IBMJCECCA hardware errors
When you use the IBMJCECCA security provider, you might see return codes and reason codes. These codes are described in the ICSF Application Programmer's Guide; more information about the possible errors in the context of JCECCA is provided here.
You can also review the information in the ICSF Application Programmer's Guide.
Hardware error from call CSNDPKB return code 8 reason code 11000
The value specified for length parameter for a key token, key, or text field is not valid. In general, this explanation means that you requested an algorithm or operation that is not available on your current hardware platform. For example:
- You attempted to use DSA encryption on IBM Z® hardware other than zSeries 800 or zSeries 900.
- You attempted to use AES encryption on IBM Z hardware that is earlier than IBM® z10.
Hardware error from call CSNDDSV returnCode 8 reasonCode 11008
The ICSF Application Programmer's Guide defines this error as "The public or private key values are not valid. (For example, the modulus or exponent is zero.) You cannot use the key."
This definition suggests that the key object is itself corrupted or improperly formed, which might be the case. However, this error can also be caused by specifying the wrong key.
For example, suppose you generate an RSA key pair, create a Signature object (sig), and pass the RSA private key to sig.sign(). If you then pass the RSA public key to the sig.verify() method, the expected result is true. If you instead pass the RSA public key from a different RSA key pair to the sig.verify() method, then you are passing a valid but incorrect key. In this case, the expected result from the sig.verify() method is false.
However, you might sometimes instead get an exception with the message Hardware error from call CSNDDSV returnCode 8 reasonCode 11008.
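The following added example (not IBM sample code) shows a verification helper that fails closed in both cases described above: a false result and the reason code 11008 exception are each reported as a failed verification instead of being mistaken for a corrupted key. It uses only standard JCE classes and the default provider; the exception type caught and the message match on "CSNDDSV" and "11008" are assumptions based on the message text quoted above.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;

public class VerifyWrongKey {
    enum Outcome { VALID, INVALID, WRONG_OR_BAD_KEY }

    // Verify a signature and map the provider's behaviour to one of three outcomes.
    // Assumption: the hardware error surfaces as an exception whose message
    // contains the callable service name and the reason code.
    static Outcome verify(PublicKey key, byte[] data, byte[] sigBytes) {
        try {
            // On z/OS, the provider name "IBMJCECCA" can be passed as a second argument.
            Signature sig = Signature.getInstance("SHA256withRSA");
            sig.initVerify(key);
            sig.update(data);
            return sig.verify(sigBytes) ? Outcome.VALID : Outcome.INVALID;
        } catch (GeneralSecurityException | RuntimeException e) {
            String msg = String.valueOf(e.getMessage());
            if (msg.contains("CSNDDSV") && msg.contains("11008")) {
                // Valid key object, but possibly not the key that signed the data.
                return Outcome.WRONG_OR_BAD_KEY;
            }
            // Anything else is an operational failure, not a verification result.
            throw new IllegalStateException("verification could not be performed", e);
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair signer = kpg.generateKeyPair();
        KeyPair other = kpg.generateKeyPair();   // a different, equally valid key pair

        // Constructed sample message.
        byte[] data = "constructed sample message".getBytes(StandardCharsets.UTF_8);

        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(signer.getPrivate());
        sig.update(data);
        byte[] sigBytes = sig.sign();

        System.out.println("matching key:  " + verify(signer.getPublic(), data, sigBytes));
        System.out.println("different key: " + verify(other.getPublic(), data, sigBytes));
    }
}
```

Callers should treat both INVALID and WRONG_OR_BAD_KEY as a rejected signature; the distinction is useful only for diagnostics.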
Hardware error from call CSNBSYE RC = 8 RSN = 11000
The ICSF Application Programmer's Guide defines this error as "The value specified for length parameter for a key token, key, or text field is not valid." In general, this means that you have requested an algorithm or operation not available on your current hardware platform.
However, if you are doing encryption with an AES cipher in GCM mode, it might mean that you specified an unsupported authentication tag length (TLen) in the GCMParameterSpec you provided to initialize the AES Cipher object. The authentication tag length (TLen) specified in the GCMParameterSpec must be a value accepted by the z/OS® component that will perform the encryption/decryption operation. See the z/OS ICSF Application Programmer's Guide for more information. In particular, see the section on CSNBSYE where you will find the allowed authentication tag lengths in the description of parameter key_parms_length. Note that, although the tag length specified in the GCMParameterSpec is in bits, the valid tag lengths listed in the ICSF Application Programmer's Guide are in bytes. (For example, a GCMParameterSpec TLen value of 112 corresponds to an ICSF tag length of 14.)
If you are using AES transport keys (also known as key encrypting keys), this might mean that you have attempted to encrypt data with a SECURE_INTERNAL_TOKEN AES transport key such as an AES EXPORTER key or an AES IMPORTER key. To encrypt data with an AES key, you must use an AES DATA key.
Hardware error from call CSNBSYD RC = 8 RSN = 11000
The ICSF Application Programmer's Guide defines this error as "The value specified for length parameter for a key token, key, or text field is not valid." In general, this means that you have requested an algorithm or operation not available on your current hardware platform.
However, if you are doing decryption with an AES cipher in GCM mode, it might mean that you specified an unsupported authentication tag length (TLen) in the GCMParameterSpec you provided to initialize the AES Cipher object. The authentication tag length (TLen) specified in the GCMParameterSpec must be a value accepted by the z/OS component that will perform the encryption/decryption operation. See the z/OS ICSF Application Programmer's Guide for more information. In particular, see the sections on CSNBSYD where you will find the allowed authentication tag lengths in the description of parameter key_parms_length. Note that, although the tag length specified in the GCMParameterSpec is in bits, the valid tag lengths listed in the ICSF Application Programmer's Guide are in bytes. (For example, a GCMParameterSpec TLen value of 112 corresponds to an ICSF tag length of 14.)
If you are using AES transport keys (also known as key encrypting keys), this might mean that you have attempted to decrypt encrypted data with a SECURE_INTERNAL_TOKEN AES transport key such as an AES EXPORTER key or an AES IMPORTER key. To decrypt encrypted data with an AES key, you must use an AES DATA key.
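The bits-versus-bytes point in the CSNBSYE and CSNBSYD entries above can be checked before the Cipher is initialized. This added example (not IBM sample code) uses only standard JCE classes and the default provider; the ALLOWED_TAG_BYTES set is a constructed placeholder in which only the value 14 comes from this page, and it must be replaced with the lengths listed for key_parms_length in the ICSF guide.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class GcmTagLength {
    // Placeholder set of tag lengths in BYTES, as the ICSF guide lists them.
    // Constructed for this example: 14 is the value quoted on this page, 16 is assumed.
    static final Set<Integer> ALLOWED_TAG_BYTES = new HashSet<>(Arrays.asList(14, 16));

    // Build a GCMParameterSpec from a TLen given in BITS, rejecting values that
    // do not map to an allowed byte length before any hardware call is made.
    static GCMParameterSpec gcmSpec(int tLenBits, byte[] iv) {
        if (tLenBits % 8 != 0) {
            throw new IllegalArgumentException(
                "TLen " + tLenBits + " is not a whole number of bytes (bytes passed as bits?)");
        }
        int tagBytes = tLenBits / 8;
        if (!ALLOWED_TAG_BYTES.contains(tagBytes)) {
            throw new IllegalArgumentException(
                "TLen " + tLenBits + " bits = " + tagBytes + " bytes is not in the allowed list");
        }
        return new GCMParameterSpec(tLenBits, iv);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();

        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        // Constructed sample plaintext.
        byte[] plaintext = "constructed sample plaintext".getBytes(StandardCharsets.UTF_8);

        // TLen of 112 bits corresponds to a 14-byte tag.
        Cipher enc = Cipher.getInstance("AES/GCM/NoPadding");
        enc.init(Cipher.ENCRYPT_MODE, key, gcmSpec(112, iv));
        byte[] ciphertext = enc.doFinal(plaintext);
        System.out.println("tag bytes appended: " + (ciphertext.length - plaintext.length));

        // Decryption must use the same TLen, or tag verification fails.
        Cipher dec = Cipher.getInstance("AES/GCM/NoPadding");
        dec.init(Cipher.DECRYPT_MODE, key, gcmSpec(112, iv));
        System.out.println("round trip ok: " + Arrays.equals(plaintext, dec.doFinal(ciphertext)));

        // Common mistake: passing the ICSF byte value (14) where bits are expected.
        try {
            gcmSpec(14, iv);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```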
Hardware error from call CSNBENC RC = 8 RSN = 39
The ICSF Application Programmer's Guide defines this error as "A control vector violation occurred." In general, this means that the key that you are using is not suitable for the requested operation.
If you are using triple DES transport keys (also known as key encrypting keys), this might mean that you have attempted to encrypt data with a triple DES transport key such as a triple DES EXPORTER key or a triple DES IMPORTER key. To encrypt data with a triple DES key, you must use a triple DES DATA key or a triple DES CIPHER key.
Hardware error from call CSNBENC RC = 8 RSN = 47
The ICSF Application Programmer's Guide defines this error as "A source key token is unusable because it contains data that is not valid or undefined."
If you are using a DESede/168 key (also known as a triple DES key with 168 bit strength) for encryption, this might mean that it was imported from an ANSI TR-31 Key Block. Although IBMJCECCA correctly exports a DESede/168 key into an ANSI TR-31 Key Block, it is unable to import a DESede/168 key from an ANSI TR-31 Key Block correctly. This is a limitation of the underlying z/OS support.
Hardware error from call CSNBDEC RC = 8 RSN = 39
The ICSF Application Programmer's Guide defines this error as "A control vector violation occurred." In general, this means that the key that you are using is not suitable for the requested operation.
If you are using triple DES transport keys (also known as key encrypting keys), this might mean that you have attempted to decrypt encrypted data with a triple DES transport key such as a triple DES EXPORTER key or a triple DES IMPORTER key. To decrypt encrypted data with a triple DES key, you must use a triple DES DATA key or a triple DES CIPHER key.
Hardware error from call CSNBDEC RC = 8 RSN = 47
The ICSF Application Programmer's Guide defines this error as "A source key token is unusable because it contains data that is not valid or undefined."
If you are using a DESede/168 key (also known as a triple DES key with 168 bit strength) for decryption, this might mean that it was imported from an ANSI TR-31 Key Block. Although IBMJCECCA correctly exports a DESede/168 key into an ANSI TR-31 Key Block, it is unable to import a DESede/168 key from an ANSI TR-31 Key Block correctly. This is a limitation of the underlying z/OS support.
Hardware error from call CSNBSAE RC = 8 RSN = 2154
The ICSF Application Programmer's Guide defines this error as "At least one key token passed to this callable service does not have the required key type for the specified function." In general, this means that the key that you are using is not suitable for the requested operation.
If you are using AES transport keys (also known as key encrypting keys), this might mean that you have attempted to encrypt data with a CKDS AES transport key such as an AES EXPORTER key or an AES IMPORTER key. To encrypt data with an AES key, you must use an AES DATA key.
Hardware error from call CSNBSAD RC = 8 RSN = 2154
The ICSF Application Programmer's Guide defines this error as "At least one key token passed to this callable service does not have the required key type for the specified function." In general, this means that the key that you are using is not suitable for the requested operation.
If you are using AES transport keys (also known as key encrypting keys), this might mean that you have attempted to decrypt encrypted data with a CKDS AES transport key such as an AES EXPORTER key or an AES IMPORTER key. To decrypt encrypted data with an AES key, you must use an AES DATA key.
Hardware error from call CSNDSYX returnCode 8 reasonCode 39, this DES or DESede key cannot be wrapped using a RSA cipher
The ICSF Application Programmer's Guide defines return code 8 and reason code 39 as "A control vector violation occurred." In general, this means that the key that you are using is not suitable for the requested operation.
If you are using DES or triple DES CIPHER keys, or if you are using triple DES transport keys (also known as key encrypting keys), this might mean that you have attempted to wrap a DES or triple DES CIPHER key or a triple DES transport key with an RSA cipher. These types of DES and triple DES keys can only be wrapped using a DESedeKeyWrap cipher.
Hardware error from call CSNDSYX returnCode 8 reasonCode 2016
The ICSF Application Programmer's Guide defines this error as "The rule_array parameter contents are incorrect. One or more of the rules specified are not valid for this service OR some of the rules specified together may not be combined."
If you are using AES transport keys (also known as key encrypting keys), this might mean that you have attempted to wrap an AES transport key such as an AES EXPORTER key or an AES IMPORTER key with an RSA cipher without using OAEP (Optimal Asymmetric Encryption Padding). An AES transport key must be wrapped using OAEP if an RSA cipher is used for key wrapping.
Hardware error from call CSNBKEX returnCode = 8, reasonCode = 39
The ICSF Application Programmer's Guide defines this error as "A control vector violation occurred." In general, this means that the key that you are using is not suitable for the requested operation.
If you are using triple DES transport keys (also known as key encrypting keys), this might mean that you have attempted to wrap a CKDS or SECURE_INTERNAL_TOKEN key with a DESedeKeyWrap cipher using a SECURE_INTERNAL_TOKEN key that is not a triple DES EXPORTER key. For key wrapping, the DESedeKeyWrap cipher must be initialized with a triple DES EXPORTER key.
Hardware error from call CSNBKEX returnCode = 8, reasonCode = 10012
The ICSF Application Programmer's Guide defines this error as "A key label was supplied for a key identifier parameter. This label is the label of a key in the in-storage CKDS or the PKDS. Either the key could not be found, or a key record with that label and the specific type required by the ICSF callable service could not be found." In general, this means that a CKDS or PKDS key that you are using cannot be found in the CKDS or PKDS.
If you are using triple DES transport keys (also known as key encrypting keys), this might mean that you have attempted to wrap a CKDS or SECURE_INTERNAL_TOKEN key with a DESedeKeyWrap cipher using a CKDS key that is not a triple DES EXPORTER key. For key wrapping, the DESedeKeyWrap cipher must be initialized with a triple DES EXPORTER key.
- exporter key 2 is exported using the DESedeKeyWrap cipher and exporter key 1 that has the NoCvKEK option enabled
- exporter key 2 is imported using DESedeKeyWrap cipher and importer key 1 that has the NoCvKEK option disabled
- The imported exporter key 2 is used to export a key using the DESedeKeyWrap cipher
If a transport key is exported using the DESedeKeyWrap cipher and an EXPORTER transport key with NoCvKEK option enabled then when it is imported the IMPORTER transport key must also have the NoCvKEK option enabled or the imported key will not be correctly formed.
Hardware error from call CSNBKIM returnCode = 8, reasonCode = 39
The ICSF Application Programmer's Guide defines this error as "A control vector violation occurred." In general, this means that the key that you are using is not suitable for the requested operation.
If you are using triple DES transport keys (also known as key encrypting keys), this might mean that you have attempted to unwrap a previously wrapped CKDS or SECURE_INTERNAL_TOKEN key with a DESedeKeyWrap cipher using a SECURE_INTERNAL_TOKEN key that is not a triple DES IMPORTER key. For key unwrapping, the DESedeKeyWrap cipher must be initialized with a triple DES IMPORTER key.
If you are using transport keys (also known as key encrypting keys) and the DESedeKeyWrap cipher to import a key, this might mean that the key was wrapped with an EXPORTER transport key with the NoCvKEK option enabled but the IMPORTER transport key you are now using has the NoCvKEK option disabled. If a key that is not type OP_DATA is exported using an EXPORTER with NoCvKEK enabled then it can only be imported using an IMPORTER with NoCvKEK enabled. If a key is type OP_DATA then it can be exported using an EXPORTER with NoCvKEK disabled and then imported using an IMPORTER transport key with the NoCvKEK enabled.
If you are importing a transport key with the NoCvKEK option, or importing a key when the IMPORTER transport key has the NoCvKEK option, you are required to specify usage of the key being imported. If you specify the incorrect usage you might get this message. For example, you might get this error if you specify that a transport key being imported is an IMPORTER when it is actually an EXPORTER.
Hardware error from call CSNBKIM returnCode = 8, reasonCode = 10012
The ICSF Application Programmer's Guide defines this error as "A key label was supplied for a key identifier parameter. This label is the label of a key in the in-storage CKDS or the PKDS. Either the key could not be found, or a key record with that label and the specific type required by the ICSF callable service could not be found." In general, this means that a CKDS or PKDS key that you are using cannot be found in the CKDS or PKDS.
If you are using triple DES transport keys (also known as key encrypting keys), this might mean that you have attempted to unwrap a previously wrapped CKDS or SECURE_INTERNAL_TOKEN key with a DESedeKeyWrap cipher using a CKDS key that is not a triple DES IMPORTER key. For key unwrapping, the DESedeKeyWrap cipher must be initialized with a triple DES IMPORTER key.
- importer key 2 is exported using the DESedeKeyWrap cipher and exporter key 1 that has the NoCvKEK option enabled
- importer key 2 is imported using DESedeKeyWrap cipher and importer key 1 that has the NoCvKEK option disabled
- The imported importer key 2 is used to import a key using the DESedeKeyWrap cipher
If a transport key is exported using the DESedeKeyWrap cipher and an EXPORTER transport key with NoCvKEK option enabled then when it is imported the IMPORTER transport key must also have the NoCvKEK option enabled or the imported key will not be correctly formed.
Hardware error from call CSNBKIM returnCode = 8, reasonCode = 10028
The ICSF Application Programmer's Guide defines this error as "Either the left half of the control vector in a key identifier (internal or external) equates to a key type that is not valid for the service you are using, or the value is not that of any ICSF control vector. For example, an exporter key-encrypting key is not valid in the key import callable service."
If you are using transport keys (also known as key encrypting keys) and the DESedeKeyWrap cipher to import a key and you specified usage for the key being imported, this could mean that you specified the incorrect usage. For example, you might get this error if you specify that the key being imported is a DATA key when it is actually a CIPHER key.
Hardware error from call CSNBKIM returnCode = 8, reasonCode = 10036
The ICSF Application Programmer's Guide defines this error as "Either the complete control vector (CV) in a key identifier (internal or external) equates to a key type that is not valid for the service you are using, or the value is not that of any ICSF control vector."
If you are using transport keys (also known as key encrypting keys) and the DESedeKeyWrap cipher to import a key, this might mean that the key was wrapped with an EXPORTER transport key with the NoCvKEK option disabled but the IMPORTER transport key you are now using has the NoCvKEK option enabled. If a key that is not type OP_DATA is exported using an EXPORTER with NoCvKEK disabled then it can only be imported using an IMPORTER with NoCvKEK disabled. If a key is type OP_DATA then it can be exported using an EXPORTER with NoCvKEK disabled and then imported using an IMPORTER transport key with the NoCvKEK enabled.
Hardware error from call CSNBKIM returnCode = 8, reasonCode = 10056
The ICSF Application Programmer's Guide defines this error as "You called the key import callable service. The importer key-encrypting key is a NOCV importer and you specified TOKEN for the key_type parameter. This combination is not valid."
When importing a key using an IMPORTER transport key (also known as a key encrypting key) with NoCvKEK option, you are required to specify usage of the key being imported. You might get this message if usage is not specified for the imported key.
If you are using transport keys (also known as key encrypting keys) and the DESedeKeyWrap cipher to import a key, this might mean that the key was wrapped with an EXPORTER transport key with the NoCvKEK option disabled but the IMPORTER transport key you are now using has the NoCvKEK option enabled. If a key that is not type OP_DATA is exported using an EXPORTER with NoCvKEK disabled then it can only be imported using an IMPORTER with NoCvKEK disabled. If a key is type OP_DATA then it can be exported using an EXPORTER with NoCvKEK disabled and then imported using an IMPORTER transport key with the NoCvKEK enabled.
Hardware error from call CSNDSYX returnCode = 8, reasonCode = 2154
The ICSF Application Programmer's Guide defines this error as "At least one key token passed to this callable service does not have the required key type for the specified function." In general, this means that the key that you are using is not suitable for the requested operation.
If you are using AES transport keys (also known as key encrypting keys), this might mean that you have attempted to wrap a CKDS or SECURE_INTERNAL_TOKEN key with an AESKeyWrap cipher using an AES IMPORTER key. For key wrapping, the AESKeyWrap cipher must be initialized with an AES EXPORTER key.
Hardware error from call CSNDSYX returnCode = 8, reasonCode = 10040
The ICSF Application Programmer's Guide defines this error as "Key identifiers contain a version number. The version number in a supplied key identifier (internal or external) is inconsistent with one or more fields in the key identifier, making the key identifier unusable."
If you are using AES transport keys (also known as key encrypting keys), this might mean that you have attempted to wrap a CKDS or SECURE_INTERNAL_TOKEN key with an AESKeyWrap cipher using a key that is not an AES EXPORTER key. For key wrapping, the AESKeyWrap cipher must be initialized with an AES EXPORTER key.
Hardware error from call CSNDSYI2 returnCode = 8, reasonCode = 2154
The ICSF Application Programmer's Guide defines this error as "At least one key token passed to this callable service does not have the required key type for the specified function." In general, this means that the key that you are using is not suitable for the requested operation.
If you are using AES transport keys (also known as key encrypting keys), this might mean that you have attempted to unwrap a previously wrapped CKDS or SECURE_INTERNAL_TOKEN key with an AESKeyWrap cipher using an AES EXPORTER key. For key unwrapping, the AESKeyWrap cipher must be initialized with an AES IMPORTER key.
Hardware error from call CSNDSYI2 returnCode = 8, reasonCode = 10040
The ICSF Application Programmer's Guide defines this error as "Key identifiers contain a version number. The version number in a supplied key identifier (internal or external) is inconsistent with one or more fields in the key identifier, making the key identifier unusable."
If you are using AES transport keys (also known as key encrypting keys), this might mean that you have attempted to unwrap a previously wrapped CKDS or SECURE_INTERNAL_TOKEN key with an AESKeyWrap cipher using a key that is not an AES IMPORTER key. For key unwrapping, the AESKeyWrap cipher must be initialized with an AES IMPORTER key.
Hardware error from call CSNBKRC2 returnCode 12 reasonCode 0
The ICSF Application Programmer's Guide defines this error as "CKDS Key Record Create2 was called to add a variable-length key record to a fixed-length CKDS. A variable-length symmetric key token can only be added to a CKDS that supports variable-length records."
If you are using AES transport keys (also known as key encrypting keys), this might mean that you are using a Cryptographic Key Data Set (CKDS) that only supports fixed-length records. A CKDS that supports variable-length records is required for CKDS type AES transport keys. Please refer to the section titled Converting a CKDS from fixed length to variable length record format in the ICSF System Programmer's Guide for more information or contact your system administrator.
Hardware error from call CSNBT31I returnCode 8 reasonCode 90
The ICSF Application Programmer's Guide defines this error as "Access is denied for this request. This is due to an access control point in the domain role either being disabled or an access control point being enabled that restricts the use of a parameter such as a rule array keyword."
- Permit K0:E to EXPORTER/OKEYXLAT
- Permit K0:D to IMPORTER/IKEYXLAT
Hardware error from call CSNBT31I returnCode 8 reasonCode 2016
The ICSF Application Programmer's Guide defines this error as "The rule_array parameter contents are incorrect. One or more of the rules specified are not valid for this service OR some of the rules specified together may not be combined."
If you are unwrapping a key using an instance of DESedeTR31KeyWrap, this might mean that the usage specified (or defaulted) for the key being imported is not correct. The default key usage for a key being imported from a TR-31 Key Block is data encryption/decryption. For example, you might see this error if you did not specify key usage and the key is actually a transport key or if you specified the wrong type of transport key (such as EXPORTER when the key is actually an IMPORTER).
Hardware error from call CSNBT31I returnCode 8 reasonCode 2131
The ICSF Application Programmer's Guide defines this error as "The MAC validate step failed for a parameter. This may result from tampering, corruption, or attempting to use a different key to validate the MAC from the one used to generate it."
If you are unwrapping a key using an instance of DESedeTR31KeyWrap, this might mean that the IMPORTER transport key (also known as an IMPORTER key encrypting key) is not correct. The IMPORTER transport key must have the same key material as the EXPORTER transport key that was used to create the TR-31 Key Block.
Hardware error from call CSNBT31I returnCode 8 reasonCode 2227
The ICSF Application Programmer's Guide defines this error as "The triple-length key cannot be imported because the TR-31 key block does not include a CCA control vector."
- you are using an IMPORTER transport key with NoCvKEK enabled
- the TR-31 key block was created using an EXPORTER transport key with NoCvKEK enabled
- the TR-31 key block was created on a non-CCA platform and it contains a control vector not valid for a CCA platform
Hardware error from call CSNBT31X returnCode 8 reasonCode 39
The ICSF Application Programmer's Guide defines return code 8 and reason code 39 as "A control vector violation occurred." In general, this means that the key that you are using is not suitable for the requested operation.
If you are wrapping a key using an instance of DESedeTR31KeyWrap and you specified key usage for the key being exported, this might mean that the key usage you specified does not match the key usage specified when the key was created.
If you are wrapping a key using an instance of DESedeTR31KeyWrap and you did not specify key usage for the key being exported, the exported key usage defaulted to data encryption/decryption. You might get this error if the key being exported is actually a transport key (an IMPORTER or EXPORTER). In this case you must explicitly specify the correct key usage for the key being exported.
Hardware error from call CSNBT31X returnCode 8 reasonCode 90
The ICSF Application Programmer's Guide defines this error as "Access is denied for this request. This is due to an access control point in the domain role either being disabled or an access control point being enabled that restricts the use of a parameter such as a rule array keyword."
- Permit EXPORTER/OKEYXLAT to K0:E
- Permit IMPORTER/IKEYXLAT to K0:D
Hardware error from call CSNBT31X returnCode 8 reasonCode 72
The ICSF Application Programmer's Guide defines this error as "The value specified for length parameter for a key token, key, or text field is not valid."
The format defined for a TR-31 key block allows exactly two decimal digits for the number of optional blocks. If padding is needed, CSNBT31X will add one optional data block for padding. In other words, in some cases the maximum number of optional data blocks that can be added by an application is 98. If you add 99 optional data blocks when creating a TR-31 key block then you will see this error if padding is needed.
Hardware error from call CSNBT31O returnCode 8 reasonCode 345
The ICSF Application Programmer's Guide defines this error as "Insufficient storage space exists for the data in the data block buffer."
The format defined for a TR-31 key block allows exactly 2 decimal digits for the number of optional blocks. You will see this error if you attempt to add more than 99 optional data blocks when creating a TR-31 key block.
Hardware error from call CSNBT31O returnCode 8 reasonCode 11000
The ICSF Application Programmer's Guide defines this error as "The value specified for length parameter for a key token, key, or text field is not valid."
The format defined for a TR-31 key block allows exactly 2 bytes for the length in hexadecimal of an optional block, for a maximum of 255 bytes. Two bytes are used for the optional data block ID, two bytes are used for the block length. Therefore, you will see this error if you attempt to add an optional block with data larger than 251 bytes when creating a TR-31 key block.
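The three TR-31 optional block limits described above (CSNBT31X reason code 72, CSNBT31O reason codes 345 and 11000) can be checked in application code before the provider is called. This is an added example, not IBM sample code and not the IBMJCECCA API: the class Tr31OptionalBlockCheck and its methods are hypothetical, the block IDs and data are constructed, and the 8-byte alignment used to decide whether a padding block is needed is an assumption for triple DES key blocks.

```java
import java.util.ArrayList;
import java.util.List;

public class Tr31OptionalBlockCheck {
    static final int MAX_BLOCKS = 99;       // count field: two decimal digits
    static final int MAX_BLOCK_LEN = 255;   // length field: two hex digits (0xFF)
    static final int HEADER_LEN = 4;        // 2-byte block ID + 2-byte length
    static final int MAX_DATA_LEN = MAX_BLOCK_LEN - HEADER_LEN;   // 251 bytes
    static final int ALIGNMENT = 8;         // assumption: triple DES cipher block size

    private final List<String> blocks = new ArrayList<>();
    private int totalLen;

    // Add one optional block, enforcing the per-block and count limits.
    void add(String id, String data) {
        if (!id.matches("[0-9A-Z]{2}")) {
            throw new IllegalArgumentException("block ID must be two characters");
        }
        if (!data.matches("[\\x20-\\x7E]*")) {
            throw new IllegalArgumentException("block data must be printable ASCII");
        }
        if (data.length() > MAX_DATA_LEN) {
            throw new IllegalArgumentException("block data is " + data.length()
                + " bytes, limit is " + MAX_DATA_LEN + " (CSNBT31O reason code 11000)");
        }
        if (blocks.size() == MAX_BLOCKS) {
            throw new IllegalArgumentException("more than " + MAX_BLOCKS
                + " optional blocks (CSNBT31O reason code 345)");
        }
        int len = HEADER_LEN + data.length();
        blocks.add(id + String.format("%02X", len) + data);
        totalLen += len;
    }

    // True when the export step would have to append a padding block.
    boolean paddingBlockNeeded() {
        return totalLen % ALIGNMENT != 0;
    }

    // The padding block also counts toward the two-digit limit.
    void checkBeforeExport() {
        if (paddingBlockNeeded() && blocks.size() == MAX_BLOCKS) {
            throw new IllegalStateException("99 optional blocks plus a padding block"
                + " exceeds the count field (CSNBT31X reason code 72)");
        }
    }

    String countField() { return String.format("%02d", blocks.size()); }
    String encoded() { return String.join("", blocks); }

    public static void main(String[] args) {
        Tr31OptionalBlockCheck ok = new Tr31OptionalBlockCheck();
        ok.add("10", "constructed-data");            // constructed ID and data
        ok.checkBeforeExport();
        System.out.println(ok.countField() + " " + ok.encoded()
            + " padding needed: " + ok.paddingBlockNeeded());

        try {   // 252 bytes of data: one over the per-block limit
            ok.add("11", new String(new char[252]).replace('\0', 'A'));
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }

        Tr31OptionalBlockCheck full = new Tr31OptionalBlockCheck();
        for (int i = 0; i < MAX_BLOCKS; i++) {
            full.add("12", "abc");                   // 7 bytes each, total not aligned
        }
        try {
            full.checkBeforeExport();
        } catch (IllegalStateException e) {
            System.out.println(e.getMessage());
        }
    }
}
```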