Question & Answer
Question
How to export an AES protected key from one system to another system?
Answer
Steps to export an AES protected key
On the sending system,
1. Invoke CSNBKTR2 (Key Translate2) to convert the AES-256 DATA key (fixed-length v04 token) to an AES-256 CIPHER key (variable-length v05 token)
2. Invoke CSNDSYX to export the AES-256 CIPHER key, either with an AES EXPORTER key (rule array AES, AESKW) or with the remote system's RSA public key
Steps to import an AES protected key
On the receiving system,
1. Invoke CSNDSYI2 to import the AES-256 CIPHER key, either with the matching AES IMPORTER key (rule array AES, AESKW) or with the local system's RSA private key
2. Invoke CSNBKTR2 (Key Translate2) to convert the AES-256 CIPHER key back to an AES-256 DATA key
3. Define a CSFKEYS profile for the AES-256 DATA key label with SYMCPACFWRAP(YES) in its ICSF segment, so that ICSF is allowed to rewrap the key as a CPACF protected key, and then use the key as a protected key
Steps to create an RSA certificate to be used for exporting/importing an AES-256 DATA key
On the receiving system,
Perform 'Generate a new RSA key pair record' and 'Export the RSA record's public key to a certificate data set' via ICSF option 5.6 panel (PKDSKEYS). The output will be a certificate in DER format.
or
Create a certificate and store the private-public key pair into the PKDS, then export the public key out in X.509 format.
On the sending system,
Perform 'Create a RSA public key record from an input certificate' via ICSF option 5.6 panel (PKDSKEYS), using the DER certificate produced on the receiving system as input.
The output is an RSA public key record in the sending system's PKDS; its label is what CSNDSYX uses as the RSA public key identifier.
or
Add the X.509 certificate using RACF's RACDCERT ADD command with a parameter to specify that the public key is to be stored in the PKDS.
Steps to create an AES EXPORTER/IMPORTER key using KGUP
Make sure the CKDS is a variable-length (regular or KDSR format) CKDS.
Make sure ICSF is at HCR77A1 or a later release (KGUP support for variable-length AES keys was added in HCR77A1).
The EXPORTER created on the sending system and the IMPORTER created on the receiving system must have the same key value: this pair is the key-encrypting key (KEK) that protects the AES DATA key in transit, so distribute its value with the same care as any other KEK (for example, as key parts rather than a clear value in a shared control statement data set).
Summary of the sequence of actions
On the sending system,
Invoke KGUP to create an AES 256-bit DATA key
Refresh the CKDS
CSNBKRR to read the AES DATA v04 token from the CKDS
CSNBKTB2 to build a skeleton (NO-KEY) AES CIPHER v05 token that will receive the translated key
CSNBKTR2 (rule array AES, REFORMAT) to convert the AES DATA v04 token into the AES CIPHER v05 token
CSNBKRW2 to write the AES CIPHER v05 token to the CKDS (optional)
Invoke KGUP to create an AES EXPORTER key, then refresh the CKDS
CSNDSYX (rule array AES, AESKW) to export the AES CIPHER v05 token under the AES EXPORTER key, and send the resulting enciphered key to the receiving system
On the receiving system,
Invoke KGUP to add the matching AES IMPORTER key (same key value as the sending system's EXPORTER; the sample below uses a 16-byte key, which is an AES-128 KEK protecting an AES-256 key, so prefer a 32-byte EXPORTER/IMPORTER pair unless the weaker KEK is an accepted choice)
Refresh the CKDS
CSNDSYI2 (rule array AES, AESKW) to import the AES CIPHER v05 token under the AES IMPORTER key
CSNBKTR2 (rule array AES, REFORMAT) to convert the AES CIPHER v05 token to an AES DATA v04 token
CSNBKRC2 to create the CKDS record and write the AES DATA v04 token into it
Sample parameters for the APIs (REXX)
CSNDSYI2:
SYI2rc = 'FFFFFFFF'x ;
SYI2rs = 'FFFFFFFF'x ;
Exit_Length = '00000000'x ;
Exit_Data = '' ;
SYI2_Rule_Count = '00000002'x ;
SYI2_Rule_Array = 'AES     ' || 'AESKW   ' ; /* each rule keyword is 8 bytes, blank padded */
enciphered_key_length = enciphered_key_length ; /* from CSNDSYX on the sending system */
enciphered_key = enciphered_key ; /* from CSNDSYX on the sending system */
KEKl = '00000040'x ; /* 64-byte CKDS label of the AES IMPORTER */
KEK = left('AMY.AES.IMPORTER',64) ;
key_name_length = '00000000'x ;
key_name = '' ;
Target_Key_Length = '000002D5'x ; /* 725 bytes, the maximum variable-length token; updated to the actual length on return */
Target_Key = copies('00'x,725) ;
CSNBKTR2:
KTR2_rc = '00000000'x ;
KTR2_rs = '00000000'x ;
KTR2_Exit_Length = '00000000'x ;
KTR2_Exit_Data = '' ;
KTR2_Rule_Array_Count = '00000002'x ;
KTR2_Rule_Array = 'AES     ' || 'REFORMAT' ; /* each rule keyword is 8 bytes, blank padded */
KTR2_Input_Key_Length = Target_Key_Length ; /* actual token length returned by CSNDSYI2 */
KTR2_Input_Key = Target_Key ; /* from CSNDSYI2 */
KTR2_Input_KEK_Length = '00000000'x ; /* no KEK: internal token to internal token */
KTR2_Input_KEK = '' ;
KTR2_Output_KEK_Length = '00000000'x ;
KTR2_Output_KEK = '' ;
KTR2_Output_Key_Length = '00000040'x ; /* a fixed-length v04 DATA token is 64 bytes */
KTR2_Output_Key = copies('00'x,64) ;
CSNBKRC2:
krc2_rc = 'FFFFFFFF'x;
krc2_rs = 'FFFFFFFF'x;
krc2_exit_data_length = '00000000'x;
krc2_exit_data = '';
krc2_rule_count = '00000000'x;
krc2_rule_array = '';
krc2_label = left('AMY.AES.EXPIMP.DATA',64) ;
krc2_token_length = KTR2_Output_Key_Length ;
krc2_token = KTR2_Output_Key ;
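The sample parameters above cover only the receiving system. The following REXX exec shows the sending-system side of the same procedure (CSNBKRR, CSNBKTB2, CSNBKTR2 and CSNDSYX) as an added example; it is not code from this document. It assumes the CKDS labels AMY.AES.DATA and AMY.AES.EXPORTER (hypothetical names for the KGUP-created AES-256 DATA key and AES EXPORTER), a TSO environment in which ICSF services are called through ADDRESS LINKPGM, an allocated DD XPORTDD (with a record length large enough for the hex output) that carries the wrapped key to the receiving system, and a set of CIPHER key-usage keywords (ANY-MODE, ENCRYPT, DECRYPT, XPRTCPAC) chosen for illustration; the optional CSNBKRW2 write to the CKDS is omitted.

```rexx
/* REXX - sending-system side of the AES protected-key export.        */
/* Added example, not code from the original document.                */
/* Assumptions (not from the page): CKDS labels AMY.AES.DATA and      */
/* AMY.AES.EXPORTER exist, the exec runs under TSO (ICSF services are */
/* reached through ADDRESS LINKPGM), and DD XPORTDD is allocated for  */
/* the AESKW-wrapped key that is carried to the receiving system.     */

data_label     = left('AMY.AES.DATA', 64)      /* assumed label */
exporter_label = left('AMY.AES.EXPORTER', 64)  /* assumed label */

exit_len  = '00000000'x
exit_data = ''
rc = 'FFFFFFFF'x
rs = 'FFFFFFFF'x

/* 1. CSNBKRR: read the fixed-length (v04, 64-byte) AES DATA token */
data_len   = '00000040'x
data_token = copies('00'x, 64)
address linkpgm 'CSNBKRR rc rs exit_len exit_data data_label data_token'
call check 'CSNBKRR'

/* 2. CSNBKTB2: build a skeleton (NO-KEY) variable-length AES CIPHER  */
/*    token. The usage/export keywords are assumptions for this       */
/*    example; XPRTCPAC lets the key become a CPACF protected key.    */
ktb2_count = '00000008'x
ktb2_rules = 'INTERNAL' || 'AES     ' || 'CIPHER  ' || 'NO-KEY  ' ||,
             'ANY-MODE' || 'ENCRYPT ' || 'DECRYPT ' || 'XPRTCPAC'
clear_key_bits = '00000000'x
clear_key = ''
name_len  = '00000000'x ; key_name = ''
uad_len   = '00000000'x ; uad   = ''   /* user associated data */
td_len    = '00000000'x ; tdata = ''   /* token data */
sd_len    = '00000000'x ; sdata = ''   /* service data */
skel_len  = '000002D5'x                /* 725 = max variable-length token */
skel      = copies('00'x, 725)
address linkpgm 'CSNBKTB2 rc rs exit_len exit_data ktb2_count ktb2_rules',
                'clear_key_bits clear_key name_len key_name uad_len uad',
                'td_len tdata sd_len sdata skel_len skel'
call check 'CSNBKTB2'

/* 3. CSNBKTR2 (AES, REFORMAT): move the DATA key into the CIPHER skeleton. */
/*    No KEKs are involved: internal token in, internal token out.          */
ktr2_count  = '00000002'x
ktr2_rules  = 'AES     ' || 'REFORMAT'
in_kek_len  = '00000000'x ; in_kek  = ''
out_kek_len = '00000000'x ; out_kek = ''
cipher_len   = '000002D5'x             /* buffer size on input */
cipher_token = left(skel, 725, '00'x)  /* skeleton in a full-size buffer */
address linkpgm 'CSNBKTR2 rc rs exit_len exit_data ktr2_count ktr2_rules',
                'data_len data_token in_kek_len in_kek out_kek_len out_kek',
                'cipher_len cipher_token'
call check 'CSNBKTR2'
/* cipher_len now holds the actual length of the CIPHER v05 token */

/* 4. CSNDSYX (AES, AESKW): wrap the CIPHER key under the AES EXPORTER, */
/*    which is passed by its 64-byte CKDS label.                        */
syx_count = '00000002'x
syx_rules = 'AES     ' || 'AESKW   '
kek_len   = '00000040'x
enc_len   = '000002D5'x
enc_key   = copies('00'x, 725)
address linkpgm 'CSNDSYX rc rs exit_len exit_data syx_count syx_rules',
                'cipher_len cipher_token kek_len exporter_label enc_len enc_key'
call check 'CSNDSYX'

/* 5. Hand the wrapped key to the receiving system as hex text. Only  */
/*    the matching IMPORTER (CSNDSYI2 with AES, AESKW) can unwrap it. */
queue c2x(left(enc_key, c2d(enc_len)))
address tso 'EXECIO 1 DISKW XPORTDD (FINIS'
say 'Exported' c2d(enc_len) 'bytes of AESKW-wrapped key'
exit 0

/* Stop on any return code above 4 (4 is a warning), then re-arm rc/rs */
check:
  if c2d(rc) > 4 then do
    say arg(1) 'failed: return code' c2d(rc) 'reason code' c2d(rs)
    exit 8
  end
  rc = 'FFFFFFFF'x
  rs = 'FFFFFFFF'x
return
```

On the receiving system, read the hex record back, convert it with x2c, and pass its length and value as enciphered_key_length and enciphered_key to CSNDSYI2 exactly as in the sample parameters above; the rest of the receiving-side flow (CSNBKTR2 with REFORMAT, then CSNBKRC2) is unchanged.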
Document Information
Modified date:
03 September 2021
UID
isg3T1026411