Learn about the specifications, requirements, and installation
notes for the 4764 PCI-X Cryptographic Coprocessor.
The adapter for the PCI-X Cryptographic Coprocessor provides
applications with cryptographic processing capability and a means to securely
store cryptographic keys. Cryptographic functions available include encryption
for keeping data confidential, message digests and message authentication
codes for ensuring that data has not been changed, and digital signature generation
and verification for authentication. In addition, the coprocessor provides
basic services for financial PIN, EMV, and SET applications. The coprocessor
can also accelerate the establishment of new SSL sessions.
The adapter is designed to meet FIPS PUB 140-2 Security Level
4 requirements.
Specifications and requirements
- Item
- Description
- FRU number
- 41U0442* or 12R6540**
  * Designed to comply with the RoHS requirement.
  ** Not designed to comply with the RoHS requirement.
- Battery kit
- 41V1061, kit contains two batteries and a battery tray.
- Adapter type
- Short, 64-bit, 3.3 V, PCI version 2.2, PCI-X version 1.0
- Placement information
- For system-specific adapter placement information, see PCI placement in
the system unit or expansion unit in the PCI adapter topic.
- Environmental requirements
Attention: The PCI-X Cryptographic Coprocessor must be shipped,
stored, and used within the following environmental specifications. If these
specifications are not met, the 4764 tamper sensors can be activated and render
the 4764 permanently inoperable.
Shipping
Ship the adapter in the original packaging (moisture barrier bag with
desiccant and thermally insulated box with gel packs).
- Temperature when shipping: +5 degrees F (-15 degrees C) to +140 degrees
F (+60 degrees C)
- Pressure when shipping: minimum 550 mbar, maximum 1039 mbar
- Humidity when shipping: 5% to 100% RH
Storage
Store the adapter in a sealed moisture barrier bag with desiccant.
- Temperature in storage: +38.8 degrees F (+1 degrees C) to +140 degrees
F (+60 degrees C)
- Pressure in storage: minimum 700 mbar, maximum 1039 mbar
- Humidity in storage: 5% to 80% RH
Operation (ambient in system)
- Temperature while operating: +50 degrees F (+10 degrees C) to +104 degrees
F (+40 degrees C)
- Humidity while operating: 8% to 80% RH
- Altitude while operating: maximum 7000 feet, equivalent to 768 mbar
- Handling requirements
- Each PCI-X Cryptographic Coprocessor is shipped from the factory with
a certified device key. This electronic key, which is stored in the adapter's
battery-powered and protected memory, digitally signs status messages to confirm
that the PCI Cryptographic Coprocessor is genuine and that no tampering has
occurred.
If any of the secure module's tamper sensors are triggered by
tampering or by accident, the PCI-X Cryptographic Coprocessor erases all
data in the protected memory, including the certified device key. Incorrect
removal of the batteries triggers the tamper sensors and destroys the certified
device keys. The PCI Cryptographic Coprocessor cannot operate without the
certified device keys. To protect the keys, follow the guidelines given in
the documentation provided with the coprocessor.
Attention: The batteries keep the coprocessor powered on even when it is not
installed in a system. When handling, installing, or removing the adapter, do
not let the adapter circuits come in contact with any conductive surface or
tools. Doing so can render the adapter permanently inoperable.
Do not remove the adapter's batteries. Data in the protected memory is lost
when battery power is removed. For information about replacing the batteries,
see Replacing the batteries.
Attention: While installing the coprocessor, observe the
following precautions:
- The coprocessor is always powered by the batteries, even when it is not
installed in the system.
- The battery power is necessary to keep the coprocessor operational.
- The loss of battery power or a voltage drop triggers a Tamper Event and
permanently renders the coprocessor inoperable.
- Any short on the battery power distribution circuits causes a voltage
drop and a Tamper Event.
- Do not lay the coprocessor on or cause the coprocessor to come in contact
with any conductive surface.
- Do not touch the coprocessor circuits with metal or conductive tools.
- Use static-protective measures at all times when handling the coprocessor.
- Operating system or partition requirements
- AIX 5L™ Version 5.2 with the 5200-09 Technology Level, or later
- AIX 5L Version 5.3 with the 5300-05 Technology Level, or later
- Required software or drivers
- AIX®: devices.pci.1410e501 device driver package
- Linux®: No Linux support
- Required firmware
- CD form number LCD8-0477-00 contains functional firmware and must be
purchased with the adapter.
- PKCS11 support program installation
- The 4764 PCI-X Cryptographic Coprocessor PKCS#11 Support Program
Installation Manual is included on the CD that is shipped with the
adapter. The manual is contained in the csufx.xcrypto.man file set.
- CCA support program installation
- The 4764 PCI-X Cryptographic
Coprocessor CCA Support Program Installation Manual is
included on the CD that is shipped with the adapter. The manual is contained
in the csufx.xcrypto.man file set.
Preparing for installation
If you are installing your operating system at this time, install your
adapter before you install the operating system. See Installing the adapter
for instructions.
If you are installing only the device driver for this adapter, install your
device driver software before you install the adapter. See Installing the
device driver software for instructions.
Installing the device driver software
This section explains how to install device driver software. The device
driver is provided for the following AIX 5L technology levels:
- AIX 5L Version 5.2 with the 5200-09 Technology Level
- AIX 5L Version 5.3 with the 5300-05 Technology Level
To install device driver software, do the following:
- Log in to the system unit as root user.
- Insert the media containing the device driver software (for example, a CD)
into the appropriate media device.
- Type the following System Management Interface Tool (SMIT) fast path:
  smitty devinst
- Press Enter. The Install Additional Device Software menu highlights the
INPUT device or directory for software option.
- Select or type your input device:
  - Press F4 to display the input device list.
  - Select the name of the device (for example, CD-ROM) that you are using
    and press Enter.
  OR
  - In the entry field, type the name of the input device that you are using
    and press Enter.
- The Install Additional Device Software window highlights the SOFTWARE
to install option.
- Press F4 to display the SOFTWARE to install window.
- Enter / to display the Find window.
- For the adapter, type the following device package name: devices.pci.1410e501
- Press Enter. The system finds and highlights this device driver software.
- Press F7 to select the highlighted device driver software.
- Press Enter. The INSTALL ADDITIONAL DEVICE SOFTWARE menu displays. The
entry fields are automatically updated.
- Press Enter to accept the information. The ARE YOU SURE menu displays.
- Press Enter to accept the information. The COMMAND STATUS menu displays.
- The term RUNNING is highlighted to indicate that the installation and
configuration command is in progress.
- When RUNNING changes to OK, scroll to the bottom of the page and locate
the Installation Summary.
- After a successful installation, SUCCESS displays in the Result column
of the Installation Summary at the bottom of the display.
- Remove the installation media from the drive.
- Press F10 to exit SMIT.
- Verify the device driver. See Verifying the device driver.
- Install the adapter. See Installing the adapter.
Verifying the device driver
To verify that the device driver for the adapter is installed, do the following:
- If necessary, log in as root user.
- At the command line, enter: lslpp -l devices.pci.1410e501.rte
- Press Enter.
If the adapter device driver is installed, the following is an example
of the data that displays on your display:
| Fileset | Level | State | Description |
| Path: /usr/lib/objrepos devices.pci.1410e501.rte | 5.2.0.95 | COMMITTED | Cryptographic Coprocessor |
Verify that the devices.pci.1410e501.rte fileset is at level 5.2.0.95 or
higher.
If no data displays, the adapter device driver did not install correctly.
Reinstall the driver.
Installing the adapter
Attention: While installing the coprocessor, observe the
following precautions:
- The coprocessor is always powered by the batteries, even when it is not
installed in the system.
- The battery power is necessary to keep the coprocessor operational.
- The loss of battery power or a voltage drop triggers a Tamper Event and
permanently renders the coprocessor inoperable.
- Any short on the battery power distribution circuits causes a voltage
drop and a Tamper Event.
- Do not lay the coprocessor on or cause the coprocessor to come in contact
with any conductive surface.
- Do not touch the coprocessor circuits with metal or conductive tools.
- Use static-protective measures at all times when handling the coprocessor.
Refer to the PCI Adapters topic for instructions on placement and
installation of PCI adapters.
After you have installed the adapter, verify the adapter installation.
Verifying the adapter installation
To verify that your system unit recognizes the PCI adapter, do the following:
- If necessary, log in as root user.
- At the command line, type: lsdev -Cs pci
- Press Enter.
A list of PCI devices displays. If the adapter is installed correctly,
an Available status for each port indicates that the adapter is installed
and ready to use. If the message on your display indicates that any of the
ports are DEFINED instead of AVAILABLE, shut down the system and verify that
the adapter was installed correctly. The adapters appear as Crypt0, Crypt1,
and so on.
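
The two verification steps above (driver fileset level and adapter state), as an added example that is not part of the original page: a POSIX shell script that evaluates `lslpp -l` and `lsdev -Cs pci` output. The function names and the sample output, including device locations and descriptions, are constructed for illustration.

```shell
#!/bin/sh
# Added example: automates the two verification steps from command output.
FILESET="devices.pci.1410e501.rte"
MIN_LEVEL="5.2.0.95"   # minimum fileset level stated on this page

# ver_ge A B: succeed when dotted version A >= B, comparing fields numerically.
ver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if ((x[i] + 0) > (y[i] + 0)) exit 0
            if ((x[i] + 0) < (y[i] + 0)) exit 1
        }
        exit 0
    }'
}

# driver_ok: reads `lslpp -l` output on stdin; succeeds when the fileset
# is listed at MIN_LEVEL or higher. No matching line means not installed.
driver_ok() {
    level=$(awk -v f="$FILESET" '$1 == f { print $2; exit }')
    [ -n "$level" ] && ver_ge "$level" "$MIN_LEVEL"
}

# adapter_ok: reads `lsdev -Cs pci` output on stdin; succeeds only when at
# least one CryptN device is listed and every one of them is Available.
adapter_ok() {
    awk '$1 ~ /^Crypt[0-9]+$/ { n++; if (tolower($2) != "available") bad++ }
         END { if (n > 0 && bad == 0) exit 0; exit 1 }'
}

# Constructed sample output (not captured from a real system).
SAMPLE_LSLPP='  Fileset                    Level     State      Description
Path: /usr/lib/objrepos
  devices.pci.1410e501.rte   5.2.0.95  COMMITTED  Cryptographic Coprocessor'
SAMPLE_LSDEV='Crypt0 Available 02-08 constructed-description
Crypt1 Defined   03-08 constructed-description'

printf '%s\n' "$SAMPLE_LSLPP" | driver_ok && echo "driver: ok" || echo "driver: missing or below $MIN_LEVEL"
printf '%s\n' "$SAMPLE_LSDEV" | adapter_ok && echo "adapter: ok" || echo "adapter: not ready"
# On a live system: lslpp -l "$FILESET" | driver_ok; lsdev -Cs pci | adapter_ok
```

With the constructed samples the driver check passes and the adapter check fails, because Crypt1 is in the Defined state.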
Running coprocessor diagnostics
Diagnostics are provided with the device driver software. If you need to run
diagnostics, see the Working with AIX diagnostics topic.
If you remove a cryptographic adapter and do not replace it, and you then run
diagnostics on the remaining cryptographic adapters, the results might not be
correct. Therefore, always run the cfgmgr -v command after removing a
cryptographic adapter.
Replacing the batteries
Two lithium batteries that are mounted on the adapter supply power to the
adapter's components, including protected memory. Support software or
application software can query the coprocessor to determine whether the
batteries need to be replaced. When the batteries need replacing, have the
procedure done by trained service providers using the 41V1061 Battery kit for
the 4764. Instructions are in the Replacing the battery on a type 4764 card
topic.
Connectors
Table 1. Connectors and jumpers on the PCI-X Cryptographic Coprocessor
| Connectors | Name of jumper | Default position |
| J7 | PCI-X EEPROM write | Jumper installed |
| J8 | External intrusion latch disable | Jumper not installed |
| J9 | Battery disconnect wire | Jumper (wire loop) installed |
| J10 | Temporary-battery connector | Jumper not installed |
| J11 | External intrusion latch | Jumper not installed |
Figure 1. Front side of the adapter
Figure 2. Back side of the adapter