z/OS Cryptographic Services ICSF System Programmer's Guide


Migrating from 4753-HSP

SA22-7520-17

ICSF provides key management callable services that are identical to the 4753-HSP verbs of the same name. Key management applications that were developed for the 4753-HSP and use only these common verbs can run on OS/390 ICSF or z/OS ICSF without being reassembled; they do, however, have to be relinked.

If your installation is currently using the 4753-HSP and you are migrating to OS/390 ICSF or z/OS ICSF, consider:

  • 4753-HSP cryptographic key storage

    Internal key tokens for ICSF and the 4753-HSP are not interchangeable. A migration path for key tokens is provided by the optional TKE Version 3 Workstation for the S/390 G5, G6, and z900 servers, and by TKE Version 4 or higher for the z900, z890, z990, z9 EC and z9 BC servers. TKE Version 3, Version 4, and Version 5 supply a 4753 Migration Utility that migrates internal DES key tokens from the 4753 to ICSF.

    Without the utility, key exchange between the two systems is done through the external key token. To migrate keys from the 4753-HSP to ICSF, you must first establish an exporter/importer key-encrypting key (KEK) relationship between the 4753-HSP and ICSF. You can then write an application that exports keys from 4753-HSP key storage and imports them into the ICSF CKDS.

    This type of key exchange works only for CCA-defined key types, which carry the same control vector (CV) on both systems, because the CV is bound into the key-encrypting key under which a key is wrapped. If your 4753-HSP key storage contains non-CCA key types, you need to generate a special exporter/importer KEK pair on the 4753-HSP: the exporter KEK nullifies the CV value that is used on the 4753-HSP, and the importer KEK includes the CV value that ICSF requires, so that both systems wrap and unwrap the key under the same KEK variant.

  • Key labels

    ICSF/MVS Version 1 Release 2 and above supports an extended key label of up to 64 bytes. Although the 4753-HSP also supports a 64-byte key label, it imposes additional formatting restrictions that do not apply to ICSF: a 4753-HSP key label consists of one to five name tokens separated by periods, and each name token contains one to eight alphanumeric or national characters. ICSF, therefore, can accept every 4753-HSP key label, but the 4753-HSP cannot accept every ICSF key label. For more information on key label formatting restrictions, refer to IBM Transaction Security System: Concepts and Programming Guide: Volume I, Access Controls and DES Cryptography.

    ICSF/MVS Version 1 Release 2 and above, like the 4753-HSP, requires unique key labels for data-encrypting keys, data-translation keys, and MAC keys. To maintain compatibility with ICSF/MVS Version 1 Release 1, however, KGUP continues to allow multiple key types under one label for importer, exporter, and PIN keys. When you use either KGUP or the KEU to enter such keys, ensure that their labels do not conflict with the unique-label requirement that applies to the other key types.

  • UDX (User Defined Extension) support

    Beginning with OS/390 V2 R10 ICSF, ICSF supports User Defined Extensions (UDX). UDX routines are developed under a special contract with IBM and are distributed only to authorized customers.

    The UDX function is invoked by an "installation-defined" or generic callable service. The callable service is defined in the Installation Options data set (UDX parameter) and the service stub is link-edited with the application. The application program calls the service stub which accesses the UDX installation-defined service.

    There is a one-to-one correspondence between a specific generic service in ICSF and a specific UDX command processor in the PCICC, PCIXCC, or CEX2C. The administrator, through ICSF panels, performs UDX authorization processing on each PCI Cryptographic Coprocessor. Authorization is per coprocessor, not per LPAR. See Managing User Defined Extensions in z/OS Cryptographic Services ICSF Administrator’s Guide for additional information.

    Support for writing your own UDX for a PCI Cryptographic Coprocessor is available. Development of a UDX for a PCIXCC or CEX2C requires a special contract with IBM. See the UDX Reference and Guide and the 4758 Custom Software Developer's Toolkit Guide for additional information. These, and other publications related to the IBM 4758 Coprocessor can be obtained in PDF format from the Library page located at http://www.ibm.com/security/cryptocards.

    See the UDX parameter and Installation-Defined Callable Services in z/OS Cryptographic Services ICSF System Programmer’s Guide for additional details.
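The control-vector requirement in the first consideration above (why a key can be exchanged directly only when the 4753-HSP and ICSF use the same CV, and how a special exporter/importer KEK pair bridges a mismatch) is illustrated by the following model. It is an added example, not CCA, ICSF or 4753-HSP code: it keeps one CCA idea, that a key is wrapped under the KEK XORed with the key's control vector, and replaces Triple-DES with a SHA-256 keystream so that it runs with the Python standard library. The function names, the CV values and the key material are all constructed for the example.

```python
"""Toy model of CCA-style control-vector (CV) key wrapping for the
4753-HSP -> ICSF migration described in the text.  Added illustration,
not IBM code.  Assumption: a key is wrapped under (KEK XOR CV); the real
cipher (TDES under the KEK variant) is replaced by a SHA-256 keystream.
"""
import hashlib

KEY_LEN = 16  # double-length DES key and 16-byte CV, as in CCA


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _keystream(variant_kek: bytes, length: int) -> bytes:
    # Stand-in for TDES under the KEK variant: SHA-256 in counter mode.
    out = b""
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(variant_kek + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def wrap_key(kek: bytes, cv: bytes, key: bytes) -> bytes:
    """Export side: encrypt `key` under the variant (KEK XOR CV of `key`)."""
    return xor(_keystream(xor(kek, cv), len(key)), key)


def unwrap_key(kek: bytes, cv: bytes, wrapped: bytes) -> bytes:
    """Import side: decrypt under (KEK XOR CV).  A CV mismatch does not
    raise an error; it silently yields a different key, which is exactly
    why the CVs on both systems must agree."""
    return xor(_keystream(xor(kek, cv), len(wrapped)), wrapped)


# Constructed 16-byte CVs: one CCA-defined type that both systems know, and
# one hypothetical type that the 4753-HSP encodes differently from ICSF.
CV_CCA_DATA = b"CCA-DATA-CV-----"
CV_4753_ONLY = b"4753-PRIVATE-CV-"
CV_ICSF_TARGET = b"ICSF-TARGET-CV--"


def naive_migrate(key: bytes, cv_on_4753: bytes, cv_at_icsf: bytes,
                  shared_kek: bytes) -> bytes:
    """Ordinary exporter/importer pair (same KEK value on both systems)."""
    external_token = wrap_key(shared_kek, cv_on_4753, key)      # on the 4753-HSP
    return unwrap_key(shared_kek, cv_at_icsf, external_token)   # on ICSF


def migrate_key(key: bytes, cv_on_4753: bytes, cv_at_icsf: bytes,
                base_kek: bytes) -> bytes:
    """Migration that also works for non-CCA key types.

    When the CVs differ, generate the special pair the text describes:
    the exporter KEK cancels the 4753 CV and the importer KEK folds in
    the ICSF CV, so both ends end up using the same KEK variant.
    """
    if cv_on_4753 == cv_at_icsf:
        exporter_kek = importer_kek = base_kek
    else:
        exporter_kek = xor(base_kek, cv_on_4753)   # nullifies the 4753-HSP CV
        importer_kek = xor(base_kek, cv_at_icsf)   # includes the CV needed at ICSF
    external_token = wrap_key(exporter_kek, cv_on_4753, key)     # on the 4753-HSP
    return unwrap_key(importer_kek, cv_at_icsf, external_token)  # on ICSF


if __name__ == "__main__":
    kek = bytes(range(16))                  # constructed shared KEK
    data_key = b"\x11" * KEY_LEN            # constructed key to migrate
    print("CCA type, plain pair   :", naive_migrate(data_key, CV_CCA_DATA, CV_CCA_DATA, kek) == data_key)
    print("non-CCA, plain pair    :", naive_migrate(data_key, CV_4753_ONLY, CV_ICSF_TARGET, kek) == data_key)
    print("non-CCA, special pair  :", migrate_key(data_key, CV_4753_ONLY, CV_ICSF_TARGET, kek) == data_key)
```

The model makes the practical check visible: a key imported under the wrong CV is not rejected by the arithmetic, it is simply a different key, so after any migration you should verify the imported key (for example by comparing a MAC or key check value produced on both systems) rather than trusting that the import succeeded.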
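For the key label consideration above, the following added example (not ICSF or 4753-HSP code) checks whether a label that ICSF accepts would also be accepted by the 4753-HSP, which matters when keys must remain exchangeable in both directions during a migration. It encodes only the rules the text states: an ICSF label is up to 64 bytes; a 4753-HSP label is one to five name tokens separated by periods, each of one to eight alphanumeric or national characters. It assumes that the national characters are '@', '#' and '$' and that labels are stored in upper case; both are assumptions, not statements from this page.

```python
"""Triage key labels for 4753-HSP <-> ICSF portability.  Added example,
not IBM code.  Assumptions: national characters are '@', '#', '$';
labels are compared in upper case.
"""
import string

MAX_LABEL_LEN = 64                 # ICSF/MVS V1R2 and later, and the 4753-HSP
MAX_TOKENS = 5                     # 4753-HSP: one to five name tokens
MAX_TOKEN_LEN = 8                  # 4753-HSP: one to eight characters per token
NATIONAL = "@#$"                   # assumption: EBCDIC national characters
TOKEN_CHARS = set(string.ascii_uppercase + string.digits + NATIONAL)


def check_4753_label(label: str) -> tuple[bool, str]:
    """Return (portable, reason) for a label ICSF is assumed to hold."""
    if not 1 <= len(label) <= MAX_LABEL_LEN:
        return False, f"length {len(label)} is outside 1..{MAX_LABEL_LEN} bytes"
    tokens = label.split(".")
    if len(tokens) > MAX_TOKENS:
        return False, f"{len(tokens)} name tokens; 4753-HSP allows 1 to {MAX_TOKENS}"
    for i, tok in enumerate(tokens, start=1):
        if not 1 <= len(tok) <= MAX_TOKEN_LEN:
            return False, (f"token {i} {tok!r} has {len(tok)} characters; "
                           f"4753-HSP allows 1 to {MAX_TOKEN_LEN}")
        bad = sorted(set(tok) - TOKEN_CHARS)
        if bad:
            return False, (f"token {i} {tok!r} contains {bad}; only alphanumeric "
                           f"or national characters are allowed")
    return True, "accepted by both ICSF and the 4753-HSP"


def is_portable_label(label: str) -> bool:
    return check_4753_label(label)[0]


def triage(labels: list[str]) -> dict[str, str]:
    """Map each label that the 4753-HSP would reject to the reason."""
    return {lbl: reason for lbl in labels
            for ok, reason in [check_4753_label(lbl)] if not ok}


# Constructed sample labels: all but the last are valid ICSF labels.
SAMPLE_LABELS = [
    "PAYROLL.MAC.KEY01",        # portable
    "CUSTOMER.KEYS.2014",       # portable (8-character first token)
    "MIGRATION.KEY",            # token 1 is 9 characters: 4753-HSP rejects
    "A.B.C.D.E.F",              # six tokens: 4753-HSP rejects
    "A..B",                     # empty token: 4753-HSP rejects
    "X" * 65,                   # too long for either system
]

if __name__ == "__main__":
    for lbl, reason in triage(SAMPLE_LABELS).items():
        print(f"{lbl[:20]:<20} {reason}")
```

Because every 4753-HSP label is also a valid ICSF label, run this check in the ICSF-to-4753 direction only; labels flagged here must be renamed on the ICSF side before the corresponding keys can be referenced from the 4753-HSP.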

Copyright IBM Corporation 1990, 2014