Using keys with CPACF, protected key

Follow the steps in this procedure to use keys with CPACF, protected key.

Procedure

  1. An eligible CCA verb call (see the lists in Access control points that affect CPACF protected key operations) comes into the CCA library. The call specifies a key token, or a key identifier for a key token, that is a normal internal CCA key token, called key-e here.
  2. The CCA library verifies that a CEX*C is available for key translation. If not, then the standard no-available-device error is returned.
  3. The CCA library tries to find an already translated version (key-t) that matches the key-e passed into the CCA library.
    • The user application (CCA library in this case) must cache translated key-t objects in RAM, using the key-e tokens as references.
  4. If a key-t is not found for the key-e used, the CCA library translates the key-e to a key-t for use with the CPACF using CCA secure services, then caches the key pair.

  5. At this point, either a fresh key-t has been obtained, or a key-t was found in RAM cache for the operation.
  6. The CCA library directs the operation to the CPACF using the key-t.
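
The lookup-then-translate flow in steps 2 to 5 can be modelled as follows. This is an added illustration, not code from the CCA library: the 64-byte token length, the cache size, the error value, and the names get_key_t and translate are assumptions, and translate is only a stand-in for the coprocessor's key translation service.

```c
#include <stdio.h>
#include <string.h>

#define TOKEN_LEN 64        /* assumed length of an internal CCA key token */
#define CACHE_SLOTS 8       /* assumed cache size */
#define ERR_NO_DEVICE (-1)  /* stand-in for the no-available-device error */

struct pair { int used; unsigned char key_e[TOKEN_LEN], key_t[TOKEN_LEN]; };
static struct pair cache[CACHE_SLOTS];
static int next_slot, translations;

/* Stand-in for the CCA secure service that translates key-e to key-t. */
static void translate(const unsigned char *key_e, unsigned char *key_t)
{
    for (int i = 0; i < TOKEN_LEN; i++)
        key_t[i] = key_e[i] ^ 0xA5;   /* placeholder transform, not real wrapping */
    translations++;
}

/* Steps 2-5: returns 0 and fills key_t, or ERR_NO_DEVICE. */
int get_key_t(const unsigned char *key_e, int cex_available, unsigned char *key_t)
{
    if (!cex_available)               /* step 2 runs before any cache lookup */
        return ERR_NO_DEVICE;
    for (int i = 0; i < CACHE_SLOTS; i++)   /* step 3: key-e is the reference */
        if (cache[i].used && memcmp(cache[i].key_e, key_e, TOKEN_LEN) == 0) {
            memcpy(key_t, cache[i].key_t, TOKEN_LEN);
            return 0;
        }
    struct pair *p = &cache[next_slot];     /* step 4: translate, cache the pair */
    next_slot = (next_slot + 1) % CACHE_SLOTS;
    memcpy(p->key_e, key_e, TOKEN_LEN);
    translate(key_e, p->key_t);
    p->used = 1;
    memcpy(key_t, p->key_t, TOKEN_LEN);
    return 0;
}

int translation_count(void) { return translations; }

int main(void)
{
    unsigned char e[TOKEN_LEN] = {0x01}, t[TOKEN_LEN];  /* constructed sample token */
    get_key_t(e, 1, t); get_key_t(e, 1, t);             /* second call hits the cache */
    printf("translations: %d\n", translation_count());
    printf("no device rc: %d\n", get_key_t(e, 0, t));
    return 0;
}
```

Because the device check in step 2 precedes the cache lookup in step 3, the model returns the error even when a key-t for that key-e is already cached.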

Results

The panel.exe --list-cpacf command displays all the supported CPACF functions. This is especially useful on a z/VM® system, to make sure that the protected key functions are available. For details, see The panel.exe utility.