Supported platforms by IBM HSM

IBM 4769

The IBM 4769, available on IBM Z, on x64 systems, and on IBM Power Systems™ (POWER10® and POWER9®), is the latest generation of IBM's PCIe hardware security modules (HSMs). It is redesigned for improved performance and security-rich services for your sensitive workloads, and to deliver high throughput for cryptographic functions. The IBM 4769 is referred to as the IBM Crypto Express7S, or CEX7S, on IBM Z; as machine type-model (MTM) 4769-001 on x64; and as Feature Code (FC) EJ35 / EJ37 on Power.

PCI HSM is the "Payment Card Industry Hardware Security Module" standard issued by the PCI Security Standards Council. It defines physical and logical security requirements for HSMs that are used in the finance industry. To view IBM firmware levels and devices that have achieved this certification, search by 'Company name' for "IBM Corporation" on the PCI PTS website.

The IBM 4769 hardware with CCA firmware versions 7.0, 7.1, or 7.2 meets the requirements of the German Banking Industry Committee (GBIC). These CCA releases provide sophisticated state-of-the-art protections for handling sensitive information like PIN data, cryptographic key data and account data. The HSM IBM Model 4769-001 CCA Release 7.0/7.1/7.2 implementations are compliant with GBIC's security requirements.

IBM 4768

The IBM 4768, available on IBM Z, is designed for high performance and security-rich services for your sensitive workloads. It delivers high throughput for cryptographic functions. The IBM 4768 is referred to as the IBM Crypto Express6S, or CEX6S.

FIPS 140 defines security requirements for cryptographic modules. It is issued by the U.S. National Institute of Standards and Technology (NIST) and is widely used as a measure of the security of HSMs. The IBM CEX6S is validated by NIST (certificate number 3410) at FIPS 140-2 Level 4, the highest level of certification achievable for commercial cryptographic devices.

PCI HSM is the "Payment Card Industry Hardware Security Module" standard issued by the PCI Security Standards Council. It defines physical and logical security requirements for HSMs that are used in the finance industry. To view IBM firmware levels and devices that have achieved this certification, search by 'Company name' for "IBM Corporation" on the PCI PTS website.

IBM 4767

The IBM 4767 is designed for improved performance and security-rich services for your sensitive workloads, and to deliver high throughput for cryptographic functions. The IBM 4767 is referred to as the IBM Crypto Express5S, or CEX5S, on IBM Z, as machine-type model 4767-002 on x64 systems, and as feature code EJ32/EJ33 on IBM Power.

Federal Information Processing Standards (FIPS) are issued by the U.S. National Institute of Standards and Technology (NIST). The 4767's cryptographic processes are performed within an enclosure on the HSM and are validated to FIPS PUB 140-2, Security Requirements for Cryptographic Modules, Overall Security Level 4. Level 4 is the highest level of certification achievable for commercial cryptographic devices. See FIPS certification number 3164 on the Computer Security Resource Center website for the certification.

The IBM 4767 with IBM Enterprise PKCS#11 firmware is Common Criteria EAL4 Certified.

The IBM 4767 hardware with CCA firmware version 5.3 meets the requirements of the German Banking Industry Committee (GBIC). The CCA release 5.3 provides sophisticated state-of-the-art protections for handling sensitive information like PIN data, cryptographic key data and account data. The HSM IBM Model 4767-002 CCA Release 5.3 implementation is compliant with GBIC's security requirements.

The IBM 4767 is available on IBM Z mainframes (z14, z13s™, and z13® only), on x64 servers, and IBM Power Systems®:

Software

IBM provides the Common Cryptographic Architecture (CCA) Support Program that you can load into the HSM to perform cryptographic functions common in the finance industry and in Internet business applications. You can also add custom functions to the HSM using an available programming toolkit or through IBM consulting services.

IBM also provides EP11, which is specifically designed for customers seeking support for open standards and enhanced security. The EP11 library provides an interface very similar to the industry-standard PKCS #11 API. Existing applications using PKCS #11 will benefit from using EP11 for secure key cryptography.

The IBM 4767 HSM is suited to applications requiring high-speed cryptographic functions for data encryption and digital signing, secure storage of signing keys, or custom cryptographic applications. These can include financial applications such as PIN generation and verification in automated teller and point-of-sale transaction servers, Internet business and web-serving applications, Public Key Infrastructure applications, smart card applications, and custom proprietary solutions. Applications can benefit from the strong security characteristics of the HSM and the opportunity to offload computationally intensive cryptographic processing.