z/OS Cryptographic Services ICSF Administrator's Guide


DES key wrapping

SA22-7521-17

ICSF wraps the key value in a DES key token using one of two possible methods.

  • The original method of DES key wrapping has been used by ICSF since its initial release, and is the only key wrapping method that was available prior to FMID HCR7780. Using this original key wrapping method, the key values in DES tokens are encrypted using triple DES encryption, and key parts are encrypted separately.
  • The enhanced method of symmetric key wrapping, introduced in FMID HCR7780, is designed to be ANSI X9.24 compliant. Using the enhanced method, the key value is bundled with other token data and encrypted using triple DES encryption and cipher block chaining mode. The enhanced method is only available on the z196 with a CEX3C and applies only to DES key tokens.

Using the DEFAULTWRAP keyword in the installation options data set, you can specify the default wrapping method that ICSF will use for internal key tokens and external key tokens. The default wrapping method for internal key tokens and the default wrapping method for external key tokens are independent of each other and are specified separately. If the installation options data set does not contain the DEFAULTWRAP keyword, the original method of symmetric key wrapping will be the default key wrapping method for both internal and external key tokens. Refer to z/OS Cryptographic Services ICSF System Programmer’s Guide for information on the installation options data set and the DEFAULTWRAP keyword.

If you are sharing a CKDS with a release of ICSF that does not support the enhanced wrapping method (which is available only on systems running ICSF FMID HCR7780 or later), you should use the original wrapping method until all systems sharing the CKDS support the enhanced wrapping method.
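The following audit check is an added example, not part of the IBM guide: it derives the effective default wrapping methods from options data set text and flags an ENHANCED default while a system sharing the CKDS lacks enhanced-wrapping support, covering the DEFAULTWRAP default rule and the CKDS sharing guidance above. The `DEFAULTWRAP(internal,external)` form, the `/* ... */` comment style, the sample options text and the system names are assumptions; confirm the syntax in the System Programmer's Guide for your release.

```python
import re

VALID = {"ORIGINAL", "ENHANCED"}

# Constructed sample of installation options data set text (not from a real system).
SAMPLE_OPTIONS = """\
/* constructed sample */
CKDSN(SAMPLE.CKDS)
DEFAULTWRAP(ENHANCED,ORIGINAL)
"""

def effective_wrap(options_text):
    """Return the (internal, external) default wrapping methods."""
    # Assumption: /* ... */ comments and DEFAULTWRAP(internal,external) syntax.
    text = re.sub(r"/\*.*?\*/", " ", options_text, flags=re.S)
    m = re.search(r"\bDEFAULTWRAP\s*\(\s*(\w+)\s*,\s*(\w+)\s*\)", text, re.I)
    if m is None:
        # Keyword absent: the original method is the default for both.
        return ("ORIGINAL", "ORIGINAL")
    internal, external = m.group(1).upper(), m.group(2).upper()
    for value in (internal, external):
        if value not in VALID:
            raise ValueError(f"unexpected DEFAULTWRAP value: {value}")
    return (internal, external)

def audit(options_text, ckds_sharers):
    """ckds_sharers maps system name -> True if it supports enhanced wrapping."""
    internal, external = effective_wrap(options_text)
    lagging = sorted(n for n, ok in ckds_sharers.items() if not ok)
    findings = []
    for kind, method in (("internal", internal), ("external", external)):
        if method == "ENHANCED" and lagging:
            findings.append(
                f"{kind} default is ENHANCED but {', '.join(lagging)} "
                "does not support the enhanced wrapping method")
    return findings

if __name__ == "__main__":
    # Constructed system names; SYSB stands for an ICSF release before HCR7780.
    for line in audit(SAMPLE_OPTIONS, {"SYSA": True, "SYSB": False}):
        print("WARN:", line)
```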

A CKDS conversion utility, CSFCNV2, enables you to convert all tokens in the CKDS to use either the original or the enhanced wrapping method. Refer to Rewrapping DES key token values in the CKDS using the utility program CSFCNV2 for more information.





Copyright IBM Corporation 1990, 2014