z/OS Cryptographic Services ICSF Application Programmer's Guide


Usage Notes

SA22-7522-16

SAF may be invoked to verify the caller is authorized to use this callable service, the key label, or internal secure key tokens that are stored in the CKDS or PKDS.

An RSA modulus-exponent form token imported on the PCICC, PCIXCC, CEX2C, or CEX3C results in an X'06' format, while a token imported on a Cryptographic Coprocessor Feature (CCF) results in an X'02' format. If the modulus length is less than 512 bits, the token is imported on the CCF and is in X'02' format.

This service imports keys of any modulus size up to 4096 bits. However, the hardware configuration sets the limits on the modulus size of keys for digital signatures and key management; thus, the key may be successfully imported but fail when used if the limits are exceeded.

The PKA Key Import access control point controls the function of this service. If the source_key_token parameter points to a trusted block, the PKA Key Import - Import an External Trusted Block access control point must also be enabled.

This table lists the required cryptographic hardware for each server type and describes restrictions for this callable service.

Table 231. PKA key import required hardware

Server: IBM eServer zSeries 900

  Required cryptographic hardware: Cryptographic Coprocessor Feature
  Restrictions: The request will be processed on the CCF when
    • the source_key_identifier contains an RSA modulus-exponent private key with a modulus length of less than 512 bits
    • the source_key_identifier contains a DSS private key
  RSA keys with moduli greater than 1024-bit length are not supported.

  Required cryptographic hardware: PCI Cryptographic Coprocessor
  Restrictions: The request will be processed on the PCICC when
    • the source_key_identifier contains an RSA modulus-exponent private key with a modulus length of at least 512 bits
    • the source_key_identifier contains an RSA CRT private key
  RSA keys with moduli greater than 2048-bit length are not supported.

Server: IBM eServer zSeries 990, IBM eServer zSeries 890

  Required cryptographic hardware: PCI X Cryptographic Coprocessor, Crypto Express2 Coprocessor
  Restrictions: DSS tokens are not supported. RSA keys with moduli greater than 2048-bit length are not supported.

Server: IBM System z9 EC, IBM System z9 BC

  Required cryptographic hardware: Crypto Express2 Coprocessor
  Restrictions: DSS tokens are not supported. RSA key support with moduli within the range 2048-bit to 4096-bit requires the Nov. 2007 or later licensed internal code (LIC).





Copyright IBM Corporation 1990, 2014