CEX6S / 4768 Library

This page provides product documentation information for the IBM CEX6S / 4768 HSM.

Product documentation for the IBM 4768 is available in PDF format. To view a PDF document, you need the Adobe® (Adobe Systems Incorporated) Reader®.

Download a complimentary copy of Adobe Reader

IBM 4768 Availability

IBM Z mainframe.
The IBM 4768 is available as feature code (FC) 0893 (Crypto Express6S, or CEX6S) on IBM Z mainframes (z14® only), either on z/OS® or Linux® on z Systems® operating systems.

On Linux on IBM Z, IBM offers a CCA API for the CEX6S and a PKCS #11 (EP11) API to the user.

Publications for these installations are discussed below.

Access CEX6S publications for z/OS

HSM CEX6S General Documentation

These manuals apply to the IBM CEX6S Cryptographic Coprocessor.

IBM 4768 Data Sheet (PDF, 262 KB)
IBM CEX6S Operational Management Manual (PDF, 1,9 MB)

IBM Systems Environmental Notices and User Guide, Z125-5823
IBM Systems Safety Notices, G229-9054
IBM Statement of Limited Warranty, Z125-4753
IBM License Agreement for Machine Code (Contains Form Z125-5468-06)
IBM License Agreement for Machine Code Addendum for Cryptography (Contains Form Z125-8448)

CEX6S CCA

The Secure Key Solution manual describes the capabilities of the security application programming interface (API) provided with the CCA Support Program.

Manuals by platform

Platform	Manual
Linux on IBM Z	IBM Secure Key Solution with the Common Cryptographic Architecture Application Programmer's Guide (PDF, 7 MB)

Independent Review of IBM Custom Key Block Formats

IBM CCA introduced the first proprietary TDES key block (also known as a key token) to be independently reviewed and confirmed to be compliant with Payment Card Industry (PCI) Security Standard Council (SSC) PIN Security key block requirements from September 2020.

The independent review report is publicly available as required by PCI SSC PIN requirement 18-3. It is posted on the IBM CryptoCards public download site (PDF, 1.1 MB).

For additional information, see the following update on our news page: May 6, 2021 | All HSMs with CCA | PCI PIN Security - first independently reviewed TDES key block.

CEX6S Enterprise PKCS #11 (EP11)

The EP11 manuals, which describe the library structure and capabilities of the cryptographic API provided with the EP11 Library for Linux on Z, as well as other details, are available on the IBM EP11 download site.

Note: To access this site, you must obtain and log in with an IBMid. This process is quick and easy. Instructions are on the download site.

Related Products

The IBM CPACF Enablement crypto feature

The IBM Central Processor Assist for Cryptographic Functions (CPACF) feature, IBM Z feature code 3863, provides hardware acceleration for 290-960 MB/sec bulk encryption rate, AES (128, 192, 256 bit), DES (DEA, TDEA2, TDEA3), SHA-1 (160 bit), and SHA-2 (224, 256, 384, 512 bit).

The IBM Cryptographic Coprocessor Facility (CCF)

The Cryptographic Coprocessor Facility (CCF) is an optional hardware feature that provides high-performance cryptographic capabilities for z/VM®, including DES, Triple-DES, RSA, and various finance-industry-specific cryptographic services. IBM zSeries servers, except the zSeries 990, offer the CCF feature.

Standards and Technology

NIST Federal Information Processing Standards on Computer Security