Summary of callable service support by hardware configuration
The callable services available to your applications depend on the configuration of your server and cryptographic features. The configuration of the cryptographic features depends on U.S. Export Regulations. For information on the configurations available in your country, contact your IBM marketing representative.
General services
Table 1 contains a summary of the services that do not use
cryptography and have no hardware requirement.
| Service name | Function |
|---|---|
| Character/Nibble Conversion (CSNBXBC and CSNBXCB) | Converts a binary string to a character string or vice versa. |
| Code Conversion (CSNBXEA and CSNBXAE) | Converts EBCDIC data to ASCII data or vice versa. |
| ICSF Query Algorithms (CSFIQA) | Provides information on cryptographic and hashing algorithms. |
| ICSF Query Facility (CSFIQF) | Provides ICSF status information and retrieves information on the CCA and EP11 coprocessors. |
| ICSF Query Facility 2 (CSFIQF2) | Provides information on the cryptographic environment as currently known by ICSF. |
| SAF ACEE Selection (CSFACEE) | Allows the caller to provide the ENVR to use for SAF checks. |
| X9.9 Data Editing (CSNB9ED) | Edits an ASCII text string according to the editing rules of ANSI X9.9-4. |
CCA services
CCA callable services might have a hardware requirement depending on the cryptographic processing.
Table 2 contains a summary of the CCA services that do not use
cryptography and have no hardware requirement.
| Service name | Function |
|---|---|
| Control Vector Generate (CSNBCVG) | Builds a control vector from keywords that are specified as input to the service. |
| Key Data Set List (CSFKDSL) | Generates a list of CKDS, PKDS, or TKDS labels that match a search criteria. |
| Key Data Set Metadata Read (CSFKDMR) | Reads the metadata of a CKDS, PKDS, or TKDS record. |
| Key Data Set Metadata Write (CSFKDMW) | Changes the metadata of a set of CKDS, PKDS, or TKDS records. The in-store copy is updated with the DASD copy. |
| Key Token Build (CSNBKTB) | Builds an internal or external symmetric key token from the supplied parameters. |
| Key Token Build2 (CSNBKTB2) | Builds an internal or external symmetric key token from the supplied parameters. |
| One–Way Hash Generate (CSNBOWH and CSNBOWH1) | Generates a one-way hash on specified text for the RIPEMD-160 or MD5 algorithm. |
| PKA Key Token Build (CSNDPKB) | Creates an external PKA key token containing a clear, private, or public key or a skeleton token. |
| PKA Public Key Extract (CSNDPKX) | Extracts a PKA public key from a supplied PKA internal or external private key token. |
| TR-31 Optional Data Build (CSNBT31O) | Constructs the optional block data structure for a TR-31 key block. |
| TR-31 Optional Data Read (CSNBT31R) | Obtains lists of the optional block identifiers and optional block lengths, and obtains the data for a particular optional block. |
| TR-31 Parse (CSNBT31P) | Retrieves standard header information from a TR-31 key block without importing the key. |
Table 3 contains a summary of the CCA services that are used for
key store processing. These services do not use a cryptographic coprocessor, but in order to process
secure keys in the key stores, an active coprocessor is required.
| Service name | Function |
|---|---|
| CKDS Key Record Create (CSNBKRC) | Adds a key record that contains a key token set to binary zeros to both the in-storage and DASD copies of the CKDS. |
| CKDS Key Record Create2 (CSNBKRC2) | Adds a key record that contains a key token to both the in-storage and DASD copies of the CKDS. |
| CKDS Key Record Delete (CSNBKRD) | Deletes a key record from both the in-storage and DASD copies of the CKDS. |
| CKDS Key Record Read (CSNBKRR) | Copies an internal key token from the in-storage copy of the CKDS to application storage. |
| CKDS Key Record Read2 (CSNBKRR2) | Copies an internal key token from the in-storage copy of the CKDS to application storage. |
| CKDS Key Record Write (CSNBKRW) | Writes an internal key token to the CKDS record specified in the key label parameter. Updates both the in-storage and DASD copies of the CKDS currently in use. |
| CKDS Key Record Write2 (CSNBKRW2) | Writes an internal key token to the CKDS record specified in the key label parameter. Updates both the in-storage and DASD copies of the CKDS currently in use. |
| Key Data Set Record Retrieve (CSFRRT) | Reads a record from the CKDS, PKDS, or TKDS. |
| Key Data Set Update (CSFKDU) | Updates a record in the CKDS, PKDS, or TKDS. |
| PKDS Key Record Create (CSNBKRC) | Writes a new record to the PKDS. |
| PKDS Key Record Delete (CSNBKRD) | Deletes an existing record from the PKDS. |
| PKDS Key Record Read (CSNBKRR) | Reads a record from the PKDS and returns the key token of the record. |
| PKDS Key Record Write (CSNBKRW) | Writes over an existing record in the PKDS. |
The Coordinated KDS Administration (CSFCRC) service uses the cryptographic coprocessors for
processing and is available on all servers.
| Service name | Function |
|---|---|
| Coordinated KDS Administration (CSFCRC) | Performs a KDS refresh or KDS reencipher and change master key operation while allowing applications to update the KDS. In a sysplex environment, this callable service performs a coordinated sysplex-wide refresh or change master key operation from a single ICSF instance. |
Table 5 contains a summary of the CCA services that use the CP
Assist for Cryptographic Functions (CPACF) instructions.
| Service name | Function |
|---|---|
| Decode (CSNBDCO) | Decodes an 8-byte string of data by using the electronic code book mode of the DES. |
| Digital Signature Generate (CSNDDSG) | Generates an ECDSA signature for clear or protected key ECC Prime P-256, Prime P-384, and Prime P-521. Generates an EdDSA signature for clear or protected key ECC Ed25519 and Ed244. |
| Digital Signature Verify (CSNDDSV) | Verifies an ECDSA signature for ECC Prime P-256, Prime P-384, and Prime P-521. Verifies an EdDSA signature for ECC Ed25519 and Ed244 |
| Encode (CSNBECO) | Encodes an 8-byte string of data by using the electronic code book mode of the DES. |
| Field Level Decipher (CSNBFLD) | Decrypts database fields, preserving the format of the fields by using the VISA Format Preserving Encryption algorithm. |
| Field Level Encipher (CSNBFLE) | Encrypts database fields, preserving the format of the fields by using the VISA Format Preserving Encryption algorithm. |
| HMAC Generate (CSNBHMG and CSNBHMG1) | Generates a keyed-hashed message authentication code (MAC) for an application supplied text string with a clear key. |
| HMAC Verify (CSNBHMV and CSNBHMV1) | Verifies a keyed-hashed message authentication code (MAC) for an application supplied text string with a clear key. |
| MAC Generate2 (CSNBMGN2 and CSNBMGN3) | Generates a keyed-hashed message authentication code (MAC) for an application supplied text string with a clear key. |
| MAC Verify2 (CSNBMVR2 and CSNBMVR3) | Verifies a keyed-hashed message authentication code (MAC) for an application supplied text string with a clear key. |
| MDC Generate (CSNBMDG and CSNBMDG1) | Generates a 128-bit modification detection code (MDC) for a text string that the application program supplies. |
| One–Way Hash Generate (CSNBOWH and CSNBOWH1) for SHA1, SHA2, and SHA3 algorithms | Generates a one-way hash on specified text by using the SHA-1, SHA2, or SHA-3 algorithm. |
| Symmetric Key Decipher (CSNBSYD and CSNBSYD1) | Deciphers data in an address space or a data space. This service is available on machines with triple-DES feature codes. |
| Symmetric Key Encipher (CSNBSYE and CSNBSYE1) | Enciphers data in an address space or a data space. This service is available on machines with triple-DES feature codes. |
| Symmetric MAC Generate (CSNBSMG and CSNBSMG1) | Uses the symmetric MAC generate callable service to generate a 96-bit or 128-bit message authentication code (MAC) for an application-supplied text string using an AES key. |
| Symmetric MAC Verify (CSNBSMV and CSNBSMV1) | Uses the symmetric MAC generate callable service to verify a 96-bit or 128-bit message authentication code (MAC) for an application-supplied text string using an AES key. |
The Random Number Generate (CSNBRNG) and Random Number Generate Long (CSNBRNGL) services use a
CCA coprocessor, if available, or the CPACF instruction when there are no active CCA coprocessors
available.
| Service name | Function |
|---|---|
| Random Number Generate (CSNBRNG) and Random Number Generate Long (CSNBRNGL) | Generates an 8-byte random number or a user-specified length random number. The output can be specified in three forms of parity: RANDOM, ODD, and EVEN. |
The following CCA services use a cryptographic accelerator, if available. Accelerators perform
clear key RSA operations.
- Digital Signature Verify (CSNDDSV).
- PKA Decrypt (CSNDPKD) with MRP, PKCSOAEP, and ZERO-PAD formatting.
- PKA Encrypt (CSNDPKE) with PKCSOAEP and ZERO-PAD formatting.
Table 7 contains a summary of the services that require a CCA
coprocessor for processing. The letters represent various configurations.
- Letter A
- IBM z13 and IBM z13s with CP Assist for Cryptographic Functions DES/TDES Enablement and CEX5C.
- Letter B
- IBM z14 and IBM z14 ZR1 with CP Assist for Cryptographic Functions DES/TDES Enablement and CEX5C and CEX6C.
- Letter C
- IBM z15 with CP Assist for Cryptographic Functions DES/TDES Enablement and CEX5C, CEX6C, and CEX7C.
- Letter G
- IBM z16 with CP Assist for Cryptographic Functions DES/TDES Enablement and CEX6C, CEX7C, and CEX8C.
| Service Name | Function | A | B | C | G |
|---|---|---|---|---|---|
| Authentication Parameter Generate | Generates an authentication parameter (AP) and returns it encrypted under a supplied encrypting key. | X | X | X | X |
| Ciphertext Translate2 | Translates the user-supplied ciphertext from one key to another key. | X | X | X | X |
| Clear Key Import | Imports a clear DATA key, enciphers it under the master key, and places the result into an internal key token. | X | X | X | X |
| Clear PIN Encrypt | Formats a PIN into a PIN block format (IBM 3621, IBM3624, ISO-0, ISO-1, ISO-2, IBM 4704 encrypting PINPAD, VISA 2, VISA 3, VISA 4, ECI 2, ECI 3) and encrypts the results. | X | X | X | X |
| Clear PIN Generate | Generates a clear personal identification number (PIN), a PIN
verification value (PVV), or an offset by using one of these algorithms:
|
X | X | X | X |
| Clear PIN Generate Alternate | Generates a clear VISA PIN validation value (PVV) from an input encrypted PIN block. | X | X | X | X |
| Control Vector Translate | Changes the control vector that is used to encipher an external key. | X | X | X | X |
| Cryptographic Variable Encipher | Encrypts plaintext by using the Cipher Block Chaining (CBC) method. | X | X | X | X |
| CVV Key Combine | Combines two single-length CCA internal key tokens into 1 double-length CCA key token containing a CVVKEY-A key type. | X | X | X | X |
| Data key Export | Converts a DATA key from operational form into exportable form. | X | X | X | X |
| Data key Import | Imports an encrypted single-length or double-length DES data key and creates or updates a target internal key token with the master key-enciphered source key. | X | X | X | X |
| Decipher | Deciphers data by using the cipher block chaining mode of the DES. | X | X | X | X |
| Derive ICC MK | Derives ICC master keys from issuer master keys. | X | X | X | X |
| Derive Session Key | Derives session keys from either issuer master keys or ICC master keys. | X | X | X | X |
| Digital Signature Generate | Generates a digital signature by using a supplied hash and a private key. | X | X | X | X |
| Digital Signature Verify | Verifies a digital signature by using the same supplied hash that was used to generate the signature and the public key that corresponds to the private key used to generate the signature. | X | X | X | X |
| Diversified Key Generate | Generates a key based on the key-generating key, the processing method, and the parameter supplied. The control vector of the key-generating key also determines the type of target key that can be generated. | X | X | X | X |
| Diversified Key Generate2 | Generates an AES key based on a function of a key-generating key, the process rule, and data that you supply. | X | X | X | X |
| Diversify Directed Key | Generates or derive keys using with the DK Direct Key Diversification key scheme. | X | X | X | X |
| DK Deterministic PIN Generate | Generates a PIN and PIN reference value (PRW) by using an AES PIN calculation key. | X | X | X | X |
| DK Migrate PIN | Generates the PIN reference value (PRW) for a specified user account. | X | X | X | X |
| DK PAN Modify in Transaction | Generates a new PIN reference value (PRW) for an existing PIN when a merger has occurred and the account information has changed. | X | X | X | X |
| DK PAN Translate | Creates an encrypted PIN block with the same PIN and a different PAN. | X | X | X | X |
| DK PIN Change | Allows a customer to change their PIN to a value of their choosing. | X | X | X | X |
| DK PIN Verify | Verifies an ISO-1 format PIN. | X | X | X | X |
| DK PRW Card Number Update | Generates a PIN reference value (PRW) when a replacement card is being issued. | X | X | X | X |
| DK PRW Card Number Update2 | Generates a PIN reference value (PRW) when a replacement card is being issued. | X | X | X | X |
| DK PRW CMAC Generate | Generates a message authentication code (MAC) over specific values that are involved in an account number change transaction. | X | X | X | X |
| DK Random PIN Generate | Generates a PIN and a PIN reference value by using the random process. | X | X | X | X |
| DK Random PIN Generate2 | Generates a PIN and a PIN reference value by using the random process. | X | X | X | X |
| DK Regenerate PRW | Generates a new PIN reference value for a changed account number. | X | X | X | X |
| ECC Diffie-Hellman | Creates symmetric key material from a pair of ECC keys by using the Elliptic Curve Diffie-Hellman protocol and the static unified model key agreement scheme or "Z" data (the "secret" material output from D-H process). | X | X | X | X |
| EMV Scripting Service | Simplifies EMV scripting. Scripts can be encrypted for confidentiality, MAC'd for integrity, or both. | X | X | X | X |
| EMV Transaction Service | Simplifies ARQC verification and ARPC generation. | X | X | X | X |
| EMV Verification Functions | Provides EMV functions that are used by MasterCard. | X | X | X | X |
| Encipher | Enciphers data by using the cipher block chaining mode of the DES. | X | X | X | X |
| Encrypted PIN Generate | Generates and formats a PIN and encrypts the PIN block. | X | X | X | X |
| Encrypted PIN Translate | Reenciphers a PIN block from one PIN-encrypting key to another and optionally, changes the PIN block format. | X | X | X | X |
| Encrypted PIN Translate2 | Reenciphers a PIN block from one PIN-encrypting key to another and optionally, changes the PIN block format. | X | X | X | X |
| Encrypted PIN Verify | Verifies a supplied PIN by using one of these algorithms:
|
X | X | X | X |
| Encrypted PIN Verify2 | Compares a supplied PIN against a reference PIN in encrypted PIN blocks. | X | X | ||
| Format Preserving Algorithms Decipher | Decrypts payment card data using FFX algorithms. | X | X | ||
| Format Preserving Algorithms Encipher | Encrypts payment card data using FFX algorithms. | X | X | ||
| Format Preserving Algorithms Translate | Translates payment card data from encryption under one key to encryption under another key using FFX algorithms. | X | X | ||
| FPE Decipher | Decrypts payment card data using Visa Data Secure Platform (Visa DSP) processing. | X | X | X | X |
| FPE Encipher | Encrypts payment card data using Visa Data Secure Platform (Visa DSP) processing. | X | X | X | X |
| FPE Translate | Translates payment card data from encryption under one key to encryption under another key using Visa Data Secure Platform (Visa DSP) processing. | X | X | X | X |
| Generate Issuer MK | Generates issuer master keys and stores the keys in the CKDS. | X | X | X | X |
| HMAC Generate | Generates a keyed-hashed message authentication code (MAC) for a text string that the application program supplies. The MAC is computed by using the FIPS-198 algorithm. | X | X | X | X |
| HMAC Verify | Verifies a keyed-hashed message authentication code (MAC) for a text string that the application program supplies. The MAC is computed by using the FIPS-198 algorithm. | X | X | X | X |
| ICSF Multi-Purpose Service | Validates the keys in the active CKDS or PKDS. | X | X | X | X |
| Key Export | Converts any key from operational form into exportable form. | X | X | X | X |
| Key Generate | Generates a 64-bit or 128-bit odd parity key, or a pair of keys, and returns them in encrypted forms. | X | X | X | X |
| Key Generate2 | Generates a variable length key or a pair of keys, and returns them in encrypted forms. | X | X | X | X |
| Key Import | Converts any key from importable form into operational form. | X | X | X | X |
| Key Part Import | Combines the clear key parts of an AKEK and returns the combined key value in an internal key token or an update to the CKDS. | X | X | X | X |
| Key Part Import2 | Combines the clear key parts of any key type and returns the combined key value in an internal key token or an update to the CKDS. | X | X | X | X |
| Key Test2 | Generates or verifies a secure verification pattern for keys in the clear, encrypted under the master key, or encrypted under a key-encrypting key. | X | X | X | X |
|
Key Test
Key Test Extended |
Generates or verifies a secure verification pattern for keys. CSNBKYT requires the tested key to be in the clear or encrypted under the master key. CSNBKYTX also allows the tested key to be encrypted under a key-encrypting key. | X | X | X | X |
| Key Translate | Uses one key-encrypting key to decipher an input key and then enciphers this using another key-encrypting key. | X | X | X | X |
| Key Translate2 | Uses one key-encrypting key to decipher an input key and then enciphers this key by using another key-encrypting key within the secure environment. | X | X | X | X |
| MAC Generate2 | Generates a keyed hash message authentication code (HMAC) or a ciphered message authentication code (CMAC) for the message string that is provided as input. | X | X | X | X |
| MAC Generation | Generates a 4-, 6-, or 8-byte message authentication code (MAC) for a text string that the application program supplies. The MAC can be computed by using either the ANSI X9.9-1 algorithm, the ANSI X9.19 optional double-MAC algorithm, or the EMV padding rules. | X | X | X | X |
| MAC Verification | Verifies a 4-byte, 6-byte, or 8-byte message authentication code (MAC) for a text string that the application program supplies. The MAC is computed by using either the ANSI X9.9-1 algorithm, the ANSI X 9.19 optional double-MAC algorithm, or the EMV padding rules and is compared with a user-supplied MAC. | X | X | X | X |
| MAC Verify2 | Verifies a keyed hash message authentication code (HMAC) or a ciphered message authentication code (CMAC) for the message text that is provided as input. | X | X | X | X |
| MDC Generation | Generates a 128-bit modification detection code (MDC) for a text string that the application program supplies. | X | X | X | X |
| Multiple Clear Key Import | Imports a clear DATA key of one, two, or three parts, enciphers it under the master key, and places the result into an internal key token. | X | X | X | X |
| Multiple Secure Key Import | Enciphers a clear key under the master key or an IMPORTER KEK, and places the result into an internal or external key token as any key type. Permits the import of double-length DATA, MAC, and MACVER keys and triple-length DATA keys. | X | X | X | X |
| PCI Interface | Trusted Key Entry (TKE) workstation interface to the CCA and EP11 coprocessors. | X | X | X | X |
| PIN Change/Unblock | Supports PIN change algorithms that are specified in the VISA Integrated Circuit Card Specifications. | X | X | X | X |
| PKA Decrypt | Decrypts an RSA-encrypted key value and returns it to the application in the clear. | X | X | X | X |
| PKA Encrypt | Encrypts a PKCS 1.2 or ZERO-PAD formatted clear key value under an RSA public key to support Secure Sockets Layer (SSL) applications. | X | X | X | X |
| PKA Key Generate | Generates RSA and ECC keys. | X | X | X | X |
| PKA Key Import | Imports a PKA key token. | X | X | X | X |
| PKA Key Token Change | Changes PKA key tokens (RSA, DSS, and ECC) or trusted block key tokens from encipherment under the cryptographic coprocessor's old RSA master key or ECC master key to encipherment under the current cryptographic coprocessor's RSA master key or ECC master key. | X | X | X | X |
| PKA Key Translate | Translates a source CCA RSA key token into a target external smart card key token. | X | X | X | X |
| Prohibit Export | Modifies an operational key so that it cannot be exported. | X | X | X | X |
| Prohibit Export Extended | Changes the external token of a key in exportable form so that it can be imported at the receiver node, but not exported from that node. | X | X | X | X |
| Public Infrastructure Certificate | Generates a certificate signing request (CSR). | X | X | X | |
| Recover PIN From Offset | Calculates an encrypted customer-entered PIN from a PIN generating key, account information, and an offset, returning the PIN properly formatted and encrypted under a PIN encryption key. | X | X | X | X |
| Remote Key Export | Generates DES keys for local use and for distribution to an ATM or other remote device. | X | X | X | X |
| Restrict Key Attribute | Modifies an operational key so that it cannot be exported. | X | X | X | X |
| Retained Key Delete | Deletes a key that has been retained within a CCA coprocessors. | X | X | X | X |
| Retained Key List | Lists the key labels of keys that have been retained within the CCA coprocessors. | X | X | X | X |
| Secure Key Import | Enciphers a clear key under the master key or an IMPORTER KEK, and places the result into an internal or external key token as any key type. | X | X | X | X |
| Secure Key Import2 | Enciphers a variable-length clear HMAC or AES key under the master key and places the result into an internal key token. | X | X | X | X |
| Secure Messaging for Keys | Encrypts a text block, including a clear key value decrypted from an internal or external DES token. | X | X | X | X |
| Secure Messaging for PINs | Encrypts a text block, including a clear PIN block recovered from an encrypted PIN block. | X | X | X | X |
| SET Block Compose | Decomposes the RSA-OAEP block and the DES-encrypted data block in support of the SET protocol. | X | X | X | X |
| SET Block Decompose | Composes the RSA-OAEP block and the DES-encrypted data block in support of the SET protocol. | X | X | X | X |
| Symmetric Algorithm Decipher | Deciphers data with the AES algorithm in an address space or a data space using the cipher block chaining or electronic code book modes. | X | X | X | X |
| Symmetric Algorithm Encipher | Enciphers data with the AES algorithm in an address space or a data space using the cipher block chaining or electronic code book modes. | X | X | X | X |
| Symmetric Key Export | Transfers an application-supplied symmetric key from encryption under the host master key to encryption under an application-supplied RSA public key or AES EXPORTER key. The application-supplied key must be an internal key token or the label in the CKDS of a DES DATA, AES DATA, or variable-length symmetric key token. | X | X | X | X |
| Symmetric Key Export with Data | Exports a symmetric key encrypted using an RSA key, which is inserted in a PKCS#1 block type 2, with some extra data supplied by the application. | X | X | X | X |
| Symmetric Key Generate | Generates a symmetric (DATA) key and returns it in two forms: encrypted under the DES master key and encrypted under a PKA public key. | X | X | X | X |
| Symmetric Key Import | Imports a symmetric (DATA) key that is enciphered under an RSA public key and enciphers it under the DES master key. | X | X | X | X |
| Symmetric Key Import2 | Imports an HMAC or AES key that is enciphered under an RSA public key or AES EXPORTER key and returns the key in operational form, enciphered under the master key. | X | X | X | X |
| TR-31 Create | Generates an AES, DES, or HMAC key or key pair in X9.143 key blocks. | X | |||
| TR-31 Import | Converts a TR-31 key block to a CCA token. | X | X | X | X |
| TR-31 Translate | Converts a CCA token to TR-31 format for export to another party. | X | X | X | X |
| TR-34 Bind-Begin | Used for operations that take place at the Key Distribution Host (KDH) during TR-34 Protocol Bind related operations. | X | X | X | |
| TR-34 Bind-Complete | Used for operations that take place at the Key Receiving Device (KRD) during TR-34 Protocol Bind related operations. | X | X | X | |
| TR-34 Key Distribution | Used for operations that take place at the Key Distribution Host (KDH) during TR-34 Protocol Key Transport related operations. | X | X | X | |
| TR-34 Key Receive | Used for operations that take place at the Key Receiving Device (KRD) during TR-34 Protocol Key Transport related operations. | X | X | X | |
| Transaction Validation | Supports the generation and validation of American Express card security codes. | X | X | X | X |
| Trusted Block Create | Creates a trusted block under dual control that is in external form, encrypted under an IMP-PKA transport key. | X | X | X | X |
| Unique Key Derive | Derives the following key types:
|
X | X | X | X |
| VISA CVV Generate | Generates a Card Verification Value (CVV) or Card Verification Code (CVC). | X | X | X | X |
| VISA CVV Verify | Verifies a Card Verification Value (CVV) or Card Verification Code (CVC). | X | X | X | X |
PKCS #11 services
PKCS #11 services are services in support of the PKCS #11 API. These services provide some of the functions for the PKCS #11 API and can be called directly.
The ICSF implementation of the PKCS #11 API does not require cryptographic hardware for clear key cryptography. The CP Assist for Cryptographic Functions and CCA coprocessors are used, if available, but are not required.
For secure key cryptography, an active PKCS #11 coprocessor is required. PKCS #11 coprocessors are supported on zEnterprise EC12 and BC12 and later systems with CP Assist for Cryptographic Functions DES/TDES Enablement.
Dilithium key cryptography support is available on IBM z15 or later.
The following PKCS #11 services use a cryptographic accelerator, if available. Accelerators
perform clear, RSA, and Diffie Hellman (DH) operations.
- PKCS #11 Derive key using DH
- PKCS #11 Private Key Sign
- PKCS #11 Public Key Verify
- PKCS #11 Unwrap Key
Table 8 contains a summary of the PKCS #11 callable
services.
Table 9 contains a summary of the services that do not use
cryptography and have no hardware requirement.
| Service name | Function |
|---|---|
| PKCS #11 Derive Key | Generates a new secret key object from an existing key object. |
| PKCS #11 Derive Multiple Keys | Generates multiple secret key objects and protocol-dependent keying material from an existing secret key object. |
| PKCS #11 Generate HMAC | Generates a hashed message authentication code (MAC). |
| PKCS #11 Generate Key Pair | Generates an RSA, DSA, Elliptic Curve, Diffie-Hellman, or Dilithium key pair. |
| PKCS #11 Generate Secret Key | Generates a secret key or set of domain parameters. |
| PKCS #11 Get Attribute Value | Lists the attributes of an object. |
| PKCS #11 One-Way Hash, Sign, or Verify | Generates a one-way hash on specified text, sign specified text, or verify a signature on specified text. |
| PKCS #11 Private Key Sign | Decrypts or signs data by using an RSA private key that uses zero-pad or PKCS #1 1.5 and 2.1 formatting, signs data by using a DSA private key, signs data by using an Elliptic Curve private key in combination with DSA, or signs data by using a Dilithium private key. |
| PKCS #11 Pseudo-Random Function | Generates pseudo-random output of arbitrary length. |
| PKCS #11 Public Key Verify | Encrypts or verifies data by using an RSA public key that uses zero-pad or PKCS #1 1.5 and 2.1 formatting, verifies a signature by using a DSA public key, verifies a signature by using an Elliptic Curve public key in combination with DSA, or verifies a signature by using a Dilithium public key. |
| PKCS #11 Secret Key Decrypt | Deciphers data by using a symmetric key. |
| PKCS #11 Secret Key Encrypt | Enciphers data by using a symmetric key. |
| PKCS #11 Secret Key Reencrypt | Decrypts and re-encrypts data using secure secret keys. |
| PKCS #11 Set Attribute Value | Updates the attributes of an object. |
| PKCS #11 Token Record Create | Initializes or reinitializes a z/OS PKCS #11 token, creates or copies a token object in the token data set, or creates or copies a session object for the current PKCS #11 session. |
| PKCS #11 Token Record Delete | Deletes a z/OS PKCS #11 token, token object or session object. |
| PKCS #11 Token Record List | Obtains a list of z/OS PKCS #11 tokens or a list of token and session objects for a token. |
| PKCS #11 Unwrap Key | Unwraps and creates a key object by using another key. |
| PKCS #11 Verify HMAC | Verifies a hash message authentication code (MAC). |
| PKCS #11 Wrap Key | Wraps a key with another key. |
| Service name | Function |
|---|---|
| Key Data Set List (CSFKDSL) | Generates a list of TKDS objects that match a search criteria. |
| Key Data Set Metadata Read (CSFKDMR) | Reads the metadata of a TKDS record. |
| Key Data Set Metadata Write (CSFKDMW) | Changes the metadata of a set of TKDS records. The in-store copy and the DASD copy are updated. |