IBM Systems cryptographic hardware products

Security demands a variety of cryptographic solutions. The IBM Systems offer multiple products to address your cryptographic needs.

The IBM PCIe Cryptographic Coprocessor (CEX3C/4765):

The PCIe Cryptographic Coprocessor (PCIeCC) provides a replacement on PCIe architectures for the PCIXCC. The PCIeCC, in addition to the functions available on the PCIXCC, provides support for the following functions:

The IBM PCI-X Cryptographic Coprocessor (PCIXCC/4764) (reached end of service):

The PCI-X Cryptographic Coprocessor was introduced with the IBM Systems zSeries 990 servers. It provides a replacement for both the PCICC and the CMOS Cryptographic Coprocessor Facility (CCF). The PCIXCC supports highly secure cryptographic functions, use of secure encrypted key values and user-defined extensions.

Note: Effective December 31, 2013, the IBM 4764-001 PCI-X Cryptographic Coprocessor on System x and its associated feature code 1008 (battery-replacement kit) reached end of service.

The IBM e-business Cryptographic Accelerator (PCICA) (reached end of service):

Secure Web transactions frequently employ the Secure Socket Layer (SSL) protocol. The IBM e-business PCI Cryptographic Accelerator board offloads your server from compute-intensive public-key cryptographic operations employed in the protocol. This cost-effective solution often enables significantly greater server throughput.

Note: The PCICA was available for iSeries, pSeries, and zSeries machines. Effective January 28, 2005, IBM withdrew it from marketing and it has since reached end of service.

The IBM 4758 PCI Cryptographic Coprocessor (reached end of service):

The IBM 4758 PCI Cryptographic Coprocessor is a high security, programmable PCI board. Specialized cryptographic electronics, micro-processor, memory, and random number generator housed within a tamper-responding environment provide a highly secure subsystem in which data processing and cryptography can be performed.

Note: Effective March 15, 2010, the IBM 4758 PCI Cryptographic Coprocessor reached end of service.

Related products

The IBM CP Assist for Cryptographic Function (CPACF):

New with the IBM Systems zSeries 990 servers, the standard CP Assist for Cryptographic Function feature provides hardware acceleration for DES, TDES, MAC, and SHA-1 cryptographic services. Cryptographic keys must be protected by your application system, as required.

News for current customers


Important security notice for System x and System p Users.

New product release for IBM 4765 now available on IBM ServerProven System x servers, effective April 2014, and IBM Power Systems (IBM AIX only), effective May 2014. This release includes support for new financial services verbs for the German Banking Industry Committee (including rejecting a weak PIN), new AES key types, new verbs including Diversified Key Generate2, Recover PIN from Offset, Authentication Parameter Generate, Symmetric Key Export with Data, and Log Query, enhancements to several existing verbs, and a new more secure fixed-length token format for variable-length symmetric key tokens. Beginning with Release 4.4.20, a new financial services verb for the German Banking Industry Committee called DK Migrate PIN is added. Users of the PKA Key Translate (CSNDPKT) verb must migrate to Release 4.4.20 or later to resolve a key-token format issue when using keyword EMVCRT, EMVDDAT, or EMVDDAE.

New release of drivers to support the IBM 4765 on 64 bit platforms is now available. The new release of 'Extended OS' support now includes support for Windows 2012 release 2 (64bit) at the latest CCA level.

The IBM CCA cryptographic coprocessors have never used the Dual_EC_DBRG method, and thus customers using these coprocessors are not exposed to any weakness that might be in that algorithm.

IBM PureFlex™ customers can purchase an IBM 4765 as an add-on feature as of September 10, 2013.
See CCA Release 4.3.5 for more information.

New product release CCA 4.3.8 for IBM 4765 now available on IBM AIX operating system effective June 2013. See Library page for additional information.

As of February 19, 2013, the 4765 hardware security module (HSM) is validated to meet the MEPS (Méthode d'Évaluation des Produits Securitaire "bancaires") approval scheme used by Cartes Bancaires (CB) banking ecosystem. This standards certification allows the 4765 HSM to be used by CB member banks on their dedicated payment networks.

Important notice to ECC users: This release contains important security-related changes for ECC users. Refer to Release 4.3.5 information for details.

Effective December 2011, new add-on features are being offered for the IBM 4765 on System x to support additional operating systems. See the IBM 4765 software updates page.

On System z, the coprocessor is available as Crypto Express3 and is also available for Linux.

The IBM 4764-001 Cryptographic Coprocessor for System x is withdrawn from marketing effective December 31, 2011. Battery-replacement kit feature code 1008 is replaced by part number 45D8663, and added is a new multi-battery pack (20 quantity), part number 74Y0460.