IBM Cryptographic Coprocessors for IBM i

The cryptographic coprocessor provides proven cryptographic services that ensure privacy and integrity for developing secure e-business applications.

Using an IBM® Cryptographic Coprocessor with IBM i adds highly secure cryptographic processing capability to your system. If a cryptographic coprocessor is installed and varied on for your system, you can use it to provide more secure key storage for your certificate private keys.

Note: The cryptographic coprocessor cannot be used to generate ECDSA certificates.

You can use the cryptographic coprocessor to store the private key for a server or client certificate and for a local Certificate Authority (CA) certificate. However, you cannot use the cryptographic coprocessor to store a user certificate private key because this key must be stored on the user's system. Also, you cannot use the coprocessor to store the private key for an object signing certificate at this time.

You can either store a certificate private key directly in the cryptographic coprocessor, or you can use the cryptographic coprocessor master key to encrypt the key and store it in a special key file. You can select these key storage options as part of the process of creating or renewing a certificate. Also, if you use the coprocessor to store a certificate's private key, you can change the coprocessor device assignment for that key.

To use the cryptographic coprocessor for private key storage, you must ensure that the coprocessor is varied on before using Digital Certificate Manager (DCM). Otherwise, DCM does not provide the option for selecting a storage location as part of the certificate creation or renewal process.