Follow the steps in this procedure to use keys with CPACF, protected key.
Procedure
- An eligible CCA verb call (see lists in Access control points that affect CPACF protected key operations) specifying a key token or key identifier for a key token that is a normal internal CCA key token, called key-e here, comes into the CCA library.
- The CCA library verifies that a CEX*C is available for key translation. If not, then the standard no-available-device error is returned.
- The CCA library tries to find an already translated version (key-t) that matches the key-e passed into the CCA library.
  - The user application (CCA library in this case) must cache translated key-t objects in RAM, using the key-e tokens as references.
  - If a key-t is not found for the key-e used: The CCA library translates the key-e to a key-t for use with the CPACF using CCA secure services, then caches the key pair.
  - At this point, either a fresh key-t has been obtained, or a key-t was found in RAM cache for the operation.
- The CCA library directs the operation to the CPACF using the key-t.
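A small C model of the device check and the key-e to key-t cache described in the steps above, added here as an illustration and not taken from the CCA library. The names `get_key_t` and `translate_on_adapter`, the cache layout, the return codes and the 64-byte token size are hypothetical, and the XOR only marks where the adapter's translation would run.

```c
#include <stdio.h>
#include <string.h>

#define TOKEN_LEN 64   /* constructed token size for this model */
#define SLOTS 8
enum { OK = 0, ERR_NO_DEVICE = -1, ERR_CACHE_FULL = -2 };

struct pair { unsigned char key_e[TOKEN_LEN], key_t[TOKEN_LEN]; int used; };
static struct pair cache[SLOTS];   /* RAM cache of (key-e, key-t) pairs */
static int device_available = 1;   /* models "a CEX*C is available" */
static int translations = 0;       /* number of trips to the adapter */

/* Hypothetical stand-in for the CCA secure service that runs on the
 * adapter. The XOR is NOT the real transform; it only makes key-t differ. */
static void translate_on_adapter(const unsigned char *key_e, unsigned char *key_t) {
    for (size_t i = 0; i < TOKEN_LEN; i++) key_t[i] = key_e[i] ^ 0xA5;
    translations++;
}

/* Device check and cache lookup: on OK, *key_t points at the cached key-t. */
int get_key_t(const unsigned char *key_e, const unsigned char **key_t) {
    struct pair *slot = NULL;
    if (!device_available) return ERR_NO_DEVICE;   /* checked before the lookup */
    for (int i = 0; i < SLOTS; i++) {
        if (cache[i].used && memcmp(cache[i].key_e, key_e, TOKEN_LEN) == 0) {
            *key_t = cache[i].key_t;               /* hit: reuse, no adapter call */
            return OK;
        }
        if (!cache[i].used && !slot) slot = &cache[i];
    }
    if (!slot) return ERR_CACHE_FULL;              /* this model has no eviction */
    memcpy(slot->key_e, key_e, TOKEN_LEN);         /* miss: key-e is the reference */
    translate_on_adapter(key_e, slot->key_t);
    slot->used = 1;
    *key_t = slot->key_t;                          /* caller would pass this to the CPACF */
    return OK;
}

int main(void) {
    unsigned char key_e[TOKEN_LEN];
    const unsigned char *key_t;
    memset(key_e, 0x11, sizeof key_e);             /* constructed sample token */
    for (int n = 0; n < 3; n++) get_key_t(key_e, &key_t);
    printf("3 calls, %d translation(s)\n", translations);
    device_available = 0;
    printf("no device: rc=%d\n", get_key_t(key_e, &key_t));
    return 0;
}
```

Because the model follows the page's step order, a call fails with the no-device code even when a matching key-t is already cached.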
Results
The panel.exe --list-cpacf command displays all the supported
CPACF functions. This is especially useful on a z/VM® system, to make sure that the protected key
functions are available. For details, see The panel.exe utility.