AES EXPORTER keys have key usage flags that determine what is allowed. For your use case, I would expect that you are missing WR-RSA. In CSNBKTB2, the rule array group Key-usage wrap algorithm control says "Keywords WR-DES, WR-AES, and WR-HMAC are defaults unless one or more keywords are specified." In CSNDPKG, under transport_key_identifier, it says "When this parameter is a variable-length CCA AES internal key token, it must have the appropriate wrapping flag (for example, WR-RSA, WR-ECC, or WR-QSA) enabled for the source key token."
If you are specifying the XPORT rule with an AES EXPORTER, you will need to use CSNDPKI using the corresponding AES IMPORTER.
------------------------------
Eric Rossman
------------------------------
Original Message:
Sent: Sun July 13, 2025 08:38 AM
From: Radosław Skorupka
Subject: Same private key in two system
The goal: create an asymmetric key pair on two systems (with the same private key value).
The key value need not be known to the user (no clear form needed), just the same key in two systems.
I mean a new key, so there is no need to export an existing private key (which is impossible as far as I know).
Well, I tried to use CSNDPKG. The service allows providing a KEK label to export the asymmetric key. I've got rc=8, rsn=85e, which means "The key usage attributes of the variable-length key token does not allow the requested operation."
The KEK is an AES EXPORTER key. I can't guess what key usage is missing or how to change it. I could use another KEK; however, I still don't know how to create the KEK.
BTW: My understanding is that CSNDPKG with a KEK will create an asymmetric key pair encrypted under the KEK. Then I have to import it (how?) on both this (local) system and the remote system. Am I right?
------------------------------
Radosław Skorupka
------------------------------