z/OS Cryptographic Services ICSF Application Programmer's Guide


Usage Notes

SA22-7522-16

SAF may be invoked to verify the caller is authorized to use this callable service, the key label, or internal secure key tokens that are stored in the CKDS or PKDS.

PIN block formats are more rigorously validated on the IBM eServer zSeries 990 and subsequent releases than on CCF systems.

Some PIN block formats are known by several names. This table shows the additional names.

Table 193. Additional Names for PIN Formats

| PIN Format | Additional Name |
|---|---|
| ISO-0 | ANSI X9.8, VISA format 1, ECI format 1 |
| ISO-1 | ECI format 4 |

This table lists the PIN block variant constants (PBVC) to be used.

Note:
PBVC is NOT supported on the IBM eServer zSeries 990 and subsequent releases. If PBVC is specified in the format control parameter of the PIN profile, the Encrypted PIN translate service will not be routed to a PCI Cryptographic Coprocessor for processing. This means that only control vectors and extraction methods valid for the Cryptographic Coprocessor Feature may be used if PBVC formatting is desired. It is recommended that a format control of NONE be used for maximum flexibility.
Table 194. PIN Block Variant Constants (PBVCs)

| PIN Format Name | PIN Block Variant Constant (PBVC) |
|---|---|
| ECI-2 | X'00000000000093000000000000009300' |
| ECI-3 | X'00000000000095000000000000009500' |
| ISO-0 | X'00000000000088000000000000008800' |
| ISO-1 | X'0000000000008B000000000000008B00' |
| VISA-2 | X'0000000000008D000000000000008D00' |
| VISA-3 | X'0000000000008E000000000000008E00' |
| VISA-4 | X'00000000000090000000000000009000' |
| 3621 | X'00000000000084000000000000008400' |
| 3624 | X'00000000000082000000000000008200' |
| 4704-EPP | X'00000000000087000000000000008700' |

The following table shows the access control points in the ICSF role that control the function of this service.

Table 195. Required access control points for Encrypted PIN Translate

| Processing rule | Access control point |
|---|---|
| TRANSLAT | Encrypted PIN Translate - Translate |
| REFORMAT | Encrypted PIN Translate - Reformat |

If any of the Unique Key per Transaction rule array keywords are specified, the UKPT - PIN Verify, PIN Translate access control point must be enabled.

This table lists the required cryptographic hardware for each server type and describes restrictions for this callable service.

Table 196. Encrypted PIN translate required hardware

Server: IBM eServer zSeries 900

Required cryptographic hardware: Cryptographic Coprocessor Feature

Restrictions:

If PBVC is specified for format control, the request will be routed to the Cryptographic Coprocessor Feature.

ISO-3 PIN block format is not supported.

Required cryptographic hardware: PCI Cryptographic Coprocessor

Restrictions:

ICSF routes this service to a PCI Cryptographic Coprocessor if:

  • The control vector in a supplied PIN encrypting key cannot be processed on the Cryptographic Coprocessor Feature.
  • UKPT support is requested.
  • The PIN profile specifies the ISO-2 PIN block format.
  • The input_PIN_encrypting_key_identifier identifies a key that does not have the default input PIN encrypting key control vector (IPINENC).
  • The output_PIN_encrypting_key_identifier identifies a key that does not have the default output PIN encrypting key control vector (OPINENC).
  • Anything other than the default is specified in the PIN extraction method keyword for the given PIN block format in rule_array.

DUKPT-IP, DUKPT-OP and DUKPT-BH keywords are not supported.

ISO-3 PIN block format is not supported.

Server: IBM eServer zSeries 990, IBM eServer zSeries 890

Required cryptographic hardware: PCI X Cryptographic Coprocessor, Crypto Express2 Coprocessor

Restrictions:

Format control in the PIN profile parameter must specify NONE.

ISO-3 PIN block format is not supported.

Server: IBM System z9 EC, IBM System z9 BC

Required cryptographic hardware: Crypto Express2 Coprocessor

Restrictions:

Format control in the PIN profile parameter must specify NONE.

ISO-3 PIN block format requires the Nov. 2007 or later licensed internal code (LIC).
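
An added example, not part of the IBM guide or of ICSF: a pre-flight check in C that applies the PBVC note and the Table 196 restrictions to a PIN profile before an application is moved between server types. All function and enum names are hypothetical, the profiles used to exercise it are constructed, and the code assumes the PIN profile begins with two blank-padded 8-byte elements (PIN block format, then format control).

```c
#include <string.h>

/* Hypothetical pre-flight lint; none of these names are ICSF APIs. */
enum server  { Z900, Z990_Z890, Z9_OLD_LIC, Z9_NOV2007_LIC };
enum verdict { ROUTE_CCF, ROUTE_COPROCESSOR, FORMAT_CONTROL_NOT_NONE,
               PBVC_CONFLICT, ISO3_UNSUPPORTED };

/* Copy one blank-padded 8-byte profile element (0 = PIN block format,
 * 1 = format control; layout is an assumption) and strip the blanks. */
static void element(const char *profile, int index, char out[9])
{
    int n = 8;
    memcpy(out, profile + 8 * index, 8);
    while (n > 0 && out[n - 1] == ' ')
        n--;
    out[n] = '\0';
}

/* needs_pci: the caller sets this when the request uses a non-default
 * IPINENC/OPINENC control vector, a UKPT keyword, or a non-default
 * PIN extraction method (the z900 routing conditions in Table 196). */
enum verdict check_pin_profile(enum server srv, const char *profile,
                               int needs_pci)
{
    char format[9], control[9];
    element(profile, 0, format);
    element(profile, 1, control);
    int pbvc = strcmp(control, "PBVC") == 0;
    int iso3 = strcmp(format, "ISO-3") == 0;

    if (srv == Z900) {
        if (iso3)
            return ISO3_UNSUPPORTED;
        if (strcmp(format, "ISO-2") == 0)
            needs_pci = 1;              /* ISO-2 is a PCICC routing condition */
        if (pbvc)                       /* PBVC is never routed to the PCICC */
            return needs_pci ? PBVC_CONFLICT : ROUTE_CCF;
        /* Assumption: with no PCICC condition the CCF handles the call. */
        return needs_pci ? ROUTE_COPROCESSOR : ROUTE_CCF;
    }
    /* z990, z890, z9: format control must be NONE. */
    if (strcmp(control, "NONE") != 0)
        return FORMAT_CONTROL_NOT_NONE;
    if (iso3 && srv != Z9_NOV2007_LIC)
        return ISO3_UNSUPPORTED;
    return ROUTE_COPROCESSOR;
}
```

A PBVC_CONFLICT result marks a z900 request that asks for PBVC formatting together with something only the PCI Cryptographic Coprocessor can process; FORMAT_CONTROL_NOT_NONE marks profiles that have to change before moving to a z990 or later server.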





Copyright IBM Corporation 1990, 2014