z/OS Cryptographic Services ICSF Administrator's Guide


Enhanced key management for crypto assist instructions

SA22-7521-17

To exploit clear key DES and AES instructions on the CPACF, ICSF can generate and format clear DES and AES tokens to be used in callable services and stored in the cryptographic key data set (CKDS). With clear key support on the CKDS, clear keys do not have to appear in application storage during use. Clear key tokens on the CKDS can be referenced by label name in these callable services:

  • Symmetric Key Encipher (CSNBSYE and CSNBSYE1)
  • Symmetric Key Decipher (CSNBSYD and CSNBSYD1)
  • Symmetric MAC Generate (CSNBSMG and CSNBSMG1)
  • Symmetric MAC Verify (CSNBSMV and CSNBSMV1)

On systems sharing the CKDS without this support, it is highly recommended that you RACF-protect the label name of the clear key tokens on the other systems. This will provide additional security for your installation. Refer to Using RACF to Protect Keys and Services for more information.
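
The RACF protection recommended above could be set up with commands like the following, shown as an added example that is not taken from the IBM guide. The label prefix APP1.CLEARKEY and the group APPGRP1 are hypothetical; the commands use the CSFKEYS resource class, which controls access to CKDS key labels.

```tso
/* Added example. Label prefix APP1.CLEARKEY and group APPGRP1 are   */
/* hypothetical; substitute the CKDS labels of your clear key tokens. */

/* Activate the CSFKEYS class and allow generic profiles in it */
SETROPTS CLASSACT(CSFKEYS) GENERIC(CSFKEYS)

/* Deny access by default to every label under the prefix */
RDEFINE CSFKEYS APP1.CLEARKEY.* UACC(NONE)

/* Allow only the application's group to reference the labels */
PERMIT APP1.CLEARKEY.* CLASS(CSFKEYS) ID(APPGRP1) ACCESS(READ)

/* Load the class into storage, then refresh after any later change */
SETROPTS RACLIST(CSFKEYS)
SETROPTS RACLIST(CSFKEYS) REFRESH

/* Check the resulting access list */
RLIST CSFKEYS APP1.CLEARKEY.* AUTHUSER
```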





Copyright IBM Corporation 1990, 2014