IBM Global Security Kit, Version 8 - PKCS#11 device integration

This article describes the hardware cryptographic devices that support the PKCS#11 standard and have been tested for use with IBM® Global Security Toolkit (GSKit), Version 8.

GSKit Development Team, Software Group, IBM

The GSKit Development Team designs, develops, and maintains IBM's cryptographic toolkit, GSKit. GSKit is a common component used in many IBM software products.

15 July 2014 (First published 02 November 2010)

Also available in Portuguese


Version 8 of the IBM Global Security Toolkit (GSKit) component can integrate with and exploit hardware cryptographic devices that support the PKCS#11 industry standard.

Hardware PKCS#11 devices offer a variety of features across operating system platforms. Please refer to the PKCS#11 device vendor for specific details of their offering. Some of the most common features include:

  • More secure key storage and protected usage (some with tamper detection).
  • Offloading of CPU intensive operations to device hardware. For example, most devices support asymmetric key operations.
  • Some devices are capable of load sharing when more than one of them is installed.

GSKit's use of PKCS#11 is limited to those functions (where available) required for secure communication via SSL:

  • Asymmetric key generation and secure storage
  • Certificate storage
  • Asymmetric key operations (Sign & Verify, and Decryption during SSL key-exchange)
  • Random number generation
  • Hash functions (i.e. digest calculation)
  • Symmetric key operations

Trust Anchor Certificates (Root Certificates) should only be stored on the device where the device offers Certificate modification/replacement protection via the setting of the PKCS#11 CKA_TRUSTED attribute. The support and setting of this attribute is vendor-specific. If in doubt, do not use the PKCS#11 device for Trust Anchor Certificate storage but rather use a GSKit key store.

The GSKit component team performs interoperability testing on specific hardware, firmware, and driver levels for each device. IBM product teams typically test on a subset of these devices. If an integration problem is found, the IBM product team, IBM GSKit component team, and the PKCS#11 device vendor will work together on defect resolution. All IBM product defects should be reported through the standard IBM product support channels.

Operating system platforms

This article does not cover z/OS® or OS/400® variants of GSKit. In general, the list of platforms an IBM product integrates with a PKCS#11 device is the intersection of the IBM product's supported platforms and the PKCS#11 device's supported platforms. Known exceptions are noted below in the section “Card observations” or in IBM product documentation.

Hardware cryptographic devices tested with GSKit, Version 8

Refer issues regarding installation and configuration of these cards and software to the device vendor.

  • SafeNet
    • PSG PCI HSM 600
    • LunaSA HSM
  • Sun®
    • The on-chip cryptography within the Sun Ultra-SPARC T1 and T2 CMT processor (Solaris 10 on Sparc)
  • Thales
    • nShield 6000e F2 PCI-Express (Solo)
    • nShield Edge
    • nShield Connect
  • IBM
    • IBM Crypto Express3 (CEX3)
    • IBM 4765 PCI Crypto card

Observations on specific cards

nShield 6000e F2 PCI-Express (Solo) and nShield Edge

  • Set the environment variable CKNFAST_OVERRIDE_SECURITY_ASSURANCES to "import;silent". This setting is required when using an nCipher device for symmetric key operations when enabled with GSKit. In this mode of operation, GSKit directly creates the SSL Session Key as a PKCS#11 Session Object during the SSL handshake. Despite the security override being required, no security issue is caused as the SSL Session Key is created by GSKit as part of the SSL handshake. nCipher devices do not provide Symmetric Key acceleration and as such, GSKit should not be enabled for the mode of operation when using nCipher devices unless absolutely required.


  • The GSKit testing statement is restricted to Linux on zSeries and GSKit or later must be used. Please refer to SystemSSL documentation for z/OS crypto device information.
  • There currently exists an issue with this device and GSKit FIPS mode of operation. Until the next FIPS certification round (i.e. until gsk8ver indicates that both of the ICC instances within GSKit are higher than version 8.0.n.n) GSKit v8 cannot be operated in FIPS mode with this device, and the FIPS ICC support that resides in the lib/C or lib64/C directory of the GSKit install must be removed or renamed.

nShield Connect

  • The GSKit testing statement is restricted to cipher suites that include the RSA algorithm and or later must be used.

IBM 4765 PCI Crypto card

  • The GSKit testing statement is restricted such that only asymmetric operations may be used. So GSKit SSL environment setting GSK_PKCS11_ACCELERATOR_MODE must not be set to either GSK_PKCS11_SYMMETRIC_CIPHER_ON or GSK_PKCS11_DIGEST_ON.


developerWorks: Sign in

Required fields are indicated with an asterisk (*).

Need an IBM ID?
Forgot your IBM ID?

Forgot your password?
Change your password

By clicking Submit, you agree to the developerWorks terms of use.


The first time you sign into developerWorks, a profile is created for you. Information in your profile (your name, country/region, and company name) is displayed to the public and will accompany any content you post, unless you opt to hide your company name. You may update your IBM account at any time.

All information submitted is secure.

Choose your display name

The first time you sign in to developerWorks, a profile is created for you, so you need to choose a display name. Your display name accompanies the content you post on developerWorks.

Please choose a display name between 3-31 characters. Your display name must be unique in the developerWorks community and should not be your email address for privacy reasons.

Required fields are indicated with an asterisk (*).

(Must be between 3 – 31 characters.)

By clicking Submit, you agree to the developerWorks terms of use.


All information submitted is secure.

Dig deeper into Tivoli (service management) on developerWorks

Zone=Tivoli (service management), Tivoli, WebSphere, Security
ArticleTitle=IBM Global Security Kit, Version 8 - PKCS#11 device integration