Use the prohibit export extended callable service to change the external token of a cryptographic key in exportable DES key token form so that it can be imported at the receiver node and is non-exportable from that node. You cannot prohibit export of DATA keys.

The inputs are an external token of the key to change in the source_key_token parameter and the label or internal token of the exporter key-encrypting key in the KEK_key_identifier parameter.

This service is a variation of the Prohibit Export service (CSNBPEX and CSNEPEX), which supports changing an internal token.

The callable service name for AMODE(64) invocation is CSNEPEXX.