How to Order

This page provides information about how to place an order for an IBM Cryptographic HSM.

IBM 4769 / CEX7S

IBM Systems offers high-end, high-performance hardware security modules (HSMs) which provide a flexible solution suitable for high-security processing and cryptographic operations to address your cryptographic needs.

It is available on these platforms:
  • IBM Z® mainframes (z15® only) as FC 0898/0899 (CEX7S),
  • IBM Power Systems® as FC EJ35 / EJ37, and
  • appropriate x64 servers as MTM 4769-001.

Order HSM

The IBM 4769 Cryptographic Coprocessor is the latest generation and fastest of the IBM hardware security module (HSM) family. This page describes how to order the HSM.

The IBM 4769 is currently available on:
  • IBM Z® family z15® mainframes, either on z/OS® or Linux® on IBM Z operating systems, ordered as a Crypto feature code (FC) 0898 or 0899 – Crypto Express 7S (CEX7S).
  • x64 servers as an IBM Z machine type-model (MTM), on Red Hat® Enterprise Linux (RHEL) 64-bit operating systems. Smart cards are required to manage the IBM 4769. See smart card information below for ordering smart cards and smart card readers.
  • IBM Power Systems™ POWER10® servers, either on IBM AIX®, IBM i®, or PowerLinux™ (RHEL or SLES) operating systems and IBM POWER9® servers, either on IBM AIX or IBM i operating systems. On IBM AIX and PowerLinux, smart cards are required to manage the IBM 4769. See smart card information below for ordering smart cards and smart card readers.
Note: FCs 0898/0899 are only available on z15 mainframes and require Crypto FC 3863 (CPACF Enablement). CPACF stands for Central Processor Assist for Cryptographic Functions. CPACF is a set of cryptographic instructions providing improved performance through hardware acceleration. Using the cryptographic hardware, you gain security from using the CPACF and CEX7S through in-kernel cryptography APIs and, for Linux on IBM Z, the libica cryptographic functions library. Cryptographic keys must be protected by your application system, as required.

Order a CEX7S for IBM Z

To place an order for the CEX7S feature, contact your IBM Customer Engineer. A minimum of 2 features is required per computer, with a maximum of 60.

Order a 4769-001 for x64

To place an order for a 4769-001, contact your Americas Call Centers, local IBM representative, or your IBM Business Partner. To identify your local IBM representative or IBM Business Partner, see Contact Cryptocards to contact the Cryptocards team.

Order a 4769 for Power Systems

To order the feature for IBM Power Systems (FC EJ35 or EJ37), see the IBM Power Systems website for information. The coprocessor and its software and firmware are obtained as features of the IBM Power Systems and not from this website.

Order smart cards and readers

On x64, IBM AIX, and PowerLinux, smart card readers are required to manage and administer the IBM 4769.
  • Identiv smart card readers

    Smart card readers can be ordered from Identiv (SPR332 v2.0 Secure Class 2 PIN Pad Reader, part number 905127-1).
    Note: IBM cannot guarantee the quality of smart card readers from external sources. Two smart card readers are required because the smart card readers interact during some operations. You may want to consider purchasing one or two additional smart card readers for redundancy.
  • IBM smart cards

    IBM smart cards can be ordered from IBM (part number 00RY790, commonly known as blue smart cards). Contact your local IBM representative or your IBM Business Partner, or see IBM's Directory of worldwide contacts, for information about ordering from IBM in your country. In North America, you can also use the IBM Maintenance Parts retail website to order smart cards.

Note: Two readers and at least two smart cards are required.
  • Two readers are required because there are operations where smart card readers interact with each other.
  • A minimum of two smart cards are needed because you must have a Certificate Authority (CA) smart card and at least one TKE smart card. Please review the Calculate smart card quantity section for details.
If you need to set up your adapter prior to the arrival of your smart cards or readers, IBM provides a utility you can use to complete the setup. The packages for Linux and AIX users are both available for download on the IBM 4769 download site. On the site, choose 4769 Embedded Code Download and click Continue. Then choose the appropriate utility for your operating system.
Note: To access this site, you must obtain and log in with an IBMid. This process is quick and easy. Instructions are on the download site.

Calculate smart card quantity

As stated above, the absolute minimum is two smart cards: one for the CA smart card and one for the TKE smart card.
Note: Although you can manage an HSM with one TKE smart card, this is not recommended. IBM recommends you manage HSMs using dual controls. That requires at least two, and up to five, TKE smart cards in addition to the CA smart card.
Due to the price of smart cards, IBM recommends consideration of the following when purchasing smart cards. These recommendations are to help you minimize smart card cost while maintaining an appropriate level of security. This table includes examples of security policies and the smart cards required to implement those policies (not an exhaustive list).

| Dual Control for Crypto Module Administration | Number of MK Part Holders | CA Card *Always Required* | Separate Test and Production Crypto Module Environments | Make Backups of Smart Cards | Total Smart Cards Required |
|---|---|---|---|---|---|
| No - 1 (not recommended) | 0 - combine module administrator and MK part holder duties (not recommended) | 1 | No | No | 2 |
| No - 1 (not recommended) | 1 (not recommended) | 1 | No | No | 3 |
| Yes - 2 | 3 | 1 | No | No | 6 |
| Yes - 2 | 2 | 1 | No | No | 5 |
| Yes - 2 | 3 | 1 | No | Yes | 12 |
| Yes - 2 | 2 | 1 | No | Yes | 10 |
| Yes - 2 | 3 | 1 | Yes | No | 12 |
| Yes - 2 | 2 | 1 | Yes | No | 10 |
| Yes - 2 | 3 | 1 | Yes | Yes | 24 |
| Yes - 2 | 2 | 1 | Yes | Yes | 20 |

Contact us

Contact the Crypto team if you need additional assistance.

Some publications for the 4769 are available on the IBM Docs 4769 Cryptographic Coprocessor Page. Others are available for download on the IBM 4769 download site, including instructions for installing the 4769 in your server and for loading the coprocessor firmware.

Note: To access this site, you must obtain and log in with an IBMid. This process is quick and easy. Instructions are on the download site.