Usage Notes
z/OS Cryptographic Services ICSF Application Programmer's Guide SA22-7522-16
SAF may be invoked to verify that the caller is authorized to use this callable service, the key label, or internal secure key tokens that are stored in the CKDS or PKDS.

When the service is processed on the CCF, ICSF examines the data encryption algorithm bits on the exporter key-encrypting key and the DATA key for consistency. It does not export a CDMF key under a DES-marked key-encrypting key, or a DES key under a CDMF-marked key-encrypting key. ICSF does not propagate the data encryption marking on the operational key to the external token. Token marking for DES/CDMF on DATA and key-encrypting keys is ignored on a PCICC, PCIXCC, CEX2C, or CEX3C.

The following table shows the access control points in the ICSF role that control the function of this service.

To use a NOCV key-encrypting key with the data key export service, the NOCV KEK usage for export-related functions access control point must be enabled in addition to one or both of the access control points listed.

This table lists the required cryptographic hardware for each server type and describes restrictions for this callable service.
Copyright IBM Corporation 1990, 2014