IBM CEX6S / 4768 library

Product documentation for the IBM 4768 is available in PDF format. To view a PDF document, you need the Adobe® (Adobe Systems Incorporated) Reader®. If you don't have the Reader installed, you can download a complimentary copy from Adobe (link resides outside of

IBM 4768 availability

IBM Z mainframe. The IBM 4768 is available as feature code (FC) 0893 (Crypto Express6S, or CEX6S) on IBM Z mainframes (z14® only), either on z/OS® or Linux® on z Systems® operating systems.

On Linux on IBM Z, IBM offers a CCA API for the CEX6S and a PKCS #11 (EP11) API to the user.

Publications for these installations are discussed below.


The Secure Key Solution manual describes the capabilities of the security application programming interface (API) provided with the CCA Support Program.

Manuals by platform

Platform Manual
Linux on IBM Z IBM Secure Key Solution with the Common Cryptographic Architecture Application Programmer's Guide (PDF, 7 MB)


Independent review of IBM custom key block formats

IBM CCA introduced the first proprietary TDES key block (also known as a key token) to be independently reviewed and confirmed to be compliant with Payment Card Industry (PCI) Security Standard Council (SSC) PIN Security key block requirements from September 2020.

The independent review report is publicly available as required by PCI SSC PIN requirement 18-3. It is posted on the IBM CryptoCards public download site (PDF, 1.1 MB).

For additional information, please see the May 6, 2021 news item on our News page.

CEX6S Enterprise PKCS #11 (EP11)

The EP11 manuals, which describe the library structure and capabilities of the cryptographic API provided with the EP11 Library for Linux on Z, as well as other details, are available on the IBM EP11 download site.

Note: to access this site, you must obtain and log in with an IBMid. This process is quick and easy. Instructions are on the download site.

Related products

The IBM CPACF Enablement crypto feature

The IBM Central Processor Assist for Cryptographic Functions (CPACF) feature, IBM Z feature code 3863, provides hardware acceleration for 290-960 MB/sec bulk encryption rate, AES (128, 192, 256 bit), DES (DEA, TDEA2, TDEA3), SHA-1 (160 bit), and SHA-2 (224, 256, 384, 512 bit).

The IBM Cryptographic Coprocessor Facility (CCF)

The Cryptographic Coprocessor Facility (CCF) is an optional hardware feature that provides high-performance cryptographic capabilities for z/VM®, including DES, Triple-DES, RSA, and various finance-industry-specific cryptographic services. IBM zSeries servers, except the zSeries 990, offer the CCF feature.