Controlling how cryptographic keys can be used

In addition to using profiles in the CSFKEYS class (and, when Symmetric Key Label Export is enabled, the XCSFKEY class) to identify which users have permission to certain cryptographic keys, you can also enable the PKA Key Management Extensions control so that CSFKEYS and XCSFKEY profiles can place restrictions on how keys are used. For example, you can:
  • Restrict an asymmetric key from being used in secure export and import operations.
  • Restrict an asymmetric key from being used in handshake operations.
  • Restrict a symmetric key from being exported (transferred from encryption under a master key to encryption under an application-supplied RSA public key). Alternatively, you can allow the symmetric key to be exported, but only by certain public keys (as indicated by a list of key labels), or only by public keys bound to certain identities (as indicated by a list of certificates in either a PKCS #11 token, or a SAF key ring).
Setting restrictions such as these can help ensure that keys are used only for intended purposes, regardless of who has access to the keys. For example, if you have an RSA key pair intended only for generating and verifying digital signatures, you can set a restriction to ensure that the public key of this key pair is never used to export a symmetric key.

You place restrictions on cryptographic keys using the ICSF segment of the CSFKEYS or XCSFKEY class profiles that cover the keys. After you have modified the profiles with the restrictions you want to place on the keys, you can enable the PKA Key Management Extensions control by creating a CSF.PKAEXTNS.ENABLE profile in class XFACILIT. You can also enable PKA Key Management Extensions in warning mode by creating a CSF.PKAEXTNS.ENABLE.WARNONLY profile in class XFACILIT. In order to enable PKA Key Management Extensions, Key Store Policy must be active for both the CKDS and the PKDS. For more information, refer to Enabling PKA key management extensions.