z/OS Cryptographic Services ICSF Application Programmer's Guide


Parameters

SA22-7522-16

return_code
Direction: Output
Type: Integer

The return code specifies the general result of the callable service. Appendix A. ICSF and TSS Return and Reason Codes lists the return codes.

reason_code
Direction: Output
Type: Integer

The reason code specifies the result of the callable service that is returned to the application program. Each return code has different reason codes assigned to it that indicate specific processing problems. Appendix A. ICSF and TSS Return and Reason Codes lists the reason codes.

exit_data_length
Direction: Input/Output
Type: Integer

The length of the data that is passed to the installation exit. The length can be from X'00000000' to X'7FFFFFFF' (2 gigabytes). The data is identified in the exit_data parameter.

exit_data
Direction: Input/Output
Type: String

The data that is passed to the installation exit.

rule_array_count
Direction: Input
Type: Integer

The number of keywords you supplied in the rule_array parameter. The value can be 0 to 4. If you specify 0, the callable service does not perform either notarization or offset.

rule_array
Direction: Input
Type: String

Zero to four keywords that provide control information to the callable service. See the list of keywords in Table 284. The keywords must be in 8 to 32 bytes of contiguous storage. Left-justify each keyword in its own 8-byte location and pad on the right with blanks. You must specify this parameter even if you specify no keyword.

Table 284. Keywords for ANSI X9.17 Key Export Rule Array

Keyword    Meaning

Notarization and Offset Rule (optional with no defaults)
CPLT-NOT   Complete ANSI X9.17 notarization using the value obtained from the outbound_KEK_count parameter. The transport key that the transport_key_identifier specifies must be partially notarized.
NOTARIZE   Perform notarization processing using the values obtained from the origin_identifier, destination_identifier, and outbound_KEK_count parameters.
OFFSET     Perform ANSI X9.17 key offset processing using the origin counter value obtained from the outbound_KEK_count parameter.

Parity Rule (optional)
ENFORCE    Stop processing if any source keys do not have odd parity. This is the default value.
IGNORE     Ignore the parity of the source key.

Source Key Rule (optional)
CCA-EXP    Export a CCA EXPORTER KEK. Requires NOCV keys to be enabled.
CCA-IMP    Export a CCA IMPORTER KEK. Requires NOCV keys to be enabled.
1-KD       Export one DATA key. This is the default parameter.
1-KD+KK    Export one DATA key and a single-length AKEK.
1-KD+*KK   Export one DATA key and a double-length AKEK.
2-KD       Export two DATA keys.
2-KD+KK    Export two DATA keys and a single-length AKEK.
2-KD+*KK   Export two DATA keys and a double-length AKEK.

Data Key Offset Value (optional)
CKT        Valid only when a key-encrypting key is being exported along with a DATA key. If this keyword is specified, any DATA keys being exported are encrypted under the key-encrypting key using an offset value of 0. If this keyword is not specified (this is the default), any DATA keys being exported are encrypted under the key-encrypting key using an offset value of 1. The CKT keyword is not valid with CCA-IMP or CCA-EXP keywords.

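
The rule_array layout and the keyword constraints of Table 284, as an added C example that is not part of the IBM documentation and does not call ICSF. The name build_rule_array, the RA_* codes and the sample keyword list are chosen here for illustration; the CKT check reads "exported along with a DATA key" as requiring one of the +KK source key rules.

```c
#include <stdio.h>
#include <string.h>

/* Keyword groups from Table 284: at most one keyword per group. */
enum { G_NOTAR, G_PARITY, G_SOURCE, G_CKT, G_COUNT };
static const struct { const char *kw; int group; } KEYWORDS[] = {
    {"CPLT-NOT", G_NOTAR}, {"NOTARIZE", G_NOTAR}, {"OFFSET", G_NOTAR},
    {"ENFORCE", G_PARITY}, {"IGNORE", G_PARITY},
    {"CCA-EXP", G_SOURCE}, {"CCA-IMP", G_SOURCE}, {"1-KD", G_SOURCE},
    {"1-KD+KK", G_SOURCE}, {"1-KD+*KK", G_SOURCE}, {"2-KD", G_SOURCE},
    {"2-KD+KK", G_SOURCE}, {"2-KD+*KK", G_SOURCE}, {"CKT", G_CKT},
};

/* Codes local to this example, not ICSF return or reason codes. */
enum { RA_OK = 0, RA_BAD_COUNT = -1, RA_UNKNOWN = -2, RA_DUP_GROUP = -3, RA_BAD_CKT = -4 };

/* Validate the keywords and lay them out in 8-byte, blank-padded slots.
 * out is always 32 bytes: the parameter is required even with no keyword. */
int build_rule_array(const char *const kw[], int count, char out[32])
{
    const char *chosen[G_COUNT] = {0};
    if (count < 0 || count > 4) return RA_BAD_COUNT;
    memset(out, ' ', 32);
    for (int i = 0; i < count; i++) {
        int g = -1;
        for (size_t k = 0; k < sizeof KEYWORDS / sizeof KEYWORDS[0]; k++)
            if (strcmp(kw[i], KEYWORDS[k].kw) == 0) g = KEYWORDS[k].group;
        if (g < 0) return RA_UNKNOWN;
        if (chosen[g]) return RA_DUP_GROUP;
        chosen[g] = kw[i];
        memcpy(out + 8 * i, kw[i], strlen(kw[i]));  /* left-justified, no NUL */
    }
    /* CKT needs a KEK exported with a DATA key: rejects CCA-IMP, CCA-EXP,
     * the DATA-only rules and the 1-KD default (no source key keyword). */
    if (chosen[G_CKT] && (!chosen[G_SOURCE] || !strstr(chosen[G_SOURCE], "KK")))
        return RA_BAD_CKT;
    return RA_OK;
}

int main(void)
{
    const char *kw[] = {"NOTARIZE", "IGNORE", "2-KD+KK", "CKT"};  /* constructed input */
    char ra[32];
    int rc = build_rule_array(kw, 4, ra);
    printf("rc=%d rule_array=[%.32s]\n", rc, ra);
    return rc != RA_OK;
}
```

Pass the number of keywords actually supplied as rule_array_count alongside the 32-byte buffer.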
origin_identifier
Direction: Input
Type: String

This parameter is valid if the NOTARIZE keyword is specified. It specifies an area that contains a 16-byte string that contains the origin identifier that is defined in the ANSI X9.17 standard. The string must be ASCII characters, left-justified, and padded on the right by space characters. This parameter must contain a minimum of four non-space characters. ICSF ignores this parameter if you specify the OFFSET or CPLT-NOT keyword in the rule_array parameter.

destination_identifier
Direction: Input
Type: String

This parameter is valid if the NOTARIZE keyword is specified. It specifies an area that contains a 16-byte string. The 16-byte string contains the destination identifier that is defined in the ANSI X9.17 standard. The string must be ASCII characters, left-justified, and padded on the right by space characters. This parameter must contain a minimum of four non-space characters. ICSF ignores this parameter if you specify the OFFSET or CPLT-NOT keyword in the rule_array parameter.

source_data_key_1_identifier
Direction: Input/Output
Type: String

A 64-byte area that contains an internal token, or the label of a CKDS entry that contains a DATA key. ICSF ignores this field if you specify CCA-EXP or CCA-IMP in the rule_array parameter.

source_data_key_2_identifier
Direction: Input/Output
Type: String

A 64-byte area that contains an internal token, or the label of a CKDS entry that contains a DATA key. This parameter is valid only if you specify 2-KD, 2-KD+KK, or 2-KD+*KK as the source key rule keyword on the rule_array parameter. ICSF ignores this parameter if you specify other source key rule keywords, or if you specify CCA-EXP or CCA-IMP in the rule_array parameter.

source_key_encrypting_key_identifier
Direction: Input/Output
Type: String

A 64-byte area that contains an internal token, or the label of a CKDS entry that contains either an AKEK, a CCA IMPORTER, or a CCA EXPORTER key. If this parameter contains an AKEK, you must specify 1-KD+KK, 2-KD+KK, 1-KD+*KK, or 2-KD+*KK for the source key rule on the rule_array parameter. If this parameter contains a CCA IMPORTER or CCA EXPORTER key, you must specify CCA-IMP or CCA-EXP, respectively, for the source key rule on the rule_array parameter. ICSF ignores this field if you specify any other source key rule keywords.

transport_key_identifier
Direction: Input/Output
Type: String

A 64-byte area that contains either an internal token or a label that refers to an internal token for an AKEK.

outbound_KEK_count
Direction: Input
Type: String

An 8-byte area that contains an ASCII count that is used in the notarization process. The count is an ASCII character string, left-justified, and padded on the right by ASCII space characters. ICSF interprets a single ASCII space character as a zero counter. The maximum value is 99999999.
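
The origin_identifier, destination_identifier and outbound_KEK_count field formats, as an added C example that is not part of the IBM documentation and does not call ICSF. The function names and sample values are hypothetical. It assumes an ASCII execution character set (a program compiled for EBCDIC would have to convert these fields to ASCII before the call), printable identifier characters and a decimal counter.

```c
#include <stdio.h>
#include <string.h>

/* 16-byte identifier: ASCII, left-justified, space-padded, and at least
 * four non-space characters. Returns 0 on success, -1 on a rule violation. */
int format_identifier(const char *id, char out[16])
{
    size_t n = strlen(id), nonspace = 0;
    if (n > 16 || id[0] == ' ') return -1;      /* too long or not left-justified */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)id[i];
        if (c < 0x20 || c > 0x7e) return -1;    /* printable ASCII only (assumption) */
        if (c != ' ') nonspace++;
    }
    if (nonspace < 4) return -1;
    memset(out, ' ', 16);
    memcpy(out, id, n);
    return 0;
}

/* 8-byte counter: decimal ASCII digits (assumed), left-justified, space-padded. */
int format_kek_count(unsigned long count, char out[8])
{
    char tmp[24];
    if (count > 99999999UL) return -1;          /* documented maximum */
    snprintf(tmp, sizeof tmp, "%-8lu", count);
    memcpy(out, tmp, 8);
    return 0;
}

/* Fill the fields that one notarization keyword reads. NOTARIZE reads all
 * three; OFFSET and CPLT-NOT read only the count, so the identifiers,
 * which ICSF ignores for those keywords, are left blank. */
int prepare_notarization(const char *rule, const char *origin, const char *dest,
                         unsigned long count, char o[16], char d[16], char c[8])
{
    memset(o, ' ', 16);
    memset(d, ' ', 16);
    if (strcmp(rule, "NOTARIZE") == 0) {
        if (format_identifier(origin, o) || format_identifier(dest, d)) return -1;
    } else if (strcmp(rule, "OFFSET") != 0 && strcmp(rule, "CPLT-NOT") != 0) {
        return -1;                              /* not a notarization or offset keyword */
    }
    return format_kek_count(count, c);
}
```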

target_data_key_1
Direction: Output
Type: String

A 16-byte area where the exported data key 1 is returned. The enciphered key is an ASCII-encoded hexadecimal string.

target_data_key_2
Direction: Output
Type: String

A 16-byte area where the exported data key 2 is returned. The enciphered key is an ASCII-encoded hexadecimal string. This key is returned if 2-KD, 2-KD+KK, or 2-KD+*KK is specified in the rule_array parameter.

target_key_encrypting_key
Direction: Output
Type: String

If the rule_array parameter specifies 1-KD+KK, 2-KD+KK, 1-KD+*KK, or 2-KD+*KK, this parameter specifies a 32-byte area that contains the exported AKEK. If the rule_array parameter specifies CCA-IMP or CCA-EXP, this parameter specifies a 32-byte area that contains the exported key-encrypting key (KEK). The enciphered key is an ASCII-encoded hexadecimal string. If the rule_array parameter specifies 1-KD+KK or 2-KD+KK, the 16-byte ASCII-encoded output is left-justified in the field and the rest of the field remains unchanged.

MAC_key_token
Direction: Output
Type: String

A 64-byte area that contains an internal token for a MAC key that is intended for use in the MAC generation or MAC verification process. This field is the EXCLUSIVE OR of the two supplied DATA keys when the source key rule in the rule_array parameter specifies 2-KD, 2-KD+KK, or 2-KD+*KK. When the source key rule specifies 1-KD, the DATA key is converted to a MAC key and returned as an internal token in this field.





Copyright IBM Corporation 1990, 2014