Required commands

The required commands for CSNBKTR2.

This verb requires the Key Translate2 - Allow use of REFORMAT command (offset X'014B') to be enabled in the active role if the REFORMAT re-encipherment keyword is used.

Otherwise, the verb requires the Key Translate2 command (offset X'0149') to be enabled.

To use the translation control keyword WRAP-ECB or WRAP-ENH when the default key-wrapping method setting does not match the keyword, the Key Translate2 - Allow wrapping override keywords command (offset X'014A') must be enabled.

If the WRAP-ECB translation-control keyword is specified and the key in the input key token is wrapped by the enhanced wrapping method (WRAP-ENH), the verb requires the CKDS Conversion2 - Convert from enhanced to original command (offset X'0147') to be enabled. An active role with offset X'0149' enabled can also use the Key Token Change verb to translate a key from the enhanced key-wrapping method to the less-secure legacy method.

The Key Translate2 - Disallow AES ver 5 to ver 4 conversion command (offset X'032A') prevents CIPHER keys, which are in variable-length AES key tokens (newer version X'05') and wrapped under the AES master-key, from being reformatted into DATA keys, which are in fixed-length AES key tokens (older version X'04') and wrapped under the less-secure DES master-key. This command overrides the Key Translate2 - Allow use of REFORMAT command (offset X'014B').

In releases before Release 5.4 and Release 6.2, triple-length TDES keys are not supported, thus limiting an outbound TDES key to double length. Beginning with Release 5.4, triple-length TDES keys are supported, and an outbound TDES key can be double-length or triple-length. This makes it possible for data that is encrypted using a triple-length key to be translated to data encrypted using a weaker double-length key. Such a translation reduces the security of the data and causes a security exposure, and CCA normally restricts such a translation from occurring. To override this restriction, the Cipher Text Translate2 - Allow translate to weaker DES command (offset X'01C3') must be enabled in the active role.

Note: This command affects multiple verbs. See Access control points and verbs.

Also, beginning with Release 5.4 and Release 6.2, it is possible to do a translation using an output key that is weaker than the input key. To disallow this, set the command shown in Table 1:

Table 1. Disallow translation to a weaker key

| Algorithm of input KEK key | Algorithm of output KEK key | Command offset (Release 5.4 or later) | Command to disallow translation using a weaker key |
|---|---|---|---|
| AES | DES | X'01C5' | Disallow translation from AES wrapping to DES wrapping |
| AES | AES | X'01C6' | Disallow translation from AES wrapping to weaker AES wrapping |
| DES | DES | X'01C7' | Disallow translation from DES wrapping to weaker DES wrapping |

Note: This command affects multiple verbs. See Access control points and verbs.
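
The rules above can be checked mechanically when reviewing a role. The following Python sketch is an added example, not IBM code: it derives the command offsets a CSNBKTR2 call needs from its keywords and lists the settings in a role that permit a weakening translation. The function names and the set-of-offsets model of a role are assumptions; the offsets and rules are the ones stated on this page.

```python
# Added example. Offsets and rules come from the text above; the function names
# and the set-of-offsets model of a role are assumptions made for illustration.
WRAP_KEYWORDS = {"WRAP-ECB", "WRAP-ENH"}
# Table 1: (input KEK algorithm, output KEK algorithm) -> "disallow" command offset
DISALLOW_WEAKER = {("AES", "DES"): 0x01C5, ("AES", "AES"): 0x01C6, ("DES", "DES"): 0x01C7}

def required_commands(keywords, default_wrap, input_wrap):
    """Offsets the active role needs for a CSNBKTR2 call with these keywords.
    default_wrap and input_wrap are each 'WRAP-ECB' or 'WRAP-ENH'."""
    kw = set(keywords)
    need = {0x014B if "REFORMAT" in kw else 0x0149}
    if any(w != default_wrap for w in kw & WRAP_KEYWORDS):
        need.add(0x014A)  # keyword overrides the default wrapping method
    if "WRAP-ECB" in kw and input_wrap == "WRAP-ENH":
        need.add(0x0147)  # enhanced -> original (legacy) wrapping
    return need

def downgrade_findings(enabled):
    """Map offset -> reason for each role setting that permits a weakening translation."""
    out = {}
    if 0x0147 in enabled:
        out[0x0147] = "enabled: enhanced-wrapped keys can be rewrapped with WRAP-ECB"
    if 0x0149 in enabled:
        out[0x0149] = "enabled: Key Token Change can also move keys to the legacy wrapping"
    if 0x014B in enabled and 0x032A not in enabled:
        out[0x032A] = "not enabled: REFORMAT may turn AES ver 5 CIPHER keys into ver 4 DATA keys"
    if 0x01C3 in enabled:
        out[0x01C3] = "enabled: translation to a weaker DES key is allowed"
    for (src, dst), off in DISALLOW_WEAKER.items():
        if off not in enabled:
            out[off] = f"not enabled: {src}-to-{dst} translation may use a weaker output KEK"
    return out

if __name__ == "__main__":
    role = {0x0149, 0x014A, 0x0147, 0x01C5}  # constructed sample role
    need = required_commands(["WRAP-ECB"], "WRAP-ENH", "WRAP-ENH")
    print("required:", sorted(f"X'{o:04X}'" for o in need))
    print("missing :", sorted(f"X'{o:04X}'" for o in need - role))
    for off, why in sorted(downgrade_findings(role).items()):
        print(f"X'{off:04X}' {why}")
```
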