Key-record-list datasets and records
There is a different verb for each of the four key storage datasets: one for the AES key-store, one for the DES key-store, one for the PKA key-store, and one for the combined key storage (CMB), which works with all key token types: CCA AES, CCA DES, CCA PKA, and TR-31.
The verbs are as follows:
- For the AES key-store, use the CSNBAKRL verb: see AES Key Record List (CSNBAKRL).
- For the DES key-store, use the CSNBKRL verb: see DES Key Record List (CSNBKRL).
- For the PKA key-store, use the CSNDKRL verb: see PKA Key Record List (CSNDKRL).
- For the CMB key-store, use the CSNBCKRL verb: see Combined Key Record List (CSNBCKRL).
When any of these verbs is called and its related key-store does not yet exist, the verb creates an internal dataset that contains information about the specified key records in key storage.
The path to this dataset is defined in an environment variable, one for each key-store as follows:
- CSUAESLD: AES key-record-list file path. Default: /opt/IBM/CCA/keys/aeslist/
- CSUDESLD: DES key-record-list file path. Default: /opt/IBM/CCA/keys/deslist/
- CSUPKALD: PKA key-record-list file path. Default: /opt/IBM/CCA/keys/pkalist/
- CSUCMBLD: CMB key-record-list file path. Default: /opt/IBM/CCA/keys/cmblist/
Each data set is named:
kyrltnnn.lst
where nnn is the numeric portion of the name, which starts at 001, increments to 999, and then wraps back to 001. Locate the dataset using the fully-qualified dataset name returned by the verb. The list data set has an accompanying file called kreclist.dat, located in the same directory; this file contains the index for the next list call. For example, if the key record list has been called nine times, there will be nine kyrltnnn.lst files (kyrlt001.lst through kyrlt009.lst), and kreclist.dat will contain a single line with the value 010 to indicate that the next .lst file will be kyrlt010.lst. Your current key record list data is therefore in kyrlt009.lst.
Each list dataset has a header record, followed by zero to n detail records, where n is the number of key records with matching key labels. Both record types are 154 bytes long and consist of two CR/LF-terminated parts of 77 bytes each. For part 2 of a detail record, the offset column gives the offset from the start of the record followed by the offset from the start of part 2 (for example, 077/00).
| Offset (bytes) | Length (bytes) | Description |
|---|---|---|
| Header record (part 1) | | |
| 000 | 24 | This field contains the installation-configured listing header. The default values are: |
| 024 | 02 | This field contains space characters for separation. |
| 026 | 19 | This field contains the date and the time when the list was generated. The format is yyyy-mm-dd hh:tt:ss (year-month-day hour:minute:second). |
| 045 | 05 | This field contains space characters for separation. |
| 050 | 06 | This field contains the number of detail records. |
| 056 | 02 | This field contains space characters for separation. |
| 058 | 04 | This field contains the length of each detail record, in character form and left-aligned. The length is 154. |
| 062 | 04 | This field contains the offset to the first detail record, in character form and left-aligned. The offset is 154. |
| 066 | 09 | This field is reserved, filled with space characters. |
| 075 | 02 | This field contains carriage return/line feed (CR/LF). |
| Header record (part 2) | | |
| 077 | 64 | This field contains the key-label pattern that you used to request the list. |
| 141 | 11 | This field is reserved, filled with space characters. |
| 152 | 02 | This field contains carriage return/line feed (CR/LF). |
| Detail record (part 1) | | |
| 000 | 01 | This field contains an asterisk (*) if the key-storage record did not have a correct record validation value; such a record should be treated as a potential error. |
| 001 | 02 | This field contains spaces for separation. |
| 003 | 64 | This field contains the key label. |
| 067 | 08 | This field contains the key type, left-aligned and padded on the right with space characters. If a null key token exists in the record or if the key token does not contain the key value, this field is set to NO_KEY. For AES and DES key-storage, if the key token does not contain a control vector, this field is set to NO_CV. If the control vector cannot be decoded to a recognized key type, this field is set to UNKNOWN, and an asterisk (*) is set into the record at offset 0. For PKA key-storage, the possible key types are RSA_PRIV, RSA_PUBL, RSA_CRT or RSA_OPT. If the token type is not recognized, this field is set to ERROR. |
| 075 | 02 | This field contains carriage return/line feed (CR/LF). |
| Detail record (part 2) | | |
| 077/00 | 04 | For an internal token, this field contains the first two bytes of the master-key verification pattern, expressed in hexadecimal. |
| 081/04 | 01 | This field contains a space character for separation. |
| 082/05 | 08 | Reserved, filled with space characters. |
| 090/13 | 02 | This field contains space characters for separation. |
| 092/15 | 19 | This field contains the date and time when the record was created. The format is yyyy-mm-dd hh:tt:ss (year-month-day hour:minute:second). |
| 111/34 | 02 | This field contains space characters for separation. |
| 113/36 | 19 | This field contains the date and time when the record was last updated. The format is yyyy-mm-dd hh:tt:ss (year-month-day hour:minute:second). |
| 132/55 | 01 | This field contains a space character for separation. |
| 133/56 | 08 | This field contains the type of token: INTERNAL, EXTERNAL or NO_KEY (null token). For anything else, this field is set to ERROR and an asterisk (*) is set into the record at offset 0. |
| 141/64 | 11 | Reserved, filled with space characters. |
| 152/75 | 02 | This field contains carriage return/line feed (CR/LF). |
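The following parser, an added example and not IBM code, reads a kyrltnnn.lst file using the offsets in the table above and lists the records an administrator should review (those marked with an asterisk or carrying an unresolved key or token type). The sample listing it builds is constructed: the title, label pattern, key labels, dates and master-key verification pattern are hypothetical values, not output from real key storage.

```python
"""Added example (not IBM code): parse a kyrltnnn.lst key-record-list file using the
offsets from the table above and pick out records the listing marks as suspect."""
REC_LEN, CRLF = 154, b"\r\n"     # 77-byte part 1 + 77-byte part 2, each CR/LF-terminated
SUSPECT_KEY_TYPES = {"NO_CV", "UNKNOWN", "ERROR"}

def parse_list(data: bytes):
    """Return (header, details); raise ValueError if the layout does not match the table."""
    hdr = data[:REC_LEN]
    if len(hdr) != REC_LEN or hdr[75:77] != CRLF or hdr[152:154] != CRLF:
        raise ValueError("header record must be 154 bytes with CR/LF at offsets 75 and 152")
    header = {"title": hdr[0:24].decode().rstrip(), "generated": hdr[26:45].decode(),
              "count": int(hdr[50:56]), "detail_len": int(hdr[58:62]),   # b"154 " -> 154
              "first_detail": int(hdr[62:66]), "pattern": hdr[77:141].decode().rstrip()}
    details, pos = [], header["first_detail"]
    for _ in range(header["count"]):
        rec = data[pos:pos + header["detail_len"]]
        if len(rec) != header["detail_len"] or rec[75:77] != CRLF or rec[152:154] != CRLF:
            raise ValueError("malformed detail record at offset %d" % pos)
        details.append({"flagged": rec[0:1] == b"*",             # bad record validation value
                        "label": rec[3:67].decode().rstrip(),
                        "key_type": rec[67:75].decode().rstrip(),
                        "mkvp": rec[77:81].decode().strip(),     # offset 077/00 of the table
                        "created": rec[92:111].decode(), "updated": rec[113:132].decode(),
                        "token": rec[133:141].decode().rstrip()})
        pos += header["detail_len"]
    return header, details

def suspect_labels(details):
    """Labels worth reviewing: flagged with '*' or with an unresolved key or token type."""
    return [d["label"] for d in details
            if d["flagged"] or d["key_type"] in SUSPECT_KEY_TYPES or d["token"] == "ERROR"]

def _pack(*fields):
    """Left-align each (text, width) pair into bytes; builds the constructed sample below."""
    return b"".join(t.ljust(w).encode() for t, w in fields)

def _detail(flag, label, ktype, mkvp, created, updated, token):
    return (_pack((flag, 1), ("", 2), (label, 64), (ktype, 8)) + CRLF
            + _pack((mkvp, 4), ("", 1), ("", 8), ("", 2), (created, 19), ("", 2),
                    (updated, 19), ("", 1), (token, 8), ("", 11)) + CRLF)

def sample_list():
    """Constructed two-record AES listing (hypothetical labels and dates, not real key storage)."""
    hdr = (_pack(("CCA AES KEY LIST", 24), ("", 2), ("2024-01-15 10:30:00", 19), ("", 5),
                 ("2", 6), ("", 2), ("154", 4), ("154", 4), ("", 9)) + CRLF
           + _pack(("AES.PROD.*", 64), ("", 11)) + CRLF)
    return (hdr + _detail(" ", "AES.PROD.DATA.KEY.001", "DATA", "1A2B",
                          "2023-11-02 08:00:00", "2023-11-02 08:00:00", "INTERNAL")
            + _detail("*", "AES.PROD.DATA.KEY.002", "UNKNOWN", "",
                      "2023-11-03 09:00:00", "2024-01-10 12:00:00", "INTERNAL"))
```

Running parse_list over a real listing only requires reading the kyrltnnn.lst file in binary mode; the CR/LF checks reject a file that was re-saved with Unix line endings.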