Intrusion latch on the cryptographic coprocessors

Under normal operation, the intrusion latch on a coprocessor is tripped when the feature is removed. This causes all installation data, master keys, retained keys, roles and authorities to be zeroized in the feature when it is reinstalled.

If a situation arises where a coprocessor needs to be removed, for example, you need to remove your feature for service, and you do not want the installation data to be cleared, perform this procedure to disable the coprocessor before removing.

This process will require you to switch between the TKE application, the ICSF Coprocessor Management panel, and the Support Element.

  1. Open an Emulator Session on the TKE workstation and logon to your TSO userid on the Host System where the coprocessor will be removed.
  2. From the ICSF Primary Option Menu on TSO, select Option 1 for Coprocessor Management.
  3. Leave the Coprocessor Management panel displayed during the rest of this procedure. You will be required to press ENTER on the Coprocessor Management panel at different times. DO NOT EXIT this panel.
  4. Open the TKE Host where the coprocessor will be removed. Open the coprocessor. Click on Disable Crypto Module.
  5. After the coprocessor has been disabled from TKE, press ENTER on the Coprocessor Management panel. The status should change to DISABLED.
    Note: You do not need to deactivate a disabled card.
  6. Configure Off the coprocessor from the Support Element.
  7. After the card has been taken Offline, press ENTER on the Coprocessor Management panel. The status should change to OFFLINE.
  8. Remove the coprocessor. Perform whatever operation needs to be done. Replace the coprocessor.
  9. Configure On the coprocessor from the Support Element.
  10. When the initialization process is complete, press ENTER on the Coprocessor Management panel. The status should change to DISABLED.
  11. From the TKE Workstation Crypto Module General page, click on Enable Crypto Module.
  12. After the coprocessor has been enabled from TKE, press ENTER on the Coprocessor Management panel. The Status should return to its original state. If the Status was ACTIVE in step 2, when the coprocessor is enabled it should return to ACTIVE.

All installation data, master keys, retained keys, roles, and authorities should still be available. The coprocessor data was not cleared with the card removal because it was Disabled first via the TKE workstation.