IBM 4765 PCIe Cryptographic Coprocessor

CCA support program


  • Application development with a common API for IBM AIX®, IBM i5/OS®, IBM z/OS®, IBM OS/390®, and SUSE Linux Enterprise Server.
  • Note: Integrated implementations are available for:
  • IBM z/OS and OS/390, and Linux on System z9 (System z™)
  • Description

    The IBM CCA Support Program (known as ICSF on System z) provides a comprehensive, integrated family of services that employs the major capabilities of the IBM coprocessors.

    CCA provides the usual AES, DES, and RSA functions for data confidentiality and data integrity support. In addition, CCA features extensive support for distributed key management and many functions of special interest to the finance industry. Other changes and extensions to the Support Program are described in the "Revision history" section of the CCA Basic Services Reference and Guide.

    The CCA software has been independently reviewed and certified by the German ZKA industry organization for use in specific finance systems. Also, the IBM 4765 Cryptographic Coprocessor is the latest generation of the IBM cryptographic coprocessor family. It is certified by NIST (certificate #1505) under the U.S. Government FIPS 140-2, "Security Requirements for Cryptographic Modules" at the Level 4 standard. The CCA software can be operated compliant with the the FIPS 140-2 cryptographic module standard.

    Capabilities include the following:

    The DES and PKA master keys can be randomly generated within the coprocessor and they can also be cloned, while an AES master key currently cannot. Each of the AES, DES, and PKA master keys can be inserted in parts by two or more trusted individuals. Active DES and PKA master keys can be securely cloned to additional coprocessor cards using an m-of-n secret splitting technique. See "Cloning of a DES or PKA master key" below for more information.