z/OS Cryptographic Services ICSF Application Programmer's Guide


Key Forms

SA22-7522-16

A key that is protected under the master key is in operational form, which means ICSF can use it in cryptographic functions on the system.

When you store a key with a file or send it to another system, the key is enciphered under a transport key rather than the master key because, for security reasons, the key should no longer be active on the system. When ICSF enciphers a key under a transport key, the key is not in operational form and cannot be used to perform cryptographic functions.

When a key is enciphered under a transport key, the sending system considers the key in exportable form. The receiving system considers the key in importable form. When a key is reenciphered from under a transport key to under a system's master key, it is in operational form again.

Enciphered keys appear in three forms. The form you need depends on how and when you use a key.

  • Operational key form is used at the local system. Many callable services can use an operational key form.

    The key token build, key generate, key import, data key import, clear key import, multiple clear key import, secure key import, and multiple secure key import callable services can create an operational key form.

  • Exportable key form is transported to another cryptographic system. It can only be passed to another system. The ICSF callable services cannot use it for cryptographic functions. The key generate, data key export, and key export callable services produce the exportable key form.
  • Importable key form can be transformed into operational form on the local system. The key import callable service (CSNBKIM) and the data key import callable service (CSNBDKM) can use an importable key form. Only the key generate callable service (CSNBKGN) can create an importable key form. The secure key import (CSNBSKI) and multiple secure key import (CSNBSKM) callable services can convert a clear key into an importable key form.

For more information about the key types, see either Functions of the Symmetric Cryptographic Keys or the z/OS Cryptographic Services ICSF Administrator’s Guide. See Key Forms and Types Used in the Key Generate Callable Service for more information about key form.

DES Key Flow

The conversion from one key form to another is a one-way flow. An operational key form cannot be turned back into an importable key form. An exportable key form cannot be turned back into an operational or importable key form. ICSF key forms can flow in only one direction:

IMPORTABLE —to→ OPERATIONAL —to→ EXPORTABLE
 





Copyright IBM Corporation 1990, 2014