z/OS Cryptographic Services ICSF Application Programmer's Guide
Previous topic | Next topic | Contents | Index | Contact z/OS | Library | PDF


Usage Notes

z/OS Cryptographic Services ICSF Application Programmer's Guide
SA22-7522-16

  • SAF may be invoked to verify the caller is authorized to use the specified key label stored in the CKDS.
  • To use a CKDS encrypted key, the ICSF segment of the CSFKEYS class general resource profile associated with the specified key label must contain SYMCPACFWRAP(YES).
  • No pre- or post-processing exits are enabled for this service.
  • The master keys need to be loaded only when using this service with the encrypted key labels.
  • The AES algorithm will use hardware if it is available. Otherwise, clear key operations will be performed in software.
  • AES has the same availability restrictions as triple-DES.
  • This service will fail if execution would cause destructive overlay of the clear_text field.

When the label of an encrypted key is specified for the key_identifier parameter, the appropriate access control point listed below must be enabled.

Table 141. Required access control points for Symmetric Key Encipher
Key algorithmAccess control point
AESSymmetric Key Encipher/Decipher - Encrypted AES keys
DESSymmetric Key Encipher/Decipher - Encrypted DES keys

Table 142. Symmetric Key Encipher required hardware
ServerRequired cryptographic hardwareRestrictions
IBM eServer zSeries 900DES keyword is not supported.

CFB-LCFB, GCM, and OFB processing rules are not supported.

IBM eServer zSeries 990

IBM eServer zSeries 890

CP Assist for Cryptographic Functions

CFB-LCFB, GCM, and OFB processing rules are not supported.

IBM System z9 EC

IBM System z9 BC

CP Assist for Cryptographic Functions

CFB-LCFB, GCM, and OFB processing rules are not supported.

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014