Algorithm (one keyword, optional) |
AES | The key being generated is a secure
AES key. | AES |
DES | The key being generated is a DES
key. This is the default. | DES |
Key formatting method (one keyword required) |
PKA92 | Specifies the key-encrypting key
is to be encrypted under a PKA96 RSA public key according to the PKA92
formatting structure. | DES |
PKCSOAEP | Specifies using the method found
in RSA DSI PKCS #1V2 OAEP. The default hash method is
SHA-1. Use the SHA-256 keyword for the SHA-256
hash method. | AES or DES |
PKCS-1.2 | Specifies the method found in RSA
DSI PKCS #1 block type 02. | AES or DES |
ZERO-PAD | The clear key is right-justified
in the field provided, and the field is padded to the left with zeros
up to the size of the RSA encryption block (which is the modulus length). | AES or DES |
Key Length (optional - for use with PKA92) |
SINGLE-R | For key-encrypting keys, this specifies
that the left half and right half of the generated key will have identical
values. This makes the key operate identically to a single-length
key with the same value. Without this keyword, the left and right
halves of the key-encrypting key will each be generated randomly and
independently. | DES |
Key Length (optional - for use with PKCSOAEP,
PKCS-1.2, or ZERO-PAD) |
SINGLE, KEYLN8 | Specifies that the generated key
should be 8 bytes in length. | DES |
DOUBLE | Specifies that the generated key
should be 16 bytes in length. | DES |
KEYLN16 | Specifies that the generated key
should be 16 bytes in length. | AES or DES |
KEYLN24 | Specifies that the generated key
should be 24 bytes in length. | AES or DES |
KEYLN32 | Specifies that the generated key
should be 32 bytes in length. | AES |
Encipherment method for the local enciphered copy
of the key (optional - for use with PKCSOAEP, PKCS-1.2, or ZERO-PAD |
OP | Enciphers the key with the master
key. The DES master key is used with DES keys and the AES master key
is used with AES keys. | AES or DES |
EX | Enciphers the key with the EXPORTER
key that is provided through the key_encrypting_key_identifier parameter. | DES |
IM | Enciphers the key with the IMPORTER
key-encrypting key specified with the key_encrypting_key_identifier parameter. | DES |
Key Wrapping
Method (optional) |
USECONFG | Specifies that the system default configuration
should be used to determine the wrapping method. This is the default
keyword.
The system default key wrapping method can be specified
using the DEFAULTWRAP parameter in the installation options data set.
See the z/OS Cryptographic Services ICSF System Programmer’s Guide. | AES and DES |
WRAP-ENH | Use enhanced key wrapping method, which is compliant
with the ANSI X9.24 standard. | DES |
WRAP-ECB | Use original key wrapping method, which uses
ECB wrapping for DES key tokens and CBC wrapping for AES key tokens. | AES or DES |
Translation
Control (optional) |
ENH-ONLY | Restrict rewrapping of the target_key_identifier token.
Once the token has been wrapped with the enhanced method, it cannot
be rewrapped using the original method. | DES |
Hash Method
(optional - only valid with PKCSOAEP) |
SHA-1 | Specifies to use the SHA-1 hash method to calculate
the OAEP message hash. This is the default. | AES or DES |
SHA-256 | Specifies to use the SHA-256 hash method to
calculate the OAEP message hash. | AES or DES |