Unloading coprocessor software and zeroize the CCA node
The steps to unload the coprocessor software and to zeroize the CCA node to surrender the ownership of the segments are described here.
When you use Coprocessor Load Utility (CLU) to process a file that surrenders ownership of Segment 2, both Segment 2 and the subordinate Segment 3 are cleared, and the code is removed. The validating public key for the segment is cleared, the security-relevant data items that are held within the coprocessor for the segment are zeroized. The owner identifiers are cleared, and the segment's status is set to UNOWNED.
See the README file that accompanies the software distribution you are using for the specific .clu file name that is used to surrender ownership of Segments 2 and 3. The README file might also provide additional information that amplifies or modifies this general procedure.
- Change to the directory that contains the CLU files.
- Start the CLU utility.
- Respond to the prompts and use the serial number of the coprocessor in the log file name.
- Use the PL command to surrender Segment 2 as indicated in the README file for your platform.
- You can also zeroize CCA without removing the software by using the CCA reinitialize process.
- IBM® does not normally make available a file to restore the factory Segment 1 validating key to put the coprocessor into a condition similar to a factory-ready product. Segment 1 can be changed to a limited number of times before the available Device Key certificate space is used and the coprocessor is potentially rendered unusable. If you require the capability to restore the validating key of Segment 1, and are willing to display your coprocessor to a possible lock-up condition, you can obtain the required file from IBM by submitting a query by using the Support Form on the product website, http://www.ibm.com/security/cryptocards. It is important to note that certificate space is a nonrenewable resource. After it is used, it cannot be recovered.