On this FAQ page you may find answers to some of the questions you have concerning the Coprocessor hardware and its IBM software.

1. How can you validate a Coprocessor and its IBM software?
2. Can the PKCS #11 support be used with the IBM 4758 models 1 or 13?
3. When can the new models 2 and 23 be ordered, and when are they available?
4. Are the models 1 and 13 still available?
5. What is the meaning of the "8xxxxxxx" return codes from CLU?
6. How to maximize throughout when using CCA?
7. Linux and the IBM 4758?
8. Windows 2000 support?
9. Where can I find sample coding for CCA?
10. Can an IBM 4758 Model 002 or 023, rather than feature #4958 or #4963, be used in a pSeries (RS/6000)?
11. CCA 12\338 problem...
12. Using iPlanet Enterprise Server with the PKCS#11 Support Program FAQ
13. Cambridge researches report break against CCA
14. What differentiates CCA and PKCS #11?
15. Coprocessor Battery Information
16. CBU and CCF Issues
    
17. Why do I have to wait for the 4758 card to be ready to use when it is powered on or reset, or when the device driver is loaded?
    
18. Why does the 4758 card occasionally fail the statistical random number generator tests?
    
19. I get an "Illegal instruction" error when I run CCA on AIX 5.2. What should I do?
    

     

1. How can you validate a Coprocessor and its IBM software?

See: Verifying the integrity of an IBM 4758


2. Can the PKCS #11 support be used with the IBM 4758 models 1 or 13?

No, only with the new models 2 and 23.


3. When can Models 2 and 23 be ordered, and when are they available?

The Coprocessor can be ordered now as an IBM 4758 Model 002 for Intel-platform machines. Coprocessor features are also available now for the IBM eServer iSeries, pSeries and zSeries machines. See the Order page.


4. Are the models 1 and 13 still available?

No.


5. What is the meaning of the "8xxxxxxx" return codes from CLU?

See: Understanding the 8xxxxxxx return codes.


6. How to maximize throughout when using CCA?

A technical note describes how you can utilize additional multi-threading and key-caching capabilities of the CCA software for Model 002 to enhance throughput.


7. Linux and the IBM 4758?

IBM Research developed an Intel-platform Linux device driver for the IBM 4758 and made this available on the IBM alphaWorks website. In order to use the IBM 4758 in a PC/Linux environment, you need the device driver, an IBM 4758 Coprocessor, and some application software to run within the Coprocessor. The standard IBM 4758 software offerings, the CCA Support Program and the PKCS #11 Support Program, have not been ported to Linux. Although each support program provides Coprocessor application code that is host-platform independent, these offerings cannot be used with Linux without a port of their host portions. IBM Research has also placed a toolkit for the development of Coprocessor application code on the IBM developerWorks website. This toolkit, which can be downloaded in the USA and Canada (and not elsewhere due to Export Regulation considerations), runs on an NT platform. This toolkit could be used to develop Coprocessor code for use with Linux and other host platforms. Limited support for the Linux device driver and for the toolkit is available as explained on their websites. This support is oriented towards experimental users. IBM has not announced either a CCA or a PKCS #11 solution with the IBM 4758 for the Linux environment. However, IBM is pleased to discuss the commercial possibilities for IBM 4758-related software offerings on Linux and other platforms. IBM has made the 4758 developer's toolkit and the open source Linux driver available in an effort to foster continued research and use of secure coprocessors with and for applications that require the highest levels of security and assurance. We also hope to showcase the 4758's flexibility/adaptability (to different host platforms and various application domains) by making the programming environment (tools, APIs, sample source code, etc.) available to interested parties, and by encouraging the use of the open source driver on both the Linux platform as well as to be used as a base for development on various other platforms which may currently not be supported. For further information, please contact the Crypto team.


8. Windows 2000 support?

Windows 2000 is fully supported with the Release 2.x Support Programs.


9. Where can I find sample coding for CCA?
A sample program is available that you can compile and run to obtain performance information for your system. This program may also serve as a starting point in your efforts to benchmark the CCA offerings for the IBM 4758 models. The program will operate with CCA Version 2 installations on AIX and Windows NT systems.


10. Can an IBM 4758 Model 002 or 023, rather than feature #4958 or #4963, be used in a pSeries (RS/6000)?

No. The products supplied under pSeries feature codes #4958 and #4963 are designed with a different power system and four batteries. Only these product variations of the regular IBM 4758 Model 002 and 023 have been qualified for use in pSeries machines.


11. CCA 12\338 problem...

CCA return code 12, reason code 338, will arise when an application attempts to use CCA but the Coprocessor has not been loaded with the CCA code. While other conditions can give rise to 12\338, this is often the source of difficulty. Be sure that the Coprocessor code loading is complete by following the instructions in Chapter 4 of the CCA Support Program Installation Manual and the README file accompanying your CCA software. To determine what software is loaded in your Coprocessor, use the CLU utility ST or VA commands as also described in Chapter 4 of the manual.


12. Using iPlanet Enterprise Server with the PKCS#11 Support Program FAQ

Click here for the PKCS#11 FAQs.


13. Cambridge researches report break against CCA

In the fall of 2001 two Cambridge University researchers claimed to have broken the security of the CCA implementation for the IBM 4758. IBM posted a response to the researchers' claims, and incorporated features features in CCA Support Program Release 2.41 to block the specific attack reported by the researchers.


14. What differentiates CCA and PKCS #11?

CCA and PKCS #11 both provide access to cryptographic functions such as data encryption, digital signatures, and so forth. The two cryptographic architectures are available on various computing systems and in support of various hardware (and software) cryptographic implementations. Some facts that you might wish to consider are discussed in this white paper.

15. Coprocessor Battery Information
    What should I know?
    
    See Coprocessor Battery Information
    
    
16. CBU and CCF Issues



1. Will activation of additional processors, on a single processor model/machine
   via CBU, automatically enable the second Cryptographic Coprocessor Facility (CCF)?
   No, activating additional CPs does not automatically activate the second coprocessor facility. Therefore, the system will continue to operate with one CCF.
   
   
2. Will activation of the second CCF require a Power On Reset (POR)?
   Yes, a POR, which is disruptive, is required to activate the second CCF.
   
   
3. Does the original enablement diskette, ordered with the single CP machine and
   CBU feature, contain the files to activate the second CCF?
   Yes, depending on machine type and model, either one diskette containing both files
   or two diskettes, each containing a file, is provided.
   
   
4. A customer running a 2064 model 114 with the CBU feature, activated for a temporary upgrade, deactivates CBU and restores the system to a 2064 model 1C1. Will the second CCF automatically activate when the CBU feature is reactivated in the future?
   Yes, when the CP’s are varied online.

   Will the master keys and the other data items that were previously loaded into the Crypto (CCF) module, be available to second coprocessor without requiring a reload of the master keys?
   
   Yes, the Integrated Cryptographic Service Facility (ICSF) will verify, following the vary online

17. Why do I have to wait for the 4758 card to be ready to use when it is powered on or reset, or when the device driver is loaded?

Any time the 4758 card is reset, it goes through an extensive set of power-on self test (POST) functions which carefully test all parts of the card. This includes special tests required for a device that is certified under FIPS 140 at Level 4. Because the 4758 is a complex device and contains cryptographic hardware that must be carefully tested, these tests can take up to 2-3 minutes to run. The card is not available for use by application programs until the POST tests have completed execution. On most servers, this will not be a problem because the 4758 POST runs at the same time that the server itself is booting, and the 4758 is usually available before the server is ready to run application programs.

The user can cause the 4758 to be reset by explicitly loading the host device driver, or by running the CLU program. In either case, the card will begin executing POST and will not be usable for several minutes afterwards. You can write an application program to poll the card in order to determine when it is ready, by periodically sending a CCA command like a Crypto_Facility_Query status request and waiting until it returns with a successful return code.

18. Why does the 4758 card occasionally fail the statistical random number generator tests?

The FIPS 140-1 standard requires certain statistical tests of the random number generator on the 4758 card. The card must capture a sample of 20,000 consecutive bits of random generator output, and perform a number of statistical tests on those bits. Since these tests are statistical in nature, there is some nonzero probability that the random data will result in a failure even though it is truly random. When this happens, you should simply restart the 4758 card, and it should pass the tests without encountering the error.

Here is a very high level summary of the tests that are performed on the 20,000 bit sample. For more details, see the FIPS 140-1 standard at http://csrc.nist.gov/publications/fips/fips140-1/fips1401.htm, and search for the section titled "Statistical random number generator tests".

1. Verify that the number of 1 bits and the number of 0 bits are nearly equal.
2. Divide the 20,000 bits into 5,000 4-bit numbers. Verify that the distribution of 4-bit values is nearly uniform over the entire sample.
3. Look for runs of identical (0 or 1) bits, of length 1, 2, 3, 4, 5, and 6-33. For each of these run lengths, the number of runs in the 20,000 bit sample must be within a defined range. For example, the number of runs of length 3 must be between 502 and 748.
4. There must be no runs that are longer than 33 bits. Any run of either 1 bits or 0 bits that is 34 bits or more in length is an error.

Since the bits are random, it is possible for any of these tests to fail. For example, test number 4 can fail because there is some small but nonzero possibility that 34 consecutive random bits will all be either 0 or 1. Since these tests are mandated by the FIPS 140-1 standard, the 4758 must execute them, and therefore it should be expected that random number test errors will be seen on rare occasions. They are not truly errors unless they continue occurring. If they do, it is an indication that the random number generation hardware in the card may be experiencing a failure.

19. I get an "Illegal instruction" error when I run CCA on AIX 5.2. What should I do?

This applies to you if you are using the 4758 (pSeries Feature Code 4958 or 4963) on AIX 5.2, and you see the message "Illegal instruction" when your application is first started. You may also see a core file being produced. If you are experiencing these symptoms, read the explanation below.

A problem has been discovered with the AIX system loader that produces these symptoms when trying to load shared libraries that are marked as private. This problem is reported in AIX defect 430876.

There is a work around for this problem. It has been shown to work if the shared libraries are changed to public read-only. Therefore, change the file permissions from

     -r--r----- (or 440)

to

     -r--r--r-- (or 444)

on the following CCA shared libraries:

     /usr/lib/libcsufcall.a
     /usr/lib/libcsufsapi.a
     /usr/lib/libcsufsecy.a
     /usr/lib/libds30.a


After you have changed the permissions, you should no longer get the error.