IMPORT Keyword—Import Certificate from PKCS#11 Token

Keywords › IMPORT Keyword—Import Certificate from PKCS#11 Token

IMPORT Keyword—Import Certificate from PKCS#11 Token

Valid on z/OS.

Use the IMPORT keyword with the P11TOKEN function to import a certificate and its private key from a PKCS#11 token and add it to CA Top Secret.

This keyword has the following format:

TSS P11TOKEN IMPORT LABLCTKN(token name) 
             TOKNDATA(userid,digicert) 
             SEQNUM(nnnnnnnn)
             [LABLPKDS(PKDS—label—name/*)]
             [WITHLABL(certificate label)]  
             [PCICC]
             [ICSF]

LABLCTKN(token name)

Specifies the name of the token. The token must already exist.

TOKNDATA(userid,digicert)

Userid specifies the ACID for the digital certificate. Digicert identifies the digital certificate.

SEQNUM(nnnnnnnn)

Specifies the sequence number of the certificate being imported.

LABLPKDS(PKDS—label—name/*)

(Optional) Specifies the PKDS label of the record created in the ICSF Public Key Data Set (PKDS). The field can be used with the ICSF, PCICC, NISTECC, or BPECC, but many of these keywords cannot be used together (see individual keyword descriptions for details). If neither ICSF or PCICC is specified, a PCICC key is generated by the hardware and saved in CRT format in the ICSF PKDS. If NISTECC or BPECC is specified, an ECC key is generated, otherwise an RSA key is generated.

Specify (*) to take the value from the LABLCERT keyword. In that case, LABLCERT is specified along side LABLPKDS(*). If LABLPKDS(*) is specified without the LABLCERT keyword, an error message is displayed.

In either case, the PKDS label must conform to ICSF label syntax rules. The first character must be alphabetic or national. The field is folded to uppercase.

Valid characters: Alphanumeric, national (@,#,$) or period(.).

Limits: Up to 64 characters

WITHLABL(certificate label)

(Optional) Specifies the label to be associated with the imported certificate. If not specified CA Top Secret generates a label name.

Range: Up to 32 Characters

PCICC

(Optional) Specifies that the key pair is generated using the PCI Cryptographic Coprocessor and that the private key is stored in ICSF PKDS.

ICSF

(Optional) Specifies that the generated private key is stored in ICSF.

The administrator must have the following authority:

MISC3(PTOK).
MISC4(CERTSITE) when the certificate is from the CERTSITE ACID
MISC4(CERTAUTH) when the certificate is from the CERTAUTH ACID
Controlled by ICSF using resources in the CRYPTOZ and IBMFAC resource classes.

To add an imported certificate to CA Top Secret, the authority required for:

One's own certificate is sufficient authority to CRYPTOZ resources and READ authority to IRR.DIGTCERT.ADD
Someone else's certificate is sufficient authority to CRYPTOZ resources and UPDATE authority to IRR.DIGTCERT.ADD
CERTSITE or CERTAUTH certificate is sufficient authority to CRYPTOZ resources and CONTROL authority to IRR.DIGTCERT.ADD