IBM 4769 PCIe Cryptographic Coprocessor provides improved performance and introduces security-rich services for sensitive workloads

IBM United States Hardware Announcement 121-017
February 9, 2021



At a glance


The IBM® 4769 PCIe Cryptographic Coprocessor is a security-rich PCIe coprocessor with specialized electronics to support cryptographic functions on selected x64 architecture servers with a PCIe slot.

The 4769 PCIe Cryptographic Coprocessor is designed to deliver the following functions:

  • X.509 certificate services support
  • ANSI X9 TR34-2019 key exchange services that exploit the public key infrastructure (PKI)
  • Bitcoin Curve ECDSA: secp256k1
  • CRYSTALS-Dilithium, a quantum-safe algorithm for digital signature generation and verification
  • Rivest-Shamir-Adleman (RSA) algorithm for digital signature generation and verification with keys up to 4096 bits in length
  • High-throughput Secure Hash Algorithm (SHA), MD5 message digest algorithm, Hash-Based Message Authentication Code (HMAC), Cipher-based Message Authentication Code (CMAC), Data Encryption Standard (DES), Triple Data Encryption Standard (Triple DES), and Advanced Encryption Standard (AES)-based encryption for data integrity assurance and confidentiality, including AES Key Wrap (AESKW) that conforms to ANSI X9.102
  • Elliptic-curve cryptography (ECC) for digital signature and key agreement
  • Support for smart card applications and personal identification number (PIN®) processing
  • Secure time-of-day


Overview

The 4769 PCIe Cryptographic Coprocessor is designed to provide security-rich features and deliver high throughput for cryptographic functions on selected x64 architecture servers. For a list of supported servers, see the Approved x64 servers.

The cryptographic processes are performed within an enclosure on the board that is designed to comply with Federal Information Processing Standard (FIPS) 140-2, the highest level of certification achievable for commercial cryptographic devices.

Support for the following 4769 PCIe Cryptographic Coprocessor functions is controlled by an embedded operating system running on two sets of two 32-bit PowerPC® microprocessors in lockstep.

Specialized hardware performs AES, DES, Triple DES, RSA algorithm, SHA, ECC, and other cryptographic processes, relieving the main processor from these tasks:

  • HMAC
  • AES with Cipher-based Message Authentication Code (AES-CMAC) and AES with Galois Counter Mode (AES-GCM) algorithms
  • Common RSA and ECC public key infrastructure algorithms; ECC Diffie-Hellman protocol
  • Bitcoin Curve ECDSA: secp256k1
  • Widely used SHAs, including SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, and MD5
  • Advanced 4096-bit modular-exponentiation operations
  • True hardware random number generation
  • Pseudorandom number generation (PRNG)
  • Secure time-of-day
  • Visa Data Secure Platform (DSP) point-to-point encryption (P2PE) with standard Visa format-preserving encryption (FPE) and format-preserving, Feistel-based encryption, instantiation X

IBM offers a Common Cryptographic Architecture (CCA) Support Program for the 4769 PCIe Cryptographic Coprocessor at no charge to the user.

CCA for the 4769 PCIe Cryptographic Coprocessor is an enhanced version of the CCA Support Program shipped with the IBM 4767-002 PCIe Cryptographic Coprocessor.



Feature exchange

Not applicable



Key requirements

  • All versions of selected x64 architecture servers with a PCIe slot
  • Red Hat® Enterprise Linux® Server 8.2, 64-bit
  • IBM-provided support program

The 4769 Approved x64 servers may be periodically updated with information regarding the successful completion of testing on x64 systems and operating systems.



Planned availability date

February 23, 2021



Description

The tamper-responding hardware and infrastructure firmware of the 4769 PCIe Cryptographic Coprocessor are designed to comply with FIPS 140-2 level of security. The specialized hardware performs AES, DES, Triple DES, RSA algorithm, SHA, ECC, and other cryptographic processes, relieving the main processor from these tasks.

The 4769 PCIe Cryptographic Coprocessor is designed to protect your cryptographic keys and sensitive custom applications. The software running in the coprocessor offers a rich programmable environment to meet unique business needs and can be customized to meet special requirements, such as on-demand transactions, automated teller machines (ATMs), and point-of-sale (POS) applications for the banking, finance, and retail industries.

Design: The 4769 PCIe Cryptographic Coprocessor has a PCIe local-bus-compatible interface. The coprocessor holds a security-enabled subsystem module and batteries for backup power. The hardened encapsulated subsystem contains two sets of two 32-bit PowerPC 476FP reduced instruction set computer (RISC) processors running in lockstep with cross-checking to detect soft errors in the hardware. It also contains a separate service processor used to manage self-test and firmware updates; RAM; flash memory and battery-powered memory; secure time-of-day; cryptographic quality random number generator; AES; DES; Triple DES; HMAC; CMAC; MD5; multiple SHA hashing methods; modular-exponentiation hardware, such as RSA and ECC; and full-duplex direct memory access (DMA) communications.

A security-enabled code-loading arrangement allows control program and application program loading and refreshes after coprocessor installation in your server. IBM offers an embedded subsystem control program and a cryptographic application programming interface (API) that implements the IBM CCA.

IBM offers support for application programs that use the 4769 PCIe Cryptographic Coprocessor in selected x64 architecture servers and operate within the specified operating system environments. The IBM Common Cryptographic Architecture Support Program can be accessed from the internet at no charge to the user. See the IBM CCA Basic Services Reference and Guide, which can be found at the IBM Cryptocards Library for a full explanation of the CCA API.

Custom programming: IBM offers a toolkit, education, consulting, support, and prototyping under custom contracts to enable you to extend the IBM features or use them to create your own on-card application.

Under a special contract with IBM, you will have the flexibility to define and load customized cryptographic functions. This service offering can be requested at the IBM Cryptocards website by selecting IBM Custom programming.



Product positioning

The 4769 PCIe Cryptographic Coprocessor is an integral part of the overall security-rich solution for smarter computing and is designed to provide high security and deliver high throughput for cryptographic functions on selected x64 architecture servers.

A cryptographic hardware subsystem is a critical feature required by most enterprises in the public sector and the banking and financial industry.

The 4769 PCIe Cryptographic Coprocessor is designed to replace the IBM 4767-002 PCIe Cryptographic Coprocessor.

You may be interested in deploying cryptographic hardware technology in selected x64 architecture servers if you are:

  • Implementing systems that require high security for your cryptographic keys and high assurance the cryptographic processor has not been tampered with or modified in any way
  • Implementing applications that process financial transactions, including ATM PINs and credit card transactions
  • Implementing support for EMV (EMVCo) smart card applications
  • Implementing secure cryptographic key management
  • Implementing card personalization systems
  • Using RSA public-key cryptography for digital signatures or key management
  • Using X.509 certificate services
  • Using Elliptic Curve public-key cryptography for digital signatures and key agreement
  • Supporting Visa DSP P2PE 1
  • Supporting financial services verbs that are based on the PIN methods of and meet the requirements specified by the German Banking Industry Committee, Die Deutsche Kreditwirtschaft, also known as DK 2
  • Desiring the security or compatibility afforded by an implementation of portions of the IBM CCA

The 4769 PCIe Cryptographic Coprocessor provides high throughput for cryptographic operations. Visit IBM Cryptocards Library for performance details.

1 Contact Visa directly for details on licensing their technology.

2 The German Banking Industry Committee promulgates the standards and specifications and should be contacted directly for appropriate licenses.



Product number

Description | Machine type | Model
4769-001 PCIe Cryptographic Coprocessor | 4769 | 001



Business Partner information

If you are a Direct Reseller - System Reseller acquiring products from IBM, you may link directly to Business Partner information for this announcement. A PartnerWorld ID and password are required (use IBMid).

BP Attachment for Announcement Letter 121-017


Publications

The following publications are shipped with the product:

  • IBM Systems Safety Notices G229-9054
  • IBM Warranty Information for the 4769-001 PCIe Cryptographic Coprocessor SC23-6884
  • IBM License Agreement for Machine Code (Contains Form Z125-5468-06) SC28-6872
  • IBM License Agreement for Machine Code Addendum for Cryptography (Contains Form Z125-8449-01) GC27-2635
  • Notice to Users of the IBM 4769 PCIe Cryptographic Coprocessor, P/N 01EL550

Online publications

Publications in US English, in PDF format, may be downloaded from the IBM Cryptocards website for viewing and printing.

  • IBM 4769 PCIe Cryptographic Coprocessor Installation Manual
  • IBM 4769 PCIe Cryptographic Coprocessor CCA Support Program Installation Manual
  • IBM CCA Basic Services Reference and Guide for the IBM 4769 PCIe, IBM 4767 PCIe and IBM 4765 PCIe Cryptographic Coprocessors

To access the IBM Publications Center Portal, see the IBM Publications Center website.

The Publications Center is a worldwide central repository for IBM product publications and marketing material with a catalog of 70,000 items. Extensive search facilities are provided. A large number of publications are available online in various file formats, which can currently be downloaded.



Services

IBM Systems Lab Services

IBM Systems Lab Services offers a wide array of services available for your enterprise. It brings expertise on the latest technologies from the IBM development community and can help with your most difficult technical challenges.

IBM Systems Lab Services exists to help you successfully implement emerging technologies so as to accelerate your return on investment and improve your satisfaction with your IBM systems and solutions. Services examples include initial implementation, integration, migration, and skills transfer on IBM systems solution capabilities and recommended practices. IBM Systems Lab Services is one of the service organizations of IBM's world-renowned IBM Systems Group development labs.

For details on available services, contact your IBM representative or see the IBM Systems Lab Services website.

Global Technology Services

IBM services include business consulting, outsourcing, hosting services, applications, and other technology management.

These services help you learn about, plan, install, manage, or optimize your IT infrastructure to be an on-demand business. They can help you integrate your high-speed networks, storage systems, application servers, wireless protocols, and an array of platforms, middleware, and communications software for IBM and many non-IBM offerings. IBM is your one-stop shop for IT support needs.

For details on available services, contact your IBM representative or see the IBM Global Technology Services® website.

For details on available IBM Business Continuity and Recovery Services, contact your IBM representative or see the Resiliency Services website.

Details on education offerings related to specific products can be found on the IBM Skills Gateway website.



Technical information

Specified operating environment

Physical specifications

  • Length: 167.65 mm (6.60 in.)
  • Thickness: 18.1 mm (0.74 in.)
  • Weight: 296 g (0.653 lb)

The 4x PCIe adapter is a half height, half length card type that complies with the electrical and mechanical requirements defined by:

  • PCI Local Bus Specification 3.0
  • PCIe Specification 1.1

Power® requirement:

  • +3.3 VDC ± 10%
  • 23.44 W max, 25 W min

Standards

  • Peripheral Component Interconnect® (PCI) Local Bus Specification 3.0
  • Peripheral Component Interconnect Express® (PCIe) Specification 1.1

Operating environment

  • Temperature: 5° to 40° C (41° to 104° F)
  • Relative humidity: 8% to 80%
  • Wet bulb: 25° C (75° F)
  • Pressure: 700 mbar minimum

Hardware requirements

All versions of selected x64 architecture servers with a PCIe slot

When the 4769 PCIe Cryptographic Coprocessor has been successfully tested with servers other than selected x64 architecture servers, they will be listed at Approved x64 servers.

Software requirements

Red Hat Enterprise Linux Server 8.2, 64-bit, is required to support 4769 PCIe Cryptographic Coprocessors.

For details on future updates to the versions of operating systems that are supported by the 4769 PCIe Cryptographic Coprocessor, see the IBM Cryptocards website.

The 4769 PCIe Cryptographic Coprocessor is supported by the CCA Support Program. Licensed software is required to utilize the 4769 PCIe Cryptographic Coprocessor. Only software that the 4769 PCIe Cryptographic Coprocessor can internally validate through digital signature techniques can enable the PCIe Cryptographic Coprocessor operations.

The CCA Support Program can be downloaded from the internet. The hardware and software are subject to the export and import regulations of most countries.

Compatibility

Application programs that are designed to work with CCA Support Program versions for 4769 PCIe Cryptographic Coprocessor should not require modification.

Planning information

Client responsibilities

For instructions or publications in US English versions, see IBM Cryptocards.

Cable orders

No cables required.

Installability

This product is client setup. Clients are responsible for installation according to the instructions that IBM provides with the machine.

Security, auditability, and control

The client is responsible for evaluation, selection, and implementation of security features, administrative procedures, and appropriate controls in application systems and communications facilities.

IBM Systems Lab Services

For details on available services, contact your IBM representative or see the IBM Systems Lab Services website.



Terms and conditions

IBM Global Financing

No

Products - terms and conditions

Warranty period

Three years.

To obtain copies of the IBM Statement of Limited Warranty, contact your reseller or IBM. An IBM part or feature installed during the initial installation of an IBM machine is subject to the full warranty period specified by IBM. An IBM part or feature that replaces a previously installed part or feature assumes the remainder of the warranty period for the replaced part or feature. An IBM part or feature added to a machine without replacing a previously installed part or feature is subject to a full warranty. Unless specified otherwise, the warranty period, type of warranty service, and service level of a part or feature are the same as those for the machine in which it is installed.

Warranty

Warranty service

Warranty on the 4769 PCIe Cryptographic Coprocessor will be determined by proof of the date of purchase. The customer is responsible to provide proof at the time of service.

Once the warranty has been validated and a determination has been made that the 4769 PCIe Cryptographic Coprocessor must be replaced, the exchange is normally done by mail service.

Customer Replaceable Unit (CRU) Service applies.

Warranty service upgrades

During the warranty period, warranty service upgrades provide an enhanced level of On-site Service for an additional charge. A warranty service upgrade must be purchased during the warranty period and is for a fixed term (duration). It is not refundable or transferable and may not be prorated. If required, IBM will provide the warranty service upgrade enhanced level of On-site Service acquired by the customer. Service levels are response time objectives and are not guaranteed.

IBM will attempt to resolve your problem over the telephone or electronically by access to the IBM Cryptocards website.

Customers should use these product support pages as a primary source of information concerning the 4769 PCIe Cryptographic Coprocessor. The site supports:

  • Access to firmware for the 4769 PCIe Cryptographic Coprocessor
  • Software updates
  • Download support for product publications
  • Order and warranty support

You must follow the problem determination and resolution procedures that IBM specifies. Scheduling of service will depend upon the time of your call.

Customer Replaceable Units (CRUs) may be provided as part of the machine's standard warranty CRU Service except that you may install a CRU yourself. For additional information on the CRU service, see warranty information.

Usage plan machine

No

IBM hourly service rate classification

Not applicable

When a type of service involves the exchange of a machine part, the replacement may not be new, but will be in good working order.

General terms and conditions

Field-installable features

No

Model conversions

No

Machine installation

Client setup. Clients are responsible for installation according to the instructions IBM provides with the machine.

Graduated program license charges apply

No

Licensed Machine Code

IBM Machine Code is licensed for use by a client on the IBM machine for which it was provided by IBM under the terms and conditions of the IBM License Agreement for Machine Code, to enable the machine to function in accordance with its specifications, and only for the capacity authorized by IBM and acquired by the client. You can obtain the agreement by contacting your IBM representative. It can also be found on the License Agreement for Machine Code and Licensed Internal Code

Machine using LMC Type Model 4769-001

Access to Machine Code updates is conditioned on entitlement and license validation in accordance with IBM policy and practice. IBM may verify entitlement through client number, serial number, electronic restrictions, or any other means or methods employed by IBM in its discretion.

If the machine does not function as warranted and your problem can be resolved through your application of downloadable Machine Code, you are responsible for downloading and installing these designated Machine Code changes as IBM specifies. If you would prefer, you may request IBM to install downloadable Machine Code changes; however, you may be charged for that service.

Educational allowance

Not applicable



Prices

For additional information and current prices, contact your local IBM representative or IBM Business Partner.

Product charges

Description | Machine type | Model | Purchase price
4769 PCIe Cryptographic Coprocessor | 4769 | 001 | **

** If field installed on a purchased machine, parts removed or replaced become the property of IBM and must be returned.

Annual minimum maintenance charges

IBM will attempt to resolve your problem over the telephone or electronically by access to the IBM Cryptocards website.

ServiceElect (ESA) charges

For ServiceElect (ESA) maintenance service charges, contact IBM Global Services at 888-IBM-4343 (426-4343).

Trademarks

IBM, PIN, PowerPC, Power, Global Technology Services, Interconnect and Express are registered trademarks of IBM Corporation in the United States, other countries, or both.

Red Hat is a registered trademark of Red Hat Inc. in the U.S. and other countries.

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a worldwide basis.

Other company, product, and service names may be trademarks or service marks of others.

Terms of use

IBM products and services which are announced and available in your country can be ordered under the applicable standard agreements, terms, conditions, and prices in effect at the time. IBM reserves the right to modify or withdraw this announcement at any time without notice. This announcement is provided for your information only. Additional terms of use are located at

Terms of use

For the most current information regarding IBM products, consult your IBM representative or reseller, or go to the IBM worldwide contacts page

IBM United States