z/OS Cryptographic Services ICSF Application Programmer's Guide


Parameters

SA22-7522-16

return_code
Direction: Output, Type: Integer

The return code specifies the general result of the callable service. Appendix A. ICSF and TSS Return and Reason Codes lists the return codes.

reason_code
Direction: Output, Type: Integer

The reason code specifies the result of the callable service that is returned to the application program. Each return code has different reason codes that indicate specific processing problems. Appendix A. ICSF and TSS Return and Reason Codes lists the reason codes.

exit_data_length
Direction: Input/Output, Type: Integer

The length of the data that is passed to the installation exit. The length can be from X'00000000' to X'7FFFFFFF' (2 gigabytes). The data is identified in the exit_data parameter.

exit_data
Direction: Input/Output, Type: String

The data that is passed to the installation exit.

rule_array_count
Direction: Input, Type: Integer

The number of keywords you supplied in the rule_array parameter. Valid values are between 1 and 5.

rule_array
Direction: Input, Type: String

The rule_array parameter is an array of keywords. The keywords must be 8 bytes of contiguous storage with the keyword left-justified in its 8-byte location and padded on the right with blanks. The rule_array keywords are:

Table 22. Keywords for ECC Diffie-Hellman

Keyword     Meaning

Key agreement (one required)
  DERIV01   Use the static unified model key agreement scheme.
  PASSTHRU  Skip the key derivation step and return raw "Z" material.

Transport Key Type (one optional if output KEK key identifier is present)
  OKEK-DES  The output KEK key identifier is a "DES" KEK token.
  OKEK-AES  The output KEK key identifier is an "AES" KEK token.

Output Key Type (one optional if output key identifier is present)
  KEY-DES   The output key identifier is a "DES" skeleton token.
  KEY-AES   The output key identifier is an "AES" skeleton token.

Key Wrapping Method (one optional, only supported when the output type is DES)
  USECONFG  Specifies that the configuration setting for the default wrapping method is to be used to wrap the key. This is the default.
  WRAP-ENH  Specifies that the new enhanced wrapping method is to be used to wrap the key.
  WRAP-ECB  Specifies that the original wrapping method is to be used.

Translation Control (one optional, only supported when the output type is DES)
  ENH-ONLY  Specify this keyword to indicate that the key once wrapped with the enhanced method cannot be wrapped with the original method. This restricts translation to the original method. If the keyword is not specified, translation to the original method will be allowed. This turns on bit 56 (ENH ONLY) in the control vector. This keyword is not valid if processing a zero CV data key.

private_key_identifier_length
Direction: Input, Type: Integer

The length of the private_key_identifier parameter.

private_key_identifier
Direction: Input, Type: String

The private_key_identifier must contain an internal or an external token or a label of an internal or external ECC key. The ECC key token must contain a public-private key pair. Clear keys will be accepted.

private_KEK_key_identifier_length
Direction: Input, Type: Integer

The length of the private_KEK_key_identifier in bytes. The maximum value is 900. If the private_key_identifier contains an internal ECC token, this value must be zero.

private_KEK_key_identifier
Direction: Input, Type: String

The private_KEK_key_identifier must contain a KEK key token, the label of a KEK key token, or a null token. The KEK key token must be present if the private_key_identifier contains an external ECC token.

public_key_identifier_length
Direction: Input, Type: Integer

The length of the public_key_identifier.

public_key_identifier
Direction: Input, Type: String

The public_key_identifier parameter must contain an ECC public token or the label of an ECC public token. The public_key_identifier specifies the other party's ECC public key, which is enabled for key management functions. If the public_key_identifier identifies a token containing a public-private key pair, no attempt to decrypt the private part will be made.

chaining_vector_length
Direction: Input/Output, Type: Integer

The chaining_vector_length parameter must be zero.

chaining_vector
Direction: Input/Output, Type: String

The chaining_vector parameter is ignored.

party_identifier_length
Direction: Input/Output, Type: Integer

The length of the party_identifier parameter. Valid values are 0, or between 8 and 64. The party_identifier_length must be 0 when the PASSTHRU rule array keyword is specified.

party_identifier
Direction: Input/Output, Type: String

The party_identifier parameter contains the entity identifier information. This information should contain both entities' data according to NIST SP800-56A Section 5.8 when the DERIV01 rule array keyword is specified.

key_bit_length
Direction: Input/Output, Type: Integer

The key_bit_length parameter contains the number of bits of key material to derive and place in the provided key token. The value must be 0 if the PASSTHRU rule array keyword was specified. Otherwise it must be between 64 and 2048.

reserved_length
Direction: Input/Output, Type: Integer

The reserved_length parameter must be zero.

reserved
Direction: Input/Output, Type: String

This parameter is ignored.

reserved2_length
Direction: Input/Output, Type: Integer

The reserved2_length parameter must be zero.

reserved2
Direction: Input/Output, Type: String

This parameter is ignored.

reserved3_length
Direction: Input/Output, Type: Integer

The reserved3_length parameter must be zero.

reserved3
Direction: Input/Output, Type: String

This parameter is ignored.

reserved4_length
Direction: Input/Output, Type: Integer

The reserved4_length parameter must be zero.

reserved4
Direction: Input/Output, Type: String

This parameter is ignored.

reserved5_length
Direction: Input/Output, Type: Integer

The reserved5_length parameter must be zero.

reserved5
Direction: Input/Output, Type: String

This parameter is ignored.

output_KEK_key_identifier_length
Direction: Input, Type: Integer

The length of the output_KEK_key_identifier. The maximum value is 900. The output_KEK_key_identifier_length must be zero if output_key_identifier will contain an internal token or if the PASSTHRU rule array keyword was specified.

output_KEK_key_identifier
Direction: Input, Type: String

The output_KEK_key_identifier contains a KEK key token or the label of a KEK key if the output_key_identifier will contain an external ECC token. Otherwise this field is ignored.

If the output KEK key identifier identifies a DES KEK, then it must be an IMPORTER or an EXPORTER key type, and have the export bit set. The XLATE bit is not checked. If the output KEK key identifier identifies an AES KEK, then it must be either an IMPORTER or an EXPORTER key type and have the export/import bit set in key usage field 1 and the derivation bit set in key usage field 4.

output_key_identifier_length
Direction: Input/Output, Type: Integer

The length of the output_key_identifier. The service checks the field to ensure it is at least equal to the size of the token to return. On return from this service, this field is updated with the exact length of the key token created. The maximum allowed value is 900 bytes.

output_key_identifier
Direction: Output, Type: String

On input, the output_key_identifier must contain a skeleton token or a null token.

On output, the output_key_identifier will contain:

  • An internal or an external key token containing the generated symmetric key material.
  • "Z" data (in the clear) if the PASSTHRU rule array keyword was specified.

If this variable specifies an external DES key token then the output KEK key identifier must identify a DES KEK key token. If this specifies an external key token other than a DES key token then the output KEK key identifier must identify an AES KEK key token.
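
A pre-flight check for the rule_array, party_identifier_length and key_bit_length constraints described above, as an added example that is not from the IBM guide. The function name `edh_preflight` and its negative return codes are hypothetical, and the code does not call ICSF. It assumes that the Key Wrapping Method and Translation Control keywords conflict with KEY-AES, following Table 22's "only supported when the output type is DES".

```c
#include <stdio.h>
#include <string.h>

/* Table 22 keywords; group 0 (key agreement) is required, others optional. */
static const struct { const char *name; int group; } KW[] = {
    {"DERIV01", 0}, {"PASSTHRU", 0}, {"OKEK-DES", 1}, {"OKEK-AES", 1},
    {"KEY-DES", 2}, {"KEY-AES", 2}, {"USECONFG", 3}, {"WRAP-ENH", 3},
    {"WRAP-ECB", 3}, {"ENH-ONLY", 4},
};
#define NKW (sizeof KW / sizeof KW[0])

/* Packs keywords into 8-byte slots (left-justified, blank-padded) and checks
 * the documented constraints. Returns 0 if consistent, otherwise a negative
 * code (hypothetical codes for this example, not ICSF reason codes). */
int edh_preflight(const char *const kws[], int count, char *rule_array,
                  int party_id_len, int key_bit_len)
{
    int seen[5] = {0}, passthru = 0, aes_out = 0;
    if (count < 1 || count > 5) return -1;          /* rule_array_count 1..5 */
    for (int i = 0; i < count; i++) {
        size_t k = 0;
        while (k < NKW && strcmp(kws[i], KW[k].name) != 0) k++;
        if (k == NKW) return -2;                    /* not in Table 22 */
        if (seen[KW[k].group]++) return -3;         /* two from one group */
        if (strcmp(kws[i], "PASSTHRU") == 0) passthru = 1;
        if (strcmp(kws[i], "KEY-AES") == 0) aes_out = 1;
        memset(rule_array + 8 * i, ' ', 8);
        memcpy(rule_array + 8 * i, kws[i], strlen(kws[i]));
    }
    if (!seen[0]) return -4;                        /* DERIV01 or PASSTHRU */
    if ((seen[3] || seen[4]) && aes_out) return -5; /* DES-only keywords */
    if (passthru)                                   /* raw Z: both must be 0 */
        return (party_id_len || key_bit_len) ? -6 : 0;
    if (party_id_len && (party_id_len < 8 || party_id_len > 64)) return -7;
    if (key_bit_len < 64 || key_bit_len > 2048) return -8;
    return 0;
}

int main(void)
{
    const char *kws[] = {"DERIV01", "KEY-AES"};     /* constructed sample */
    char rule_array[5 * 8];
    int rc = edh_preflight(kws, 2, rule_array, 16, 256);
    printf("rc=%d rule_array=[%.16s]\n", rc, rule_array);
    return rc ? 1 : 0;
}
```

Running the check before the call lets an application reject an inconsistent request, such as PASSTHRU with a non-zero key_bit_length, without a round trip to the service.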

Copyright IBM Corporation 1990, 2014