The IBM PCIe Cryptographic Coprocessor Version 3 (PCIeCC3) is the latest generation of IBM's PCIe hardware security modules (HSMs). It is redesigned to provide improved performance and security-rich services for your sensitive workloads, and to deliver high throughput for cryptographic functions. For a detailed summary of the capabilities and specifications of the PCIeCC3 (also referred to as the Crypto Express6S, or CEX6S), refer to the IBM 4768 Data Sheet (PDF, 474 KB).
FIPS 140 defines security requirements for cryptographic modules. It is issued by the U.S. National Institute of Standards and Technology (NIST) and is widely used as a measure of the security of HSMs. The IBM CEX6S is validated by NIST (certificate number 3410) at FIPS 140-2 Level 4, the highest level of certification achievable for commercial cryptographic devices.
PCI HSM is the "Payment Card Industry Hardware Security Module" standard issued by the PCI Security Standards Council. It defines physical and logical security requirements for HSMs that are used in the finance industry. To view IBM firmware levels and devices that have achieved this certification, search by 'Company name' for "IBM Corporation" on the PCI PTS website.
The PCIeCC3 is available as feature code (FC) 0893 (Crypto Express6S, or CEX6S) on IBM Z® mainframes (z14® only), running either the z/OS® or the Linux® on IBM Z operating system:
- On z/OS, IBM offers the Integrated Cryptographic Service Facility (ICSF) component that ships with the base product. ICSF is the software on z/OS that provides access to the z Systems CEX5S cryptographic hardware feature through the use of callable services that comply with IBM's Common Cryptographic Architecture (CCA). ICSF, together with the IBM Resource Access Control Facility (RACF) licensed program, provides cryptographic services using the CCA security API.
- On Linux on Z, IBM offers a CCA API for the CEX6S and a PKCS #11 (EP11) API to the user. The CCA API shipped with the CEX6S is an enhanced version of the CCA API shipped with the CEX5S, CEX4S, or CEX3.