z/OS Cryptographic Services ICSF Application Programmer's Guide


Key Identifier for PKA Key Token

SA22-7522-16

A key identifier for a PKA key token is a variable-length area (maximum allowed size is 3500 bytes) that contains one of these:

  • Key label: identifies keys that are in the PKDS. Ask your ICSF administrator for the key labels that you can use.
  • Key token: can be either an internal key token, an external key token, or a null key token. Key tokens are generated by an application (for example, using the PKA key generate callable service), or received from another system that can produce external key tokens.

    An internal key token can be used only on ICSF, because a PKA master key encrypts the key value. Internal key tokens contain keys in operational form only.

    An external key token can be exchanged with other systems because a transport key that is shared with the other system encrypts the key value. External key tokens contain keys in either exportable or importable form.

    A null key token consists of 8 bytes of binary zeros. The PKDS Key Record Create service can be used to write a null token to the PKDS. This PKDS record can subsequently be identified as the target token for the PKA key import or PKA key generate service.

The term key identifier is used when a parameter could be one of the previously discussed items and to indicate that different inputs are possible. For example, you may want to supply a particular parameter as either an internal key token or a key label. The key label is, in effect, an indirect reference to a stored internal key token.
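Because one parameter can carry a label, an internal token, an external token or a null token, a caller can check which form a buffer holds before passing it on. The following C sketch is an added example, not code from the ICSF guide; `classify_key_identifier` is a hypothetical helper, and the token header bytes (X'1E' external, X'1F' internal, length in bytes 2-3) and the 64-byte label length are assumptions taken from the CCA token format rather than from this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define KEYID_MAX    3500  /* maximum key identifier size stated on this page */
#define NULL_TOK_LEN 8     /* null key token: 8 bytes of binary zeros */
#define TOK_EXTERNAL 0x1E  /* assumption: CCA PKA token header, external */
#define TOK_INTERNAL 0x1F  /* assumption: CCA PKA token header, internal */
#define LABEL_LEN    64    /* assumption: 64-byte blank-padded key label */

typedef enum { KID_INVALID, KID_NULL_TOKEN, KID_INTERNAL_TOKEN,
               KID_EXTERNAL_TOKEN, KID_LABEL } kid_kind;

/* Hypothetical helper: decide which kind of key identifier a buffer holds
   before it is handed to a callable service. */
kid_kind classify_key_identifier(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < NULL_TOK_LEN || len > KEYID_MAX)
        return KID_INVALID;
    if (buf[0] == 0x00) {
        /* A null token must be zero in all of its first 8 bytes. */
        for (size_t i = 0; i < NULL_TOK_LEN; i++)
            if (buf[i] != 0x00)
                return KID_INVALID;
        return KID_NULL_TOKEN;
    }
    if (buf[0] == TOK_INTERNAL || buf[0] == TOK_EXTERNAL) {
        /* Assumption: header bytes 2-3 carry the big-endian token length.
           Reject a token that claims more bytes than the caller supplied. */
        size_t declared = ((size_t)buf[2] << 8) | buf[3];
        if (declared < NULL_TOK_LEN || declared > len)
            return KID_INVALID;
        return buf[0] == TOK_INTERNAL ? KID_INTERNAL_TOKEN : KID_EXTERNAL_TOKEN;
    }
    /* Anything else is only accepted as a label of the expected length. */
    return len == LABEL_LEN ? KID_LABEL : KID_INVALID;
}

int main(void)
{
    /* Constructed samples, not real key material. */
    uint8_t null_tok[8] = {0};
    uint8_t internal[16] = {0x1F, 0x00, 0x00, 0x10};
    printf("%d %d %d\n",
           classify_key_identifier(null_tok, sizeof null_tok),
           classify_key_identifier(internal, sizeof internal),
           classify_key_identifier(internal, 12)); /* truncated token */
    return 0;
}
```

Knowing the form up front lets an application refuse an external token where only an operational (internal) key or a PKDS label is expected.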





Copyright IBM Corporation 1990, 2014