4769 Cryptographic Coprocessor

IBM® offers Cryptographic Coprocessors, which are available on a variety of system models. Cryptographic Coprocessors contain hardware engines, which perform cryptographic operations used by IBM i application programs and IBM i TLS transactions.

Note: The IBM 4767 Cryptographic Coprocessor is no longer available, but it is still supported.

The 4769 Cryptographic Coprocessor is available on the Power 9 model as hardware feature EJ35 or EJ37.

Cryptographic Coprocessors can be used to augment your system in the following ways:
  • You can use a Cryptographic Coprocessor to implement a broad range of IBM i based applications. Examples are applications for performing financial PIN transactions, bank-to-clearing-house transactions, EMV transactions for integrated circuit (chip) based credit cards, and basic SET block processing. To do this, you or an applications provider must write an application program, using a security programming interface (SAPI) to access the security services of your Cryptographic Coprocessor. The SAPI for the Cryptographic Coprocessor conforms to IBM's Common Cryptographic Architecture (CCA). The SAPI is contained in the CCA Cryptographic Service Provider (CCA CSP) which is delivered as IBM i Option 35.

    To meet capacity and availability requirements, an application can control up to eight Coprocessors. The application must control access to individual Coprocessors by using the Cryptographic_Resource_Allocate (CSUACRA) and Cryptographic_Resource_Deallocate (CSUACRD) CCA APIs.

  • You can use a Cryptographic Coprocessor along with DCM to generate and store private keys associated with TLS digital certificates. A Cryptographic Coprocessor provides a performance assist by handling TLS private key processing during TLS session establishment.
  • When using multiple Coprocessors, DCM configuration gives you the following options for using hardware to generate and store the private key associated with a digital certificate.
    • The private key is generated in hardware and stored (that is, retained) in hardware. With this option the private key never leaves the Coprocessor, and thus the private key cannot be used by or shared with another Coprocessor. This means that you and your application have to manage multiple private keys and certificates.
    • The private key is generated in hardware and stored in software (that is, stored in a keystore file). This option allows a single private key to be shared among multiple Coprocessors. A requirement is that each Coprocessor must share the same master key. You can use the Clone master keys page to set up your Coprocessors to have the same master key. The private key is generated in one of the Coprocessors and is then saved in the keystore file, encrypted under the master key of that Coprocessor. Any Coprocessor with an identical master key can use that private key.
  • The IBMJCECCAI5OS implementation extends Java™ Cryptography Extension (JCE) and Java Cryptography Architecture (JCA) to add the capability to use hardware cryptography through the IBM Common Cryptographic Architecture (CCA) interfaces. This provider takes advantage of hardware cryptography within the existing JCE architecture and gives Java 2 programmers the security and performance advantages of hardware cryptography with minimal changes to existing Java applications. Because the complexities of hardware cryptography are handled inside the normal JCE framework, applications gain the security and performance of hardware cryptographic devices without dealing with the CCA interfaces directly. The IBMJCECCAI5OS provider plugs into the JCE framework in the same manner as the current providers. For hardware requests, the CCA APIs are called by the provider's native methods. The IBMJCECCAI5OS provider stores CCA RSA key labels, rather than the keys themselves, in a new Java keystore type, JCECCAI5OSKS.
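    The following is an added example, not code from this page or from IBM, showing how an application uses the IBMJCECCAI5OS provider and a JCECCAI5OSKS keystore: it loads the keystore (which holds CCA RSA key labels, not key material), signs data so that the private-key operation is routed to the Coprocessor through the provider, and then verifies the signature with the public key from the matching certificate using the default software provider, which is the interoperability property a TLS peer without a Coprocessor relies on. The provider class name `com.ibm.crypto.hdwrCCA.provider.IBMJCECCAI5OS`, the keystore path, the password and the key alias are assumptions or placeholders; only the provider name and keystore type come from the page.

```java
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.Certificate;
import java.util.Enumeration;

/**
 * Added example (not IBM's code): sign with an RSA key referenced by label in a
 * JCECCAI5OSKS keystore via the IBMJCECCAI5OS provider, then verify the result
 * with the default software provider.
 */
public class HardwareRsaSignExample {

    // Placeholders: replace with your keystore file, its password and the alias
    // (CCA key label) of the key/certificate pair created for your application.
    private static final String KEYSTORE_PATH = "/path/to/hardware.keystore";
    private static final char[] KEYSTORE_PASSWORD = "changeit".toCharArray();
    private static final String KEY_ALIAS = "MYTLSKEY";

    public static void main(String[] args) throws Exception {
        // Register the hardware provider. The class name is an assumption derived
        // from the provider name IBMJCECCAI5OS; check the JDK documentation on your system.
        Provider cca = new com.ibm.crypto.hdwrCCA.provider.IBMJCECCAI5OS();
        Security.addProvider(cca);

        // JCECCAI5OSKS is the keystore type named on the page. It stores CCA RSA key
        // labels, so loading it does not bring private key material into the JVM.
        KeyStore ks = KeyStore.getInstance("JCECCAI5OSKS");
        try (FileInputStream in = new FileInputStream(KEYSTORE_PATH)) {
            ks.load(in, KEYSTORE_PASSWORD);
        }

        // List the labels so an operator can confirm which hardware keys are referenced.
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            System.out.println("label: " + alias + "  keyEntry=" + ks.isKeyEntry(alias));
        }

        // The PrivateKey object is a handle to the label; the CCA operation runs in the Coprocessor.
        PrivateKey hwKey = (PrivateKey) ks.getKey(KEY_ALIAS, KEYSTORE_PASSWORD);
        Certificate cert = ks.getCertificate(KEY_ALIAS);
        if (hwKey == null || cert == null) {
            throw new IllegalStateException("alias " + KEY_ALIAS + " has no key and certificate");
        }

        // Constructed sample input.
        byte[] message = "constructed sample message".getBytes(StandardCharsets.UTF_8);

        // Ask the hardware provider explicitly for the signing operation.
        Signature signer = Signature.getInstance("SHA256withRSA", cca);
        signer.initSign(hwKey);
        signer.update(message);
        byte[] sig = signer.sign();

        // Verify with the public key through the default (software) provider: a
        // signature produced in hardware must be checkable by peers with no Coprocessor.
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(cert.getPublicKey());
        verifier.update(message);
        System.out.println("signature bytes: " + sig.length
                + ", verified by software provider: " + verifier.verify(sig));

        // A modified message must fail verification against the same signature.
        message[0] ^= 0x01;
        verifier.initVerify(cert.getPublicKey());
        verifier.update(message);
        System.out.println("tampered message verifies: " + verifier.verify(sig));
    }
}
```

    Requesting `Signature.getInstance("SHA256withRSA", cca)` with the provider object, rather than relying on provider ordering, makes it explicit that the private-key operation goes to the Coprocessor; verification deliberately uses whatever software provider is default, so the check does not depend on the hardware at all.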
  • Features: Cryptographic Coprocessors contain hardware engines, which perform cryptographic operations used by IBM i application programs and TLS transactions. Each IBM Cryptographic Coprocessor contains a tamper-resistant hardware security module (HSM), which provides secure storage for master keys. The HSM is designed to meet FIPS 140 security requirements. To meet your capacity and high availability needs, multiple Cryptographic Coprocessors are supported. The features information describes in greater detail what the Cryptographic Coprocessors and CCA CSP have to offer.
  • Requirements: Your system must meet some requirements before you can install and use a Cryptographic Coprocessor. Use the requirements page to determine whether you are ready to install and use a Cryptographic Coprocessor on your system.
  • Cryptography hardware concepts: Depending on your familiarity with cryptography, you may need more information about a term or concept. This page explains some basic concepts regarding the cryptographic hardware available for your system, enabling you to better understand how to maximize your usage of cryptography and cryptographic hardware options with your system.
  • Related information: See Related information for additional sources of cryptography information recommended by IBM.