CCA symmetric key usage event

This subtype consists of a number of tag-length-value (TLV) triplets. The following triplets may be contained in the record. The specific set of triplets is dependent on the type of event and the information that is available.

Table 1. Subtype 44 CCA symmetric key usage event
Tag value Name Length Format Description
Dec Hex
257 101 KDS_LABEL 72 EBCDIC The label in the KDS.
259 103 KEY_NAME 64 EBCDIC The key name from the token. Applies to variable-length CCA tokens only.
261 105 KEY_FPRINT 1 - 64 binary

One or more key fingerprints.

The first byte is the number (n) of fingerprints present for the key. Following that are n type-length-value triplets. Within each of these triplets is a 1-byte fingerprint type, followed by a 1-byte length for the triplet, followed by the fingerprint.

Fingerprint types:
X'01'
Ciphertext obtained from encrypting a data block filled with binary zeros in ECB mode.
X'03'
SHA-256 algorithm. See Appendix E in z/OS Cryptographic Services ICSF Application Programmer's Guide for more information.
X'04'
SHAVP1 algorithm. See Appendix E in z/OS Cryptographic Services ICSF Application Programmer's Guide for more information.
For example, X'010105010203' indicates that there is one fingerprint value (01) which is the ciphertext obtained from using the key to encrypt a data block of binary zeros in ECB mode (01). The fingerprint is 3 bytes in length (05 – 2) and the value is X'010203'.
262 106 SERVICE 8 EBCDIC The service associated with the event.
264 108 TOK_FMT 1 binary The format of the token.
X'01'
Fixed length CCA token.
X'02'
Variable length CCA token.
X'03'
TR-31 key block.
X'04'
RKX token.
Note:
  1. When format is RKX token, no other key or token related fields are present.
  2. When format is TR-31 key block, the only other key or token related field that may be present is the key fingerprint.
265 109 KEY_SEC 1 binary Key security.
X'01'
No key present.
X'02'
Clear key.
X'03'
Key encrypted under master key.
X'04'
Key encrypted under key encrypting key.
266 10A KEY_ALG 1 binary Key algorithm.
X'02'
DES.
X'03'
AES.
X'04'
HMAC.
267 10B KEY_TYPE 2 binary Key type.

The key type from the token. Applies to variable-length CCA tokens only. See “Variable-length symmetric key token” in z/OS Cryptographic Services ICSF Application Programmer's Guide for the list of key types.
268 10C KEY_CV 8 binary Key control vector.

The first eight bytes of the control vector from the token. Applies to fixed-length DES CCA tokens only.

See Appendix C in z/OS Cryptographic Services ICSF Application Programmer's Guide for information on how to interpret the control vector.
269 10D KEY_USAGE_CKDS 3 - 33 binary Key usage fields.

Consists of a 1 byte count followed by one or more 2-byte key usage fields. Applies to variable-length CCA tokens only.

See Appendix B in z/OS Cryptographic Services ICSF Application Programmer's Guide for the list of key usage values for variable length tokens.
270 10E KEY_LEN 2 binary The length of the key (in bits). Applies to fixed-length CCA tokens only.
275 113 START_TOD 16 binary Start time of the interval in STCKE format.
276 114 END_TOD 16 binary End time of the interval in STCKE format.
277 115 USG_COUNT 4 binary Number of usages accounted for in this record.
278 116 KEY_OLD 0 binary The key is internal, but not wrapped under the current master key. Additionally, if key store policy is enabled for CKDS, the key is wrapped under the old master key. Applies to token usage only.
The following tags may be present in the end user audit section:
  • X500_IDN
  • X500_SDN
  • IDID_USRI
  • IDID_USRF
  • IDID_REG
  • USRI
See Audit header and audit section for more details.