IBM-specific attributes
Read about IBM®-specific attributes that apply to objects but are not tied to a particular mechanism or purpose.
- CKA_IBM_ATTRBOUND
- Set this attribute for attribute-bound keys so that these keys can be wrapped and unwrapped using the CKM_IBM_ATTRIBUTEBOUND_WRAP mechanism.
- CKA_IBM_OPAQUE
- Use this attribute for importing and exporting plain CCA key objects into or from sensitive openCryptoki key objects. Applications should normally not update this attribute. See also Usage notes for CCA library functions or Managing a concurrent master key change - pkcshsm_mk_change utility.
- CKA_IBM_OPAQUE_OLD
- This attribute is used by the concurrent master key change process to keep a backup of the old secure keys. In case something goes wrong, you can restore the old secure keys from that attribute. Applications should normally not update this attribute. See also Managing a concurrent master key change - pkcshsm_mk_change utility.
- CKA_IBM_OPAQUE_PKEY
- If the option PKEY_MODE is enabled in the EP11 token configuration file or in the CCA token configuration file, a protected key is generated for the applicable key object and is added to the secure key object with this IBM-specific key attribute at first use of the key. A new protected key is generated each time it is required, for example, if an LPAR has been deactivated and reactivated and its firmware master key has changed. Applications should normally not update this attribute.
- CKA_IBM_OPAQUE_REENC
- This attribute is used by the concurrent master key change process to store the re-enciphered secure keys while a master key change process is ongoing. Applications should normally not update this attribute. See also Managing a concurrent master key change - pkcshsm_mk_change utility.
- CKA_IBM_PROTKEY_EXTRACTABLE
- This key attribute is set internally to CK_TRUE if the configuration option PKEY_MODE is enabled for CCA tokens or for EP11 tokens and the key has CKA_EXTRACTABLE set to FALSE. This makes the key eligible for being transformed into a protected key for better performance, if applicable (see also Defining an EP11 token configuration file).
- CKA_IBM_PROTKEY_NEVER_EXTRACTABLE
- Marks objects that are never importable as a protected key. Conflicts with CKA_IBM_PROTKEY_EXTRACTABLE and behaves the same as CKA_NEVER_EXTRACTABLE.
- CKA_IBM_STD_COMPLIANCE1
- Compliance attribute. For EP11 tokens only and for all types of EP11 keys. Compliance settings correspond to standards-mandated sets of control points (CPs). They are read-only, and are updated when CPs are updated or when a domain changes state. See also Enterprise PKCS#11 (EP11) Library structure.
- CKA_IBM_USE_AS_DATA
- Set this attribute for keys whose raw key bytes may be used as data of some cryptographic operation, such as hashing (DigestKey()) or key derivation (DeriveKey()). This restriction further controls key-based operations that do not involve key migration and are therefore not controlled by EXTRACTABLE or transport-related control points.
- CKA_IBM_DILITHIUM_<ttt>
- For all Dilithium-related attributes, see CKM_IBM_DILITHIUM.
- CKA_IBM_KYBER_<ttt>
- For all Kyber-related attributes, see CKM_IBM_KYBER.
- CKA_IBM_CCA_AES_KEY_MODE
- Use this attribute to set the AES key mode for a key creation or key derivation operation. See Supported CCA key types and Using ECDH to derive AES keys.