z/OS Cryptographic Services ICSF Application Programmer's Guide
Previous topic | Next topic | Contents | Index | Contact z/OS | Library | PDF


Parameters

z/OS Cryptographic Services ICSF Application Programmer's Guide
SA22-7522-16

return_code
Direction: OutputType: Integer

The return code specifies the general result of the callable service. Appendix A. ICSF and TSS Return and Reason Codes lists the return codes.

reason_code
Direction: OutputType: Integer

The reason code specifies the result of the callable service that is returned to the application program. Each return code has different reason codes that indicate specific processing problems. Appendix A. ICSF and TSS Return and Reason Codes lists the reason codes.

exit_data_length
Direction: Input/OutputType: Integer

The length of the data that is passed to the installation exit. The length can be from X'00000000' to X'7FFFFFFF' (2 gigabytes). The data is identified in the exit_data parameter.

exit_data
Direction: Input/OutputType: String

The data that is passed to the installation exit.

key_form
Direction: InputType: Character string

A 4-byte keyword that defines the type of key(s) you want to generate. This parameter also specifies if each key should be returned for either operational, importable, or exportable use. The keyword must be in a 4-byte field, left-justified, and padded with blanks.

The first two characters refer to key_type_1. The next two characters refer to key_type_2.

These keywords are allowed: OP, IM, EX, OPIM, OPEX, IMEX, EXEX, OPOP, and IMIM. See Table 27 for their meanings.

If the key_form is OP, EX or IM, the KEK_key_identifier_2, generated_key_identifier_1 and generated_key_identifier_2 should be set to NULL.

Table 27. Key Form Values for the Key Generate Callable Service
KeywordMeaning
EXOne key that can be sent to another system.
EXEXA key pair; both keys to be sent elsewhere, possibly for exporting to two different systems. The key pair has the same clear value.
IMOne key that can be locally imported. The key can be imported onto this system to make it operational at another time.
IMEXA key pair to be imported; one key to be imported locally and one key to be sent elsewhere. Both keys have the same clear value.
IMIMA key pair to be imported; both keys to be imported locally at another time.
OPOne operational key. The key is returned to the caller in the key token format. Specify the OP key form when generating AKEKs and AES keys.
OPEXA key pair; one key that is operational and one key to be sent from this system. Both keys have the same clear value.
OPIMA key pair; one key that is operational and one key to be imported to the local system. Both keys have the same clear value. On the other system, the external key token can be imported to make it operational.
OPOPA key pair; normally with different control vector values.

The key forms are defined as follows:

Operational (OP)
The key value is enciphered under a master key. The result is placed into an internal key token. The key is then operational at the local system. For AKEKs, the result is placed in a skeleton token created by the key token build callable service. AES AKEKs are not supported.
Importable (IM)
The key value is enciphered under an importer key-encrypting key. The result is placed into an external key token.
Exportable (EX)
The key value is enciphered under an exporter key-encrypting key. The result is placed into an external key token. The key can then be transported or exported to another system and imported there for use. This key form cannot be used by any ICSF callable service.

The keys are placed into tokens that the generated_key_identifier_1 and generated_key_identifier_2 parameters identify.

Valid key type combinations depend on the key form. See Table 34 for valid key combinations.

key_length
Direction: InputType: Character string

An 8-byte value that defines the length of the key. The keyword must be left-justified and padded on the right with blanks. You must supply one of the key length values in the key_length parameter.

Table 28. Key Length Values for the Key Generate Callable Service
ValueDescriptionAlgorithm
SINGLE, SINGLE-R or KEYLN8The key should be a single length (8-byte or 64-bit) key.DES
DOUBLE or KEYLN16The key should be a double length (16-byte or 128-bit) keyAES or DES
KEYLN24The key should be a 24-byte (192-bit) key.AES or DES
KEYLN32The key should be a 32-byte (256-bit) key.AES

DES Keys: Double-length (16-byte) keys have an 8-byte left half and an 8-byte right half. Both halves can have identical clear values or not. If you want the same value to be used in both key halves (refered to as replicated key values), specify key_length as SINGLE, SINGLE-R or KEYLN8. If you want different values to be the basis of each key half, specify key_length as DOUBLE or KEYLN16.

Triple-length (24-byte) keys have three 8-byte key parts. This key length is valid for DATA keys only. To generate a triple-length DATA key with three different values to be the basis of each key part, specify key_length as KEYLN24.

Use SINGLE/SINGLE-R if you want to create a DES transport key that you would use to exchange DATA keys with a PCF system. Because PCF does not use double-length transport keys, specify SINGLE so that the effects of multiple encipherment are nullified. When generating an AKEK, the key_length parameter is ignored. The AKEK key length (8-byte or 16-byte) is determined by the skeleton token created by the key token build callable service and provided in the generated_key_identifier_1 parameter.

Note:
SINGLE-R is not supported on IBM eServer zSeries 900 servers.

AES Keys: AES only allows KEYLN16, KEYLN24, KEYLN32. To generate a 128-bit AES key, specify key_length as KEYLN16. For 192-bit AES keys specify key_length as KENLN24. A 256-bit AES key requires a key_length of KEYLN32. All AES keys are DATA keys.

Systems with CCFs (with or without PCICCs): This table shows the valid key lengths for each key type supported by DES keys. An X indicates that a key length is permitted for a key type. A Y indicates that the key generated will be a double-length key with replicated key values.

Note:
When generating a double-length key with replicated key values and the key_form parameter as IMEX, the KEK_key_identifier_1 parameter must contain a NOCV IMPORTER key-encrypting key either as a key label or an internal key token. Also the CKDS must contain NOCV enablement keys.
Table 29. Key lengths for DES keys - CCF systems
Key TypeSingle - KEYLN8Double - KEYLN16KEYLN24
MAC
MACVER
X
X
DATAXXX
DATAM
DATAMV
X
X
EXPORTER
IMPORTER
Y
Y
X
X
IKEYXLAT  
OKEYXLAT
Y
Y
X
X
CIPHER#
DECIPHER#
ENCIPHER#
X
X
X
IPINENC
OPINENC
PINGEN
PINVER
Y
Y
Y
Y
X
X
X
X
CVARDEC*#
CVARENC*#
CVARPINE*#
CVARXCVL*#
CVARXCVR*#
X
X
X
X
X
X
X
X
X
X
DKYGENKY*#
KEYGENKY*#
Y
X
X
X
Notes:
  1. * — key types marked with an asterisk (*) are requested through the use of the TOKEN keyword and specifying a proper control-vector in a key token
  2. # — key types marked with a pound sign (#) require a PCICC

Systems with PCIXCCs/CEX2C/CEX3C: This table shows the valid key lengths for each key type supported by DES keys. An X indicates that a key length is permitted for a key type. A Y indicates that the key generated will be a double-length key with replicated key values. It is preferred that SINGLE-R be used for this result.

Table 30. Key lengths for DES keys - PCIXCC/CEX2C/CEX3C systems
Key TypeSingle - KEYLN8Single-RDouble - KEYLN16KEYLN24
MAC
MACVER
X
X
X
X
DATAXXX
DATAC*
DATAM
DATAMV
X
X
X
EXPORTER
IMPORTER
Y
Y
X
X
X
X
IKEYXLAT  
OKEYXLAT
Y
Y
X
X
X
X
CIPHER
DECIPHER
ENCIPHER
X
X
X
X
X
X
IPINENC
OPINENC
PINGEN
PINVER
Y
Y
Y
Y
X
X
X
X
X
X
X
X
CVARDEC*
CVARENC*
CVARPINE*
CVARXCVL*
CVARXCVR*
X
X
X
X
X
X
X
X
X
X
DKYGENKY*
KEYGENKY*
X
X
X
X
X

This table shows the valid key lengths for each key type supported by AES keys. An X indicates that a key length is permitted for that key type.

Table 31. Key lengths for AES keys - CEX2C/CEX3C systems
Key Type128-byte192-byte256-byte
AESTOKEN
AESDATA
X
X
X
X
X
X
key_type_1
Direction: InputType: Character string

Use the key_type_1 parameter for the first, or only key, that you want generated. The keyword must be left-justified and padded with blanks. Valid type combinations depend on the key form.

The 8-byte keyword for the key_type_1 parameter can be one of the following:

  • AESDATA, AESTOKEN, CIPHER, DATA, DATAC, DATAM, DATAMV, DATAXLAT, DECIPHER, ENCIPHER, EXPORTER, IKEYXLAT, IMPORTER, IPINENC, MAC, MACVER, OKEYXLAT, OPINENC, PINGEN and PINVER
  • or the keyword TOKEN

For information on the meaning of the key types, see Table 3.

If key_type_1 is TOKEN, ICSF examines the control vector (CV) field in the generated_key_identifier_1 parameter to derive the key type. When key_type_1 is TOKEN, ICSF does not check for the length of the key for DATA keys. Instead, ICSF uses the key_length parameter to determine the length of the key.

To generate a DES AKEK, specify a key_type_1 of TOKEN. The generated_key_identifier_1 parameter must be a skeleton token of an AKEK created by the Key Token Build callable service. The token cannot be a partially notarized AKEK or an AKEK key part.

If key_type_1 is AESDATA or AESTOKEN, the key generated will be an AES key of type DATA. When key_type_1 is AESTOKEN, ICSF uses the key_length parameter to determine the length of the key.

See Table 33 and Table 34 for valid key type and key form combinations.

key_type_2
Direction: InputType: Character string

Use the key_type_2 parameter for a key pair, which is shown in Table 34. The keyword must be left-justified and padded with blanks. Valid type combinations depend on the key form. key_type_2 is only used when DES keys are generated.

key_type_2 is only use when DES keys are generated. The 8-byte keyword for the key_type_2 parameter can be one of the following:

  • CIPHER, DATA, DATAC, DATAM, DATAMV, DATAXLAT, DECIPHER, ENCIPHER, EXPORTER, IKEYXLAT, IMPORTER, IPINENC, MAC, MACVER, OKEYXLAT, OPINENC, PINGEN and PINVER
  • or the keyword TOKEN

For information on the meaning of the key types, see Description of Key Types, Table 3.

If key_type_2 is TOKEN, ICSF examines the control vector (CV) field in the generated_key_identifier_2 parameter to derive the key type. When key_type_2 is TOKEN, ICSF does not check for the length of the key for DATA keys. Instead, ICSF uses the key_length parameter to determine the length of the key.

If only one key is to be generated, key_type_2 and KEK_key_identifier_2 are ignored.

See Table 33 and Table 34 for valid key type and key form combinations.

KEK_key_identifier_1
Direction: Input/OutputType: String

A 64-byte string of a DES internal key token containing the importer or exporter key-encrypting key, or a key label. If you supply a key label that is less than 64-bytes, it must be left-justified and padded with blanks. KEK_key_identifier_1 is required for a key_form of IM, EX, IMEX, EXEX, or IMIM.

When key_form OP is used, parameters KEK_key_identifier_1 and KEK_key_identifier_2 are ignored. In this case, it is recommended that the parameters are initialized to 64-bytes of X'00'.

If the NOCV bit is on in the internal key token containing the key-encrypting key, the key-encrypting key itself (not the key-encrypting key variant) is used to encipher the generated key. For example, the key has been installed in the cryptographic key data set through the key generator utility program or the key entry hardware using the NOCV parameter; or you are passing the key-encrypting key in the internal key token with the NOCV bit on and your program is running in supervisor state or key 0-7.

Control vectors are explained in Control Vector for DES Keys and the NOCV bit is shown in Table 333.

KEK_key_identifier_1 cannot be an AES key token or label.

KEK_key_identifier_2
Direction: Input/OutputType: String

A 64-byte string of a DES internal key token containing the importer or exporter key-encrypting key, or a key label of an internal token. If you supply a key label that is less than 64-bytes, it must be left-justified and padded with blanks. KEK_key_identifier_2 is required for a key_form of OPIM, OPEX, IMEX, IMIM, or EXEX. This field is ignored for key_form keywords OP, IM and EX. When key_form OP is used, parameter KEK_key_identifier_2 is ignored. In this case, it is recommended that the parameter is initialized to 64-bytes of X'00'.

If the NOCV bit is on in the internal key token containing the key-encrypting key, the key-encrypting key itself (not the key-encrypting key variant) is used to encipher the generated key. For example, the key has been installed in the cryptographic key data set through the key generator utility program or the key entry hardware using the NOCV parameter; or you are passing the key-encrypting key in the internal key token with the NOCV bit on and your program is running in supervisor state or in key 0-7.

Control vectors are explained in Control Vector for DES Keys and the NOCV bit is shown in Table 333.

KEK_key_identifier_2 cannot be an AES key token or label.

generated_key_identifier_1
Direction: Input/OutputType: String

This parameter specifies either a generated:

  • Internal DES or AES key token for an operational key form, or
  • External DES key tokens containing a key enciphered under the KEK_key_identifier_1 parameter.

If you specify a key_type_1 of TOKEN, then this field contains a valid DES token of the key type you want to generate. Otherwise, on input, this parameter must be binary zeros. See key_type_1 for a list of valid key types.

If you specify a key_type_1 of IMPORTER or EXPORTER and a key_form of OPEX, and if the generated_key_identifier_1 parameter contains a valid DES internal token of the SAME type, the NOCV bit, if on, is propagated to the generated key token.

When generating an AKEK, specify the skeleton key token created by the Key Token Build callable service as input for this parameter.

When key_type_1 parameter is AESDATA, then generated_key_identifier_1 is ignored. In this case, it is recommended that the parameter be initialized to 64-bytes of X'00'. If you specify a key_type_1 of AESTOKEN, the generated_key_identifier_1 parameter must be an internal AES key token or a clear AES key token. Information in this token can be used to determine the key type:

  • The key_type_1 parameter overrides the type in the token.
  • The key_length parameter overrides the length value in the generated key token.

ICSF supports two methods of wrapping the key value in a symmetric key token: the original ECB wrapping and an enhanced CBC wrapping method which is ANSI X9.24 compliant. The output generated_key_identifier_1 will use the default wrapping method unless a skeleton token is supplied as input. If a skeleton token is supplied as input, the wrapping method in the skeleton token will be used.

generated_key_identifier_2
Direction: Input/OutputType: String

This parameter specifies a generated external key token containing a key enciphered under the KEK_key_identifier_2 parameter.

When key_type_1 parameter is AESDATA or AESTOKEN, then generated_key_identifier_2 is ignored. In this case, it is recommended that the parameters are initialized to 64-bytes of X'00'.

If you specify a key_type_2 of TOKEN, then this field contains a valid token of the key type you want to generate. Otherwise, on input, this parameter must be binary zeros. See key_type_1 for a list of valid key types.

The token can be an internal or external token.

ICSF supports two methods of wrapping the key value in a symmetric key token: the original ECB wrapping and an enhanced CBC wrapping method which is ANSI X9.24 compliant. The output generated_key_identifier_2 will use the default wrapping method unless a skeleton token is supplied as input. If a skeleton token is supplied as input, the wrapping method in the skeleton token will be used.

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014