Required commands

The CSNBDKG2 required commands.

The Diversified Key Generate2 verb requires the following commands to be enabled in the active role:

Required commands for the Diversified Key Generate2 verb

Rule-array keyword Offset Command
KDFFM-DK X'02D3' Diversified Key Generate2 - KDFFM-DK
KLEN192 and KLEN256 (Release 4.4 or later) X'02D4' Diversified Key Generate2 - Allow length option for KDFFM-DK
MK-OPTC X'02D2' Diversified Key Generate2 - MK-OPTC
SESS-ENC X'02CC' Diversified Key Generate2 - SESS-ENC

An additional command is required when the key usage fields of the key token identified by the generating_key_identifier parameter specify a type of key to diversify of D-ALL (any type of key allowed). In this case, the verb requires the Diversified Key Generate2 - DALL command (offset X'02CD') to be enabled in the active role.

To allow the creation of keys used in the verb Multi-MAC Scheme (CSNBMMS), enable the command Allow CSNBDKG2 to derive keys from AES DKYGENKY keys with MMSAUTH1 attribute (offset X'00D1'). Attribute MMSAUTH2 is not allowed with CSNBDKG2.