z/OS Cryptographic Services ICSF Application Programmer's Guide
Previous topic | Next topic | Contents | Index | Contact z/OS | Library | PDF


Usage Notes

z/OS Cryptographic Services ICSF Application Programmer's Guide
SA22-7522-16

SAF may be invoked to verify the caller is authorized to use this callable service, the key label, or internal secure key tokens that are stored in the CKDS or PKDS.

Use of the Visa-PVV PIN-calculation method will always output four digits rather than padding the output with binary zeros to the length of the PIN.

On CCF systems, to use an IPINENC key, you must install the NOCV-enablement keys in the CKDS.

This table lists the PIN block variant constants (PBVC) to use.

Note:
PBVC is supported for compatibility with prior releases of OS/390 ICSF and existing ICSF applications. If PBVC is specified in the format control parameter of the PIN profile, the Clear PIN Generate Alternate service will not be routed to a PCI Cryptographic Coprocessor for processing. This means that only control vectors and extraction methods valid for the Cryptographic Coprocessor Feature may be used if PBVC formatting is desired. It is recommended that a format control of NONE be used for maximum flexibility.

Restriction: PBVC is supported only on an IBM zSeries 900.

Table 180. PIN Block Variant Constants (PBVCs)
PIN Format NamePIN Block Variant Constant (PBVC)
ECI-2X'00000000000093000000000000009300'
ECI-3X'00000000000095000000000000009500'
ISO-0X'00000000000088000000000000008800'
ISO-1X'0000000000008B000000000000008B00'
VISA-2X'0000000000008D000000000000008D00'
VISA-3X'0000000000008E000000000000008E00'
VISA-4X'00000000000090000000000000009000'
3621X'00000000000084000000000000008400'
3624X'00000000000082000000000000008200'
4704-EPPX'00000000000087000000000000008700'

This table shows the access control points in the ICSF role that control the function of this service.

Table 181. Required access control points for Clear PIN Generate Alternate
Rule array keywordsAccess control point
IBM-PINOClear PIN Generate Alternate - 3624 Offset
VISA-PVVClear PIN Generate Alternate - VISA PVV

If the ANSI X9.8 PIN - Use stored decimalization tables only access control point is enabled in the ICSF role, any decimalization table specified must match one of the active decimalization tables in the coprocessors.

This table lists the required cryptographic hardware for each server type and describes restrictions for this callable service.

Table 182. Clear PIN generate alternate required hardware
ServerRequired cryptographic hardwareRestrictions
IBM eServer zSeries 900Cryptographic Coprocessor FeatureIf PBVC is specified for format control, the request will be routed to a Cryptographic Coprocessor Feature.

ICSF routes the request to a PCI Cryptographic Coprocessor if:

  • The PIN_encryption_key_identifier identifies a key which does not have the default PIN encrypting control vector (either IPINENC or OPINENC).
  • IBM-PINO PIN calculation method is specified.
  • Anything is specified other than the default in the PIN extraction method keyword for the given PIN block format in rule_array.
IBM eServer zSeries 990

IBM eServer zSeries 890

PCI X Cryptographic Coprocessor

Crypto Express2 Coprocessor

Format control in the PIN profile parameter must specify NONE.
IBM System z9 EC

IBM System z9 BC

Crypto Express2 CoprocessorFormat control in the PIN profile parameter must specify NONE.

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014