z/OS Cryptographic Services ICSF Application Programmer's Guide


Usage Notes

z/OS Cryptographic Services ICSF Application Programmer's Guide
SA22-7522-16

Unless otherwise noted, all String parameters that are either written to, or read from, a TR-31 key block will be in EBCDIC format. Input parameters are converted to ASCII before being written to the TR-31 key block and output parameters are converted to EBCDIC before being returned (see Appendix G. EBCDIC and ASCII Default Conversion Tables). TR-31 key blocks themselves are always in printable ASCII format as required by the ANSI TR-31 specification.

If keyword INCL-CV or ATTR-CV is specified, the service inserts the CCA control vector (CV) from the source key into an optional data field in the TR-31 header. The TR-31 Import callable service can extract this CV and use it as the CV for the CCA key it creates when importing the TR-31 block. This provides a way to use TR-31 for transport of CCA keys and to make the CCA key have identical control vectors on the sending and receiving nodes. The difference between the two keywords is as follows. INCL-CV is a normal TR-31 export in which the TR-31 key attributes are set based on the supplied rule array keywords, but the CV is also included in the TR-31 block to provide additional detail. In contrast, ATTR-CV causes the service to include the CV but to set both the TR-31 usage and mode of use fields to proprietary values, which indicate that the usage and mode information are specified in the CV and not in the TR-31 header. For option INCL-CV, the export operation is still subject to the restrictions imposed by the settings of the relevant access control points. For option ATTR-CV, those access control points are not checked and any CCA key can be exported as long as the export control fields in the CV permit it.

SAF may be invoked to verify the caller is authorized to use this callable service, the key label, or internal secure key tokens that are stored in the CKDS.

Note that the optional data, if present, must not already contain a Padding Block (ID "PB"). A Padding Block of the appropriate size, if needed, will be added when building the TR-31 key block. If this callable service encounters a Padding Block in the optional block data, an error will occur.
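The following added example, which is not part of the ICSF documentation or IBM code, shows a pre-flight check an application could run on optional block data before calling the export service, so that a Padding Block is caught locally rather than surfacing as a service error. It assumes the buffer already holds ASCII optional blocks in the TR-31 layout (2-character ID, 2-hex-digit length covering the whole block, then data); the function name and return codes are hypothetical. Bytes are compared by ASCII code point so the check behaves the same when compiled with an EBCDIC character set.

```c
#include <stddef.h>
#include <stdio.h>

#define OPT_HAS_PADDING (-1)  /* a "PB" block is already present */
#define OPT_MALFORMED   (-2)  /* length field invalid or block truncated */

/* Decode one ASCII hex digit by code point, so the result is the same
   when this is compiled with an EBCDIC execution character set. */
static int hex_val(unsigned char c) {
    if (c >= 0x30 && c <= 0x39) return c - 0x30;       /* '0'..'9' */
    if (c >= 0x41 && c <= 0x46) return c - 0x41 + 10;  /* 'A'..'F' */
    return -1;
}

/* Walk ASCII optional-block data: each block is a 2-character ID, a
   2-hex-digit length that counts ID + length + data, then the data.
   Returns the number of blocks, or a negative OPT_* code.
   Extended-length blocks (length "00") are reported as malformed. */
int check_opt_blocks(const unsigned char *buf, size_t len) {
    size_t off = 0;
    int count = 0;
    while (off < len) {
        if (len - off < 4) return OPT_MALFORMED;
        int hi = hex_val(buf[off + 2]), lo = hex_val(buf[off + 3]);
        if (hi < 0 || lo < 0) return OPT_MALFORMED;
        size_t blen = (size_t)(hi * 16 + lo);
        if (blen < 4 || blen > len - off) return OPT_MALFORMED;
        if (buf[off] == 0x50 && buf[off + 1] == 0x42)  /* "PB" */
            return OPT_HAS_PADDING;
        count++;
        off += blen;
    }
    return count;
}

int main(void) {
    /* Constructed sample in ASCII: "TS0A123456" followed by "PB06RR". */
    static const unsigned char sample[] = {
        0x54,0x53,0x30,0x41,0x31,0x32,0x33,0x34,0x35,0x36,
        0x50,0x42,0x30,0x36,0x52,0x52 };
    int rc = check_opt_blocks(sample, sizeof sample);
    printf("check_opt_blocks -> %d\n", rc);
    return rc == OPT_HAS_PADDING ? 0 : 1;
}
```

A non-negative return value is the block count, which can be compared against the number of optional blocks the application intends to send.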

The access control points in the ICSF role that control the general function of this service are:

  • TR31 Export - Permit version A TR-31 key blocks
  • TR31 Export - Permit version B TR-31 key blocks
  • TR31 Export - Permit version C TR-31 key blocks

This table lists the required cryptographic hardware for each server type and describes restrictions for this callable service.

Table 116. TR-31 export required hardware
| Server | Required cryptographic hardware | Restrictions |
|---|---|---|
| IBM eServer zSeries 900 | | This service is not supported. |
| IBM eServer zSeries 990; IBM eServer zSeries 890 | | This service is not supported. |
| IBM System z9 EC; IBM System z9 BC | | This service is not supported. |
| IBM System z10 EC; IBM System z10 BC | | This service is not supported. |
| z196 | Crypto Express3 Coprocessor | TR-31 key support requires the Sep. 2011 or later LIC. |





Copyright IBM Corporation 1990, 2014