z/OS Cryptographic Services ICSF System Programmer's Guide
Previous topic | Next topic | Contents | Index | Contact z/OS | Library | PDF


Steps for enabling/disabling cryptographic coprocessors (PCICC, PCIXCC, CEX2C, and CEX3C)

z/OS Cryptographic Services ICSF System Programmer's Guide
SA22-7520-17

With TKE 3.0 or higher you can disable/enable the PCICCs. With TKE V4.0 or higher, you can disable/enable the PCIXCCs/CEX2Cs. With TKE V6.0, you can disable/enable the CEX3Cs.

When a PCICA, PCICC, PCIXCC, CEX2C, CEX2A, CEX3C, or CEX3A is deactivated through the Coprocessor Management Panel, the card is only deactivated for that one LPAR. When a PCICC, PCIXCC, CEX2C, or CEX3C is disabled by TKE, the card is disabled for the entire system, not just the LPAR that issued the disable.

Intrusion Latch on the PCICC, PCIXCC, CEX2C, or CEX3C

Under normal operation, the intrusion latch on a PCICC, PCIXCC, CEX2C, or CEX3C is tripped when the card is removed. This causes all installation data, master keys, retained keys, roles and authorities to be zeroized in the card when it is reinstalled.

If a situation arises where a PCIXCC, CEX2C, or CEX3C needs to be removed, for example, you need to remove your card for service, and you do not want the installation data to be cleared, perform this procedure to disable the PCIXCC, CEX2C, or CEX3C before removing.

There is no similar procedure for the PCICC.

This process will require you to switch between the TKE application, the ICSF Coprocessor Management panel, and the Support Element.

  1. Open an Emulator Session on the TKE workstation and logon to your TSO userid on the Host System where the PCIXCC, CEX2C, or CEX3C will be removed.
  2. From the ICSF Primary Option Menu on TSO, select Option 1 for Coprocessor Management.
  3. Leave the Coprocessor Management panel displayed during the rest of this procedure. You will be required to hit ENTER on the Coprocessor Management panel at different times. DO NOT EXIT this panel.
  4. Open the TKE Host where the PCIXCC, CEX2C, or CEX3C will be removed. Open the PCIXCC, CEX2C, or CEX3C. Click on Disable Crypto Module.
  5. After the PCIXCC, CEX2C, or CEX3C has been disabled from TKE, hit ENTER on the Coprocessor Management panel. The status should change to DISABLED.
    Note:
    You do not need to deactivate a disabled card.
  6. Configure Off the PCIXCC, CEX2C, or CEX3C from the Support Element.
  7. After the card has been taken Offline, hit ENTER on the Coprocessor Management panel. The status should change to OFFLINE.
  8. Remove the PCIXCC, CEX2C, or CEX3C. Perform whatever operation needs to be done. Replace the PCIXCC, CEX2C, or CEX3C.
  9. Configure On the PCIXCC, CEX2C, or CEX3C from the Support Element.
  10. When the initialization process is complete, hit ENTER on the Coprocessor Management panel. The status should change to DISABLED.
  11. From the TKE Workstation Crypto Module General page, click on Enable Crypto Module.
  12. After the PCIXCC, CEX2C, or CEX3C has been enabled from TKE, hit ENTER on the Coprocessor Management panel. The Status should return to its original state. If the Status was ACTIVE in step 2, when the PCIXCC, CEX2C, or CEX3C is enabled it should return to ACTIVE.

All installation data; master keys, retained keys, roles, and authorities should still be available. The PCIXCC, CEX2C, or CEX3C data was not cleared with the card removal because it was Disabled first via the TKE workstation.

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014