CEX5S / 4767 Ordering

This page provides information on how to order the IBM CEX5S / 4767 HSM.

Note: On March 30, 2021, IBM announced the hardware withdrawal of the IBM MTM 4767-002 on x64 systems. Please see the withdrawal notice for additional information.

The IBM 4767 is currently available on:

  1. IBM Z® family z14®, z13s™, and z13® mainframes only, either on z/OS® or Linux® on z Systems® operating systems, ordered as a Crypto feature code (FC)
  2. x64 servers as an IBM Z machine type-model (MTM), either on Microsoft® Windows® Server, SUSE® (a Micro Focus Company) Linux Enterprise Server (SLES), or Red Hat® Enterprise Linux (RHEL) 64-bit operating systems
  3. IBM Power Systems™ POWER8® server only, either on IBM AIX®, IBM i®, or PowerLinux™ (RHEL Server, SLES, or Ubuntu) operating systems
Refer to the following table for IBM 4767 machine type-model or feature code by platform:
IBM PCIe Cryptographic Coprocessor IBM Z feature code (z/OS or Linux on z) x86 server MTM (Windows, SLES, or RHEL) Power Systems feature code
4767 FC 0890 - Crypto Express5S (CEX5S)Note: FC 0890 is only available on z14, z13s, and z13 mainframes and requires Crypto feature code FC 3863 (CPACF Enablement). CPACF stands for Central Processor Assist for Cryptographic Functions. MTM 4767-002 FC EJ32, Customer Card Identification Number 4767 (IBM POWER8 without blind-swap cassette custom carrier)FC EJ33, Customer Card Identification Number 4767 (IBM POWER8 with blind-swap cassette custom carrier)

How to Place an Order for FC 0890 (CEX5S)

The IBM 4767 is currently only available on IBM z14, z13s, and z13 mainframes, either on z/OS or Linux on z Systems operating systems. The Crypto feature can be ordered as feature code (FC) 0890 - Crypto Express5S (CEX5S). CEX5S includes the HSM and its embedded firmware.

Note: FC 0890 requires FC 3863 - CPACF Enablement (Central Processor Assist for Cryptographic Functions). CPACF is a set of cryptographic instructions providing improved performance through hardware acceleration. Using the cryptographic hardware, you gain security from using the CPACF and CEX5S through in-kernel cryptography APIs and, for Linux on z Systems, the libica cryptographic functions library. Cryptographic keys must be protected by your application system, as required.

To place an order for the CEX5S feature, contact your IBM Customer Engineer. A minimum of 2 features is required per computer, with a maximum of 16.

How to Place an Order for MTM 4767-002

The IBM Z MTM 4767-002 is supported in x64 servers.

The IBM 4767-002 is no longer marketed by IBM. Its replacement cryptographic adapter is the IBM 4769-001. For more information about the IBM 4769, see the CEX7S / 4769 Overview page.

Publications related to the IBM 4767 are available on the IBM 4767 download site.
Note: To access this site, you must obtain and log in with an IBMid. This process is quick and easy. Instructions are on the download site.

How to Place an Order for FC EJ32 or FC EJ33

The 4767 is currently available on IBM Power Systems, either on IBM AIX, IBM i, or PowerLinux operating systems. The feature can be ordered as feature code (FC) EJ32 or EJ33. Refer to the IBM 4767 machine type-model or feature code by platform table above .

If you wish to order the feature for the IBM Power Systems™ (FC EJ32 or EJ33), see the IBM Power Systems website for information. The coprocessor and its software and firmware are obtained as features of the IBM Power Systems and not from this website. However, the CCA Basic Services manual is obtained from the CEX5S / 4767 Library page.

How to Place an Order for a 4767 Battery-Replacement Kit

The 4767 has two on-board batteries which provide critical backup power to a small quantity of internal memory, the clock-calendar, and the tamper-detection circuitry. So that you can maintain the functionality of the coprocessor, a kit containing replacement batteries for the 4767 is available through IBM as a field replaceable unit (FRU). Refer to the Part number for 4767 Battery-Replacement Kit table.

To place an order for a 4767 battery-replacement kit, contact your Americas Call Centers, local IBM representative, or your IBM Business Partner as outlined in How to Place an Order for MTM 4767-002.

You can also use the IBM Maintenance Parts website to order a battery-replacement kit. Navigate to this page:
https://www-store.shop.ibm.com/shop/en-US/PartsUSStorefrontAssetStore/MaintenanceParts
Click “Retail store”, enter the battery-replacement kit part number, 45D5803, and click the search icon. The part number, description, price, and availability will be displayed. You can complete your order online or via the phone number provided on the page.

Part number for 4767 Battery-Replacement Kit

Part number Description
FRU 45D5803 Battery-replacement kit. Includes two replacement batteries, one battery-attention label, and one battery tray with connecting wires.

You can also use part number 45D5803 for IBM 4767-001 battery replacement.

Please Contact Cryptocards if you have any questions about battery replacement.

Notes:

  1. Important: It is imperative that the coprocessor always has batteries installed with sufficient stored energy to power the coprocessor during its entire useful life. When the coprocessor is not in a powered-on system and the batteries either fail or are removed from the coprocessor, the unit will zeroize and be rendered permanently inoperable. There is no recovery from this situation.
  2. Special procedures are required to safely replace coprocessor batteries. Instructions for replacing the batteries are in IBM 4767 PCIe Cryptographic Coprocessor Installation Manual. This manual is available for download from the CEX5S / 4767 Library page.