Special secure mode is a special processing mode in which:

• The Secure Key Import, Secure Key Import2, and Multiple Secure Key Import callable services, which work with clear keys, can be used.
• The Clear PIN Generate callable service, which works with clear PINs, can be used.
• The Symmetric Key Generate callable service with the "IM" keyword (the DES enciphered key is enciphered by an IMPORTER key) can be used (CCF Systems Only).
• The key generator utility program (KGUP) can be used to enter clear keys into the CKDS.

To use special secure mode, several conditions must be met.

• The installation options data set must specify YES for the SSM installation option.

  For information about specifying installation options, see z/OS Cryptographic Services ICSF System Programmer’s Guide.

  This is required for all systems.

• The environmental control mask (ECM) must be configured to permit special secure mode.

  The ECM is a 32-bit mask defined for each cryptographic domain during hardware installation. The second bit in this mask must have been turned on to enable special secure mode. The default is to have this bit turned on in the ECM. The bit can only be turned off/on through the optional TKE Workstation.

  This is required for systems with the Cryptographic Coprocessor Feature.

• If you are running in LPAR mode, special secure mode must be enabled.

  On the IBM zSeries 900, you enable special secure mode during activation using the Crypto page of the Customize Activation Profiles task. When activated, you can enable or disable special secure mode on the Change LPAR Crypto task. Both of these tasks can be accessed from the Hardware Management Console.

  This is required for systems with the Cryptographic Coprocessor Feature.

For the IBM zSeries 900 with TKE, TKE can disable/enable special secure mode.