Order HSM

The IBM 4769 Cryptographic Coprocessor is the latest generation and fastest of the IBM hardware security module (HSM) family. This page describes how to order the HSM.

The IBM 4769 is currently available on:

  1. IBM Z® family z15® mainframes, either on z/OS® or Linux® on IBM Z operating systems, ordered as a Crypto feature code (FC) 0898 or 0899 – Crypto Express 7S (CEX7S).
  2. x64 servers as an IBM Z machine type-model (MTM), on Red Hat® Enterprise Linux (RHEL) 64-bit operating systems. Smart cards are required to manage the IBM 4769. See smart card information below for ordering smart cards and smart card readers.
  3. IBM Power Systems™ POWER10® servers, either on IBM AIX®, IBM i®, or PowerLinux™ (RHEL or SLES) operating systems and IBM POWER9® servers, either on IBM AIX or IBM i operating systems. On IBM AIX and PowerLinux, smart cards are required to manage the IBM 4769. See smart card information below for ordering smart cards and smart card readers.

Note: FCs 0898/0899 are available only on z15 mainframes and require Crypto FC 3863 (CPACF Enablement). CPACF stands for Central Processor Assist for Cryptographic Functions. CPACF is a set of cryptographic instructions providing improved performance through hardware acceleration. You gain the security of the cryptographic hardware by using the CPACF and CEX7S through in-kernel cryptography APIs and, for Linux on IBM Z, the libica cryptographic functions library. Cryptographic keys must be protected by your application system, as required.

[Figure: top diagonal view of the IBM PCIeCC4 HSM, two cards in adapter]

Order a CEX7S for IBM Z

To place an order for the CEX7S feature, contact your IBM Customer Engineer. A minimum of 2 features is required per computer, with a maximum of 60.

Order a 4769-001 for x64

To place an order for a 4769-001, contact the Americas Call Centers, your local IBM representative, or your IBM Business Partner. To identify your local IBM representative or IBM Business Partner, contact the Crypto team.

Order a 4769 for Power Systems

To order the feature for IBM Power Systems (FC EJ35 or EJ37), see the IBM Power Systems website for information. The coprocessor and its software and firmware are obtained as features of the IBM Power Systems and not from this website.

Order smart cards and readers

On x64, IBM AIX, and PowerLinux, smart cards and smart card readers are required to manage and administer the IBM 4769.

  • Identiv smart card readers

    Smart card readers can be ordered from Identiv (SPR332 v2.0 Secure Class 2 PIN Pad Reader, part number 905127-1).
    • Note: IBM cannot guarantee the quality of smart card readers from external sources. Two smart card readers are required because the smart card readers interact during some operations. You may want to consider purchasing one or two additional smart card readers for redundancy.
       
  • IBM smart cards

    IBM smart cards can be ordered from IBM (part number 00RY790, commonly known as blue smart cards). Contact your local IBM representative, your IBM Business Partner, or IBM's Directory of worldwide contacts for information about ordering from IBM in your country. In North America, you can also use the IBM Maintenance Parts retail website to order smart cards.

Note: Two readers and at least two smart cards are required.

  • Two readers are required because there are operations where smart card readers interact with each other.
  • A minimum of two smart cards is needed because you must have a Certificate Authority (CA) smart card and at least one TKE smart card. Please review the Calculate smart card quantity section for details.

If you need to set up your adapter prior to the arrival of your smart cards or readers, IBM provides a utility you can use to complete the setup. The packages for Linux and AIX users are both available for download on the IBM 4769 download site. On the site, choose 4769 Embedded Code Download and click Continue. Then choose the appropriate utility for your operating system.

Note: to access this site, you must obtain and log in with an IBMid. This process is quick and easy. Instructions are on the download site.

Calculate smart card quantity

As stated above, the absolute minimum is two smart cards: one for the CA smart card and one for the TKE smart card.

Important: Although you can manage an HSM with one TKE smart card, this is not recommended. IBM recommends you manage HSMs using dual controls. That requires at least two, and up to five, TKE smart cards in addition to the CA smart card.

Due to the price of smart cards, IBM recommends consideration of the following when purchasing smart cards. These recommendations are to help you minimize smart card cost while maintaining an appropriate level of security.

  • For each enterprise, you need one smart card for the CA smart card.
  • You need two smart cards for dual control user administration.
  • You also need one smart card (and key officer) for each Master Key (MK) part.
    • The minimum number of MK parts is two. IBM recommends two MK parts (and key officers) for test systems and three MK parts (and key officers) for production. For true separation of duties, one key officer should be assigned all of the first MK parts, the second key officer should be assigned all of the second MK parts, and the third key officer should be assigned all of the third MK parts. All of the first MK parts can be on the same smart card. The same is true for MK parts two and three.

Additionally:

  • One set of smart cards (CA + TKE cards) can manage multiple HSMs with the same or different MKs.
  • If your organization has more than one complete set of master keys (such as test and production keys), you must decide how much you want to separate the test and production MK parts from each other.
    • If your security policy requires different people to load the test and production MKs, you may want to keep the MK parts on different sets of TKE smart cards. If you do this, you could create the TKE smart cards using different CA smart cards for an additional level of master key part separation.
    • If your security policy allows the same people to load test and production MKs, you may allow all the first MK parts to be on the same TKE smart card, all the second MK parts to be on the same TKE smart card, and all the third MK parts to be on the same TKE smart card.
  • IBM recommends you back up every smart card. This means you need to purchase twice the number of smart cards required to administer your HSM.

For many cryptographic enterprises, these recommendations lead to the purchase of 12 smart cards.

Contact us

Contact the Crypto team if you need additional assistance.

Some publications for the 4769 are available on the 4769 Library page. Others are available for download on the IBM 4769 download site, including instructions for installing the 4769 in your server and for loading the coprocessor firmware.

Note: to access this site, you must obtain and log in with an IBMid. This process is quick and easy. Instructions are on the download site.