- SAF may be invoked to verify the caller is authorized to use the
specified key label stored in the CKDS.
- To use a CKDS encrypted key, the ICSF segment of the CSFKEYS class
general resource profile associated with the specified key label must
contain SYMCPACFWRAP(YES).
- No pre- or post-processing exits are enabled for this service.
- The master keys need to be loaded only when using this service
with the encrypted key labels.
- The AES algorithm will use hardware if it is available. Otherwise,
clear key operations will be performed in software.
- AES has the same availability restrictions as triple-DES.
- This service will fail if execution would cause destructive overlay
of the clear_text field.
When the label of an encrypted key is specified for
the key_identifier parameter, the appropriate access control
point listed below must be enabled.
Table 142. Symmetric Key Encipher required hardwareServer | Required
cryptographic hardware | Restrictions |
---|
IBM zSeries 900 | | DES
keyword is not supported.
CFB-LCFB, GCM, and OFB processing
rules are not supported. | IBM zSeries 990
IBM zSeries 890 | CP Assist for Cryptographic Functions |
CFB-LCFB,
GCM, and OFB processing rules are not supported. | IBM
System z9 EC
IBM System z9 BC | CP Assist for Cryptographic Functions |
CFB-LCFB,
GCM, and OFB processing rules are not supported. |
|