Using the AUTOSELECT option and the use of protected key CPACF

While the CPACF can be used to encrypt and decrypt data in the absence of a CEX*C, for protected key operations a CEX*C is still necessary, because the users' key tokens are translated with a service only available on the CEX*C for use with the CPACF.

Therefore, when enabling the AUTOSELECT option, all CCA coprocessors available to the operating system must be CEX3C or newer. See Multi-coprocessor selection capabilities for more information.