z/OS Cryptographic Services ICSF System Programmer's Guide


Function Restrictions

SA22-7520-17

Retained keys are RSA private keys that are stored in a cryptographic coprocessor instead of in the public key storage data set. This change does not affect retained keys that you are currently using, that is, keys that are already stored on the cryptographic coprocessor. However, starting with ICSF HCR7750, the ICSF services do not allow you to store RSA keys intended for key management use in a cryptographic coprocessor. Your applications can continue to store RSA private keys intended for signature usage in the cryptographic coprocessor. The modulus length of these private keys is limited to 2048 bits. ICSF HCR7750 introduces support for RSA keys with a 4096-bit modulus.

The 2048-bit RSA keys may have a public exponent, e, in the range of 2048. and e must be odd. The RSA public key exponents for 2049-bit to 4096-bit RSA keys are restricted to the values 3 and 65537.
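The restrictions above can be checked before a key is submitted for storage. The following is an added example, not IBM or ICSF code: it parses a PKCS#1 RSAPublicKey in DER form and reports which of this page's limits the key violates. The function names, the `retained` and `usage` parameters and the sample keys are assumptions made for the illustration; for moduli of 2048 bits or fewer it checks only that e is odd.

```python
# Added example, not IBM code; function names and usage strings are hypothetical.

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def parse_rsa_public_key(der):
    """Parse PKCS#1 RSAPublicKey: SEQUENCE { INTEGER n, INTEGER e }."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_n, n_raw, pos = _read_tlv(body, 0)
    tag_e, e_raw, _ = _read_tlv(body, pos)
    if (tag_n, tag_e) != (0x02, 0x02):
        raise ValueError("expected two INTEGERs")
    return int.from_bytes(n_raw, "big"), int.from_bytes(e_raw, "big")

def check_restrictions(der, retained=False, usage="signature"):
    """Return the list of restrictions from this page that the key violates."""
    n, e = parse_rsa_public_key(der)
    bits, problems = n.bit_length(), []
    if 2049 <= bits <= 4096 and e not in (3, 65537):
        problems.append("exponent must be 3 or 65537 for 2049- to 4096-bit keys")
    if bits <= 2048 and e % 2 == 0:            # only the "odd" rule is checked here
        problems.append("exponent must be odd")
    if retained and usage != "signature":
        problems.append("retained keys are limited to signature usage")
    if retained and bits > 2048:
        problems.append("retained key modulus is limited to 2048 bits")
    return problems

def _der(tag, value):
    size = len(value)
    size_raw = size.to_bytes((size.bit_length() + 7) // 8, "big")
    head = bytes([size]) if size < 0x80 else bytes([0x80 | len(size_raw)]) + size_raw
    return bytes([tag]) + head + value

def build_sample_key(bits, e):
    """Constructed sample: n = 2**(bits-1) + 1 has the right length but is not a real modulus."""
    n = (1 << (bits - 1)) | 1
    ints = [_der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big")) for v in (n, e)]
    return _der(0x30, b"".join(ints))
```

An empty list from `check_restrictions` means the key passes every check the function implements; it does not show that the modulus is a valid RSA modulus.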

ICSF delivers the migration check for PKDS compatibility with 4096-bit RSA key support for HCR7731 and z/OS V1.9 (ICSF release HCR7740) only, and not for any earlier or later releases. The PTF that delivers this check also requires, as a prerequisite, the PTF for PKDS 4096-bit key toleration (APAR OA21807). This ensures that you are able to allocate a sufficiently large PKDS, and avoids the situation where you properly allocate a PKDS for 4096-bit RSA keys but then find that the current ICSF service level does not support it.





Copyright IBM Corporation 1990, 2014