z/OS Cryptographic Services ICSF System Programmer's Guide


Programming Considerations

SA22-7520-17

This topic lists programming changes that should be considered when installing a PCIXCC/CEX2C.

Consideration should be given to:

  1. The DATAC key type cannot be used on the IBM eServer zSeries 900.
  2. The PIN block format checking on PCIXCC/CEX2C is more rigorous than with a CCF.

    For CSNBPVR, CSNBPTR and CSNBCPA services, the input PIN block must have the correct format as specified in the PIN Profile parameter. On a CCF system, the PIN block format checking is incomplete.

    For example, the REFORMAT processing mode of PIN Translate (CSNBPTR) may now fail on a PCIXCC/CEX2C when it was previously successful on a CCF. On a CCF, if the input to the PIN verify service (CSNBPVR) is a malformed encrypted PIN block, the service fails with return code 4, reason code 3028 (verification failed); on a PCIXCC/CEX2C, the service may instead fail with return code 8 and an appropriate reason code for an invalid PIN format.

  3. RSA keys with a 512- to 2048-bit modulus are supported in all PKA services except SET services (Set Block Compose and Set Block Decompose).
  4. All CCF functions are now executed on the PCIXCC/CEX2C. This may cause some impact on the performance of customer applications.
  5. Reason codes from the PCIXCC/CEX2C may be different from previous cryptographic hardware.
  6. With PCIXCCs/CEX2Cs, the requirement that the caller must be in supervisor state to use NOCV tokens is lifted for the CKDS Key Record Write (CSNBKRW) service.
  7. The z/OS SCHEDULE and IEAMSCHD macros are used to schedule SRBs. On the IBM eServer zSeries 990, IBM eServer zSeries 890, IBM System Enterprise Class or IBM System Business Class, since there are no CCFs on the system, applications should delete FEATURE=CRYPTO on the SCHEDULE and IEAMSCHD macros or the SRB being scheduled will not run.
  8. External tokens that are export prohibited are imported differently on a z990, z890, z9 EC, z9 BC, z10 EC, z10 BC, and z196 system with PCIXCCs/CEX2C/CEX3Cs. The imported internal token will have the same control vector as the external token with export prohibited. These tokens will only be usable on a z990, z890, z9 EC, z9 BC, z10 EC, z10 BC, and z196 with a PCIXCC/CEX2C or on CCF systems with PCICCs. On previous hardware (CCF systems) the imported internal token had a control vector that allowed export, and export prohibition was enforced by the export flag in the token.
  9. Prohibit Export service can now be used for MAC and MACVER keys.
  10. A new rule array keyword, TDES-MAC, is added to the MAC Generate and MAC Verify services.
  11. New rule array keywords, CFB and PKCS-PAD, are added to the Symmetric Key Decipher and Symmetric Key Encipher services.
  12. A RACF check is added to the Key Generation Utility (CSFKGUP).
  13. The CSFKGUP utility exit control block has been changed for AES. See Installation Exits for the new format.





Copyright IBM Corporation 1990, 2014