Reinitializing the Cryptographic Coprocessor

If you set up your Cryptographic Coprocessor incorrectly, you can end up with an unusable configuration with which you cannot perform any cryptographic functions and cannot use any of the APIs to recover. For example, you can configure it such that you have no role authorized to set the master key and no role authorized to change or create new roles or profiles. You can call the hardware command for reinitializing the card by using the Cryptographic_Facility_Control (CSUACFC) SAPI.

However, in some cases, there may not be a role that is authorized to any hardware command. In this case, you must reload the Licensed Internal Code by using the function that is provided in Hardware Service Manager in System Service Tools.

Updating the Licensed Internal Code in the Cryptographic Coprocessor

Loading the Licensed Internal Code in your Cryptographic Coprocessor erases the master key, all private keys, and all roles and profiles that are stored in your Cryptographic Coprocessor. Because of this, the system does not automatically load PTFs for the Licensed Internal Code in the Cryptographic Coprocessor, and the PTFs always require action on your part to enable them. Before you load the Licensed Internal Code, take appropriate actions to ensure that you can recover, such as ensuring that you have a hard copy of your master key.
Note: If you randomly generated your master key, you will need to clone that key into a second Cryptographic Coprocessor. If you do not, you will lose all your encrypted keys when you reinitialize your Cryptographic Coprocessor.