CEX6S adapter

Download CCA / EP11 software packages

Obtain CCA or EP11 software for the IBM PCIeCC3 (CEX6S) for IBM Z servers running Linux® on this software-package selection page.

IBM PCIeCC3 software

With the purchase of an IBM PCIeCC3 HSM, you also receive IBM’s Common Cryptographic Architecture (CCA) and IBM's Enterprise PKCS #11 (EP11). CCA is described here, and EP11 is described here. A comparison of the capabilities of CCA and EP11 is provided here to help customers choose the product that fits their needs.


IBM CCA provides a comprehensive set of cryptographic functions, including the common AES, TDES, RSA, and ECC functions for data confidentiality and data integrity support.  In addition, CCA features extensive functions for key management and many functions of special interest to the banking and finance industry. Changes and extensions to CCA are described in the "Revision history" section of the IBM CCA Basic Services Reference and Guide.
CCA and the 4767 HSM hardware have been independently reviewed and approved by the German Banking Industry Committee, Die Deutsche Kreditwirtschaft, also known as DK (formerly ZKA) for use in specific German finance systems.

CCA includes these capabilities:

Cryptographic algorithms, including:

  • Symmetric key algorithms: AES (128/192/256 bit), Triple-DES (112/162 bit), DES (56 bit) for data confidentiality, message authentication, key management, financial payment card systems functions, and others
  • Public-key algorithms: RSA (to 4096 bits), Elliptic Curve (NIST Prime curves to 521 bits, Brainpool curves to 512 bits) for digital signatures and key management
  • Hashing algorithms: SHA-1, SHA-2 (224 - 512), MD5, RIPEMD-160, MDC
  • HMAC using SHA-1 or SHA-2
  • Hardware-based prime number generator


Financial cryptography support, including:

  • Designed for HSM certification of Payment Card Industry (PCI) PIN Transaction Security standard (PTS)
    • PCI compliant “mode”
      • DES keys can be Compliance Tagged
      • PCI HSM Key Restrictions enforced for all tagged keys
      • HSM functions restricted to PCI HSM permitted set for tagged keys
    • Audit log secured by the HSM
    • Migration and Warning Modes to support transition to full compliance mode
      • Determine which functions in your application are not PCI HSM compliant
      • Determine which of your keys are not PCI HSM compliant
    • Non-disruptive secure mode transition
      • Keep Master Keys (MKs)
      • Keep running your application
    • Manufactured in an environment compliant with PCI HSM requirements
    • Firmware that enforces compliance
  • Sophisticated key typing and key usage control
  • PIN processing
  • EMV smart card personalization and transaction processing
  • ATM remote key distribution
  • X.509 certificate native support backed by internal Public Key Infrastructure (PKI)
  • Key derivation
  • TR-31 key block support
  • Derived Unique Key Per Transaction (DUKPT)


Relevant standards that are supported (not a complete list):

  • Designed to meet the requirements of PCI PTS HSM Modular Derived Test Requirements, v3.0, June 2016, PCI Security Standards Council LLC
  • Key management: ANSI X9.24 Part 1, ANSI X9.24 Part 2, ANSI TR-31, ANSI X9.8 / ISO 9564, NIST SP 800-108, NIST SP 800-56A, ANSI X9.63, ANSI X9.102
  • Device security and cryptographic algorithm correctness: FIPS 140, ANSI X9.97, ISO 13491
  • Digital signatures: NIST FIPS 186, ANSI X9.62, PKCS #1, ANSI X9.31, ISO 9796
  • Random number generation: NIST SP 800-90A
  • Hashing and HMAC: NIST FIPS 180, NIST FIPS 198
CCA Diagram


EP11 is specifically designed for customers seeking support for open standards and enhanced security. 

The EP11 library provides an interface very similar to the industry-standard PKCS #11 API. Existing applications using PKCS #11 will benefit from using EP11 as they can be migrated easily to IBM z and by that benefit from enhanced security using secure key cryptography.

EP11 provides many interesting additions to the PKCS #11 with Login Sessions, attribute bound keys and different operational modes. More information about the EP11 Library can be found in the Enterprise PKCS #11 (EP11) Library structure document. 

EP11 (BSI-DSZ-CC-1094) has been certified to meet the requirements of the BSI (Federal Office for Information Security in Germany) for conformance with common criteria in version 3.1 (rev. 4) with Evaluation Assurance Level (EAL) 4.

View the IBM EP11 common criteria certificate here.

EP11 includes these capabilities:

Cryptographic algorithms, including:

  • Hashing and MAC algorithms: SHA-1, SHA-2 (up to SHA-512), HMAC, CMAC
  • Symmetric Key algorithms: AES (128/192/256 bit) and TDES 
  • RSA (up to 4096 bit) with PKCS #1/SHA-256, PSS SHA-256 padding or with self-hashing or or OAEP with SHA-1
  • EC-DSA/DH for key agreement protocols (NIST Prime curves to 521 bits, Brainpool curves to 512 bits and the Secpk256k1 curve) 
  • Hardware-based Digital Random Number Generator (DRNG)

EP11 is based on the Public-Key Cryptography Standard #11 v2.20. This includes: 

  • Key/Key Pair Generation
  • Encrypt/Decrypt
  • Key Wrap/Unwrap
  • Key Derivation
  • Digest, Sign and Verify operations
  • Get random number
  • Mechanism List and Info operations

EP11 extensions to the PKCS #11 standard:

  • Bulk encryption and decryption, sign, verify, and hash operations
  • Secure administration interface with the help of the Trusted Key Entry (TKE) console
  • Enhanced protection of keys through the use of attribute bound keys
  • Support for session bound keys, which are bound onto a specific user
  • System audit messages
  • Allowing multi-tenancy by storing secrets outside the HSM in wrapped/MACed form only, thus allowing a large number of users
  • Reduced risk of misuse by using trusted public keys (SPKI)
  • Control points and operational modes allow for fine-granular control of policy and compliance

Among the standards supported are:

  • Key management and related standards FIPS 197, NIST SP 800-67 Revision 1, FIPS 186-4, NIST SP 800-38A, RFC 3447, ANSI X9.63-2001
  • Random Number Generation according to ISO 18031 and NIST SP 800-90A Revision 1
  • EP11 provides modes compliant to FIPS 140-2 and BSI-CC
ep11 Diagram