z/OS Cryptographic Services ICSF Application Programmer's Guide


ANSI X9.17 Key Translate (CSNAKTR and CSNGKTR)

SA22-7522-16

Use the ANSI X9.17 key translate callable service to translate a key from encryption under one AKEK to encryption under another AKEK. In a single service call you can translate either one or two encrypted DATA keys, or a single encrypted key-encrypting key. This service also imports the supplied DATA keys. If the rule_array parameter specifies 2-KD, this service exclusive-ORs the two imported DATA keys and converts the result into a MAC key, which it returns in the MAC_key_token field. The MAC key is used to perform MAC processing on the service message.

If the rule_array specifies keywords 1-KD and 2-KD, ICSF translates only DATA keys. The service uses the inbound transport key-encrypting key to decrypt the DATA keys and the outbound transport key-encrypting key to reencrypt them. The service uses the ANSI X9.17 key offset process during decryption or importing, and it can use the ANSI X9.17 notarization process during reencryption or exporting of the DATA keys.

If the rule_array parameter specifies 1-KD+KK or 1-KD+*KK, the service translates only the AKEK. The service uses the inbound transport key-encrypting key to decrypt or import the input AKEK, applying the ANSI X9.17 offset process. The service uses the outbound transport key-encrypting key to reencipher or export the AKEK, with or without applying the optional ANSI X9.17 notarization process. ICSF uses the inbound key-encrypting key that is being translated to import the supplied DATA key, applying the ANSI X9.17 offset processing only with an offset of 0. The DATA key is imported as previously discussed, then converted to a MAC key token and returned in the MAC_key_token field.

Restriction: This service is only supported on an IBM eServer zSeries 900.

The callable service name for AMODE(64) invocation is CSNGKTR.





Copyright IBM Corporation 1990, 2014