z/OS Cryptographic Services ICSF Administrator's Guide
Previous topic | Next topic | Contents | Index | Contact z/OS | Library | PDF


Enabling use of encrypted keys in Symmetric Key Encipher and Symmetric Key Decipher callable services

z/OS Cryptographic Services ICSF Administrator's Guide
SA22-7521-17

The Symmetric Key Encipher (CSNBSYE, CSNBSYE1, CSNESYE and CSNESYE1) and Symmetric Key Decipher (CSNBSYD, CSNBSYD1, CSNESYD and CSNESYD1) callable services exploit CP Assist for Cryptographic Functions (CPACF) for improved performance. These services accept AES and DES clear key values and clear key tokens for the key identifier. These services have been enhanced to support encrypted AES and DES key tokens. This support requires the Crypto Express3 Feature. The encrypted keys tokens must be stored in the CKDS and have a CSFKEYS profile with the ICSF segment.

A CSFKEYS profile can contain an ICSF segment, which specifies rules for key use. The SYMCPACFWRAP field of the ICSF segment enables you to specify whether ICSF can rewrap the encrypted key using the CPACF wrapping key. The specification:

  • SYMCPACFWRAP(YES) indicates that encrypted keys covered by the profile can be rewrapped.
  • SYMCPACFWRAP(NO), which is the default, indicates that encrypted keys covered by the profile cannot be rewrapped.

Rewrapping the encrypted key using the CPACF wrapping key is necessary in order to use an encrypted key as input to the Symmetric Key Encipher or Symmetric Key Decipher callable services. You should be aware, however, that although the rewrapping operation ensures that no key is visible in application or system storage, the operation also requires the key to exist in the clear outside of the tamper-resistant hardware boundary. If your installation requires that a particular encrypted key must never exist outside of the tamper-resistant hardware boundary, do not use the SYMCPACFWRAP(YES) specification in a CSFKEYS profile that covers the key.

For example, say the CSFKEYs general resource profile DES.CHAOS.CAT covers an encrypted key stored in the CKDS that you would like to use as input to the Symmetric Key Encipher and Symmetric Key Decipher callable services. The following command modifies the SYMCPACFWRAP field of the profile’s ICSF segment to allow this. The SETROPTS RACLIST command is used to refresh the CSFKEYS class in common storage.

RALTER CSFKEYS DES.CHAOS.CAT ICSF(SYMCPACFWRAP(YES))
SETROPTS RACLIST(CSFKEYS) REFRESH

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014