IBM 4769 custom programming

Custom software support

The 4769 HSM contains firmware to manage its specialized hardware and to control loading of additional software based on coprocessor-validated digital signatures. Software support includes the embedded Linux® operating system and special device drivers, which provide the platform for application support. Custom applications can be written to run within the HSM, using the internal APIs to perform cryptographic functions. Developing additional functions through User Defined Extensions (UDXs) using CCA as a starting point can be more economical and less time-consuming than creating an entirely new application.

Special key management functions and PIN processing routines are typical extensions.

When an application is substantially different from CCA, or is proprietary, a complete custom application can be built on the embedded Linux environment. Very different approaches to cryptographic processing or even non-cryptographic applications that require a secure processing environment can be developed for the HSM.

Programming custom applications

The 4769 HSM represents a specialized programming environment with its own tools, debug aids, and code release procedures. Rather than learn to create applications for this specialized environment, customers can obtain custom programming services through an experienced IBM team or through selected contractors. IBM is pleased to jointly develop specifications and quote on custom solutions. Please contact the Crypto team for additional information.

Alternatively, IBM offers a toolkit that you can use to create and debug custom applications yourself. Toolkit documentation is listed on the Library page and is available for download in PDF format from the IBM 4769 download site.

IBM Cryptographic Coprocessor Toolkit

IBM offers the Cryptographic Coprocessor Toolkit for the IBM 4769 PCIe Cryptographic Coprocessor. The Toolkit is available as a services offering on a custom contract basis. It can:

  • be used to create or extend the application program that performs within the hardware security module (HSM),
  • enable users to create entirely new applications for the HSM,
  • enable users to extend the functionality of IBM's CCA application program in the form of a user-defined extension (UDX),
  • authenticate programs, and
  • be used to interactively debug applications at the source level running in the HSM using its Interactive Code Analysis Tool (ICAT).


  1. A UDX must be deployed on a 4769 HSM installed on a supported server platform.
  2. The UDX development workstation is supported on certain 64-bit Red Hat® Enterprise Linux® (RHEL) operating systems.
  3. Toolkit coprocessor application code is compiled and linked using the GNU Compiler Collection (gcc).
  4. To learn more about the Toolkit, documentation is available for download in PDF format from the IBM 4769 download site.

Custom application programs are loaded in Segment 3 of the HSM, which is the highest level of the HSM's four memory segments. Firmware loaded in Segment 3 can take full advantage of the embedded Linux operating system to perform security-sensitive tasks, cryptographic operations, or both.

A Toolkit custom contract normally provides education on preparing programs to operate within the HSM, a copy of the Toolkit, follow-up support, and assignment of a unique identifier for user code and certification of code-sign keys. Frequently a contract provides consultation to hasten application development, and sometimes provides for initial development by IBM. As needed, IBM is typically able to bid on development of your custom solution or extension.

Availability of the Toolkit, as well as applications created or extended with it, is subject to the export regulations of the United States Government, and in some cases to the import regulations of other countries.

Please direct Toolkit or UDX inquiries to the Crypto team.

Toolkit sha256sums

Official sha256sums for the workstation 4769 Toolkits
7.2.55 (xSeries Linux)
cctk-7.2.55-20210810.xz: 5e837360495cd06e902e413ba4284fa87d5c2d0c850ef285259fb3906b89f1b5