Access control points that affect CPACF protected key operations

The following access control points (ACPs) enable the protected key feature.

High-performance secure DES keys
This is bit X'0295', and is set ON by default.

This ACP enables translating DES keys for use with the CPACF. If this bit is not set ON, the call to the CEX*C to rewrap the key under the CPACF wrapping key fails with return code 8 and reason code 90, which in turn disables the use of this function by the host user. This error is not returned to the user; instead, the operation is sent to the CEX*C. Because the default value of the bit is ON, it is assumed that the user knows that it has been set OFF on purpose. After a return code 8 and reason code 90, no further requests go to the CEX*C verb that translates keys, in an effort to preserve normal path performance.

High-performance secure AES keys
This is bit X'0296', and is set ON by default.

This ACP enables translating AES keys for use with the CPACF. If this bit is not set ON, the call to the CEX*C to rewrap the key under the CPACF wrapping key fails with return code 8 and reason code 90, which in turn disables the use of this function by the host user. This error is not returned to the user; instead, the operation is sent to the CEX*C. Because the default value of the bit is ON, it is assumed that the user knows that it has been set OFF on purpose. After a return code 8 and reason code 90, no further requests go to the CEX*C verb that translates keys, in an effort to preserve normal path performance.
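
The fallback described for both ACPs can be modeled as follows. This is an added example, not IBM code: the structure, function names and counters are hypothetical, and for simplicity the model requests a translation on every operation. It shows that the caller never sees return code 8 / reason code 90, so a disabled ACP is only visible as operations moving to the CEX*C path after a single failed translate request.

```c
#include <stdio.h>

/* Hypothetical model, not IBM code: names and structure are assumptions. */
enum alg { ALG_DES, ALG_AES, ALG_COUNT };
enum path { PATH_CPACF, PATH_CEXC };

/* ACP bit numbers from the text above. */
static const unsigned acp_bit[ALG_COUNT] = { 0x0295, 0x0296 };

struct host_state {
    int acp_on[ALG_COUNT];          /* role setting on the coprocessor */
    int translate_off[ALG_COUNT];   /* host stopped calling the translate verb */
    int translate_calls[ALG_COUNT]; /* requests sent to the translate verb */
};

/* Models the CEX*C translate verb: sets rc/reason as the text describes. */
static void translate_key(struct host_state *s, enum alg a, int *rc, int *reason)
{
    s->translate_calls[a]++;
    if (s->acp_on[a]) { *rc = 0; *reason = 0; }
    else              { *rc = 8; *reason = 90; }
}

/* One secure-key operation as the caller sees it: it always completes,
   only the path taken differs. */
static enum path do_operation(struct host_state *s, enum alg a)
{
    int rc, reason;
    if (s->translate_off[a])
        return PATH_CEXC;           /* no further translate requests */
    translate_key(s, a, &rc, &reason);
    if (rc == 8 && reason == 90) {
        s->translate_off[a] = 1;    /* error is not passed to the caller */
        return PATH_CEXC;
    }
    return PATH_CPACF;
}

int main(void)
{
    /* Constructed sample state: DES ACP OFF, AES ACP ON. */
    struct host_state s = { {0, 1}, {0, 0}, {0, 0} };
    for (int i = 0; i < 5; i++) {
        do_operation(&s, ALG_DES);
        do_operation(&s, ALG_AES);
    }
    for (int a = 0; a < ALG_COUNT; a++)
        printf("ACP X'%04X': translate calls=%d, translation disabled=%d\n",
               acp_bit[a], s.translate_calls[a], s.translate_off[a]);
    return 0;
}
```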