IBM PCIe Cryptographic Coprocessor

Battery replacement kits and multi-battery packs are now available for ordering as part numbers.

• Battery-replacement kit, part number 45D5803. The part number includes two replacement batteries, one battery tray with connecting wires, and two battery-attention labels.
• Multi-battery pack (20 quantity), part number 74Y0465. This part number includes twenty (20) replacement batteries and battery-attention labels. Does not include battery tray required for installing batteries.

To order the battery-replacement kit, or the multi-battery pack, customers in:

• US or Canada can call the IBM Maintenance Parts and Warranty Center at 800-388-7080. When calling, provide the part number and your IBM End User Customer number.
• Other countries will need to follow these steps:
  • Find the general contact information number for your country by going to www.ibm.com/planetwide/ and clicking on your country. You can also call the IBM general contact information number 800-IBM-4YOU (800-426-4968). When calling, ask for the general contact information number for your country.
  • Using the general contact information number retrieved for your country from the previous step, call and ask for the parts phone number. Call the parts phone number to order the part or parts. When calling, provide the part number and your IBM End User Customer number.

The IBM PCIe Cryptographic Coprocessor provides a high-security, high-throughput cryptographic subsystem. The IBM 4765 Cryptographic Security Module validated to FIPS 140-2, Overall Level 4 (highest level of security). See FIPS certification number 1505 (link resides outside of ibm.com). The 4765 Cryptographic Coprocessor is a tamper responding, programmable, cryptographic PCIe card, containing CPU, encryption hardware, RAM, persistent memory, hardware random number generator, time of day clock, infrastructure firmware, and software. Specialized hardware performs AES, DES, TDES, RSA, SHA-1, SHA-224 to SHA-512, and other cryptographic processes, relieving the main processor from these tasks. The coprocessor design protects your cryptographic keys and sensitive custom applications. The software running in the coprocessor can be customized to meet special requirements.

The IBM PCIe Cryptographic Coprocessor has a PCIe local-bus-compatible interface. The coprocessor holds a secured subsystem module, batteries for backup power and a full-speed USB 2.0 host port available through a mini-A connector. The securely encapsulated subsystem contains two 32-bit PowerPC 405D5 RISC processors running in lock-step with cross-checking to detect malfunctions as well as a separate service processor used to manage self-test and firmware updates, RAM, flash memory, and battery-powered memory, cryptographic-quality random number generator, AES, DES, TDES, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 and modular-exponentiation (for example, RSA, DSA) hardware, and full-duplex DMA communications. A secure code-loading arrangement enables control program and application program loading and refreshes after coprocessor installation in your server. IBM offers a Linux-based subsystem control program and a cryptographic application programming interface (API) which implements the IBM Common Cryptographic Architecture (CCA).

The IBM PCIe Cryptographic Coprocessor is supported in the following IBM server families:

• IBM System z™ mainframes, where the coprocessor is available as a Crypto Express3 (CEX3C) feature.
  • The coprocessor is supported under IBM z/OS® with the Integrated Cryptographic Support Facility (ICSF) and the IBM Resource Access Control Facility (RACF®) to provide cryptographic services using the CCA cryptographic API.
  • The coprocessor is supported under Linux on System z to provide cryptographic services using the CCA cryptographic API.
  • Solution Brief: Please note the following link to materials about this support:
    • Support materials (PDF, 71.11KB)
• IBM Power Systems™, where the IBM 4765 PCIe Cryptographic Coprocessor is available on IBM AIX® and IBM i® as the following hardware feature codes:
  • FC 4807, 4765-001, IBM POWER6® or IBM POWER 7®, no custom carrier
  • FC 4808, 4765-001, IBM POWER6 custom carrier and instruction EC N23386
  • FC 4809, 4765-001, IBM POWER7 custom carrier and instruction EC N23597
• IBM System x™, where the coprocessor is ordered as a System z machine type-model (4765-001).

Further details on specific supported environments are provided elsewhere on this Web site or on the Web sites for the individual IBM server families.

Note that system software on some IBM servers provides higher-level interfaces to the cryptographic functions in the IBM PCIe Cryptographic Coprocessor. For example, some systems may offer Java interfaces which make use of the coprocessor.

Spotlight

As of February 19, 2013, the 4765 hardware security module (HSM) is validated to meet the MEPS (Méthode d'Évaluation des Produits Securitaire "bancaires") approval scheme used by Cartes Bancaires (CB) banking ecosystem. This standards certification allows the 4765 HSM to be used by CB member banks on their dedicated payment networks.

Effective February 2013, a host code fix is available for users of Release 4.3.5 who get the error "The key-storage file is not usable" (return code 8, reason code 752)

New product release for IBM 4765 now available on IBM ServerProven System x servers, effective July 2012. This release includes support for the SLES 11.2 O/S. Support is also included for controlling the wrapping of a key with a weaker key, DUKPT for encryption and MAC keys, ciphertext translation, and AMEX enhanced CSC generation and PIN/Change Unblock.
Important notice to ECC users: This release contains important security-related changes for ECC users. See Release 4.3.5 information for details.

New CCA support program release now available for
Linux on IBM System z
effective April 2012.
This release adds
CCA release 4.2
support for the IBM
CEX3C PCIe Cryptographic Coprocessor.

Effective December 2011, new add-on features are being offered for the IBM 4765 on System x to support additional operating systems. See the IBM 4765 software updates page.

• IBM CCA Basic Services Reference and Guide for the IBM 4765 PCIe and IBM 4765 PCI-X Cryptographic Coprocessors: Releases 4.2, 4.1, 4.0, 3.60, 3.30, 3.27, and 3.25 (10/2011, PDF, 3.1MB), 24th edition.

Support for optional Smart Card hardware is available. See Smart Card User Guide (PDF, 2.17MB) for more information.

• New CCA support program release now available for Linux on IBM System z effective April 2011. This release adds CCA Release 4.1 support for the IBM CEX3C PCIe Cryptographic Coprocessor.

IBM 4765 Cryptographic Security Module validated to FIPS 140-2, Overall Level 4 (highest level of security). See FIPS certification number 1505 (link resides outside of ibm.com).

• Get Adobe® Reader®