 Translate1 CSNBT31X ON O
X'014F' T31X - Permit version C TR-31 key blocks TR31 Translate1 CSNBT31X ON O
X'0150' TR31 Import - Permit version A TR-31 key blocks TR31 Key Import1 CSNBT31I ON O
X'0151' TR31 Import - Permit version B TR-31 key blocks TR31 Key Import1 CSNBT31I ON O
X'0152' TR31 Import - Permit version C TR-31 key blocks TR31 Key Import1 CSNBT31I ON O
X'0153' TR31 Import - Permit override of default wrapping method TR31 Key Import1 CSNBT31I ON O, SC
X'0154' Restrict Key Attribute - Permit setting the TR-31 export bit Restrict Key Attribute1 CSNBRKA ON O
X'0155' CVV Key Combine CVV Key Combine CSNBCKC ON O
X'0156' CVV Key Combine - Allow wrapping override keywords CVV Key Combine1 CSNBCKC ON O, SC
X'0157' CVV Key Combine - Permit mixed key types CVV Key Combine1 CSNBCKC ON O, SC
X'0158' T31X - Permit any CCA key if INCL-CV is specified TR31 Translate1 CSNBT31X ON O, SC
X'015A' TR31 Import - Permit C0 to MAC/MACVER:CVVKEY-A TR31 Key Import1 CSNBT31I OFF O, SC
X'015B' TR31 Import - Permit C0 to MAC/MACVER:AMEX-CSC TR31 Key Import1 CSNBT31I OFF O, SC
X'015C' TR31 Import - Permit K0:E to EXPORTER/OKEYXLAT TR31 Key Import1 CSNBT31I OFF O, SC
X'015D' TR31 Import - Permit K0:D to IMPORTER/IKEYXLAT TR31 Key Import1 CSNBT31I OFF O
X'015E' TR31 Import - Permit K0:B to EXPORTER/OKEYXLAT TR31 Key Import1 CSNBT31I OFF O
X'015F' TR31 Import - Permit K0:B to IMPORTER/IKEYXLAT TR31 Key Import1 CSNBT31I OFF O
X'0160' TR31 Import - Permit K1:E to EXPORTER/OKEYXLAT TR31 Key Import1 CSNBT31I OFF O
X'0161' TR31 Import - Permit K1:D to IMPORTER/IKEYXLAT TR31 Key Import1 CSNBT31I OFF O
X'0162' TR31 Import - Permit K1:B to EXPORTER/OKEYXLAT TR31 Key Import1 CSNBT31I OFF O
X'0163' TR31 Import - Permit K1:B to IMPORTER/IKEYXLAT TR31 Key Import1 CSNBT31I OFF O
X'0164' TR31 Import - Permit M0/M1/M3 to MAC/MACVER:ANY-MAC TR31 Key Import1 CSNBT31I ON O
X'0165' TR31 Import - Permit P0:E to OPINENC TR31 Key Import1 CSNBT31I ON O
X'0166' TR31 Import - Permit P0:D to IPINENC TR31 Key Import1 CSNBT31I ON O
X'0167' TR31 Import - Permit V0 to PINGEN:NO-SPEC TR31 Key Import1 CSNBT31I OFF O
X'0168' TR31 Import - Permit V0 to PINVER:NO-SPEC TR31 Key Import1 CSNBT31I OFF O
X'0169' TR31 Import - Permit V1 to PINGEN:IBM-PIN/IBM-PINO TR31 Key Import1 CSNBT31I ON O
X'016A' TR31 Import - Permit V1 to PINVER:IBM-PIN/IBM-PINO TR31 Key Import1 CSNBT31I ON O
X'016B' TR31 Import - Permit V2 to PINGEN:VISA-PVV TR31 Key Import1 CSNBT31I ON O
X'016C' TR31 Import - Permit V2 to PINVER:VISA-PVV TR31 Key Import1 CSNBT31I ON O
X'016D' TR31 Import - Permit E0 to DKYGENKY:DKYL0+DMAC TR31 Key Import1 CSNBT31I OFF O
X'016E' TR31 Import - Permit E0 to DKYGENKY:DKYL0+DMV TR31 Key Import1 CSNBT31I OFF O
X'016F' TR31 Import - Permit E0 to DKYGENKY:DKYL1+DMAC TR31 Key Import1 CSNBT31I OFF O
X'0170' TR31 Import - Permit E0 to DKYGENKY:DKYL1+DMV TR31 Key Import1 CSNBT31I OFF O
X'0171' TR31 Import - Permit E1 to DKYGENKY:DKYL0+DMPIN TR31 Key Import1 CSNBT31I OFF O
X'0172' TR31 Import - Permit E1 to DKYGENKY:DKYL0+DDATA TR31 Key Import1 CSNBT31I OFF O
X'0173' TR31 Import - Permit E1 to DKYGENKY:DKYL1+DMPIN TR31 Key Import1 CSNBT31I OFF O
X'0174' TR31 Import - Permit E1 to DKYGENKY:DKYL1+DDATA TR31 Key Import1 CSNBT31I OFF O
X'0175' TR31 Import - Permit E2 to DKYGENKY:DKYL0+DMAC TR31 Key Import1 CSNBT31I OFF O
X'0176' TR31 Import - Permit E2 to DKYGENKY:DKYL1+DMAC TR31 Key Import1 CSNBT31I OFF O
X'0177' TR31 Import - Permit E3 to ENCIPHER TR31 Key Import1 CSNBT31I OFF O
X'0178' TR31 Import - Permit E4 to DKYGENKY:DKYL0+DDATA TR31 Key Import1 CSNBT31I ON O
X'0179' TR31 Import - Permit E5 to DKYGENKY:DKYL0+DMAC TR31 Key Import1 CSNBT31I OFF O
X'017A' TR31 Import - Permit E5 to DKYGENKY:DKYL0+DDATA TR31 Key Import1 CSNBT31I OFF O
X'017B' TR31 Import - Permit E5 to DKYGENKY:DKYL0+DEXP TR31 Key Import1 CSNBT31I OFF O
X'017C' TR31 Import - Permit V0/V1/V2:N to PINGEN/PINVER TR31 Key Import1 CSNBT31I OFF O, SC
X'017D' TR31 Import - Permit HMAC MAC TR31 Key Import CSNBT31I ON O, SC
X'017E' T31I - Permit B0:X to AES DKYGENKY:DUKPT BDK TR31 Key Import CSNBT31I ON O
X'0180' T31X - Permit DES KEYGENKY: DUKPT to B0:N/X TR31 Translate1 CSNBT31X ON O
X'0181' T31X - Permit DES MAC/MACVER:AMEX-CSC to C0:G/C/V TR31 Translate1 CSNBT31X OFF O
X'0182' T31X - Permit DES MAC/MACVER: CVV-KEYA to C0:G/C/V TR31 Translate1 CSNBT31X OFF O
X'0183' T31X - Permit DES MAC/MACVER:ANY-MAC to C0:G/C/V TR31 Translate1 CSNBT31X ON O
X'0184' T31X - Permit DES DATA to C0:G/C/V TR31 Translate1 CSNBT31X ON O
X'0185' T31X - Permit DES ENCIPHER/DECIPHER/CIPHER to D0:E/D/B TR31 Translate1 CSNBT31X ON O
X'0186' T31X - Permit DES DATA to D0:E/D/B TR31 Translate1 CSNBT31X ON O
X'0187' T31X - Permit DES EXPORTER/OKEYXLAT to K0:E TR31 Translate1 CSNBT31X ON O
X'0188' T31X - Permit DES IMPORTER/IKEYXLAT to K0:D TR31 Translate1 CSNBT31X OFF O
X'0189' T31X - Permit DES EXPORTER/OKEYXLAT to K1/K4:E TR31 Translate1 CSNBT31X OFF O
X'018A' T31X - Permit DES IMPORTER/IKEYXLAT to K1/K4:D TR31 Translate1 CSNBT31X OFF O
X'018B' T31X - Permit DES MAC/DATA/DATAM to M0:G/C TR31 Translate1 CSNBT31X OFF O
X'018C' T31X - Permit DES MACVER/DATAMV to M0:V TR31 Translate1 CSNBT31X ON O
X'018D' T31X - Permit DES MAC/DATA/DATAM to M1:G/C TR31 Translate1 CSNBT31X ON O
X'018E' T31X - Permit DES MACVER/DATAMV to M1:V TR31 Translate1 CSNBT31X ON O
X'018F' T31X - Permit DES MAC/DATA/DATAM to M3:G/C TR31 Translate1 CSNBT31X ON O
X'0190' T31X - Permit DES MACVER/DATAMV to M3:V TR31 Translate1 CSNBT31X ON O
X'0191' T31X - Permit DES OPINENC to P0:E TR31 Translate1 CSNBT31X ON O
X'0192' T31X - Permit DES IPINENC to P0:D TR31 Translate1 CSNBT31X ON O
X'0193' T31X - Permit DES PINVER:NO-SPEC to V0 TR31 Translate1 CSNBT31X OFF O
X'0194' T31X - Permit DES PINGEN:NO-SPEC to V0 TR31 Translate1 CSNBT31X OFF O
X'0195' T31X - Permit DES PINVER:NO-SPEC/IBM-PIN/IBM-PINO to V1 TR31 Translate1 CSNBT31X ON O
X'0196' T31X - Permit DES PINGEN:NO-SPEC/IBM-PIN/IBM-PINO to V1 TR31 Translate1 CSNBT31X ON O
X'0197' T31X - Permit DES PINVER:NO-SPEC/VISA-PVV to V2 TR31 Translate1 CSNBT31X ON O
X'0198' T31X - Permit DES PINGEN:NO-SPEC/VISA-PVV to V2 TR31 Translate1 CSNBT31X ON O
X'0199' T31X - Permit DES DKYGENKY:DKYL0 + DMAC to E0:N/X TR31 Translate1 CSNBT31X OFF O
X'019A' T31X - Permit DES DKYGENKY:DKYL0 + DMV to E0:N/X TR31 Translate1 CSNBT31X OFF O
X'019B' T31X - Permit DES DKYGENKY:DKYL0 + DALL to E0:N/X TR31 Translate1 CSNBT31X OFF O
X'019C' T31X - Permit DES DKYGENKY:DKYL1 + DMAC to E0:N/X TR31 Translate1 CSNBT31X OFF O
X'019D' T31X - Permit DES DKYGENKY:DKYL1+DMV to E0:N/X TR31 Translate1 CSNBT31X OFF O
X'019E' T31X - Permit DES DKYGENKY:DKYL1+DALL to E0:N/X TR31 Translate1 CSNBT31X OFF O
X'019F' T31X - Permit DES DKYGENKY:DKYL0+DDATA to E1:N/X TR31 Translate1 CSNBT31X OFF O
X'01A0' T31X - Permit DES DKYGENKY:DKYL0+DMPIN to E1:N/X TR31 Translate1 CSNBT31X OFF O
X'01A1' T31X - Permit DES DKYGENKY:DKYL0+DALL to E1:N/X TR31 Translate1 CSNBT31X OFF O
X'01A2' T31X - Permit DES DKYGENKY:DKYL1+DDATA to E1:N/X TR31 Translate1 CSNBT31X OFF O
X'01A3' T31X - Permit DES DKYGENKY:DKYL1+DMPIN to E1:N/X TR31 Translate1 CSNBT31X OFF O
X'01A4' T31X - Permit DES DKYGENKY:DKYL1+DALL to E1:N/X TR31 Translate1 CSNBT31X OFF O
X'01A5' T31X - Permit DES DKYGENKY:DKYL0+DMAC to E2:N/X TR31 Translate1 CSNBT31X OFF O
X'01A6' T31X - Permit DES DKYGENKY:DKYL0+DALL to E2:N/X TR31 Translate1 CSNBT31X OFF O
X'01A7' T31X - Permit DES DKYGENKY:DKYL1+DMAC to E2:N/X TR31 Translate1 CSNBT31X OFF O
X'01A8' T31X - Permit DES DKYGENKY:DKYL1+DALL to E2:N/X TR31 Translate1 CSNBT31X OFF O
X'01A9' T31X - Permit DES DATA/MAC/CIPHER/ENCIPHER to E3:N/G/E/X TR31 Translate1 CSNBT31X OFF O
X'01AA' T31X - Permit DES DKYGENKY:DKYL0+DDATA to E4:N/X TR31 Translate1 CSNBT31X ON O
X'01AB' T31X - Permit DES DKYGENKY:DKYL0+DALL to E4:N/X TR31 Translate1 CSNBT31X ON O
X'01AC' T31X - Permit DES DKYGENKY:DKYL0+DEXP to E5:N/X TR31 Translate1 CSNBT31X OFF O
X'01AD' T31X - Permit DES DKYGENKY:DKYL0+DMAC to E5:N/X TR31 Translate1 CSNBT31X OFF O
X'01AE' T31X - Permit DES DKYGENKY:DKYL0+DDATA to E5:N/X TR31 Translate1 CSNBT31X OFF O
X'01AF' T31X - Permit DES DKYGENKY:DKYL0+DALL to E5:N/X TR31 Translate1 CSNBT31X ON O
X'01B0' T31X - Permit DES PINGEN to V0:N and DES PINVER to V1/V2:N TR31 Translate1 CSNBT31X OFF O, SC
X'01B1' Public Infrastructure Manage Public Infrastructure Manage
Note: ACP required for a TKE service.
CSNDPIM ON O
X'01B2' PIM: Load Root Certificate Public Infrastructure Manage
Note: ACP required for a TKE service.
CSNDPIM OFF O
X'01B3' PIM: Activate Root Certificate Public Infrastructure Manage
Note: ACP required for a TKE service.
CSNDPIM OFF O
X'01B4' PIM: Renew Certificate Public Infrastructure Manage
Note: ACP required for a TKE service.
CSNDPIM ON O
X'01B5' PIM: Change Certificate Label Public Infrastructure Manage
Note: ACP required for a TKE service.
CSNDPIM ON O
X'01B6' PIM: Delete Certificate Public Infrastructure Manage
Note: ACP required for a TKE service.
CSNDPIM OFF O
X'01B7' PIM: Signature Algorithm SHA+RSA Public Infrastructure Manage
Note: ACP required for a TKE service.
CSNDPIM OFF O
X'01B8' PIM: Signature Algorithm ECDSA Public Infrastructure Manage
Note: ACP required for a TKE service.
CSNDPIM OFF O
X'01B9' PIM: Signature Algorithm RSASSA_PSS Public Infrastructure Manage
Note: ACP required for a TKE service.
CSNDPIM OFF O
X'01BA' PIM: Signature Algorithm SHA-1 Public Infrastructure Manage
Note: ACP required for a TKE service.
CSNDPIM OFF O
X'01BB' PIM: Signature Algorithm SHA-224 Public Infrastructure Manage
Note: ACP required for a TKE service.
CSNDPIM OFF O
X'01BC' PIM: Signature Algorithm SHA-256 Public Infrastructure Manage
Note: ACP required for a TKE service.
CSNDPIM OFF O
X'01BD' PIM: Signature Algorithm SHA-384 Public Infrastructure Manage
Note: ACP required for a TKE service.
CSNDPIM OFF O
X'01BE' PIM: Signature Algorithm SHA-512 Public Infrastructure Manage
Note: ACP required for a TKE service.
CSNDPIM OFF O
X'01BF' PIM: Load Sub-CA Certificate Public Infrastructure Manage
Note: ACP required for a TKE service.
CSNDPIM OFF O
X'01C0' Cipher Text Translate2 Cipher Text Translate2 CSNBCTT2 ON O
X'01C1' Cipher Text Translate2 - Allow translate from AES to TDES Cipher Text Translate2 CSNBCTT2 ON SC
X'01C2' Cipher Text Translate2 - Allow translate to weaker AES Cipher Text Translate2 CSNBCTT2 ON SC
X'01C3' Cipher Text Translate2 - Allow translate to weaker DES Cipher Text Translate2 CSNBCTT2 ON SC
X'01C4' Cipher Text Translate2 - Allow only cipher text translate types Cipher Text Translate2 CSNBCTT2 OFF O
X'01C8' Unique Key Derive Unique Key Derive CSNBUKD ON O
X'01C9' Unique Key Derive - Allow PIN-DATA processing Unique Key Derive CSNBUKD OFF NR
X'01CA' Unique Key Derive - Override default wrapping Unique Key Derive CSNBUKD ON O
X'01CB' Key Test - Warn when keyword inconsistent with key length Key Test Extended CSNBKYTX OFF O
X'01CC' Access Control Tracking - Enable Access Control Tracking CSUAACT OFF O
X'01CD' Symmetric Algorithm Encipher - Galois/Counter mode AES Symmetric Algorithm Encipher CSNBSAE ON O
X'01CE' Symmetric Algorithm Decipher - Galois/Counter mode AES Symmetric Algorithm Decipher CSNBSAD ON O
X'01CF' T31X - Permit AES DKYGENKY:DUKPT BDK to B0:X TR31 Translate1 CSNBT31X ON O
X'01D0' T31X - Permit AES CIPHER to D0:E/D/B TR31 Translate CSNBT31X ON O
X'01D1' T31X - Permit AES MAC: CMAC to M6:G/C/V TR31 Translate CSNBT31X ON O
X'01D2' T31X - Permit AES PINPROT to P0:E/D TR31 Translate CSNBT31X ON O
X'01D3' T31X - Permit AES EXPORTER to K0:E TR31 Translate CSNBT31X ON O
X'01D4' T31X - Permit AES EXPORTER to K1:E TR31 Translate CSNBT31X ON O
X'01D5' T31X - Permit AES EXPORTER to K4:E TR31 Translate CSNBT31X ON O
X'01D6' T31X - Permit AES IMPORTER to K0:D TR31 Translate CSNBT31X ON O
X'01D7' T31X - Permit AES IMPORTER to K1:D TR31 Translate CSNBT31X ON O
X'01D8' T31X - Permit AES IMPORTER to K4:D TR31 Translate CSNBT31X ON O
X'01D9' T31X - Permit AES DKYGENKY:D-ALL/DMAC to E0:X TR31 Translate CSNBT31X ON O
X'01DA' T31X - Permit AES DKYGENKY:D-ALL/DCIPHER to E1:X TR31 Translate CSNBT31X ON O
X'01DB' T31X - Permit AES DKYGENKY:D-ALL/D-MAC to E2:X TR31 Translate CSNBT31X ON O
X'01DC' T31X - Permit AES CIPHER to E3/E/B,DKYGENKY:D-ALL/DCIP to E3:X TR31 Translate CSNBT31X ON O
X'01DD' T31X - Permit AES DKYGENKY:D-ALL/D-CIPHER to E4:X TR31 Translate CSNBT31X ON O
X'01DE' T31X - Permit AES DKYGENKY:D-MAC to E5:X TR31 Translate CSNBT31X ON O
X'01DF' TR-34 Key Receive - Allow wrapping override keywords TR-34 Key Receive CSNDT34R ON O
X'01E0' T31I - Permit D0:E/D/B to AES CIPHER:ENC/DEC/ENC+DEC TR31 Key Import CSNBT31I ON O
X'01E1' T31I - Permit M6:G/C/V to AES MAC:CMAC+GENONLY/GEN/VER TR31 Key Import CSNBT31I ON O
X'01E2' T31I - Permit P0:E/D to AES PINPROT:ENC/DEC+CBC+ISO-4 TR31 Key Import CSNBT31I ON O
X'01E3' T31I - Permit K0:E to AES EXPORTER TR31 Key Import CSNBT31I ON O
X'01E4' T31I - Permit K0:D to AES IMPORTER TR31 Key Import CSNBT31I ON O
X'01E5' T31I - Permit K1/K4:E to AES EXPORTER:EXPTT31D+VARDRV-D TR31 Key Import CSNBT31I ON O
X'01E6' T31I - Permit AES K1/K4:D to AES IMPORTER:IMPTT31D+VARDRV-D TR31 Key Import CSNBT31I ON O
X'01E7' T31I - Permit E0:X to AES DKYGENKY:DKYL0/L1/L2+D-MAC+GEN+CMAC TR31 Key Import CSNBT31I ON O
X'01E8' T31I - Permit E1:X to AES DKYGENKY:DKYL0/L1/L2+D-SECMSG+SMPIN TR31 Key Import CSNBT31I ON O
X'01E9' T31I - Permit E2:X to AES DKYGENKY:DKYL0/L1/L2+D-MAC+GEN+CMAC TR31 Key Import CSNBT31I ON O
X'01EA' T31I - Permit E3:X to AES DKYGENKY:D-CIPHER+ENC+DEC+CBC TR31 Key Import CSNBT31I ON O
X'01EB' T31I - Permit E3:E/B to AES CIPHER:ENCRYPT/ENC+DEC TR31 Key Import CSNBT31I ON O
X'01EC' T31I - Permit E4:X to AES DKYGENKY:DKYL0/L1/L2+D-CIPHER+ENC+DEC TR31 Key Import CSNBT31I ON O
X'01ED' T31I - Permit E5:X to AES DKYGENKY:DKYL0/L1/L2/D-MAC+GEN+CMAC TR31 Key Import CSNBT31I ON O
X'01EE' PKA Key Translate - allow COMP-TAG PKA Key Translate CSNDPKT ON O
X'01EF' PKA Key Translate - allow COMP-CHK PKA Key Translate CSNDPKT ON O
X'01F0' TR-34 Bind-Begin TR-34 Bind-Begin CSNDT34B ON O
X'01F1' TR-34 Bind-Begin - allow BINDCR TR-34 Bind-Begin CSNDT34B ON O
X'01F2' TR-34 Bind-Begin - allow UNBINDCR TR-34 Bind-Begin CSNDT34B ON O
X'01F3' TR-34 Bind-Begin - allow REBINDCR TR-34 Bind-Begin CSNDT34B ON O
X'01F4' TR-34 Begin-Complete TR-34 Bind-Complete CSNDT34C ON O
X'01F5' TR-34 Begin-Complete - allow BINDKRDC TR-34 Bind-Complete CSNDT34C ON O
X'01F6' TR-34 Begin-Complete - allow BINDRV TR-34 Bind-Complete CSNDT34C ON O
X'01F7' TR-34 Begin-Complete - allow UNBINDRV TR-34 Bind-Complete CSNDT34C ON O
X'01F8' TR-34 Begin-Complete - allow REBINDRV TR-34 Bind-Complete CSNDT34C ON O
X'01F9' TR-34 Key Distribution TR-34 Key Distribution CSNDT34D ON O
X'01FA' TR-34 Key Distribution - allow 2PASSCRE TR-34 Key Distribution CSNDT34D ON O
X'01FB' TR-34 Key Distribution - allow 1PASSCRE TR-34 Key Distribution CSNDT34D ON O
X'01FC' TR-34 Key Receive TR-34 Key Receive CSNDT34R ON O
X'01FD' TR-34 Key Receive - allow 2PASSRCV TR-34 Key Receive CSNDT34R ON O
X'01FE' TR-34 Key Receive - allow 1PASSRCV TR-34 Key Receive CSNDT34R ON O
X'01FF' Permit X.509 without PKI root validation TR-34 Bind-Begin, TR-34 Bind-Complete, TR-34 Key Distribution, TR-34 Key Receive CSNDT34B, CSNDT34C, CSNDT34D, CSNDT34R ON O
X'0203' Retained Key Delete Retained Key Delete CSNDRKD ON O, SEL
X'0204' PKA Key Generate - Clone PKA Key Generate1 CSNDPKG ON O
X'0205' PKA Key Generate - Clear RSA Key PKA Key Generate1 CSNDPKG ON O, SUP
X'0206' PKA Encrypt - Disallow PKCS-1.2 PKA Encrypt CSNDPKE OFF O
X'0207' PKA Encrypt - Disallow ZEROPAD PKA Encrypt CSNDPKE OFF O
X'0208' PKA Encrypt - Disallow MRP PKA Encrypt CSNDPKE OFF O
X'0209' PKA Encrypt - Disallow PKCSOAEP PKA Encrypt CSNDPKE OFF O
X'020A' PKA Decrypt - Disallow PKCS-1.2 PKA Decrypt CSNDPKD OFF O
X'020B' PKA Decrypt - Disallow ZEROPAD PKA Decrypt CSNDPKD OFF O
X'020C' PKA Decrypt - Disallow PKCSOAEP PKA Decrypt CSNDPKD OFF O
X'020D' T31X - Permit HMAC MAC to M7:G/V/C TR31 Translate1 CSNBT31X ON O
X'020E' PKA Key Generate - Clear ML-KEM, CRYSTALS-Kyber keys PKA Key Generate CSNDPKG ON O
X'020F' PKA Key Translate - Allow QSA private key export PKA Key Translate CSNDPKT OFF O
X'0230' Retained Key List Retained Key List CSNDRKL ON O
X'0235' Symmetric Key Import - DES, PKA92 KEK Symmetric Key Import1 CSNDSYI ON O
X'023C' Symmetric Key Generate - DES, ZERO-PAD Symmetric Key Generate1 CSNDSYG ON O, SC
X'023D' Symmetric Key Import - DES, ZERO-PAD Symmetric Key Import1 CSNDSYI ON O, SC
X'023E' Symmetric Key Export - DES, ZERO-PAD Symmetric Key Export1 CSNDSYX ON O, SC
X'023F' Symmetric Key Generate - DES, PKCS-1.2 Symmetric Key Generate1 CSNDSYG ON O, SC
X'0242' TR-34 Key Distribution - permit DES EXPORTER to K0 or K1 TR-34 Key Distribution CSNDT34D ON O, R
X'0243' TR-34 Key Distribution - permit DES IMPORTER to K0 or K1 TR-34 Key Distribution CSNDT34D ON O, R
X'0244' TR-34 Key Distribution - permit AES EXPORTER to K0 TR-34 Key Distribution CSNDT34D ON O, R
X'0245' TR-34 Key Distribution - permit AES EXPORTER to K1 TR-34 Key Distribution CSNDT34D ON O, R
X'0246' TR-34 Key Distribution - permit AES IMPORTER to K0 TR-34 Key Distribution CSNDT34D ON O, R
X'0247' TR-34 Key Distribution - permit AES IMPORTER to K1 TR-34 Key Distribution CSNDT34D ON O, R
X'0248' TR-34 Key Receive - permit DES EXPORTER TR-34 Key Receive CSNDT34R ON O, R
X'0249' TR-34 Key Receive - permit DES IMPORTER TR-34 Key Receive CSNDT34R ON O, R
X'024A' TR-34 Key Receive - permit AES EXPORTER TR-34 Key Receive CSNDT34R ON O, R
X'024B' TR-34 Key Receive - permit AES IMPORTER TR-34 Key Receive CSNDT34R ON O, R
X'024C' TR-34 Key Receive - permit AES EXPORTER with EXPTT31D TR-34 Key Receive CSNDT34R ON O, R
X'024D' TR-34 Key Receive - permit AES IMPORTER with IMPTT31D TR-34 Key Receive CSNDT34R ON O, R
X'0259' Clear Pending Change Buffer
Note: This ACP is included for TKE reference only.
OFF O
X'0261' TKE Authorization for domain 0
Note: This ACP is included for TKE reference only.
OFF O
X'0262' TKE Authorization for domain 1
Note: This ACP is included for TKE reference only.
OFF O
X'0263' TKE Authorization for domain 2
Note: This ACP is included for TKE reference only.
OFF O
X'0264' TKE Authorization for domain 3
Note: This ACP is included for TKE reference only.
OFF O
X'0265' TKE Authorization for domain 4
Note: This ACP is included for TKE reference only.
OFF O
X'0266' TKE Authorization for domain 5
Note: This ACP is included for TKE reference only.
OFF O
X'0267' TKE Authorization for domain 6
Note: This ACP is included for TKE reference only.
OFF O
X'0268' TKE Authorization for domain 7
Note: This ACP is included for TKE reference only.
OFF O
X'0269' TKE Authorization for domain 8
Note: This ACP is included for TKE reference only.
OFF O
X'026A' TKE Authorization for domain 9
Note: This ACP is included for TKE reference only.
OFF O
X'026B' TKE Authorization for domain 10
Note: This ACP is included for TKE reference only.
OFF O
X'026C' TKE Authorization for domain 11
Note: This ACP is included for TKE reference only.
OFF O
X'026D' TKE Authorization for domain 12
Note: This ACP is included for TKE reference only.
OFF O
X'026E' TKE Authorization for domain 13
Note: This ACP is included for TKE reference only.
OFF O
X'026F' TKE Authorization for domain 14
Note: This ACP is included for TKE reference only.
OFF O
X'0270' TKE Authorization for domain 15
Note: This ACP is included for TKE reference only.
OFF O
X'0273' Secure Messaging for Keys Secure Messaging for Keys CSNBSKY ON O
X'0274' Secure Messaging for PINs Secure Messaging for PINs CSNBSPN ON O
X'0275' DATAM Key Management Control Diversified Key Generate, Data Key Import, Data Key Export, Key Export, Key Generate, Key Import CSNBDKG, CSNBDKM, CSNBDKX, CSNBKEX, CSNBKGN, CSNBKIM ON O
X'0276' Key Export - Unrestricted Key Export CSNBKEX ON O, SC
X'0277' Data Key Export - Unrestricted Data Key Export CSNBDKX ON O, SC
X'0278' Key Part Import - ADD-PART Key Part Import1 CSNBKPI ON SC, SEL
X'0279' Key Part Import - COMPLETE Key Part Import1 CSNBKPI ON SC, SEL
X'027A' Key Part Import - Unrestricted Key Part Import CSNBKPI ON O, SC
X'027B' Key Import - Unrestricted Key Import CSNBKIM ON O, SC
X'027C' Data Key Import - Unrestricted Data Key Import CSNBDKM ON O, SC
X'027D' PKA Key Generate - Permit Regeneration Data PKA Key Generate1 CSNDPKG ON O, NRP, SC
X'027E' PKA Key Generate - Permit Regeneration Data Retain PKA Key Generate1 CSNDPKG ON O, NRP, SC
X'027F' PKA Key Generate - Clear ML-DSA, CRYSTALS-Dilithium keys PKA Key Generate CSNDPKG ON O
X'0290' Diversified Key Generate - DKYGENKY - DALL Diversified Key Generate2, PIN Change/Unblock2 CSNBDKG, CSNBPCU OFF O, SC
X'0291' Transaction Validation - Generate Transaction Validation1 CSNBTRV ON O, SEL
X'0292' Transaction Validation - Verify CSC-3 Transaction Validation1 CSNBTRV ON O
X'0293' Transaction Validation - Verify CSC-4 Transaction Validation1 CSNBTRV ON O
X'0294' Transaction Validation - Verify CSC-5 Transaction Validation1 CSNBTRV ON O
X'0295' High-performance secure DES keys Enables CPACF key translation for DES keys. N/A ON O
X'0296' High-performance secure AES keys Enables CPACF key translation for AES keys. N/A ON O
X'0297' Key Part Import2 - Load first key part, require 3 key parts Key Part Import2 CSNBKPI2 ON O
X'0298' Key Part Import2 - Load first key part, require 2 key parts Key Part Import2 CSNBKPI2 ON O
X'0299' Key Part Import2 - Load first key part, require 1 key parts Key Part Import2 CSNBKPI2 ON O
X'029A' Key Part Import2 - Add second of 3 or more key parts Key Part Import2 CSNBKPI2 ON O
X'029B' Key Part Import2 - Add last required key part Key Part Import2 CSNBKPI2 ON O
X'029C' Key Part Import2 - Add optional key part Key Part Import2 CSNBKPI2 ON O
X'029D' Key Part Import2 - Complete key Key Part Import2 CSNBKPI2 ON SEL
X'029E' Operational Key Load - Variable-Length Tokens Key Part Import2 CSNBKPI2 ON O
X'02AB' CCA Device Certificate Delete, Auth (Smart Card) N/A: For TKE use only. N/A OFF SC
X'02AC' TKE CA Certificate Exp Delete (Smart Card) N/A: For TKE use only. N/A OFF SC
X'02AD' TR-34 Key Receive - permit AES IMPORTER with IMPTT31D TR31 Translate CSNBT31X OFF O, R
X'02AE' T31X Permit IMPORTER to K0/K1:B TR31 Translate CSNBT31X OFF O, R
X'02B0' Recover PIN From Offset Recover PIN from Offset CSNBPFO ON O
X'02B1' Authentication Parameter Generate Authentication Parameter Generate CSNBAPG ON O
X'02B2' Authentication Parameter Generate - Clear Authentication Parameter Generate1 CSNBAPG ON O
X'02B3' Symmetric Key Export - AESKWCV Symmetric Key Export CSNDSYX ON O
X'02B4' Symmetric Key Import2 - AESKWCV Symmetric Key Import2 CSNDSYI2 ON O
X'02B5' Symmetric Key Export with Data Symmetric Key Export with Data CSNDSXD ON O
X'02B6' Symmetric Key Export with Data - Special Symmetric Key Export with Data CSNDSXD ON O
X'02B8' Diversified Key Generate - TDES-CBC Diversified Key Generate CSNBDKG2 ON O
X'02B9' Symmetric Key Import2 - Allow wrapping override keywords Symmetric Key Import21 CSNDSYI2 ON O
X'02BA' Remote Key Export - Allow wrapping override keywords Remote Key Export1 CSNDRKX OFF O
X'02BB' Key Generate2 - DK PIN key set Key Generate21 CSNBKGN2 OFF O
X'02BC' Key Generate2 - DK PIN print key Key Generate21 CSNBKGN2 OFF O
X'02BD' Key Generate2 - DK PIN admin1 key set PINPROT Key Generate21 CSNBKGN2 OFF O
X'02BE' Key Generate2 - DK PIN admin1 key set MAC Key Generate21 CSNBKGN2 OFF O
X'02BF' Key Generate2 - DK PIN admin2 key set MAC Key Generate21 CSNBKGN2 OFF O
X'02C0' DK Random PIN Generate DK Random PIN Generate CSNBDRPG OFF O
X'02C1' DK PIN Verify DK PIN Verify CSNBDPV OFF O
X'02C2' DK PIN Change DK PIN Change CSNBDPC OFF O
X'02C3' DK PRW Card Number Update DK PRW Card Number Update CSNBDPNU OFF O
X'02C4' DK PRW CMAC Generate DK PRW CMAC Generate CSNBDPCG OFF O
X'02C5' DK PAN Modify in Transaction DK PAN Modify in Transaction CSNBDPMT OFF O
X'02C6' DK Deterministic PIN Generate DK Deterministic Generate CSNBDDPG OFF O
X'02C7' DK PAN Translate DK PAN Translate CSNBDPT OFF O
X'02C8' DK Regenerate PRW DK Regenerate PRW CSNBDRP OFF O
X'02CC' DK Regenerate PRW Diversified Key Generate21 CSNBDKG2 ON O
X'02CD' Diversified Key Generate2 - DALL Diversified Key Generate21 CSNBDKG2 OFF O
X'02CE' DK Migrate PIN DK Migrate PIN CSNBDMP OFF O
X'02CF' FPE Encrypt FPE Encipher CSNBFPEE ON ID, R
X'02D0' FPE Decrypt FPE Decipher CSNBFPED ON ID, R
X'02D1' FPE Translate FPE Translate CSNBFPET ON ID, R
X'02D2' Diversified Key Generate2 - MK-OPTC Diversified Key Generate2 CSNBDKG2 ON O
X'02D3' Diversified Key Generate2 - KDFFM-DK Diversified Key Generate2 CSNBDKG2 ON O
X'02D4' Diversified Key Generate2 - Allow length option for KDFFM-DK Diversified Key Generate2 CSNBDKG2 OFF O
X'02D5' Encrypted PIN Translate Enhanced Encrypted PIN Translate Enhanced CSNBPTRE ON O
X'02D6' DM load role
Note: ACP required for a TKE service.
OFF SUP
X'02D7' DM load profile
Note: ACP required for a TKE service.
OFF SUP
X'02D8' DM load role cos
Note: ACP required for a TKE service.
OFF SUP
X'02D9' DM load profile cos
Note: ACP required for a TKE service.
OFF SUP
X'02DA' DM delete role Access Control Maintenance
Note: ACP required for a TKE service.
CSUAACM OFF SUP
X'02DB' DM delete profile Access Control Maintenance
Note: ACP required for a TKE service.
CSUAACM OFF SUP
X'02DC' DM delete role cos Access Control Maintenance
Note: ACP required for a TKE service.
CSUAACM OFF SUP
X'02DD' DM delete profile cos Access Control Maintenance
Note: ACP required for a TKE service.
CSUAACM OFF SUP
X'02E0' CFC:COMPIMPR
Note: This ACP is included for TKE reference only.
OFF SUP
X'02E1' CFC:COMPIMPR cos
Note: This ACP is included for TKE reference only.
OFF SUP
X'02E2' CFC:COMP-SET
Note: This ACP is included for TKE reference only.
OFF SUP
X'02E3' CFC:COMP-SET cos
Note: This ACP is included for TKE reference only.
OFF SUP
X'02E4' CFC:COMP-RMV
Note: This ACP is included for TKE reference only.
OFF SUP
X'02E5' CFC:COMP-RMV cos
Note: This ACP is included for TKE reference only.
OFF SUP
X'02E6' CFC:COMP-RMV imprint mode
Note: This ACP is included for TKE reference only.
OFF SUP
X'02E7' CFC:COMPMIGB
Note: This ACP is included for TKE reference only.
OFF SUP
X'02E8' CFC:COMPMIGB cos
Note: This ACP is included for TKE reference only.
OFF SUP
X'02E9' CFC:COMPMIGE
Note: This ACP is included for TKE reference only.
OFF SUP
X'02EA' CFC:COMPMIGE cos
Note: This ACP is included for TKE reference only.
OFF SUP
X'02EC' IGN_RKA_DATAXMAC Reserved for future use. OFF N/A
X'02ED' CMD_RKA_DATAXCIP Reserved for future use. OFF N/A
X'02EE' CMD_PKT_INTUSCHG Reserved for future use. ON N/A
X'02EF' CMD_PKT_EXTUSCHG Reserved for future use. OFF N/A
X'02F0' PUB_X_MACDPUB Reserved for future use. OFF N/A
X'02F1' RSAPRV_X_MACDPUB Reserved for future use. OFF N/A
X'02F2' ECCPRV_X_MACDPUB Reserved for future use. OFF N/A
X'02F3' X509_X_MACDPUB Reserved for future use. OFF N/A
X'02F4' ALLOW_SHA1_X509 Reserved for future use. OFF N/A
X'02F5' Authenticated Key Export - SETSNKEY
Note: This ACP is included for TKE reference only.
ON O
X'02F6' Authenticated Key Export - DRVTXKEY
Note: This ACP is included for TKE reference only.
ON O
X'02F7' Authenticated Key Export - EXPTSK
Note: This ACP is included for TKE reference only.
ON O
X'02F8' Key Translate2 - COMP-TAG Key Translate2 CSNBKTR2 ON O
X'02F9' Key Translate2 - COMP-CHK Key Translate2 CSNBKTR2 ON O
X'0300' NOCV KEK usage for export-related functions Data Key Export, Key Export, Key Generate, Remote Key Export CSNBDKX, CSNBKEX, CSNBKGN, CSNDRKX ON O
X'0301' Prohibit Export Extended Prohibit Export Extended CSNBPEXX ON O
X'0309' Operational Key Load Key Part Import CSNBKPI ON O
X'030A' NOCV KEK usage for import-related functions Data Key Import, Key Import, Key Generate, Remote Key Export CSNBDKM, CSNBKIM, CSNBKGN, CSNDRKX ON O
X'030C' DSG - ZERO-PAD unrestricted hash length Digital Signature Generate CSNDDSG OFF O, SC
X'030D' Key Encryption Translate - CBC to ECB
Note: This ACP is included for TKE reference only, the service impacted is available only (for IBM Z) on z/OS.
ON O
X'030E' Key Encryption Translate - ECB to CBC
Note: This ACP is included for TKE reference only, the service impacted is available only (for IBM Z) on z/OS.
ON O
X'030F' Trusted Block Create - Create Block in inactive form Trusted Block Create CSNDTBC ON O, SUP
X'0310' Trusted Block Create - Activate an inactive block Trusted Block Create CSNDTBC ON O, SUP
X'0311' PKA Key Import - Import an external trusted block PKA Key Import CSNDPKI ON O, SEL
X'0312' Remote Key Export - Gen or export a non-CCA node key Remote Key Export CSNDRKX ON O, SEL
X'0313' Enhanced PIN Security Clear PIN Generate Alternate, Clear PIN Encrypt, Encrypted PIN Generate, Encrypted PIN Translate, Encrypted PIN Verify, Encrypted PIN Verify2, PIN Change/Unblock CSNBCPA, CSNBCPE, CSNBEPG, CSNBPTR, CSNBPVR, CSNBPVR2, CSNBPCU OFF O, SC, SEL
X'0318' PKA Key Translate - from CCA RSA to SC Visa Format PKA Key Translate CSNDPKT ON O
X'0319' PKA Key Translate - from CCA RSA to SC ME Format PKA Key Translate CSNDPKT ON O
X'031A' PKA Key Translate - from CCA RSA to SC CRT Format PKA Key Translate CSNDPKT ON O
X'031B' PKA Key Translate - from source EXP KEK to target EXP KEK PKA Key Translate CSNDPKT ON O
X'031C' PKA Key Translate - from source IMP KEK to target EXP KEK PKA Key Translate CSNDPKT ON O
X'031D' PKA Key Translate - from source IMP KEK to target IMP KEK PKA Key Translate CSNDPKT ON O
X'0326' PKA Key Generate - Clear ECC keys PKA Key Generate CSNDPKG ON O
X'0327' Symmetric Key Export - AESKW Symmetric Key Export CSNDSYX ON O, R
X'0329' Symmetric Key Import2 - AESKW Symmetric Key Import21 CSNDSYI2 ON O, R
X'032A' Key Translate2 - Disallow AES ver 5 to ver 4 conversion Key Translate21 CSNBKTR2 OFF O, R
X'032B' Symmetric Key Import2 - disallow weak import Symmetric Key Import21 CSNDSYI2 OFF O, R
X'032E' Trusted Block Create - Disallow triple-length MAC key Trusted Block Create CSNDTBC OFF O
X'0334' Key Translate2 - Translate fixed to variable payload Key Translate2 CSNBKTR2 OFF SC
X'0335' Unique Key Derive - K3IPEK Unique Key Derive CSNBUKD OFF SC
X'0336' MAC Generate2 - AES CMAC MAC Generate2 CSNBMGN2 ON O
X'0337' MAC Verify2 - AES CMAC MAC Verify2 CSNBMVR2 ON O
X'0338' PKA Key Translate - from CCA RSA CRT to EMV DDA format PKA Key Translate1 CSNDPKT ON O
X'0339' PKA Key Translate - from CCA RSA CRT to EMV DDAE format PKA Key Translate1 CSNDPKT ON O
X'033A' PKA Key Translate - from CCA RSA CRT to EMV CRT format PKA Key Translate1 CSNDPKT ON O
X'033B' Digital Signature Verify - PKCS-PSS allow not exact salt length Digital Signature Verify CSNDDSV OFF SC
X'033C' Digital Signature Generate - PKCS-PSS allow small salt Digital Signature Verify CSNDDSV OFF SC
X'033E' CKM_RAKW - Allow RSA2048 to wrap stronger keys (e.g.,AES-128,192,256) PKA Key Translate, Symmetric Key Export CSNDPKT, CSNDSYX OFF SC
X'0350' ANSI X9.8 PIN - Enforce PIN block restrictions Clear PIN Generate Alternate, Encrypted PIN Translate, Secure Messaging for PINs CSNBCPA, CSNBPTR, CSNBSPN OFF O, R
X'0351' ANSI X9.8 PIN - Allow modification of PAN Encrypted PIN Translate, Secure Messaging for PINs CSNBPTR, CSNBSPN OFF O, SC
X'0352' ANSI X9.8 PIN - Allow only ANSI PIN blocks Encrypted PIN Translate, Secure Messaging for PINs CSNBPTR, CSNBSPN OFF O, SC
X'0353' ANSI X9.8 PIN - Load Decimalization Tables
Note: This ACP is included for TKE reference only, the service impacted is available only (for IBM Z) on z/OS.
OFF O
X'0354' ANSI X9.8 PIN - Delete Decimalization Tables
Note: This ACP is included for TKE reference only, the service impacted is available only (for IBM Z) on z/OS.
OFF O
X'0355' ANSI X9.8 PIN - Activate Decimalization Tables
Note: This ACP is included for TKE reference only, the service impacted is available only (for IBM Z) on z/OS.
OFF O
X'0356' ANSI X9.8 PIN - Use stored decimalization tables only Clear PIN Generate1, Clear PIN Generate Alternate1, Encrypted PIN Generate1, Encrypted PIN Verify1 CSNBPGN, CSNBCPA, CSNBEPG, CSNBPVR OFF O, R
X'035D' ECC Diffie-Hellman - Allow Hybrid QSA Scheme EC Diffie-Hellman CSNDEDH ON O
X'035E' ECC Diffie-Hellman - Allow Koblitz Curve 256 EC Diffie-Hellman CSNDEDH ON O
X'035F' ECC Diffie-Hellman - Allow DRIV02 EC Diffie-Hellman CSNDEDH ON O
X'0360' ECC Diffie-Hellman EC Diffie-Hellman1 CSNDEDH ON O
X'0361' ECC Diffie-Hellman - Allow PASSTHRU EC Diffie-Hellman1 CSNDEDH ON O
X'0362' ECC Diffie-Hellman - Allow key wrap override EC Diffie-Hellman1 CSNDEDH ON O
X'0363' ECC Diffie-Hellman - Allow Prime Curve 192 EC Diffie-Hellman1 CSNDEDH ON O
X'0364' ECC Diffie-Hellman - Allow Prime Curve 224 EC Diffie-Hellman1 CSNDEDH ON O
X'0365' ECC Diffie-Hellman - Allow Prime Curve 256 EC Diffie-Hellman1 CSNDEDH ON O
X'0366' ECC Diffie-Hellman - Allow Prime Curve 384 EC Diffie-Hellman1 CSNDEDH ON O
X'0367' ECC Diffie-Hellman - Allow Prime Curve 521 EC Diffie-Hellman1 CSNDEDH ON O
X'0368' ECC Diffie-Hellman - Allow BP Curve 160 EC Diffie-Hellman1 CSNDEDH ON O
X'0369' ECC Diffie-Hellman - Allow BP Curve 192 EC Diffie-Hellman1 CSNDEDH ON O
X'036A' ECC Diffie-Hellman - Allow BP Curve 224 EC Diffie-Hellman1 CSNDEDH ON O
X'036B' ECC Diffie-Hellman - Allow BP Curve 256 EC Diffie-Hellman1 CSNDEDH ON O
X'036C' ECC Diffie-Hellman - Allow BP Curve 320 EC Diffie-Hellman1 CSNDEDH ON O
X'036D' ECC Diffie-Hellman - Allow BP Curve 384 EC Diffie-Hellman1 CSNDEDH ON O
X'036E' ECC Diffie-Hellman - Allow BP Curve 512 EC Diffie-Hellman1 CSNDEDH ON O
X'036F' ECC Diffie-Hellman - Prohibit weak key generate EC Diffie-Hellman CSNDEDH OFF O
X'0370' CSNBKPIT: Allow load 1st key part for a key with min 3 key parts
Note: This ACP is included for TKE reference only, the service impacted is available only (for IBM Z) on z/OS.
OFF O
X'0371' CSNBKPIT: Allow load 1st key part for a key with min 2 key parts
Note: This ACP is included for TKE reference only, the service impacted is available only (for IBM Z) on z/OS.
OFF O
X'0372' CSNBKPIT: Allow load 1st key part for a key with min 1 key part
Note: This ACP is included for TKE reference only, the service impacted is available only (for IBM Z) on z/OS.
OFF O
X'0373' CSNBKPIT: Allow load 2nd and later key part for a key requiring more key parts
Note: This ACP is included for TKE reference only, the service impacted is available only (for IBM Z) on z/OS.
OFF O
X'0374' CSNBKPIT: Allow load last key part for a key
Note: This ACP is included for TKE reference only, the service impacted is available only (for IBM Z) on z/OS.
OFF O
X'0375' CSNBKPIT: Allow load an optional key part for a key
Note: This ACP is included for TKE reference only, the service impacted is available only (for IBM Z) on z/OS.
OFF O
X'0376' CSNBKPIT: Allow completing a key that has all key parts loaded
Note: This ACP is included for TKE reference only, the service impacted is available only (for IBM Z) on z/OS.
OFF O
X'0377' CSNBKPIT: Allow clearing a key part register
Note: This ACP is included for TKE reference only, the service impacted is available only (for IBM Z) on z/OS.
OFF O
X'0378' CSNBKPIT: Allow HMAC load 1st key part for a key with min 3 key parts
Note: This ACP is included for TKE reference only, the service impacted is available only (for IBM Z) on z/OS.
OFF O
X'0379' CSNBKPIT: Allow HMAC load 1st key part for a key with min 2 key parts
Note: This ACP is included for TKE reference only, the service impacted is available only (for IBM Z) on z/OS.
OFF O
X'037A' CSNBKPIT: Allow HMAC load 1st key part for a key with min 1 key part
Note: This ACP is included for TKE reference only, the service impacted is available only (for IBM Z) on z/OS.
OFF O
X'037B' CSNBKPIT: Allow HMAC load 2nd and later key part for a key requiring more key parts
Note: This ACP is included for TKE reference only, the service impacted is available only (for IBM Z) on z/OS.
OFF O
X'037C' CSNBKPIT: Allow HMAC load last key part for a key
Note: This ACP is included for TKE reference only, the service impacted is available only (for IBM Z) on z/OS.
OFF O
X'037D' CSNBKPIT: Allow HMAC load an optional key part for a key
Note: This ACP is included for TKE reference only, the service impacted is available only (for IBM Z) on z/OS.
OFF O
X'037E' CSNBKPIT: Allow HMAC completing a key that has all key parts loaded
Note: This ACP is included for TKE reference only, the service impacted is available only (for IBM Z) on z/OS.
OFF O
X'037F' CSNBKPIT: Allow HMAC clearing a key part register
Note: This ACP is included for TKE reference only, the service impacted is available only (for IBM Z) on z/OS.
OFF O
X'0382' T31X - Permit Version D TR-31 Key Blocks TR31 Translate CSNBT31X ON O
X'0383' T31X - Permit AES KDKGENKY: KDKTYPEA to 11:X TR31 Translate CSNBT31X OFF O
X'0384' T31X - Permit AES KDKGENKY: KDKTYPEB to 10:X TR31 Translate CSNBT31X OFF O
X'0385' T31X - Permit DKYGENKY:DKYL0+DMPIN to 12 TR31 Translate CSNBT31X OFF O
X'0386' T31I - Permit version D TR-31 key blocks TR31 Key Import CSNBT31I ON O
X'0387' T31I - Permit AES 10 to KDKGENKY:KDKTYPEA TR31 Key Import CSNBT31I OFF O
X'0388' T31I - Permit AES 11 to KDKGENKY:KDKTYPEB TR31 Key Import CSNBT31I OFF O
X'0389' T31I - Permit DES 12 to DKYGENKY:DKYL0:DMPIN to 12 TR31 Key Import CSNBT31I OFF O
X'038A' Encrypted PIN Translate2 - Permit ISO-4 to ISO-4 Translate Encrypted PIN Translate2 CSNBPTR2 ON O
X'038B' Encrypted PIN Translate2 - Permit ISO-4 Reformat w/ PAN Chg Encrypted PIN Translate2 CSNBPTR2 OFF O
X'038C' Encrypted PIN Translate2 - Permit ISO-1 to ISO-4 Reformat Encrypted PIN Translate2 CSNBPTR2 ON O
X'038D' Encrypted PIN Translate2 - Permit ISO-4 to ISO-1 Reformat Encrypted PIN Translate2 CSNBPTR2 ON O
X'038E' Encrypted PIN Translate2 - Permit ISO-0 to ISO-4 Reformat Encrypted PIN Translate2 CSNBPTR2 ON O
X'038F' Encrypted PIN Translate2 - Permit ISO-4 to ISO-0 Reformat Encrypted PIN Translate2 CSNBPTR2 ON O
X'0391' Encrypted PIN Translate2 - REFORMAT Encrypted PIN Translate2 CSNBPTR2 ON O
X'0392' Encrypted PIN Translate2 - TRANSLATE Encrypted PIN Translate2 CSNBPTR2 ON O
X'0393' Encrypted PIN Translate2 - Permit ISO-1 to ISO-4 RFMT1TO4 Encrypted PIN Translate2 CSNBPTR2 OFF O
X'0394' Encrypted PIN Translate2 - Permit ISO-4 to ISO-1 RFMT4TO1 Encrypted PIN Translate2 CSNBPTR2 OFF O
X'0395' Encrypted PIN Translate2 - Permit ISO-4 to ISO-4 PTR2AUTH Encrypted PIN Translate2 CSNBPTR2 OFF O
X'0396' Format Preserving Algorithms Encipher/Decipher - Allow FF1 Format Preserving Algorithms Decipher, Format Preserving Algorithms Encipher, Format Preserving Algorithms Translate CSNBFFXD, CSNBFFXE, CSNBFFXT ON O
X'0397' Format Preserving Algorithms Encipher/Decipher - Allow FF2 Format Preserving Algorithms Decipher, Format Preserving Algorithms Encipher, Format Preserving Algorithms Translate CSNBFFXD, CSNBFFXE, CSNBFFXT ON O
X'0398' Format Preserving Algorithms Encipher/Decipher - Allow FF2.1 Format Preserving Algorithms Decipher, Format Preserving Algorithms Encipher, Format Preserving Algorithms Translate CSNBFFXD, CSNBFFXE, CSNBFFXT ON O
X'0399' Format Preserving Algorithms Encipher Format Preserving Algorithms Encipher CSNBFFXE ON O
X'039A' Format Preserving Algorithms Decipher Format Preserving Algorithms Decipher CSNBFFXD ON O
X'039B' Format Preserving Algorithms Translate Format Preserving Algorithms Translate CSNBFFXT ON O
X'039C' Format Preserving Algorithms Translate - Allow weaker output key Format Preserving Algorithms Translate CSNBFFXT ON O
X'039D' Key Generate2 - Allow GEN of OPOP EPVR/OPIN Key Pair Key Generate2 CSNBKGN2 OFF O
X'039E' T31X - Permit DES OPINENC/IPINENC to P0:B TR31 Translate1 CSNBT31X ON O
X'039F' General ISO PIN Error Security Encrypted PIN Translate, Encrypted PIN Translate2, DK PIN Change, DK PIN Verify CSNBPTR, CSNBPTR2, CSNBDPC, CSNBDPV OFF SC
X'03A0' Encrypted PIN Translate - Translate PIN Check Mode Encrypted PIN Translate, Encrypted PIN Translate2 CSNBPTR, CSNBPTR2 OFF O
X'03B0' Encrypted PIN Verify2 – REFPIN Encrypted PIN Verify2 CSNBPVR2 ON O
X'03B1' Encrypted PIN Verify2 - TRUNCPIN Encrypted PIN Verify2 CSNBPVR2 ON O
X'03B2' Symmetric Algorithm Encipher - Allow A28MACGN and A28MACVR Symmetric Algorithm Encipher CSNBSAE ON O
X'03B3' Symmetric Algorithm Encipher - Allow A28OWFCL Symmetric Algorithm Encipher CSNBSAE ON O
X'03B4' Symmetric Algorithm Encipher - Allow A28OWFEC Symmetric Algorithm Encipher CSNBSAE ON O
X'03B5' Random Number Generate Long - TDES-CBC Random Number Generate Long CSNBRNGL ON O
X'03B6' PKA Key Translate - From CCA RSA to CKM-RAKW format PKA Key Translate CSNDPKT OFF O
X'03B7' PKA Key Translate - From CCA ECC to CKM-RAKW format PKA Key Translate CSNDPKT OFF O
X'03B8' Symmetric Key Export - AES, CKM-RAKW Symmetric Key Export CSNDSYX OFF O
X'03B9' Diversified Key Generate - A28OWFEC Diversified Key Generate CSNBDKG ON O
X'03BA' Diversified Key Generate - A28OWFCL Diversified Key Generate CSNBDKG ON O
X'03BB' Diversified Key Generate - A28XOREC Diversified Key Generate CSNBDKG ON O
X'03BC' KPI2 - Allow TR-31 clear key import Key Part Import2 CSNBKPI2 ON R
X'03C1' T31C - Permit TR-31 AES creation TR31 Key Create CSNBT31C ON R
X'03C2' T31C - Permit TR-31 DES creation TR31 Key Create CSNBT31C ON R
X'03C3' T31C - Permit TR-31 HMAC creation TR31 Key Create CSNBT31C ON R
X'03C4' T31C - Permit TR-31 internal key creation TR31 Key Create CSNBT31C ON R
X'03C5' T31C - Permit TR-31 external key creation TR31 Key Create CSNBT31C ON R
X'03C6' T31C - Permit TR-31 internal/external key pair creation TR31 Key Create CSNBT31C ON R
X'03C7' T31C - Permit TR-31 KB Version A creation TR31 Key Create CSNBT31C ON R
X'03C8' T31C - Permit TR-31 KB Version B creation TR31 Key Create CSNBT31C ON R
X'03C9' T31C - Permit TR-31 KB Version C creation TR31 Key Create CSNBT31C ON R
X'03CA' T31C - Permit TR-31 KB Version D creation TR31 Key Create CSNBT31C ON R
X'03CB' Permit import of an RSA key token from a PKCS#11 CKM_RSA_AES_KEY_WRAP object PKA Key Import CSNDPKI OFF O
X'03CC' Permit import of an ECC key token from a PKCS#11 CKM_RSA_AES_KEY_WRAP object PKA Key Import CSNDPKI OFF
X'03CD' Permit import of an AES key token from a PKCS#11 CKM_RSA_AES_KEY_WRAP object PKA Key Import CSNDPKI OFF
X'03D0' KPIT - Allow TR-31 AES load “FIRST” Minpart1 (Note: This ACP is included for TKE reference only; the service impacted is available only (for IBM Z) on z/OS.) OFF O
X'03D1' KPIT - Allow TR-31 AES load “FIRST” Minpart2+ (Note: This ACP is included for TKE reference only; the service impacted is available only (for IBM Z) on z/OS.) OFF O
X'03D2' KPIT - Allow TR-31 AES Add 2nd and later key parts (Note: This ACP is included for TKE reference only; the service impacted is available only (for IBM Z) on z/OS.) OFF O
X'03D3' KPIT - Allow TR-31 AES Clearing Key Part Reg (Note: This ACP is included for TKE reference only; the service impacted is available only (for IBM Z) on z/OS.) OFF O
X'03D4' KPIT - Allow TR-31 DES load “FIRST” Minpart1 (Note: This ACP is included for TKE reference only; the service impacted is available only (for IBM Z) on z/OS.) OFF O
X'03D5' KPIT - Allow TR-31 DES load “FIRST” Minpart2+ (Note: This ACP is included for TKE reference only; the service impacted is available only (for IBM Z) on z/OS.) OFF O
X'03D6' KPIT - Allow TR-31 DES Add 2nd and later key parts (Note: This ACP is included for TKE reference only; the service impacted is available only (for IBM Z) on z/OS.) OFF O
X'03D7' KPIT - Allow TR-31 DES Clearing Key Part Reg (Note: This ACP is included for TKE reference only; the service impacted is available only (for IBM Z) on z/OS.) OFF O
X'03D8' KPIT - Allow TR-31 HMAC load “FIRST” Minpart1 (Note: This ACP is included for TKE reference only; the service impacted is available only (for IBM Z) on z/OS.) OFF O
X'03D9' KPIT - Allow TR-31 HMAC load “FIRST” Minpart2+ (Note: This ACP is included for TKE reference only; the service impacted is available only (for IBM Z) on z/OS.) OFF O
X'03DA' KPIT - Allow TR-31 HMAC Add 2nd and later key parts (Note: This ACP is included for TKE reference only; the service impacted is available only (for IBM Z) on z/OS.) OFF O
X'03DB' KPIT - Allow TR-31 HMAC Clearing Key Part Reg (Note: This ACP is included for TKE reference only; the service impacted is available only (for IBM Z) on z/OS.) OFF O
X'03DC' KPIT - Allow TR-31 AES Complete (Note: This ACP is included for TKE reference only; the service impacted is available only (for IBM Z) on z/OS.) OFF O
X'03DD' KPIT - Allow TR-31 DES Complete (Note: This ACP is included for TKE reference only; the service impacted is available only (for IBM Z) on z/OS.) OFF O
X'03DE' KPIT - Allow TR-31 HMAC Complete (Note: This ACP is included for TKE reference only; the service impacted is available only (for IBM Z) on z/OS.) OFF O
X'03DF' T31X - Permit DES KEYGENKY:DUKPT, AES DKYGENKY:DUKPT to B1 TR31 Translate CSNBT31X ON O
X'03E0' T31X - Permit DES DKYGENKY, AES KDKGENKY to B3 TR31 Translate CSNBT31X ON O
X'03E1' T31X - Permit CIPHER:XLATE to D3 TR31 Translate CSNBT31X ON O
X'03E2' T31X - Permit SECMSG:SMPIN to P0 TR31 Translate CSNBT31X ON O
X'03E3' T31X - Permit SECMSG:SMKEY to K0 TR31 Translate CSNBT31X ON O
X'03E4' T31X - Permit DES DKYGENKY:DKYL0+DMAC to F0:X TR31 Translate CSNBT31X OFF O
X'03E5' T31X - Permit DES DKYGENKY:DKYL0+DMV to F0:X TR31 Translate CSNBT31X OFF O
X'03E6' T31X - Permit DES DKYGENKY: DKYL0+DALL to F0:X TR31 Translate CSNBT31X OFF O
X'03E7' T31X - Permit DES MAC to M6 TR31 Translate CSNBT31X ON O
X'03E8' T31I - Permit B1 to DES KEYGENKY:DUKPT and AES DKYGENKY:DUKPT TR31 Key Import CSNBT31I ON O
X'03E9' T31I - T31I - Permit B3 to DES DKYGENKY and AES KDKGENKY TR31 Key Import CSNBT31I ON O
X'03EA' T31I - Permit D3 to CIPHER:XLATE TR31 Key Import CSNBT31I ON O
X'03EB' T31I - Permit F0:X to DES DKYGENKY:DKYL0+DMAC TR31 Key Import CSNBT31I OFF O
X'03EC' T31I - Permit F0:X to DES DKYGENKY:DKYL0+DMV TR31 Key Import CSNBT31I OFF O
X'03ED' T31I - Permit F1:X to DES DKYGENKY:DKYL0+DMPIN TR31 Key Import CSNBT31I OFF O
X'03EE' T31I - Permit F1:X to DES DKYGENKY:DKYL0+DDATA TR31 Key Import CSNBT31I OFF O
X'03EF' T31I - Permit F2:X to DES DKYGENKY:DKYL0+DMAC TR31 Key Import CSNBT31I OFF O
X'03F0' T31I - Permit M6 to DES MAC TR31 Key Import CSNBT31I ON O
X'03F1' PKA Encrypt - Disallow PKOAEP2 PKA Encrypt CSNDPKE OFF O
X'03F2' PKA Decrypt - Disallow PKOAEP2 PKA Decrypt CSNDPKD OFF O
X'03F3' SKY - Allow K0 for secmsg key identifier Secure Messaging for Keys CSNBSKY ON O
X'03F4' SPN - Allow P0 for secmsg key identifier Secure Messaging for PINs CSNBSPN ON O
X'03F5' T31X - Permit DES DKYGENKY:DKYL0+DDATA to F1:X TR31 Translate CSNBT31X OFF O
X'03F6' T31X - Permit DES DKYGENKY:DKYL0+DMPIN to F1:X TR31 Translate CSNBT31X OFF O
X'03F7' T31X - Permit DES DKYGENKY:DKYL0+DALL to F1:X TR31 Translate CSNBT31X OFF O
X'03F8' T31X - Permit DES DKYGENKY:DKYL0+DMAC to F2:X TR31 Translate CSNBT31X OFF O
X'03F9' T31X - Permit DES DKYGENKY:DKYL0+DALL to F2:X TR31 Translate CSNBT31X OFF O
X'03FA' T31X - Permit DES DATA/MAC/CIPHER/ENCIPHER to F3:N/G/E/X TR31 Translate CSNBT31X OFF O
X'03FB' T31X - Permit DES DKYGENKY:DKYL0+DDATA to F4:X TR31 Translate CSNBT31X ON O
X'03FC' T31X - Permit DES DKYGENKY:DKYL0+DALL to F4:X TR31 Translate CSNBT31X ON O
X'03FD' T31X - Permit AES DKYGENKY:D-ALL/DMAC to F0:X TR31 Translate CSNBT31X ON O
X'03FE' T31X - Permit AES DKYGENKY:DALL/DCIPHER to F1:X TR31 Translate CSNBT31X ON O
X'03FF' T31X - Permit AES DKYGENKY:D-ALL/DMAC to F2:X TR31 Translate CSNBT31X ON O
X'0500' T31X - Permit AES CIPHER, DKYGENKY:DALL/DCIPHER to F3:E/B/X TR31 Translate CSNBT31X ON O
X'0501' T31X - Permit AES DKYGENKY:DALL/DCIPHER to F4:X TR31 Translate CSNBT31X ON O
X'0502' T31I - Permit F3:N/E/D/B/G/X to DES ENCIPHER TR31 Key Import CSNBT31I OFF O
X'0503' T31I - Permit F4:X to DES DKYGENKY:DKYL0+DDATA TR31 Key Import CSNBT31I ON O
X'0504' T31I - Permit F0:X to AES DKYGENKY:DKYL0+DMAC+GENERATE+CMAC TR31 Key Import CSNBT31I ON O
X'0505' T31I - Permit F1:X to AES DKYGENKY:DKYL0+DSECMSG+SMPIN+ANY-USE TR31 Key Import CSNBT31I ON O
X'0506' T31I - Permit F2:X to AES DKYGENKY:DKYL0+D-MAC+GENERATE+CMAC TR31 Key Import CSNBT31I ON O
X'0507' T31I - Permit F3:X to AES DKYGENKY:D-CIPHER+ENCRYPT+DECRYPT+CBC TR31 Key Import CSNBT31I ON O
X'0508' T31I - Permit F3:E/B to AES CIPHER:ENCRYPT/ENCRYPT+DECRYPT TR31 Key Import CSNBT31I ON O
X'0509' T31I - Permit F4:X to AES DKYGENKY:DKYL0+D-CIPHER+ENC+DEC+CBC TR31 Key Import CSNBT31I ON O
X'050A' T31X – Permit AES PINPROT to P0:B TR31 Translate CSNBT31X ON O, SUP

Managing ACPs using a TKE workstation

The TKE workstation allows you to enable or disable access control points for verbs.

For systems that do not use the optional TKE workstation, most access control points (current and new) are enabled in the default role with the appropriate licensed internal code on the CEX*C. For more information about the TKE workstation, see z/OS Cryptographic Services.

For information about required TKE versions for accessing the various CEX*C features, see CEX8C information.

Use of particular cryptographic or key management verb functions with the CEX*C is controlled through access control points. The default setting of each access control point is shown in the Initial setting column of Table 1.
Note:
  1. Access control points DKYGENKY-DALL and DSG ZERO-PAD unrestricted hash length are always disabled in the default role for all customers (TKE and non-TKE). A TKE workstation is required to enable these access control points.
  2. When you modify the setting of an access control point, be sure to follow a procedure that complies with your organization's security policy. TKE workstation versions earlier than V6.0 do not show the current setting of the access control points. TKE workstation versions 6.0 and higher show the current setting, but show neither the default settings nor a change history of the listed access control points. If you do not remember the change history, note that using the Zeroize function of the card or the domain to reset all access control points to their default values discards all keys.
  3. The TKE can save the current ACP settings under a given name. If something fails with ACP changes, you can restore the old settings on the TKE.
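
Because the TKE shows current ACP settings but neither the defaults nor a change history, it helps to keep your own record and compare it with Table 1. The following is an added example, not IBM code: it parses a few rows of Table 1 and checks a recorded set of settings against the Initial setting column and against the enable/disable guidance at the top of this page. `RECORDED`, the function names and the finding labels are assumptions made for illustration, and the recorded values are constructed.

```python
import re

# Rows copied from Table 1 on this page (one ACP per line).
TABLE_ROWS = """\
X'0393' Encrypted PIN Translate2 - Permit ISO-1 to ISO-4 RFMT1TO4 Encrypted PIN Translate2 CSNBPTR2 OFF O
X'039C' Format Preserving Algorithms Translate - Allow weaker output key Format Preserving Algorithms Translate CSNBFFXT ON O
X'03B8' Symmetric Key Export - AES, CKM-RAKW Symmetric Key Export CSNDSYX OFF O
X'03F1' PKA Encrypt - Disallow PKOAEP2 PKA Encrypt CSNDPKE OFF O
X'050A' T31X – Permit AES PINPROT to P0:B TR31 Translate CSNBT31X ON O, SUP
"""

# Offset, free text (ACP name + verb + entry point), initial setting, usage codes.
ROW = re.compile(r"^X'([0-9A-F]{4})'\s+(.+)\s+(ON|OFF)\s+([A-Z]+(?:,\s*[A-Z]+)*)$")

def parse_defaults(text):
    """Map ACP offset -> (description, default_on) for every complete row."""
    defaults = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            defaults[int(m.group(1), 16)] = (m.group(2), m.group(3) == "ON")
    return defaults

def audit(defaults, current):
    """Compare recorded settings {offset: enabled} with the table defaults.

    Findings: 'drift' (differs from Initial setting), 'allow-enabled' and
    'disallow-off' (against the enable/disable guidance), 'unknown' (no row).
    """
    findings = []
    for offset in sorted(current):
        if offset not in defaults:
            findings.append((offset, "unknown"))
            continue
        desc, default_on = defaults[offset]
        enabled = current[offset]
        if enabled != default_on:
            findings.append((offset, "drift"))
        if "Disallow" in desc and not enabled:
            findings.append((offset, "disallow-off"))
        elif re.search(r"\b(Allow|Permit)\b", desc) and enabled:
            findings.append((offset, "allow-enabled"))
    return findings

# Constructed sample: settings an administrator wrote down after a TKE session.
RECORDED = {0x0393: True, 0x039C: True, 0x03B8: False, 0x03F1: False, 0x0400: True}

if __name__ == "__main__":
    for offset, finding in audit(parse_defaults(TABLE_ROWS), RECORDED):
        print(f"X'{offset:04X}' {finding}")
```

An 'allow-enabled' finding is a prompt to confirm that the underlying action is needed, not an error in itself, since many Allow and Permit ACPs are ON in the default role.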