Software updates
Update information is provided about Releases 2.53, 2.42, 2.41.
| Architecture | PKCS#11 | PKCS#11 | CCA | CCA | CCA |
|---|---|---|---|---|---|
| Platform | AIX | Windows | AIX | Windows | OS/2 |
| IBM 4758-002/023 | 2.4.2.0 | 2.42 | 2.5.3.0 | 2.53 | None |
| IBM 4758-002/023 update to current support | 2.4.2.0 | 2.42 | 2.4.2.0 | 2.42 | None |
| IBM 4758-002/023 Current Support | 2.4.1.0 and 2.4.1.1 | 2.41 | 2.4.1.0 | 2.41 | None |
Release 2.41 Windows NT and Windows 2000 Device Drivers with CCA and PKCS #11
Customers who use Release 2.41 on systems with multiple processors should replace the device driver supplied in the Release 2.41 installation package. The Windows NT device driver file name is cryptont.sys. The Windows 2000 device driver name is cryptw2k.sys.
The file names of the new device drivers are unchanged from those supplied in the Release 2.41 installation package; only the version has changed, to 168. To determine the installed device driver version, open the properties of the cryptont.sys or cryptw2k.sys file and review the Version. For Windows NT, upgrade to version 168. For Windows 2000, upgrade to version 1.0.168.0. Any version less than 168 must be updated when the machine has multiple processors.
To replace the IBM 4758 device driver in a Windows NT system, locate the cryptont.sys file. This file is typically found in the c:\winnt\system32\drivers path. Replace the cryptont.sys file with this version 168 cryptont.sys file. The updated device driver will be loaded when the machine is rebooted. Alternatively, you may invoke the new driver by stopping and restarting the 4758 device driver. The command to stop the device driver is "net stop cryptont" and the command to start the device driver is "net start cryptont".
To replace the IBM 4758 device driver in a Windows 2000 system, locate the cryptw2k.sys file. This file is typically found in the c:\winnt\system32\drivers path. Replace the cryptw2k.sys file with this version 168 cryptw2k.sys file. The updated device driver will be loaded when the machine is rebooted. Alternatively, you may invoke the new driver using the Device Manager, devmgmt.msc. To uninstall the device driver listed in the Coprocessor group of the Device Manager, select the "IBM 4758 Cryptographic Coprocessor", then click the uninstall icon, repeating until all "IBM 4758 Cryptographic Coprocessors" have been uninstalled. Next, click the "Scan for hardware changes" icon to load the new device driver.
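The version rule stated above can be applied across an inventory of hosts to find the multiprocessor machines that still need the replacement driver. The following Python is an added example, not IBM code: the host names, the older version numbers and the status labels are constructed, and comparing versions field by field against the fixed version is an assumption.

```python
# Added example: audit a driver inventory against the version rule on this page.
# Inventory rows are constructed sample data, not output of any IBM tool.

# Fixed driver versions as stated on the page, keyed by driver file name.
FIXED = {
    "cryptont.sys": (168,),          # Windows NT: version 168
    "cryptw2k.sys": (1, 0, 168, 0),  # Windows 2000: version 1.0.168.0
}


def parse_version(text):
    """Turn '168' or '1.0.168.0' into a tuple of ints; None if malformed."""
    parts = text.strip().split(".")
    if not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def assess(driver_file, version_text, cpu_count):
    """Return 'ok', 'replace', 'single-cpu' or 'check-manually' for one host."""
    fixed = FIXED.get(driver_file.lower())
    found = parse_version(version_text)
    # Assumption: a version is only comparable when it has the same number of
    # fields as the fixed version the page gives for that driver file.
    if fixed is None or found is None or len(found) != len(fixed):
        return "check-manually"
    if found >= fixed:
        return "ok"
    # The page requires the update only on multiprocessor machines.
    return "replace" if cpu_count > 1 else "single-cpu"


def audit(rows):
    """Map host name -> assessment for (host, driver, version, cpus) rows."""
    return {host: assess(drv, ver, cpus) for host, drv, ver, cpus in rows}


# Constructed inventory: host, driver file, reported file version, CPU count.
SAMPLE = [
    ("nt-hsm-01", "cryptont.sys", "168", 2),
    ("nt-hsm-02", "cryptont.sys", "150", 4),
    ("w2k-hsm-01", "cryptw2k.sys", "1.0.168.0", 2),
    ("w2k-hsm-02", "CRYPTW2K.SYS", "1.0.122.0", 2),
    ("w2k-hsm-03", "cryptw2k.sys", "1.0.122.0", 1),
    ("w2k-hsm-04", "cryptw2k.sys", "168", 2),   # wrong shape for this driver
    ("nt-hsm-03", "cryptont.sys", "n/a", 2),    # version not readable
]
```

Hosts reported as "check-manually" have a version string that cannot be compared safely and should be inspected through the file properties as described above.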
Release 2.53/2.5.3.0 CCA
Release 2.53 is the current full CCA release supporting AIX and Windows platforms and is available for download. All IBM 4758 Model 002 and Model 023 CCA customers should update to this current release. Note that the Coprocessor code files are designated CNW25300.CLU and CEX25300.CLU. Status reported by the CLU utility will show the Coprocessor code in segment 2 as "2.41 CP/Q++" and in segment 3 as "2.53.00 CCA".
Release 2.53 contains updates to Release 2.41 and 2.42. It is recommended that all customers upgrade to the Release 2.53 package. See here for details on the content of the 2.53 update.
Copy of 2.41 HIKM.zip for Accessing the old SA Databases
The CNM utility in CCA versions 2.53 and 2.5.3.0 has been improved to use 2048-bit SA and CSS keys for master key cloning, and to give the user the option to create 2048-bit CSR keys on the target node. Due to this change, users will NOT be able to use master key share databases that were created by previous versions of the CNM utility. If there is a need to use the old cloning databases, users should keep a copy of their existing HIKM.zip file before installing the new version of CCA code, or click here to download the old version of CNM, which works with the cloning databases created based on 1024-bit SA/CSS keys.
Release 2.41/2.4.1.0 CCA and 2.42/2.4.2.0 update
Release 2.41 is the current full CCA release supporting AIX and Windows platforms and is available for download. All IBM 4758 Model 002 and 023 CCA customers should update to this current release. Note that the Coprocessor code files are designated CNW24101.CLU and CEX24101.CLU. Status reported by the CLU utility will show the Coprocessor code in segment 2 as "2.41 CP/Q++" and in segment 3 as "2.41.01 CCA".
Release 2.42 contains updates to Release 2.41. Release 2.41 must be installed prior to installation of Release 2.42. It is recommended that all customers immediately upgrade to the Release 2.42 package. See here for details on the content of the 2.42 update.
Release 2.41/2.4.1.0/2.4.1.1 PKCS #11
The PEX*.CLU files released with all previous versions of PKCS #11, and with Release 2.41 prior to June 3, 2002, have a packaging problem. PEX*.CLU files are used when you want to update segment 2 (the CP/Q++ operating system) and segment 3 (the PKCS #11 application) on the Coprocessor.
The packaging of the PEX*.CLU files was done in a manner such that nonvolatile PKCS #11 memory objects are erased when the PEX*.CLU files are loaded. Nonvolatile memory objects (PKCS #11 firmware "token objects") are keys, certificates, or application-defined data objects, and some global state information (token name, PINs, etc.).
This problem has been repaired as of June 3, 2002. All PKCS #11 users should download the 2.41 packages for AIX and WindowsNT/2000 which contain a PEX24101.CLU file that leaves nonvolatile memory objects as-is on the Coprocessor.
On a Windows 2000 platform, you should install the Support Program software before you install the Coprocessor(s). If a Coprocessor is present when Windows 2000 is started, and information provided by the Support Program is not present, Windows 2000 will place entries into the registry that you will have to remove after you install the Support Program. These are similar to the entries that must be removed if you migrate from Windows NT to Windows 2000. To remove the problem entries, do the following:
- If not already installed, install the Support Program so that Coprocessor-specific information will be available to Windows 2000.
- From the Windows 2000 Control Panel, open the Add/Remove Hardware folder and activate the Add/Remove Hardware Wizard to uninstall the Coprocessor entry in the hardware device list.
- If you have multiple Coprocessors installed on the system, repeat the preceding step until all of the Coprocessor entries in the hardware device list are removed.
- Restart Windows 2000.
All customers are reminded to back up key storage, as the CCA software does not provide any automatic backup of this potentially critical file.
