Usage Notes
z/OS Cryptographic Services ICSF Application Programmer's Guide SA22-7522-16
SAF may be invoked to verify that the caller is authorized to use this callable service, the key label, or internal secure key tokens that are stored in the CKDS or PKDS.

Use of NOCV keys is controlled by an access control point in the PCIXCC.

Creation of NOCV key-encrypting keys is only available for standard IMPORTERs and EXPORTERs.

Systems with the Cryptographic Coprocessor Feature

The key import callable service cannot be used to import ANSI key-encrypting keys. For information on importing these types of keys, refer to ANSI X9.17 Key Import (CSNAKIM and CSNGKIM).

To use NOCV key-encrypting keys or to import DATAM or DATAMV keys, NOCV-enablement keys must be installed in the CKDS. This service marks an imported KEK as a NOCV-KEK when a valid IMPORTER or EXPORTER token with the NOCV-KEK flag enabled is supplied in the target_key_identifier field. The type of the token must match the key type of the imported key.

This service marks DATA and key-encrypting key tokens with the system encryption algorithm if the request is processed on the CCF. The service propagates the data encryption algorithm mark on the operational KEK unless token copying overrides this:

Key import operations that specify a NOCV key-encrypting key as either the importer key or the target, and that also specify a source or key-encrypting key containing a control vector not supported by the Cryptographic Coprocessor Feature, will fail.

Systems with the PCI X Cryptographic Coprocessor, Crypto Express2 Coprocessor, or Crypto Express3 Coprocessor

Use of NOCV keys is controlled by an access control point in the PCIXCC, CEX2C, or CEX3C. This service marks an imported KEK as a NOCV-KEK:

The software bit used to mark the imported token as export prohibited is not supported on a PCIXCC, CEX2C, or CEX3C. The internal token for an export-prohibited key will have the appropriate control vector that prohibits export.

The following table shows the access control points in the ICSF role that control the function of this service.

To use a NOCV key-encrypting key with the key import service, the NOCV KEK usage for import-related functions access control point must be enabled in addition to one or both of the access control points listed.

This table lists the required cryptographic hardware for each server type and describes restrictions for this callable service.
Copyright IBM Corporation 1990, 2014