4764 and 4758 Cryptographic Coprocessors

 

IBM® offers two Cryptographic Coprocessors, which are available on a variety of system models. Cryptographic Coprocessors contain hardware engines, which perform cryptographic operations used by i5/OS™ application programs and i5/OS SSL transactions.

The IBM 4764 Cryptographic Coprocessor is available on System i5™ and eServer™ i5 models as hardware feature code 4806. Depending on the model you have, the following table shows the maximum number of Cryptographic Coprocessors supported:

Table 1. Supported number of 4764 Cryptographic Coprocessors

| System models | Maximum per system | Maximum per partition |
|---|---|---|
| System i5 Models 570 8/12/16W, 595 | 32 | 8 |
| eServer i5 Models 520, 550, 570 2/4W | 8 | 8 |

The IBM 4758-023 Cryptographic Coprocessor is available on System i5 and eServer i5 systems as hardware feature code 4801. Depending on the model you have, the following number of Cryptographic Coprocessors are supported:

Table 2. Supported number of 4758 Cryptographic Coprocessors

| System models | Maximum per system | Maximum per partition |
|---|---|---|
| eServer Models 840, 870, 890 and System i5 Models 570 8/12/16W, 595 | 32 | 8 |
| eServer Models 810, 820, 825, 830 and eServer i5 Models 520, 550, 570 2/4W | 8 | 8 |
| eServer i5 Model 800 | 4 | 4 |
| eServer i5 Model 270 | 3 | 3 |

The Cryptographic Coprocessors can be used to augment your system in the following ways:

  • You can use a Cryptographic Coprocessor to implement a broad range of i5/OS based applications. Examples are applications for performing financial PIN transactions, bank-to-clearing-house transactions, EMV transactions for integrated circuit (chip) based credit cards, and basic SET™ block processing. To do this, you or an applications provider must write an application program, using a security programming interface (SAPI) to access the security services of your Cryptographic Coprocessor. The SAPI for the Cryptographic Coprocessor conforms to IBM’s Common Cryptographic Architecture (CCA). The SAPI is contained in the CCA Cryptographic Service Provider (CCA CSP) which is delivered as i5/OS Option 35.

    To meet capacity and availability requirements, an application can control up to eight Coprocessors. The application must control access to each individual Coprocessor by using the Cryptographic_Resource_Allocate (CSUACRA) and Cryptographic_Resource_Deallocate (CSUACRD) CCA APIs.

  • You can use a Cryptographic Coprocessor along with DCM to generate and store private keys associated with SSL digital certificates. A Cryptographic Coprocessor provides a performance assist enhancement by handling SSL private key processing during SSL session establishment.

  • When using multiple Coprocessors, DCM configuration gives you the following options for using hardware to generate and store the private key associated with a digital certificate.

    1. Private key generated in hardware and stored (i.e., retained) in hardware. With this option the private key never leaves the Coprocessor, and thus the private key cannot be used or shared with another Coprocessor. This means that you and your application have to manage multiple private keys and certificates.

    2. Private key generated in hardware and stored in software (i.e., stored in a key store file). This option allows a single private key to be shared amongst multiple Coprocessors. A requirement is that each Coprocessor must share the same master key—you can use “Clone master keys” to set up your Coprocessors to have the same master key. The private key is generated in one of the Coprocessors and is then saved in the key store file, encrypted under the master key of that Coprocessor. Any Coprocessor with an identical master key can use that private key.
    See “Manage multiple Cryptographic Coprocessors” for more information regarding the management of multiple Cryptographic Coprocessors.
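The difference between the two DCM storage options above can be seen in a small model. This is an added illustration, not IBM code and not the CCA API: the `Coprocessor` class, its methods, the HMAC-based wrapping, the use of HMAC in place of a private-key signature, and the label `SSLKEY1` are all assumptions made for the example.

```python
import hashlib, hmac, os

class Coprocessor:
    """Toy model: the master key and retained keys never leave the object."""
    def __init__(self):
        self._mk = os.urandom(32)      # master key, held inside the HSM
        self._retained = {}            # option 1: label -> private key

    def clone_master_key_to(self, other):
        other._mk = self._mk           # stand-in for "Clone master keys"

    def _pad(self, nonce):             # 32-byte keystream derived from the master key
        return hmac.new(self._mk, b"enc" + nonce, hashlib.sha256).digest()

    def _tag(self, nonce, ct):         # integrity tag binding the token to the master key
        return hmac.new(self._mk, b"mac" + nonce + ct, hashlib.sha256).digest()

    def generate_retained(self, label):
        self._retained[label] = os.urandom(32)
        return label                   # only a label leaves the device

    def generate_for_key_store(self):
        key, nonce = os.urandom(32), os.urandom(16)
        ct = bytes(x ^ y for x, y in zip(key, self._pad(nonce)))
        return nonce + ct + self._tag(nonce, ct)   # safe to write to a key store file

    def sign(self, key_ref, message):
        if isinstance(key_ref, str):   # retained key: must exist on this device
            if key_ref not in self._retained:
                raise KeyError("key is retained in a different Coprocessor")
            key = self._retained[key_ref]
        else:                          # key store token: needs the wrapping master key
            nonce, ct, tag = key_ref[:16], key_ref[16:48], key_ref[48:]
            if not hmac.compare_digest(tag, self._tag(nonce, ct)):
                raise ValueError("token is not wrapped under this master key")
            key = bytes(x ^ y for x, y in zip(ct, self._pad(nonce)))
        return hmac.new(key, message, hashlib.sha256).digest()  # stand-in for a signature

def try_sign(cop, key_ref, message=b"constructed sample message"):
    """Return the signature, or the name of the error the Coprocessor raised."""
    try:
        return cop.sign(key_ref, message)
    except (KeyError, ValueError) as exc:
        return type(exc).__name__
```

In this model a key store token works on any Coprocessor that received the cloned master key and fails on one that did not, while a retained key works only on the Coprocessor that generated it.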

  • Features: Cryptographic Coprocessors contain hardware engines, which perform cryptographic operations used by i5/OS application programs and i5/OS SSL transactions. Each IBM Cryptographic Coprocessor contains a tamper-resistant hardware security module (HSM) which provides secure storage for master keys. The HSM is designed to meet FIPS 140 security requirements. To meet your capacity and high availability needs, multiple Cryptographic Coprocessors are supported. The features information describes in greater detail what the Cryptographic Coprocessors and CCA CSP have to offer.

  • Requirements: Your system must meet some requirements before you can install and use a Cryptographic Coprocessor. Use the requirements page to determine whether you are ready to install and use a Cryptographic Coprocessor on your system.

  • Cryptography concepts: Depending on your familiarity with cryptography, you may need more information about a term or concept. This page introduces you to some basic cryptographic concepts.

  • Related information: See Related information for additional sources of cryptography information recommended by IBM.

  • Cryptographic hardware concepts
    To better understand how to maximize your usage of cryptography and cryptographic hardware options with your system running the i5/OS operating system, this topic provides basic concepts regarding cryptographic hardware.

  • Features
    Cryptographic Coprocessors provide cryptographic processing capability and a means to securely store cryptographic keys. You can use the Coprocessors with i5/OS SSL or with i5/OS application programs written by you or an application provider. Cryptographic functions supported include encryption for keeping data confidential, message digests and message authentication codes for ensuring that data has not been changed, and digital signature generation and verification. In addition, the Coprocessors provide a rich set of basic services for financial PIN, EMV, and SET applications.

  • Cryptographic Coprocessor scenarios
    To give you some ideas of how you can use this cryptographic hardware with your system running the i5/OS operating system, read these usage scenarios.

  • Planning for the Cryptographic Coprocessor
    This information is pertinent to those planning to install an IBM Cryptographic Coprocessor in their system running the i5/OS operating system.

  • Configuring the Cryptographic Coprocessor
    Configuring your Cryptographic Coprocessor allows you to begin to use all of its cryptographic operations. To configure the Cryptographic Coprocessor on your system running the i5/OS operating system, you can either use the Cryptographic Coprocessor configuration web-based utility or write your own application.

  • Migrating to the Cryptographic Coprocessor
    If you have worked with cryptography before, you may have a requirement to migrate from a previous cryptography product to the 4764 or 4758 Cryptographic Coprocessor.

  • Managing the Cryptographic Coprocessor
    After you set up your Cryptographic Coprocessor, you can begin writing programs to make use of your Cryptographic Coprocessor's cryptographic functions. This section is mainly for i5/OS application use of the Cryptographic Coprocessor.
