Intrusion latch

Under normal operation, the intrusion latch of a cryptographic card is tripped when the card is removed. This trip causes all master keys to be erased, all administrators to be removed, and all other configuration settings to revert to their default values. The card and all domains reenter imprint mode. See Imprint mode.

A situation might arise where a cryptographic card needs to be removed. For example, you might need to remove a card for service. If you must remove a card, and you do not want the installation data to be cleared, perform the following procedure to disable the card. This procedure requires you to switch between the TKE application, the ICSF Coprocessor Management panel, and the Support Element.
  1. Open an emulator session on the TKE workstation and log on to your TSO/E user ID on the host system where the card will be removed.
  2. From the ICSF Primary Option Menu, select Option 1 for Coprocessor Management.
  3. Leave the Coprocessor Management panel displayed during the rest of this procedure. You will be required to press Enter on the Coprocessor Management panel at different times.

    Important: Do not exit this panel.

  4. Open the TKE Host where the card will be removed. Open the crypto module notebook for the host crypto module. Click Disable Crypto Module.
  5. After the crypto module is disabled within TKE, press the Enter key on the ICSF Coprocessor Management panel. The status should change to DISABLED.
    Note: You do not need to deactivate a disabled card before configuring it OFFLINE.
  6. Configure Off the card from the Support Element. The Support Element is a dedicated workstation used for monitoring and operating IBM® System z® hardware. A user authorized to perform actions on the Support Element must complete this step.
  7. After the card is Offline, press the Enter key on the Coprocessor Management panel. The status should change to OFFLINE.
  8. Remove the card. Perform whatever operation needs to be done. Replace the card.
  9. Configure On the card from the Support Element. The Support Element is a dedicated workstation used for monitoring and operating IBM System z hardware. A user authorized to perform actions on the Support Element must complete this step.
  10. When the initialization process is complete, press the Enter key on the Coprocessor Management panel. The status should change to DISABLED.
  11. From the TKE Workstation Crypto Module General page, click Enable Crypto Module.
  12. After the card is enabled from TKE, press the Enter key on the Coprocessor Management panel. The Status should return to its original state. If the Status was ACTIVE in step 2, when the card is enabled it should return to ACTIVE.

All master keys, administrators, and other configuration data should still be available. The data was not cleared with the card removal because it was DISABLED first using the TKE workstation.

Parent topic: Crypto Module Notebook Module General tab