The Symmetric Key Encipher and Symmetric Key Decipher callable services exploit CP Assist for Cryptographic Functions (CPACF) for improved performance. These services accept AES and DES clear key values and clear key tokens for the key identifier. These services have been enhanced to support encrypted AES and DES key tokens. This support requires the Crypto Express3 Feature. The encrypted key tokens must be stored in the CKDS and have a CSFKEYS profile with the ICSF segment.
Rewrapping the encrypted key using the CPACF wrapping key is necessary in order to use an encrypted key as input to the Symmetric Key Encipher or Symmetric Key Decipher callable services. You should be aware, however, that although the rewrapping operation ensures that no key is visible in application or system storage, the operation also requires the key to exist in the clear outside of the tamper-resistant hardware boundary. If your installation requires that a particular encrypted key must never exist outside of the tamper-resistant hardware boundary, do not use the SYMCPACFWRAP(YES) specification in a CSFKEYS profile that covers the key.
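For example, the following commands set SYMCPACFWRAP(YES) in the ICSF segment of the CSFKEYS profile DES.CHAOS.CAT and then refresh the CSFKEYS class:
RALTER CSFKEYS DES.CHAOS.CAT ICSF(SYMCPACFWRAP(YES))
SETROPTS RACLIST(CSFKEYS) REFRESH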
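
The caveat above matters most when a generic profile covers many key labels. The following RACF commands are an added example, not part of the original page; the profile names DES.CHAOS.* and DES.CHAOS.VAULT are hypothetical, and the example assumes generic profiles are in use for the CSFKEYS class. It shows the broad setting beside a more specific profile that keeps one sensitive key out of CPACF rewrapping, followed by a check of the result.

```tso
/* Hypothetical profiles: DES.CHAOS.* (generic), DES.CHAOS.VAULT (discrete). */

/* Too broad for DES.CHAOS.VAULT: the generic profile permits           */
/* rewrapping for every key label it covers.                            */
RALTER CSFKEYS DES.CHAOS.* ICSF(SYMCPACFWRAP(YES))

/* Corrected: a discrete profile for the sensitive label, with          */
/* rewrapping explicitly disabled, then refresh the class.              */
RDEFINE CSFKEYS DES.CHAOS.VAULT UACC(NONE) ICSF(SYMCPACFWRAP(NO))
SETROPTS RACLIST(CSFKEYS) REFRESH

/* Check: display only the ICSF segment of the profile.                 */
RLIST CSFKEYS DES.CHAOS.VAULT ICSF NORACF
```

Once the discrete profile exists, it governs access to that key label, so it needs its own access list; permissions granted on the generic profile no longer apply to it.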