DES key wrapping

ICSF wraps the key value in a DES key token using one of two possible methods:

The original method of DES key wrapping has been used by ICSF since its initial release. Using this original key wrapping method, the key value in DES tokens are encrypted using triple DES encryption, and key parts are encrypted separately.
The enhanced method of symmetric key wrapping, introduced in HCR7780, is designed to be ANSI X9.24 compliant. Using the enhanced method, the key value for keys is bundled with other token data and encrypted using triple DES encryption and cipher block chaining mode. The enhanced method is available on z196, z144, and later servers with a CEX3 or later coprocessor with the November 2010 or later licensed internal code.

Using the DEFAULTWRAP keyword in the installation options data set, you can specify the default wrapping method that ICSF will use for internal key tokens and external key tokens. The default wrapping method for internal key tokens and the default wrapping method for external key tokens are independent to each other and are specified separately. If the installation options data set does not contain the DEFAULTWRAP keyword, the original method of symmetric key wrapping will be the default key wrapping method for both internal and external key tokens. See z/OS Cryptographic Services ICSF System Programmer's Guide for information on the installation options data set and the DEFAULTWRAP keyword.

If you are sharing a CKDS with a release of ICSF that does not support the enhanced wrapping method (HCR7770 and earlier), you should use the original wrapping method until all systems sharing the CKDS support the enhanced wrapping method.

A CKDS conversion utility, CSFCNV2, enables you to convert all tokens in the CKDS to use either the original or the enhanced wrapping method. See Rewrapping DES key token values in the CKDS using the utility program CSFCNV2 for more information.