SAF may be invoked to verify the caller is authorized to use this callable service, the key label, or internal secure key tokens that are stored in the CKDS or PKDS.

If you are using the IBM 3624 PIN and IBM German Bank Pool PIN algorithms, you can supply an unencrypted customer selected PIN to generate a PIN offset.

This table shows the access control points in the ICSF role that control the function of this service.

If the ANSI X9.8 PIN - Use stored decimalization tables only access control point is enabled in the ICSF role, any decimalization table specified must match one of the active decimalization tables in the coprocessors.

This table lists the required cryptographic hardware for each server type and describes restrictions for this callable service.

Table 175. Clear PIN generate required hardware

Server	Required cryptographic hardware	Restrictions
IBM zSeries 900	Cryptographic Coprocessor Feature	ICSF routes this service to a PCI Cryptographic Coprocessor if the control vector of the PIN generating key cannot be processed on the Cryptographic Coprocessor Feature.
IBM zSeries 990 IBM zSeries 890	PCI X Cryptographic Coprocessor Crypto Express2 Coprocessor	Rule_array keyword GBP-PINO is not supported.
IBM System z9 EC IBM System z9 BC	Crypto Express2 Coprocessor	Rule_array keyword GBP-PINO is not supported.