CEX7S / 4769 Library
This page provides product documentation information for the IBM CEX7S / 4769 HSM.
Product documentation for the IBM CEX7S / 4769 Cryptographic Coprocessor is available in PDF format. To view a PDF document, you need the Adobe® (Adobe Systems Incorporated) Reader®.
Available on Multiple Platforms
IBM Z mainframe.
The CEX7S / 4769 is available as feature code (FC) 0898 / 0899 (Crypto Express7S, or CEX7S) on IBM Z mainframes (z15® only), either on z/OS® or Linux® on IBM Z® operating systems.
On Linux on IBM Z, IBM offers a CCA API for the CEX7S and a PKCS #11 (EP11) API to the user.
x64 servers.
The 4769 is available as machine type-model 4769-001 on x64 servers on Red Hat® Enterprise Linux® (RHEL) 64-bit operating systems. IBM offers a Common Cryptographic Architecture (CCA) Support Program for the IBM 4769 at no charge to the user.
IBM Power Systems.
On IBM POWER10® systems, the 4769 is available as FC EJ35, Customer Card Identification Number (CCIN) C0AF (without blind-swap cassette custom carrier) and as FC EJ37, CCIN C0AF (with blind-swap cassette custom carrier), on IBM AIX®, IBM i®, or PowerLinux® (with certain Red Hat® Enterprise Linux (RHEL) or SUSE® Linux Enterprise Server (SLES) operating systems).
On IBM POWER9® systems, the 4769 is available as FC EJ35 / FC EJ37, CCIN C0AF either on IBM AIX or IBM i.
HSM CEX7S / 4769 General Documentation
These manuals apply to the IBM CEX7S/4769 Cryptographic Coprocessor.
- IBM 4769 Data Sheet (PDF, 383 KB)
- IBM 4769 PCIe Cryptographic Coprocessor Installation Manual (PDF, 929 KB)
- IBM CEX7S Operational Management Manual (PDF, 462 KB)
- IBM Systems Environmental Notices and User Guide, Z125-5823 (PDF, 3.7 MB)
- IBM Systems Safety Notices, G229-9054 (PDF, 54 MB)
- IBM Warranty Information, SC23-6884 (PDF, 1.8 MB)
- IBM Support - Machine warranties and license information
- IBM License Agreement for Machine Code (Contains Form Z125-5468-06)
- IBM License Agreement for Machine Code Addendum for Cryptography (Contains Form Z125-8449-01)
CCA Support Program
For Linux on IBM Z, the IBM Secure Key Solution with the Common Cryptographic Architecture Application Programmer's Guide describes the capabilities of the security application programming interface (API) provided with the CCA Support Program.
- how to install and use CCA and its tools and utilities,
- the capabilities of the security application programming interface (API) provided with the CCA Support Program, and
- how to use the Crypto Hardware Installation and Maintenance (CHIM) program on the workstation
Independent Review of IBM Custom Key Block Formats
IBM CCA introduced the first proprietary TDES key block (also known as a key token) to be independently reviewed and confirmed to be compliant with Payment Card Industry (PCI) Security Standards Council (SSC) PIN Security key block requirements from September 2020.
The independent review report is publicly available as required by PCI SSC PIN requirement 18-3. It is posted on the IBM CryptoCards public download site (PDF, 1.1 MB).
For additional information, see the following update on our news page: May 6, 2021 | All HSMs with CCA | PCI PIN Security - first independently reviewed TDES key block.
IBM 4769 Custom Programming
- Custom Software Developer's Toolkit Guide describes the tools that enable developers to build applications for the IBM 4769, authenticate programs, and load programs into the IBM 4769.
- Custom Software Interface Reference describes the function calls that applications running in the IBM 4769 use to obtain services from the coprocessor operating system and from the coprocessor device driver in the host system.
- CCA User Defined Extensions Reference and Guide describes the user-defined extensions programming environment within the CCA application in the IBM 4769, the method for extending the CCA host API, and the application programming interface reference for these environments.
- Interactive Code Analysis Tool (ICAT) describes the tool that developers use to debug applications running on the IBM 4769.
Enterprise PKCS #11 (EP11)
Related products
The IBM CPACF Enablement crypto feature
The IBM Central Processor Assist for Cryptographic Functions (CPACF) feature, IBM Z feature code 3863, provides hardware acceleration, at a bulk encryption rate of 290-960 MB/sec, for AES (128, 192, 256 bit), DES (DEA, TDEA2, TDEA3), SHA-1 (160 bit), and SHA-2 (224, 256, 384, 512 bit).
The IBM Cryptographic Coprocessor Facility (CCF)
The Cryptographic Coprocessor Facility (CCF) is an optional hardware feature that provides high-performance cryptographic capabilities for z/VM®, including DES, Triple-DES, RSA, and various finance-industry-specific cryptographic services. IBM zSeries servers, except the zSeries 990, offer the CCF feature.