IBM HSM Highlights

Highest cryptographic security available.

Each of IBM’s HSM devices offers the highest cryptographic security available commercially. Federal Information Processing Standards (FIPS) publication 140-2 defines security requirements for cryptographic modules. It is issued by the U.S. National Institute of Standards and Technology (NIST) and is widely used as a measure of the security of HSMs. The cryptographic processes of each of the IBM HSMs are performed within an enclosure on the HSM that is designed to provide complete physical security.

IBM CEX7S / 4769

The IBM 4769 is designed to meet FIPS 140-2 Level 4, the highest level of certification achievable for commercial cryptographic devices.
The FIPS 140-2 Level 4 certification for the IBM CEX7S is in process.

The "Payment Card Industry Hardware Security Module" standard, PCI HSM, is issued by the PCI Security Standards Council. It defines physical and logical security requirements for HSMs that are used in the finance industry. The PCI HSM certification process for the IBM CEX7S is in process.

Top view of the PCIeCC4

IBM CEX6S / 4768

The IBM 4768 is validated to FIPS 140-2 Level 4, the highest level of certification achievable for commercial cryptographic devices. The IBM CEX6S with CCA 6.0 has PCI HSM certification.

IBM CEX5S / 4767

The IBM 4767 is validated to FIPS 140-2 Level 4.

The IBM 4767 with IBM Enterprise PKCS#11 firmware is Common Criteria EAL4 Certified.

The IBM 4767 hardware with CCA firmware version 5.3 meets the requirements of the German Banking Industry Committee (GBIC). The CCA release 5.3 provides sophisticated state-of-the-art protections for handling sensitive information like PIN data, cryptographic key data and account data. The HSM IBM Model 4767-002 CCA Release 5.3 implementation is compliant with GBIC's security requirements.

IBM 4765

The IBM 4765 (no longer sold by IBM) is validated to FIPS 140-2 Level 4.

The IBM HSMs are supported on the following platforms:

IBM Z®

(CEX7S (4769), CEX6S (4768), and CEX5S (4767))

IBM Power Systemsᵀᴹ

(FC EJ32/EJ33 (4767) and FC EJ27/EJ28/EJ29 (4765))

x64 servers

(MTM 4767-002)

Available on multiple platforms.

This table shows the machine type-model (MTM) or feature code (FC) for each version of IBM HSM.

IBM 4769

x64 server MTM

  • N/A

IBM Z feature code (note 1)

  • FC 0898 / 0899 - Crypto Express7S (CEX7S).
  • Only on z15ᵀᴹ

Power Systems feature code

  • N/A

IBM 4768

x64 server MTM

  • N/A

IBM Z feature code (note 1)

  • FC 0893 - Crypto Express6S (CEX6S).
  • Only on z14®

Power Systems feature code

  • N/A

IBM 4767

x64 server MTM

  • MTM 4767-002

IBM Z feature code (note 1)

  • FC 0890 - Crypto Express5S (CEX5S).
  • Only on z14®, z13sᵀᴹ, and z13®.

Power Systems feature code

  • FC EJ32 (IBM POWER8®, Customer Card Identification Number 4767, without blind-swap cassette custom carrier)
  • FC EJ33 (IBM POWER8®, Customer Card Identification Number 4767, with blind-swap cassette custom carrier)

IBM 4765 (no longer sold by IBM)

x86 server MTM

  • MTM 4765-001

IBM Z feature code (note 1)

  • FC 0865 - Crypto Express4S (CEX4S). Excluding z14, z13s, and z13. 
  • FC 0864 - Crypto Express3 (CEX3). Excluding z14, z13s, and z13. 

Power Systems feature code

  • FC EJ27 (not a blind-swap cassette)
  • FC EJ28 (IBM POWER6® generation-3 blind-swap cassette and instruction EC N23386)
  • FC EJ29 (IBM POWER7® generation-4 blind-swap and instruction EC N23597)

Note:

1. FC 0898, FC 0899, FC 0893, FC 0890, FC 0865, and FC 0864 all require FC 3863 - CPACF Enablement (Central Processor Assist for Cryptographic Functions). CPACF is a set of cryptographic instructions providing improved performance through hardware acceleration. Using the cryptographic hardware, you gain security from using the CPACF and the Crypto feature through in-kernel cryptography APIs and, for Linux on IBM Z, the libica cryptographic functions library. Cryptographic keys must be protected by your application system, as required.

Relieves main processor from cryptographic tasks.

The IBM HSMs have a PCIe local-bus-compatible interface and are tamper-responding, programmable cryptographic coprocessors, each containing a CPU, encryption hardware, RAM, persistent memory, hardware random number generator, time-of-day clock, infrastructure firmware, and software. Their specialized hardware performs AES, DES, RSA, ECC, AESKW, HMAC, DES/3DES/AES MAC, SHA-1, SHA-224 to SHA-512, SHA-3, and other cryptographic processes, relieving the main processor from these tasks. The coprocessor design protects your cryptographic keys and any sensitive customer applications.

Customizable to meet special requirements.

The firmware running in the coprocessor together with the software running on your host can be customized to meet any special requirements that your enterprise has. For the 4767, the Cryptographic Coprocessor Toolkit (CCTK) is available for purchase from IBM, subject to the export regulations of the United States Government. The CCTK can enable developers to build applications for the HSM, authenticate programs, and load programs into the HSM. The custom programming toolkit includes a custom software interface reference which describes the function calls that applications running in the HSM use to obtain services from the HSM operating system and from the HSM host system device driver. Another included reference provides the method for extending the CCA host API and the API reference for the user-defined extensions programming environment. Finally, an Interactive Code Analysis Tool (ICAT) is provided that developers can use to debug applications running on the HSM. Frequently a custom contract provides consultation to hasten application development, and sometimes provides for initial development by IBM. Whenever needed, IBM is also able to bid on developing your custom solution or extension.

Secure Administration of HSMs.

For the 4767, IBM offers GUI-based utilities to administer the HSM cards, including loading of initial keys and setup of the access control system. Each of these can use smart cards as part of the administrative process, to carry key parts securely and to identify administrators and allow them to perform sensitive functions. On Intel x64 systems and Power servers running AIX, the Cryptographic Hardware Initialization and Maintenance (CHIM) and/or Cryptographic Node Management (CNM) utilities are provided for free with the HSM software. On IBM Z, the TKE feature is a separate device with an HSM card and smart card readers as well as special software. TKE communicates with IBM Z servers over a network using secure protocols, and can administer many HSM cards in many different servers.

The IBM Enterprise Key Management Foundation (EKMF) is a flexible and highly secure key management system for the enterprise. It provides centralized key management on IBM zEnterprise® and distributed platforms for streamlined, efficient and secure key and certificate management operations. Contact IBM's Crypto Competence Center Copenhagen for details.

Smart cards on Linux.

For the 4767, IBM provides a Smart Card Utility Program (SCUP), a GUI application for use on Linux, with the CHIM and CNM applications, to manage smart cards with an IBM HSM. Linux users can use SCUP to initialize smart cards that can then be used with CNM to generate and store CCA DES and PKA master key parts on supported smart cards, load CCA master key parts stored on supported smart cards, and log on to CCA using smart card CCA profiles tied to an RSA key pair associated with a particular smart card and user profile. Smart cards are available for purchase from IBM. Additionally, IBM can provide assistance in setting up and configuring SCUP, CHIM, and CNM.

CCA Java Native Interface (JNI).

For the 4767: In addition to support for C and C++ programming languages, the CCA Support Program includes a CCA Java Native Interface (JNI) that application programmers can use to build Java applications that call CCA API functions. On Intel x64 and IBM AIX, the CCA JNI is provided with the IBM CCA installation. The IBM i® Option 35 (CCA Cryptographic Service Provider feature) does not support the CCA JNI, but it does provide language bindings for COBOL, RPG, and CL. CCA for Linux on Z features its own cryptographic JNI.