POWER7 information

PCI-X Cryptographic Coprocessor (FC 4764; CCIN 4764)

Learn about the specifications, requirements, and installation notes for the 4764 PCI-X Cryptographic Coprocessor.

The adapter for the PCI-X Cryptographic Coprocessor provides applications with cryptographic processing capability and a means to securely store cryptographic keys. Cryptographic functions available include encryption for keeping data confidential, message digests, and message authentication codes for ensuring that data has not been changed, and digital signature generation and verification for authentication. In addition, the coprocessor provides basic services for financial PIN, EMV, and SET applications. The coprocessor also can serve as an accelerator to accelerate the establishment of new SSL sessions.

The adapter is designed to meet FIPS PUB 140-2 Security Level 4 requirements.

Specifications and requirements

Item
Description
FRU number
41U0442* or 12R6540**
* Designed to comply with RoHS requirement.
** Not designed to comply with the RoHS requirement.
Battery kit
41V1061, kit contains two batteries and a battery tray.
Adapter type
Short, 64 bit, 3.3 v, PCI version 2.2, PCI-X version 1.0
Placement information
For the maximum adapters supported, see the PCI adapter placement topic collection for your system.
Environmental requirements
Attention: The PCI-X Cryptographic Coprocessor must be shipped, stored, and used within the following environmental specifications. If these specifications are not met, the 4764 tamper sensors can be activated and render the 4764 permanently inoperable.

Shipping

Ship the adapter in the original packaging (moisture barrier bag with desiccant and thermally insulated box with gel packs).
  • Temperature when shipping: -15 degrees C (+5 degrees F) to +60 degrees C (+140 degrees F)
  • Pressure when shipping: minimum 550 mbar, maximum 1039 mbar
  • Humidity when shipping: 5% to 100% RH

Storage

Store the adapter in sealed moisture barrier bag with desiccant.
  • Temperature in storage: +1 degree C (+38.8 degrees F) to +60 degrees C (+140 degrees F)
  • Pressure in storage: minimum 700 mbar, maximum 1039 mbar
  • Humidity in storage: 5% to 80% RH
Operation (ambient in system)
  • Temperature while operating: +10 degrees C (+50 degrees F) to +40 degrees C (+104 degrees F)
  • Humidity while operating: 8% to 80% RH
  • Altitude while operating: maximum 7000 feet, equivalent to 768 mbar
Handling requirements
Each PCI-X Cryptographic Coprocessor is shipped from the factory with a certified device key. This electronic key, which is stored in the battery-powered and protected memory of the adapter, digitally signs status messages to confirm that the PCI Cryptographic Coprocessor is genuine and that no tampering has occurred.

If any of the secure module's tamper sensors are triggered by tampering or by accident, the PCI-X Cryptographic Coprocessor erases all data in the protected memory, including the certified device key. Incorrect removal of the batteries triggers the tamper sensors and deletes the certified device keys. The PCI Cryptographic Coprocessor cannot operate without the certified device keys. To protect the keys, follow the guidelines given in the documentation provided with the coprocessor.

Attention: The batteries keep the coprocessor powered on even when it is not installed in a system. When handling, installing, or removing the adapter, ensure that the adapter circuits do not come in contact with any conductive surface or tools. Doing so can render the adapter permanently inoperable.

Do not remove the batteries from the adapter. Data in the protected memory is lost when battery power is removed. For information about replacing the batteries, see Replacing the batteries.

Attention: While installing the coprocessor, observe the following precautions:
  • The coprocessor is always powered by the batteries, even when it is not installed in the system.
  • The battery power is necessary to keep the coprocessor operational.
  • The loss of battery power or a voltage drop triggers a Tamper Event and permanently renders the coprocessor inoperable.
  • Any short on the battery power distribution circuits causes a voltage drop and a Tamper Event.
  • Do not lay the coprocessor on or cause the coprocessor to come in contact with any conductive surface.
  • Do not touch the coprocessor circuits with metal or conductive tools.
  • Use static-protective measures at all times when handling the coprocessor.
Required software or device drivers
AIX®

devices.pci.1410e501 device driver package.

Linux

No Linux support.

Required firmware
CD form number LCD8-0477-00 contains functional firmware and must be purchased with the adapter.
PKCS11 support program installation
The 4764 PCI-X Cryptographic Coprocessor PKCS#11 Support Program Installation Manual is included on the CD that is shipped with the adapter. The manual is contained in the csufx.xcrypto.man file set.
CCA support program installation
The 4764 PCI-X Cryptographic Coprocessor CCA Support Program Installation Manual is included on the CD that is shipped with the adapter. The manual is contained in the csufx.xcrypto.man file set. You can also view or download the manual from the IBM® Power Systems™ hardware information website at http://publib.boulder.ibm.com/infocenter/eserver/v1r3s/index.jsp.

For details about slot priorities and placement rules, see the PCI adapter placement topic collection for your system.

Operating system or partition requirements

The adapter is supported on the following versions of the operating system:
  • AIX
    • AIX 5L™ Version 5.2 with the 5200-09 Technology Level, or later
    • AIX 5L Version 5.3 with the 5300-05 Technology Level, or later

Preparing for installation

If you are installing your operating system at this time, install your adapter before you install the operating system. See Installing the adapter for instructions.

If you are installing only the device driver for this adapter, install your device driver software before you install the adapter. See Installing the device driver software for instructions.

Installing the device driver software

This section explains how to install device driver software. The device driver is provided for the following AIX 5L technology levels:
  • AIX 5L Version 5.2 with the 5200-09 Technology Level
  • AIX 5L Version 5.3 with the 5300-05 Technology Level

To install device driver software, do the following steps:

  1. Log in to the system unit as root user.
  2. Insert the media containing the device driver software (for example; CD) into the appropriate media device.
  3. Type the following System Management Interface Tool (SMIT) fast path: smitty devinst
  4. Press Enter. The Install Additional Device Software menu highlights the INPUT device or directory for software option.
  5. Select or type your input device by doing one of the following actions:
    • Press F4 to display the input device list and select the name of the device (for example; CD-ROM) that you are using and press Enter.
    • In the entry field, type the name of the input device you are using and press Enter. The Install Additional Device Software window highlights the SOFTWARE to install option.
  6. Press F4 to display the SOFTWARE to install window.
  7. Enter / to display the Find window.
  8. For the adapter, type the following device package name: devices.pci.1410e501
  9. Press Enter. The system finds and highlights this device driver software.
  10. Press F7 to select the highlighted device driver software.
  11. Press Enter. The INSTALL ADDITIONAL DEVICE SOFTWARE menu displays. The entry fields are automatically updated.
  12. Press Enter to accept the information. The ARE YOU SURE menu displays.
  13. Press Enter to accept the information. The COMMAND STATUS menu displays.
    • The term RUNNING is highlighted to indicate that the installation and configuration command is in progress.
    • When RUNNING changes to OK, scroll to the bottom of the page and locate the Installation Summary.
    • After a successful installation, SUCCESS displays in the Result column of the Installation Summary at the bottom of the display.
  14. Remove the installation media from the drive.
  15. Press F10 to exit SMIT.
  16. Verify the device driver. See Verifying the device driver
  17. Install the adapter. See Installing the adapter.

Verifying the device driver

To verify that the device driver for the adapter is installed, do the following steps:

  1. If necessary, log in as root user.
  2. At the command line, enter: lslpp -l devices.pci.1410e501.rte
  3. Press Enter.
If the adapter device driver is installed, the following is an example of the data that displays on your display:
Fileset Level State Description
Path: /usr/lib/objrepos devices.pci.1410e501.rte 5.2.0.95 COMMITTED Cryptographic Coprocessor

Verify that the filesets devices.pci.1410e501.rte are at level 5.2.0.95 or later.

If no data displays on your display, the adapter device driver did not install correctly. Reinstall the driver.

Installing the adapter

Attention: While installing the coprocessor, observe the following precautions:
  • The coprocessor is always powered by the batteries, even when it is not installed in the system.
  • The battery power is necessary to keep the coprocessor operational.
  • The loss of battery power or a voltage drop triggers a Tamper Event and permanently renders the coprocessor inoperable.
  • Any short on the battery power distribution circuits causes a voltage drop and a Tamper Event.
  • Do not lay the coprocessor on or cause the coprocessor to come in contact with any conductive surface.
  • Do not touch the coprocessor circuits with metal or conductive tools.
  • Use static-protective measures at all times when handling the coprocessor.

For instructions on how to install PCI adapters, see Installing the PCI adapters topic.

After you have installed the adapter, verify the adapter installation.

Verifying the adapter installation

To verify that your system unit recognizes the PCI adapter, do the following steps:

  1. If necessary, log in as root user.
  2. At the command line, type: lsdev -Cs pci
  3. Press Enter.

A list of PCI devices displays. If the adapter is installed correctly, an Available status for each port indicates that the adapter is installed and ready to use. If the message on your display indicates that any of the ports are DEFINED instead of AVAILABLE, shut down the system and verify that the adapter was installed correctly. The adapters appear as Crypt0, Crypt1, and so on.

Running coprocessor diagnostics

Diagnostics are provided with the device driver software.

If you remove a cryptographic adapter and do not replace it, and you run diagnostics on the remaining cryptographic adapters, the results might not be correct. As a result, always run the cfgmgr -v command after removing a cryptographic adapter.

Replacing the batteries

Two lithium batteries that are mounted on the adapter supply power to the adapter components, including protected memory. Support software or application software can query the coprocessor to determine whether the batteries must be replaced. When the batteries need replacing, have the procedure done by trained service providers using the 41V1061 Battery kit for the 4764.

CAUTION:
Only trained service personnel may replace this battery. The battery contains lithium. To avoid possible explosion, do not burn or charge the battery.
Do Not:
  • ___ Throw or immerse into water
  • ___ Heat to more than 100 degrees C (212 degrees F)
  • ___ Repair or disassemble

Exchange only with the IBM-approved part. Recycle or discard the battery as instructed by local regulations. In the United States, IBM has a process for the collection of this battery. For information, call 1-800-426-4333. Have the IBM part number for the battery unit available when you call. (C002)

The Battery Replacement Kit includes:
  • Two replacement batteries
  • A battery tray with connecting wires
  • Two sets of spare battery attention labels
To replace the batteries, follow these steps:
  1. Turn off the computer and all attached devices.
  2. Disconnect all cables, including the power cable.
    CAUTION:
    The battery is a nickel-cadmium battery. To avoid possible explosion, do not burn. Exchange only with the IBM-approved part. Recycle or discard the battery as instructed by local regulations. In the United States, IBM has a process for the collection of this battery. For information, call 1-800-426-4333. Have the IBM part number for the battery unit available when you call. (C005)
  3. Remove the cover from the expansion slots according to the directions provided with your computer.
  4. Open the Battery Replacement Kit.
    Attention: Electrostatic discharge (ESD) can damage the card and its components. Wear an ESD wrist strip while handling and installing the card, or take the following precautions:
    • Limit your movements to prevent static electricity building up around you.
    • Prevent others from touching the card or other components.
    • Handle the card by its edges only. Do not touch exposed circuitry and components.
  5. Remove the card from the bus slot in the host computer.
  6. Insert one of the new batteries into the battery tray provided with the kit. Align the + on the battery with the + on the battery tray (the end with the red wire). Connect the tray wires to the J10 connector located near the RS-232 serial port, as shown in Figure 1. The connector is polarized to ensure a correct connection.
    Attention: Any loss of power erases data stored in the protected memory of the card. To prevent loss, ensure that the battery tray contains a fresh battery and is attached to the J10 connector.
  7. Remove the battery attention labels from the battery holders on the card. These labels can be torn off and discarded. They are to be replaced by the spare labels included in the kit.
  8. Remove the battery from the BT1 position. To eject the battery, turn the coprocessor over and insert a small object, such as a screwdriver, through the hole to eject the battery.
  9. Replace the battery in the BT1 position with a new battery.
  10. Replace the battery in the BT2 position with the battery in the battery tray. The new battery already installed in the BT1 position provides power to the adapter while you perform this step.
  11. Remove the battery holder from the J10 connector.
  12. Reapply the spare battery attention labels onto the holders on the card covering the batteries.
  13. Reinstall the coprocessor into the PCI-X bus slot, and be sure that the card is fully seated.
  14. Replace the cover of the host computer.
  15. Reconnect the power cable and any other cables you disconnected.
  16. Power® on the computer. The card runs its power on self-test (POST).
  17. Reinstall the adapter.

Connectors

Table 1. Connectors and jumpers on the PCI-X Cryptographic Coprocessor
Connectors Name of jumper Default position
J7 PCI-X EEPROM write Jumper installed
J8 External intrusion latch disable Jumper not installed
J9 Battery disconnect wire Jumper (wire loop) installed
J10 Temporary-battery connector Jumper not installed
J11 External intrusion latch Jumper not installed
Figure 1. Front side of the adapter
Graphic showing the front side of the adapter
Figure 2. Rear side of the adapter
Graphic showing the rear side of the adapter
Parent topic: PCI adapter information by feature type for the 8202-E4B, 8202-E4C, 8202-E4D, 8205-E6B, 8205-E6C, or 8205-E6D
Parent topic: PCI adapter information by feature type for the 8233-E8B or 8236-E8C
Parent topic: PCI adapter information by feature type for the 8412-EAD, 9117-MMB, 9117-MMC, 9117-MMD, 9179-MHB, 9179-MHC, or 9179-MHD
Parent topic: PCI adapter information by feature type for the 5803 and 5873 expansion units
Related tasks:
Removing and replacing parts on type 2748, 2757, 2763, 2778, 2780, 2782, 4758, 4764, 5703, 5708, 5709, 571B, 571E, 571F, 573D, 574F, 575B
Related reference:
IBM Prerequisite Web page
Parts information
Backplane daughter cards and RAID enablement cards

Send feedback Rate this page

Last updated: Wed, January 17, 2018