4767-adapter

Download CCA / EP11 software packages

From this website you can download the software packages for the IBM PCIeCC2 for the platforms shown in the following sections.


IBM Z® servers running Linux®

Obtain CCA or EP11 software for use in IBM Z servers running Linux on this software-package selection page.


x86 servers

The purchase of an IBM 4767 includes CCA software and firmware that can be installed on the following 64-bit operating systems:

  • Microsoft® Windows® Server
  • SUSE® (a Micro Focus Company) Linux Enterprise Server (SLES)
  • Red Hat® Enterprise Linux (RHEL)

 

 

4767-serialno

Figure 1. IBM 4767 serial numbers

Obtain CCA software and firmware for use in x86 servers as follows:

Get the IBM System serial number from the black label on the edge of one of your IBM 4767 PCIe Cryptographic Coprocessors. Refer to Figure 1. This serial number along with your IBM customer number are required as part of the download package request.

Go to the software-package selection page. If you do not have a universal IBM user ID, you will need to register. Once registered, sign in and select an offering, then complete the download.


IBM Power Systems™ servers

The purchase of an IBM feature code EJ32 or EJ33 for use in POWER8® servers includes CCA software and firmware that can be installed on the following operating systems:

  • IBM AIX®
  • IBM i®
  • IBM PowerLinux® (RHEL Server, SLES, Ubuntu® by Canonical)

 

How to obtain CCA software and firmware

Obtain CCA software and firmware as follows:

Get the IBM System serial number from the black label on the edge of one of your PCIeCC2 HSMs. Refer to Figure 1. This serial number along with your IBM customer number are required as part of the download package request.

Go to the software-package selection page. If you do not have a universal IBM user ID, you will need to register. Once registered, sign in and select an offering, then complete the download.


IBM PCIeCC2 software

With the purchase of an IBM PCIeCC2 HSM, you also receive IBM’s Common Cryptographic Architecture (CCA) and IBM's Enterprise PKCS #11 (EP11). CCA is described here, and EP11 is described here. A comparison of the capabilities of CCA and EP11 is provided here to help customers choose the product that fits their needs.


CCA

IBM CCA provides a comprehensive set of cryptographic functions, including the common AES, TDES, RSA, and ECC functions for data confidentiality and data integrity support.  In addition, CCA features extensive functions for key management and many functions of special interest to the banking and finance industry. Changes and extensions to CCA are described in the "Revision history" section of the IBM CCA Basic Services Reference and Guide.
CCA and the 4767 HSM hardware have been independently reviewed and approved by the German Banking Industry Committee, Die Deutsche Kreditwirtschaft, also known as DK (formerly ZKA) for use in specific German finance systems.

CCA includes these capabilities:
Cryptographic algorithms, including:
    •    Symmetric key algorithms: AES (128-256 bit), Triple-DES (112, 192 bit), DES (56 bit) for data confidentiality, message authentication, key management, financial payment card systems functions, and others
    •    Public-key algorithms: RSA (to 4096 bits), Elliptic Curve (NIST Prime curves to 521 bits, Brainpool curves to 512 bits) for digital signatures and key management
    •    Hashing algorithms: SHA-1, SHA-2 (224-512), MD5, RIPEMD-160, MDC
    •    HMAC using SHA-1 or SHA-2
    •    Hardware-based prime number generator
Financial cryptography support, including:
    •    Sophisticated key typing and key usage control
    •    PIN processing
    •    EMV smart card personalization and transaction processing
    •    ATM remote key distribution
    •    Key derivation
    •    TR-31 key block support
    •    Derived Unique Key Per Transaction (DUKPT)
Relevant standards that are supported (not a complete list):
    •    Key management: ANSI X9.24 Part 1, ANSI X9.24 Part 2, ANSI TR-31, ANSI X9.8 / ISO 9564, NIST SP 800-108, NIST SP 800-56A, ANSI X9.63, ANSI X9.102
    •    Device security and cryptographic algorithm correctness: FIPS 140, ANSI X9.97, ISO 13491
    •    Digital signatures: NIST FIPS 186, ANSI X9.62, PKCS #1, ANSI X9.31, ISO 9796
    •    Random number generation: NIST SP 800-90A
    •    Hashing and HMAC: NIST FIPS 180, NIST FIPS 198
Custom programming support:
    •    UDX (User Defined eXtensions) toolkit allows adding custom functions to the CCA API
    •    Toolkit also allows developing your own custom firmware in place of IBM CCA or EP11
The IBM CCA Support Program (known as ICSF on IBM Z® running z/OS®) provides a comprehensive, integrated family of services that employs the major capabilities of the IBM coprocessors.
CCA provides the usual AES, TDES, RSA, and ECC functions for data confidentiality and data integrity support. In addition, CCA features extensive support for distributed key management and many functions of special interest to the finance industry. Other changes and extensions to the Support Program are described in the "Revision history" section of the CCA Basic Services Reference and Guide (PDF, 6MB).
The CCA software has been independently reviewed and approved by the German Banking Industry Committee, Die Deutsche Kreditwirtschaft, also known as DK (formerly ZKA) for use in specific German finance systems.

    CCA Diagram

    EP11

    EP11 is specifically designed for customers seeking support for open standards and enhanced security. 

    The EP11 library provides an interface very similar to the industry-standard PKCS #11 API. Existing applications using PKCS #11 will benefit from using EP11 as they can be migrated easily to IBM z and by that benefit from enhanced security using secure key cryptography.

    EP11 provides many interesting additions to the PKCS #11 with Login Sessions, attribute bound keys and different operational modes. More information about the EP11 Library can be found in the Enterprise PKCS #11 (EP11) Library structure document. 

    EP11 in version 4.18 (BSI-DSZ-CC-1002) has been certified to meet the requirements of the BSI
    (Federal Office for Information Security in Germany) for conformance with common criteria in version 3.1 (rev. 4) with Evaluation Assurance Level (EAL) 4.  

    EP11 includes these capabilities:

    Cryptographic algorithms, including:

    • Hashing and MAC algorithms: SHA-1, SHA-2 (up to SHA-512), HMAC, CMAC
    • Symmetric Key algorithms: AES (128/192/256 bit) and TDES 
    • RSA (up to 4096 bit) with PKCS #1/SHA-256, PSS SHA-256 padding or with self-hashing
    • EC-DSA/DH for key agreement protocols (NIST Prime curves up to 521 bits and Brainpool curves up to 512 bits) 
    • Hardware-based Digital Random Number Generator (DRNG)

    EP11 is based on the Public-Key Cryptography Standard #11 v2.20. This includes: 

    • Key/Key Pair Generation
    • Encrypt/Decrypt
    • Key Wrap/Unwrap
    • Key Derivation
    • Digest, Sign and Verify operations
    • Get random number
    • Mechanism List and Info operations

    EP11 extensions to the PKCS #11 standard:

    • Bulk encryption and decryption, sign, verify, and hash operations
    • Secure administration interface with the help of the Trusted Key Entry (TKE) console
    • Enhanced protection of keys through the use of attribute bound keys
    • Support for session bound keys, which are bound onto a specific user
    • System audit messages
    • Allowing multi-tenancy by storing secrets outside the HSM in wrapped/MACed form only, thus allowing a large number of users
    • Reduced risk of misuse by using trusted public keys (SPKI)
    • Control points and operational modes allow for fine-granular control of policy and compliance

    Among the standards supported are:

    • Key management and related standards FIPS 197, NIST SP 800-67 Revision 1, FIPS 186-4, NIST SP 800-38A, RFC 3447, ANSI X9.63-2001
    • Random Number Generation according to ISO 18031 and NIST SP 800-90A Revision 1
    • EP11 provides modes compliant to FIPS 140-2 and BSI-CC
    4767_EP11