- return_code
-
Direction: Output | Type: Integer |
The return code specifies the general result of the callable
service. Appendix A. ICSF and TSS Return and Reason Codes lists the return codes.
- reason_code
-
Direction: Output | Type: Integer |
The reason code specifies the result of the callable service
that is returned to the application program. Each return code has
different reason codes assigned to it that indicate specific processing
problems. Appendix A. ICSF and TSS Return and Reason Codes lists the reason codes.
- exit_data_length
-
Direction: Input/Output | Type: Integer |
The length of the data that is passed to the installation
exit. The length can be from X'00000000' to X'7FFFFFFF' (2
gigabytes). The data is identified in the exit_data parameter.
- exit_data
-
Direction: Input/Output | Type: String |
The data that is passed to the installation exit.
- rule_array_count
-
Direction: Input | Type: Integer |
The number of keywords you supplied in the rule_array parameter.
The value can be 0 to 4. If you specify 0, the callable service does
not perform either notarization or offset.
- rule_array
-
Direction: Input | Type: String |
Zero to four keywords that provide control information
to the callable service. See the list of keywords in Table 284.
The keywords must be in 8 to 32 bytes of contiguous storage. Left-justify
each keyword in its own 8-byte location and pad on the right with
blanks. You must specify this parameter even if you specify no keyword.
Table 284. Keywords for ANSI X9.17 Key Export Rule Array

| Keyword | Meaning |
|---|---|
| Notarization and Offset Rule (optional with no defaults) | |
| CPLT-NOT | Complete ANSI X9.17 notarization using the value obtained from the outbound_KEK_count parameter. The transport key that the transport_key_identifier specifies must be partially notarized. |
| NOTARIZE | Perform notarization processing using the values obtained from the origin_identifier, destination_identifier, and outbound_KEK_count parameters. |
| OFFSET | Perform ANSI X9.17 key offset processing using the origin counter value obtained from the outbound_KEK_count parameter. |
| Parity Rule (optional) | |
| ENFORCE | Stop processing if any source keys do not have odd parity. This is the default value. |
| IGNORE | Ignore the parity of the source key. |
| Source Key Rule (optional) | |
| CCA-EXP | Export a CCA EXPORTER KEK. Requires NOCV keys to be enabled. |
| CCA-IMP | Export a CCA IMPORTER KEK. Requires NOCV keys to be enabled. |
| 1-KD | Export one DATA key. This is the default parameter. |
| 1-KD+KK | Export one DATA key and a single-length AKEK. |
| 1-KD+*KK | Export one DATA key and a double-length AKEK. |
| 2-KD | Export two DATA keys. |
| 2-KD+KK | Export two DATA keys and a single-length AKEK. |
| 2-KD+*KK | Export two DATA keys and a double-length AKEK. |
| Data Key Offset Value (optional) | |
| CKT | Valid only when a key-encrypting key is being exported along with a DATA key. If this keyword is specified, any DATA keys being exported are encrypted under the key-encrypting key using an offset value of 0. If this keyword is not specified (this is the default), any DATA keys being exported are encrypted under the key-encrypting key using an offset value of 1. The CKT keyword is not valid with CCA-IMP or CCA-EXP keywords. |
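The following added example (not IBM code) packs and checks a rule_array before the service is called, so that an invalid keyword combination is caught in the application rather than surfacing as a reason code. The function name and negative error codes are hypothetical, and the one-keyword-per-group check is an assumption drawn from the four groups in Table 284 and the 0-to-4 count.

```c
#include <string.h>

/* Keyword groups from Table 284. Assumption: at most one keyword per group. */
enum { G_NOTAR, G_PARITY, G_SOURCE, G_CKT, G_COUNT };
static const struct { const char *kw; int group; } KEYWORDS[] = {
    {"CPLT-NOT", G_NOTAR}, {"NOTARIZE", G_NOTAR}, {"OFFSET", G_NOTAR},
    {"ENFORCE", G_PARITY}, {"IGNORE", G_PARITY},
    {"CCA-EXP", G_SOURCE}, {"CCA-IMP", G_SOURCE}, {"1-KD", G_SOURCE},
    {"1-KD+KK", G_SOURCE}, {"1-KD+*KK", G_SOURCE}, {"2-KD", G_SOURCE},
    {"2-KD+KK", G_SOURCE}, {"2-KD+*KK", G_SOURCE}, {"CKT", G_CKT},
};

/* Packs keywords into out (32 bytes): 8 bytes each, left-justified, padded
 * on the right with blanks. Returns rule_array_count (0..4), or a negative
 * code local to this example when the combination is rejected. */
int build_rule_array(const char *const *kws, int n, char out[32])
{
    const char *chosen[G_COUNT] = {0};
    if (n < 0 || n > 4) return -1;               /* count must be 0 to 4 */
    memset(out, ' ', 32);
    for (int i = 0; i < n; i++) {
        int g = -1;
        for (size_t k = 0; k < sizeof KEYWORDS / sizeof KEYWORDS[0]; k++)
            if (strcmp(kws[i], KEYWORDS[k].kw) == 0) g = KEYWORDS[k].group;
        if (g < 0) return -2;                    /* keyword not in Table 284 */
        if (chosen[g]) return -3;                /* two keywords from one group */
        chosen[g] = kws[i];
        memcpy(out + 8 * i, kws[i], strlen(kws[i]));
    }
    if (chosen[G_CKT]) {
        /* With no source key rule the default, 1-KD, applies. */
        const char *src = chosen[G_SOURCE] ? chosen[G_SOURCE] : "1-KD";
        /* CKT requires an AKEK exported with the DATA key, i.e. a "+KK" or
         * "+*KK" rule; this also rejects CCA-IMP and CCA-EXP. */
        if (strchr(src, '+') == NULL) return -4;
    }
    return n;
}
```
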
- origin_identifier
-
Direction: Input | Type: String |
This parameter is valid if the NOTARIZE keyword is specified.
It specifies an area that contains a 16-byte string that contains
the origin identifier that is defined in the ANSI X9.17 standard.
The string must be ASCII characters, left-justified, and padded on
the right by space characters. This parameter must contain a minimum of
four non-space characters. ICSF ignores this parameter if you specify
the OFFSET or CPLT-NOT keyword in the rule_array parameter.
- destination_identifier
-
Direction: Input | Type: String |
This parameter is valid if the NOTARIZE keyword is specified.
It specifies an area that contains a 16-byte string. The 16-byte string
contains the destination identifier that is defined in the ANSI X9.17
standard. The string must be ASCII characters, left-justified, and
padded on the right by space characters. This parameter must contain a
minimum of four non-space characters. ICSF ignores this parameter
if you specify the OFFSET or CPLT-NOT keyword in the rule_array parameter.
- source_data_key_1_identifier
-
Direction: Input/Output | Type: String |
A 64-byte area that contains an internal token, or the
label of a CKDS entry that contains a DATA key. ICSF ignores this
field if you specify CCA-EXP or CCA-IMP in the rule_array parameter.
- source_data_key_2_identifier
-
Direction: Input/Output | Type: String |
A 64-byte area that contains an internal token, or the
label of a CKDS entry that contains a DATA key. This parameter is
valid only if you specify 2-KD, 2-KD+KK, or 2-KD+*KK as the source
key rule keyword on the rule_array parameter. ICSF ignores
this parameter if you specify other source key rule keywords, or if
you specify CCA-EXP or CCA-IMP in the rule_array parameter.
- source_key_encrypting_key_identifier
-
Direction: Input/Output | Type: String |
A 64-byte area that contains an internal token, or the
label of a CKDS entry that contains either an AKEK, a CCA IMPORTER,
or a CCA EXPORTER key. If this parameter contains an AKEK, you must
specify 1-KD+KK, 2-KD+KK, 1-KD+*KK, or 2-KD+*KK for the source key
rule on the rule_array parameter. If this parameter contains
a CCA IMPORTER or CCA EXPORTER key, you must specify CCA-IMP or CCA-EXP,
respectively, for the source key rule on the rule_array parameter. ICSF ignores
this field if you specify any other source key rule keywords.
- transport_key_identifier
-
Direction: Input/Output | Type: String |
A 64-byte area that contains either an internal token or
a label that refers to an internal token for an AKEK.
- outbound_KEK_count
-
Direction: Input | Type: String |
An 8-byte area that contains an ASCII count that is used
in the notarization process. The count is an ASCII character string,
left-justified, and padded on the right by ASCII space characters. ICSF interprets
a single ASCII space character as a zero counter. The maximum value
is 99999999.
- target_data_key_1
-
Direction: Output | Type: String |
A 16-byte area where the exported data key 1 is returned.
The enciphered key is an ASCII-encoded hexadecimal string.
- target_data_key_2
-
Direction: Output | Type: String |
A 16-byte area where the exported data key 2 is returned.
The enciphered key is an ASCII-encoded hexadecimal string. This key
is returned if 2-KD, 2-KD+KK, or 2-KD+*KK is specified in the rule_array parameter.
- target_key_encrypting_key
-
Direction: Output | Type: String |
If the rule_array parameter specifies 1-KD+KK,
2-KD+KK, 1-KD+*KK, or 2-KD+*KK, this parameter specifies a 32-byte
area that contains the exported AKEK. If the rule_array parameter
specifies CCA-IMP or CCA-EXP, this parameter specifies a 32-byte area
that contains the exported key-encrypting key (KEK). The enciphered
key is an ASCII-encoded hexadecimal string. If the rule_array parameter
specifies 1-KD+KK or 2-KD+KK, the 16-byte ASCII-encoded output is
left-justified in the field and the rest of the field remains unchanged.
- MAC_key_token
-
Direction: Output | Type: String |
A 64-byte area that contains an internal token for a MAC
key that is intended for use in the MAC generation or MAC verification
process. This field is the EXCLUSIVE OR of the two supplied DATA keys
when the source key rule in the rule_array parameter specifies
2-KD, 2-KD+KK, or 2-KD+*KK. When the source key rule specifies 1-KD,
the DATA key is converted to a MAC key and returned as an internal
token in this field.
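The fixed-width ASCII fields described for origin_identifier, destination_identifier and outbound_KEK_count can be prepared and validated as in the following added example (not IBM code). The function names are hypothetical, the sample values in the comments are constructed, and the code assumes the compiler's execution character set is ASCII; where it is not, the bytes would need converting to ASCII before the call.

```c
#include <stdio.h>
#include <string.h>

/* Left-justify src in a fixed-width field and pad on the right with spaces.
 * Returns -1 if src does not fit. */
static int pad_field(const char *src, char *out, size_t width)
{
    size_t len = strlen(src);
    if (len > width) return -1;
    memset(out, ' ', width);
    memcpy(out, src, len);
    return 0;
}

/* origin_identifier / destination_identifier: 16 bytes, ASCII, left-justified,
 * space padded, at least four non-space characters. Limiting the input to
 * printable ASCII (0x20..0x7e) is this example's choice. Returns 0 or -1. */
int format_x917_identifier(const char *id, char out[16])
{
    size_t nonspace = 0;
    for (const char *p = id; *p; p++) {
        if (*p < 0x20 || *p > 0x7e) return -1;    /* not printable ASCII */
        if (*p != ' ') nonspace++;
    }
    if (nonspace < 4 || id[0] == ' ') return -1;  /* too short or not left-justified */
    return pad_field(id, out, 16);                /* e.g. "BANKA001" + 8 spaces */
}

/* outbound_KEK_count: 8 bytes holding an ASCII decimal count, left-justified
 * and space padded; the documented maximum is 99999999. Returns 0 or -1. */
int format_kek_count(unsigned long count, char out[8])
{
    char digits[16];
    if (count > 99999999UL) return -1;
    snprintf(digits, sizeof digits, "%lu", count);
    return pad_field(digits, out, 8);             /* e.g. 42 -> "42" + 6 spaces */
}
```
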