z/OS Cryptographic Services ICSF Administrator's Guide


Generating PKA Keys

SA22-7521-17

If a PCICC, PCIXCC, CEX2C, or CEX3C is installed, ICSF is able to generate RSA keys using the PKA Key Generate service. On the z196 with the CEX3C, ICSF is able to generate ECC keys using the PKA Key Generate service.

The RSA key format can be the Modulus Exponent form or the Chinese Remainder form. Retained keys are RSA keys that are generated within the secure boundary of the card and never leave it. Only the domain that created a retained key can access it. The retained key format can also be the Modulus Exponent form or the Chinese Remainder form. For more information on how to retain a generated key, see z/OS Cryptographic Services ICSF Application Programmer’s Guide.

Normally the output key is randomly generated. You may find it useful in testing situations to recreate the same key values. By providing regeneration data, a seed can be supplied so that the same value of the generated key can be obtained in multiple instances. To generate the keys based on the value supplied in the regeneration_data parameter, you must enable one of these access control points:

  • When using the RETAIN keyword, enable the Permit Regeneration Data for Retain Keys access control point.
  • When not using the RETAIN keyword, enable the Permit Regeneration Data access control point.

For more information on enabling access control points, refer to z/OS Cryptographic Services ICSF TKE Workstation User’s Guide.

RSA keys in the PKDS can be managed using the PKDS key management panel utilities.

  • You can generate an RSA key that is stored in the PKDS.
  • You can delete any key from the PKDS.
  • You can create an X.509 certificate to export an RSA public key in the PKDS.
  • You can import an RSA public key from an X.509 certificate and store it in the PKDS.

For more information see Using the Utility Panels to Manage Keys in the PKDS.





Copyright IBM Corporation 1990, 2014