Payload format

Variable-length tokens have a payload section that contains the encrypted key material. Prior to HCR77A1, these tokens used a variable-length payload that consisted of the encrypted key and padding. HCR77A1 introduces fixed-length payloads for AES keys, which obscure the length of the encrypted key in the payload section.

Any new key types will have the fixed-length payload format. Existing AES key types (CIPHER, IMPORTER and EXPORTER) and HMAC key types default to variable-length payloads unless keywords indicate the use of fixed-length payloads. This ensures compatibility with older releases of ICSF and hardware where fixed-length payloads are not supported.

The following options are available for AES CIPHER, IMPORTER and EXPORTER keys:

The CKDS Reencipher utility and the Key Part Import2, Key Test2, Restrict Key Attribute, Symmetric Key Export, and Symmetric Key Import2 callable services will maintain the payload format of the source key token.

Fixed-length payload support requires an IBM zEnterprise EC12, zEnterprise BC12, or later with a CCA Cryptographic coprocessor that is a CEX3C or later with Licensed Internal Code (LIC) of September 2013 or later.