Restrictions
The restrictions for CSNBMVR.
It might seem intuitive that a DATAM key should also be usable for the MAC Generate verb, and a DATAMV key for the MAC Verify verb, with the CPACF exploitation layer. However, this would violate the security restrictions imposed by the user when the user creates a key of type DATAM or DATAMV. A DES key that has been translated for use with the CPACF (see CPACF support) can be used with CPACF DES encrypt and decrypt operations, an operation that is by definition not allowed for a DATAM or DATAMV key type. Also note that by definition both through z/OS® CCA-ICSF and in this S390 Linux™CCA access layer, a DATA key of 16 bytes or 24 bytes in length is restricted from use with the X9.19OPT and EMVMACD rule_array keyword specified MAC algorithms. The only available MAC algorithm for a 16-byte or 24-byte DATA key is the TDES-MAC algorithm.
Also note that the CPACF exploitation layer is activated only for MAC Generate or MAC Verify calls that specify the ONLY rule_array keyword for segmenting control (this is the default segmenting control if no segmenting control rule_array keyword is specified). The reason for this is that the intermediate MAC context for normal CEX*C calls to MAC Generate and MAC Verify is protected by the adapter Master Key. Because the same security cannot be provided for intermediate results from the host-based CPACF exploitation layer (they are returned in the clear by the CPACF) the FIRST, MIDDLE, and LAST segmenting control keywords will direct operations to the CEX*C.
TR-31 tokens can only be used with this verb starting with CCA 8.1.