z/OS Cryptographic Services ICSF Application Programmer's Guide


Usage Notes

SA22-7522-16

SAF may be invoked to verify the caller is authorized to use this callable service, the key label, or internal secure key tokens that are stored in the CKDS or PKDS.

When the service is processed on the CCF, ICSF examines the data encryption algorithm bits on the exporter key-encrypting key and DATA key for consistency. It does not export a CDMF key under a DES-marked key-encrypting key or a DES key under a CDMF-marked key-encrypting key. ICSF does not propagate the data encryption marking on the operational key to the external token.

Token marking for DES/CDMF on DATA and key-encrypting keys is ignored on a PCICC, PCIXCC, CEX2C, or CEX3C.

The following table shows the access control points in the ICSF role that control the function of this service.

Table 15. Required access control points for Data key export

| Access Control Point | Restrictions |
| --- | --- |
| Data Key Export - Unrestricted | None |
| Data Key Export | Key-encrypting key may not have equal key halves |

To use a NOCV key-encrypting key with the data key export service, the NOCV KEK usage for export-related functions access control point must be enabled in addition to one or both of the access control points listed.
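The rules in Table 15, the NOCV note, and the DES/CDMF marking notes can be read as one decision procedure. The following Python model is an added example, not IBM code and not an ICSF interface. The ExportRequest class and denial_reasons function are hypothetical names, and the model assumes that the access control point checks apply whichever processor handles the request and that enabling both Data Key Export access control points gives the unrestricted behavior.

```python
from dataclasses import dataclass

# Access control point names as they appear in Table 15 and the NOCV note.
ACP_UNRESTRICTED = "Data Key Export - Unrestricted"
ACP_RESTRICTED = "Data Key Export"
ACP_NOCV = "NOCV KEK usage for export-related functions"

# Processors on which the page says DES/CDMF token marking is ignored.
MARKING_IGNORED = {"PCICC", "PCIXCC", "CEX2C", "CEX3C"}


@dataclass
class ExportRequest:  # hypothetical model, not an ICSF structure
    processor: str            # "CCF" or one of MARKING_IGNORED
    kek_marking: str          # "DES" or "CDMF" on the exporter KEK
    data_key_marking: str     # "DES" or "CDMF" on the DATA key
    kek_equal_halves: bool = False
    kek_is_nocv: bool = False


def denial_reasons(enabled_acps, req):
    """Return the usage-note rules that block this export (empty = permitted)."""
    enabled = set(enabled_acps)
    reasons = []
    if not {ACP_UNRESTRICTED, ACP_RESTRICTED} & enabled:
        reasons.append("no Data Key Export access control point enabled")
    elif req.kek_equal_halves and ACP_UNRESTRICTED not in enabled:
        # Only the restricted ACP is enabled, so equal key halves are refused.
        reasons.append("KEK has equal key halves")
    if req.kek_is_nocv and ACP_NOCV not in enabled:
        reasons.append("NOCV KEK without the NOCV export ACP")
    # Marking consistency is examined only when the CCF processes the request.
    if req.processor == "CCF" and req.kek_marking != req.data_key_marking:
        reasons.append("DES/CDMF marking mismatch")
    return reasons


if __name__ == "__main__":
    # Constructed sample: restricted ACP only, KEK with equal halves, on a
    # CEX3C where the DES/CDMF mismatch is ignored.
    req = ExportRequest("CEX3C", "DES", "CDMF", kek_equal_halves=True)
    for line in denial_reasons({ACP_RESTRICTED}, req) or ["export permitted"]:
        print(line)
```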

This table lists the required cryptographic hardware for each server type and describes restrictions for this callable service.

Table 16. Data key export required hardware

| Server | Required cryptographic hardware | Restrictions |
| --- | --- | --- |
| IBM eServer zSeries 900 | Cryptographic Coprocessor Feature | |
| | PCI Cryptographic Coprocessor | ICSF routes the request to a PCI Cryptographic Coprocessor if the control vector of the exporter_key_identifier cannot be processed on the Cryptographic Coprocessor Feature. |
| IBM eServer zSeries 990, IBM eServer zSeries 890 | PCI X Cryptographic Coprocessor, Crypto Express2 Coprocessor | |
| IBM System z9 EC, IBM System z9 BC | Crypto Express2 Coprocessor | |

Copyright IBM Corporation 1990, 2014