Key token
A key token is a variable-length field (maximum allowed size is 3500 bytes) composed of a key value and control information. PKA keys can be either public or private RSA or ECC keys. Each key token is one of three types, distinguished by the first byte of the key identifier: an internal key token (X'1F'), an external key token (X'1E'), or a null private key token (X'00'). For the format of each token type, refer to Key token formats.
An internal key token is a token that can be used only on the ICSF system that created it (or another ICSF system with the same PKA master key). It contains a key that is encrypted under the PKA master key.
- PKA Key Generate
- PKA Key Import
The PKA Key Token Change callable service can reencipher private internal tokens from encryption under the old master key (either RSA or ECC) to encryption under the current master key.
For debugging information, see Key token formats, which describes the format of an internal key token.
If the first byte of the key identifier is X'1E', the key identifier is interpreted as an external key token. An external PKA key token contains a key (possibly encrypted) and control information. By using the external key token, you can exchange keys between systems.
- PKA Public Key Extract
- PKA Key Token Build
- PKA Key Generate
For debugging information, see Key token formats, which describes the format of an external key token.
If the first byte of the key identifier is X'00', the key identifier is interpreted as a null key token.
For debugging information, see Key token formats, which describes the format of a null key token.
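The first-byte and size rules above can be enforced before a key identifier is handed to a callable service or placed on a key-exchange path. The following is an added example, not ICSF code: the names `pka_classify`, `pka_may_exchange` and `pka_tally` are hypothetical, the sample buffers are constructed, and the exchange policy (only external tokens leave the system) is an assumption drawn from the descriptions above.

```c
#include <stddef.h>
#include <stdio.h>

#define PKA_TOKEN_MAX_LEN 3500u /* maximum key token size given above */

typedef enum {
    PKA_TOKEN_NULL = 0, /* first byte X'00' */
    PKA_TOKEN_EXTERNAL, /* first byte X'1E' */
    PKA_TOKEN_INTERNAL, /* first byte X'1F' */
    PKA_TOKEN_INVALID,  /* empty, oversized, or unrecognized first byte */
    PKA_TOKEN_KINDS
} pka_token_kind;

/* Hypothetical helper: classify a key identifier by length and first byte. */
pka_token_kind pka_classify(const unsigned char *id, size_t len)
{
    if (id == NULL || len == 0 || len > PKA_TOKEN_MAX_LEN)
        return PKA_TOKEN_INVALID;
    switch (id[0]) {
    case 0x00: return PKA_TOKEN_NULL;
    case 0x1E: return PKA_TOKEN_EXTERNAL;
    case 0x1F: return PKA_TOKEN_INTERNAL;
    default:   return PKA_TOKEN_INVALID;
    }
}

/* Assumed policy gate for a key-exchange path: only external tokens are
 * meant to move between systems; internal tokens stay with the PKA master
 * key that encrypted them. Returns 1 to allow, 0 to refuse. */
int pka_may_exchange(const unsigned char *id, size_t len)
{
    return pka_classify(id, len) == PKA_TOKEN_EXTERNAL;
}

/* Tally a batch of identifiers by kind; counts[] has PKA_TOKEN_KINDS slots. */
void pka_tally(const unsigned char *const ids[], const size_t lens[],
               size_t n, size_t counts[PKA_TOKEN_KINDS])
{
    for (size_t k = 0; k < (size_t)PKA_TOKEN_KINDS; k++) counts[k] = 0;
    for (size_t i = 0; i < n; i++) counts[pka_classify(ids[i], lens[i])]++;
}

int main(void)
{
    /* Constructed samples: only the first byte is meaningful here. */
    static const unsigned char tok_i[8] = {0x1F}, tok_e[8] = {0x1E}, tok_n[8] = {0x00};
    const unsigned char *ids[] = {tok_i, tok_e, tok_n};
    const size_t lens[] = {sizeof tok_i, sizeof tok_e, sizeof tok_n};
    size_t c[PKA_TOKEN_KINDS];
    pka_tally(ids, lens, 3, c);
    printf("internal=%zu external=%zu null=%zu invalid=%zu\n",
           c[PKA_TOKEN_INTERNAL], c[PKA_TOKEN_EXTERNAL], c[PKA_TOKEN_NULL], c[PKA_TOKEN_INVALID]);
    return 0;
}
```

The classifier inspects only the length and the first byte; it does not validate the rest of the token structure described in Key token formats.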