Specifying FIPS 140-2 compliance from within a z/OS PKCS #11 application

When running in FIPS compatibility mode or FIPS no enforcement mode, a PKCS #11 application can, when creating a key, specify that generation and subsequent use of the key must adhere to FIPS 140-2 restrictions. The application does this by setting the Boolean attribute CKA_IBM_FIPS140 to TRUE when creating the key. The FIPS 140-2 restrictions (as outlined in Table 3) are then enforced for that key regardless of any specifications made at the token level using FIPSEXEMPT.token-label resource profiles.

If the FIPSMODE(YES, FAIL(fail-option)) installation option is specified, indicating that FIPS 140-2 compliance is required of all applications, setting the Boolean attribute CKA_IBM_FIPS140 to TRUE is redundant and does not result in an error.
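The following added example (not IBM sample code) shows a key-creation template that carries CKA_IBM_FIPS140 set to TRUE, together with a pre-flight check an application can run before it creates a key. The function names are hypothetical, the type and constant stand-ins exist only so the code compiles off-platform, and the numeric value given to CKA_IBM_FIPS140 is a placeholder for the value defined in the z/OS PKCS #11 header.

```c
#include <stddef.h>
/* Stand-ins so this compiles off-platform; on z/OS include <csnpdefs.h>
   instead and delete this section. Standard PKCS #11 values are used,
   except CKA_IBM_FIPS140, whose value here is a PLACEHOLDER. */
typedef unsigned long CK_ULONG;
typedef unsigned char CK_BBOOL;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
#define CK_TRUE            1
#define CK_FALSE           0
#define CKA_CLASS          0x00000000UL
#define CKA_KEY_TYPE       0x00000100UL
#define CKA_VALUE_LEN      0x00000161UL
#define CKA_VENDOR_DEFINED 0x80000000UL
#define CKO_SECRET_KEY     0x00000004UL
#define CKK_AES            0x0000001FUL
#define CKA_IBM_FIPS140    (CKA_VENDOR_DEFINED + 0xFFFFUL) /* placeholder */

/* Attribute values must outlive the template that points at them. */
static CK_ULONG key_class = CKO_SECRET_KEY, key_type = CKK_AES, key_len = 32;
static CK_BBOOL fips_required = CK_TRUE;

/* Fill an AES-256 secret-key template that asks for FIPS 140-2 enforcement
   on this key; returns the attribute count to pass to C_GenerateKey. */
CK_ULONG build_fips_aes_template(CK_ATTRIBUTE tmpl[4]) {
    tmpl[0] = (CK_ATTRIBUTE){ CKA_CLASS, &key_class, sizeof key_class };
    tmpl[1] = (CK_ATTRIBUTE){ CKA_KEY_TYPE, &key_type, sizeof key_type };
    tmpl[2] = (CK_ATTRIBUTE){ CKA_VALUE_LEN, &key_len, sizeof key_len };
    tmpl[3] = (CK_ATTRIBUTE){ CKA_IBM_FIPS140, &fips_required, sizeof fips_required };
    return 4;
}

/* Pre-flight guard: 1 only if the template carries CKA_IBM_FIPS140 = TRUE
   as a well-formed CK_BBOOL; 0 if it is absent, FALSE or malformed. */
int template_requests_fips(const CK_ATTRIBUTE *tmpl, CK_ULONG count) {
    for (CK_ULONG i = 0; i < count; i++) {
        if (tmpl[i].type != CKA_IBM_FIPS140) continue;
        if (tmpl[i].pValue == NULL || tmpl[i].ulValueLen != sizeof(CK_BBOOL)) return 0;
        return *(const CK_BBOOL *)tmpl[i].pValue == CK_TRUE;
    }
    return 0;
}

int main(void) {
    CK_ATTRIBUTE tmpl[4];
    CK_ULONG n = build_fips_aes_template(tmpl);
    /* On z/OS: C_GenerateKey(hSession, &mechanism, tmpl, n, &hKey) goes here. */
    return template_requests_fips(tmpl, n) ? 0 : 1;
}
```

Running the guard on every key-creation template keeps per-key enforcement from depending on how the token's FIPSEXEMPT.token-label profile happens to be set.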