The Symmetric Key Encipher (CSNBSYE, CSNBSYE1, CSNESYE and CSNESYE1)
and Symmetric Key Decipher (CSNBSYD, CSNBSYD1, CSNESYD and CSNESYD1)
callable services exploit CP Assist for Cryptographic Functions (CPACF)
for improved key management performance.
An encrypted DATA key
stored in the CKDS can be used in these services, but only when SYMCPACFWRAP(YES)
is specified in the ICSF segment of the CSFKEYS class profile that
covers the key. ICSF writes an SMF record of subtype 28 at the completion of
functions that attempt to wrap an encrypted key under the CPACF wrapping
key. The subtype 28 record indicates whether the rewrapping operation is:
- Permitted for this symmetric key
- Not permitted for this symmetric key
SMF records for this subtype will also contain server user and
end user audit sections.
For more information about protected-key CPACF, see z/OS Cryptographic Services ICSF Overview.