Reinitializing the Cryptographic Coprocessor
If you set up your Cryptographic Coprocessor incorrectly, you can end up with an unusable configuration, one in which you cannot perform any cryptographic functions and cannot use any of the APIs to recover. For example, you can configure it such that no role is authorized to set the master key and no role is authorized to change or create roles or profiles. In that case, you can call the hardware command for reinitializing the card by using the Cryptographic_Facility_Control (CSUACFC) SAPI.
However, in some cases there may not be a role that is authorized to use any hardware command. In that case, you must reload the Licensed Internal Code by using the function that is provided in Hardware Service Manager in System Service Tools.
Updating the Licensed Internal Code in the Cryptographic Coprocessor
Loading the Licensed Internal Code in your Cryptographic Coprocessor erases the master key, all private keys, and all roles and profiles that are stored in your Cryptographic Coprocessor. Because of this, the system does not automatically load PTFs for the Licensed Internal Code in the Cryptographic Coprocessor, and the PTFs always require action on your part to enable them. Before you load the Licensed Internal Code, take appropriate actions to ensure that you can recover, such as ensuring that you have a hard copy of your master key.
Note: If you randomly generated your master key, you will need to clone that key into a second Cryptographic Coprocessor. If you do not, you will lose all your encrypted keys when you reinitialize your Cryptographic Coprocessor.