Learn about the specifications, requirements, and installation notes for the 4764 PCI-X Cryptographic Coprocessor.
The adapter for the PCI-X Cryptographic Coprocessor provides applications with cryptographic processing capability and a means to securely store cryptographic keys. Cryptographic functions available include encryption for keeping data confidential, message digests and message authentication codes for ensuring that data has not been changed, and digital signature generation and verification for authentication. In addition, the coprocessor provides basic services for financial PIN, EMV, and SET applications. The coprocessor can also serve as an accelerator for the establishment of new SSL sessions.
The adapter is designed to meet FIPS PUB 140-2 Security Level 4 requirements.
Specifications and requirements
- Item
- Description
- FRU number
- 41U0442* or 12R6540**
- * Designed to comply with the RoHS requirement.
  ** Not designed to comply with the RoHS requirement.
- Battery kit
- 41V1061, kit contains two batteries and a battery tray.
- Adapter type
- Short, 64-bit, 3.3 V, PCI version 2.2, PCI-X version 1.0
- Placement information
- For system-specific adapter placement information, see the PCI adapter placement for machine types 82xx and 91xx or the PCI adapter placement for machine type 94xx topic collections.
- Environmental requirements
Attention: The PCI-X Cryptographic Coprocessor must be shipped, stored, and used within the following environmental specifications. If these specifications are not met, the 4764 tamper sensors can be activated and render the 4764 permanently inoperable.
Shipping
Ship the adapter in the original packaging (moisture barrier bag with desiccant and thermally insulated box with gel packs).
- Temperature when shipping: +5 degrees F (-15 degrees C) to +140 degrees F (+60 degrees C)
- Pressure when shipping: minimum 550 mbar, maximum 1039 mbar
- Humidity when shipping: 5% to 100% RH
Storage
Store the adapter in a sealed moisture barrier bag with desiccant.
- Temperature in storage: +38.8 degrees F (+1 degrees C) to +140 degrees F (+60 degrees C)
- Pressure in storage: minimum 700 mbar, maximum 1039 mbar
- Humidity in storage: 5% to 80% RH
Operation (ambient in system)
- Temperature while operating: +50 degrees F (+10 degrees C) to +104 degrees F (+40 degrees C)
- Humidity while operating: 8% to 80% RH
- Altitude while operating: maximum 7000 feet, equivalent to 768 mbar
- Handling requirements
- Each PCI-X Cryptographic Coprocessor is shipped from the factory with a certified device key. This electronic key, which is stored in the adapter's battery-powered and protected memory, digitally signs status messages to confirm that the PCI Cryptographic Coprocessor is genuine and that no tampering has occurred.
If any of the secure module's tamper sensors are triggered by tampering or by accident, the PCI-X Cryptographic Coprocessor erases all data in the protected memory, including the certified device key. Incorrect removal of the batteries triggers the tamper sensors and destroys the certified device keys. The PCI Cryptographic Coprocessor cannot operate without the certified device keys. To protect the keys, follow the guidelines given in the documentation provided with the coprocessor.
Attention: The batteries keep the coprocessor powered on even
when it is not installed in a system. When handling, installing, or
removing the adapter, do not let the adapter circuits come in contact
with any conductive surface or tools. Doing so can render the adapter
permanently inoperable.
Do not remove the adapter's batteries.
Data in the protected memory is lost when battery power is removed.
For information about replacing the batteries, see Replacing the batteries.
Attention: While installing the coprocessor, observe the following
precautions:
- The coprocessor is always powered by the batteries, even when
it is not installed in the system.
- The battery power is necessary to keep the coprocessor operational.
- The loss of battery power or a voltage drop triggers a Tamper
Event and permanently renders the coprocessor inoperable.
- Any short on the battery power distribution circuits causes a
voltage drop and a Tamper Event.
- Do not lay the coprocessor on or cause the coprocessor to come
in contact with any conductive surface.
- Do not touch the coprocessor circuits with metal or conductive
tools.
- Use static-protective measures at all times when handling the
coprocessor.
- Operating system or partition requirements
- AIX 5L™ Version 5.2 with the 5200-09 Technology Level, or later
- AIX 5L Version 5.3 with the 5300-05 Technology Level, or later
If you are installing a new feature, ensure that you have the software required to support the new feature and that you determine if there are any existing prerequisites. To do this, use the IBM® Prerequisite Web site at http://www-912.ibm.com/e_dir/eServerPrereq.nsf .
- Required software or drivers
- AIX®: devices.pci.1410e501 device driver package
- Linux: No Linux support
- Required firmware
- CD form number LCD8-0477-00 contains functional firmware and
must be purchased with the adapter.
- PKCS11 support program installation
- The 4764 PCI-X Cryptographic Coprocessor PKCS#11 Support Program Installation Manual is included on the CD that is shipped with the adapter. The manual is contained in the csufx.xcrypto.man file set.
- CCA support program installation
- The 4764 PCI-X Cryptographic Coprocessor CCA Support Program Installation Manual is included on the CD that is shipped with the adapter. The manual is contained in the csufx.xcrypto.man file set.
Preparing for installation
If you are installing your operating system at this time, install your adapter before you install the operating system. See Installing the adapter for instructions.
If you are installing only the device driver for this adapter, install your device driver software before you install the adapter. See Installing the device driver software for instructions.
Installing the device driver software
This section explains how to install device driver software. The device driver is provided for the following AIX 5L technology levels:
- AIX 5L Version 5.2 with the 5200-09 Technology Level
- AIX 5L Version 5.3 with the 5300-05 Technology Level
To install device driver software, do the following steps:
- Log in to the system unit as root user.
- Insert the media containing the device driver software (for example, CD) into the appropriate media device.
- Type the following System Management Interface Tool (SMIT) fast
path: smitty devinst
- Press Enter. The Install Additional Device Software menu highlights
the INPUT device or directory for software option.
- Select or type your input device by doing one of the following actions:
  - Press F4 to display the input device list and select the name of the device (for example, CD-ROM) that you are using and press Enter.
  - In the entry field, type the name of the input device you are using and press Enter. The Install Additional Device Software window highlights the SOFTWARE to install option.
- Press F4 to display the SOFTWARE to install window.
- Enter / to display the Find window.
- For the adapter, type the following device package name: devices.pci.1410e501
- Press Enter. The system finds and highlights this device driver
software.
- Press F7 to select the highlighted device driver software.
- Press Enter. The INSTALL ADDITIONAL DEVICE SOFTWARE menu displays.
The entry fields are automatically updated.
- Press Enter to accept the information. The ARE YOU SURE menu displays.
- Press Enter to accept the information. The COMMAND STATUS menu
displays.
- The term RUNNING is highlighted to indicate that the installation
and configuration command is in progress.
- When RUNNING changes to OK, scroll to the bottom of the page and
locate the Installation Summary.
- After a successful installation, SUCCESS displays in the Result
column of the Installation Summary at the bottom of the display.
- Remove the installation media from the drive.
- Press F10 to exit SMIT.
- Verify the device driver. See Verifying the device driver.
- Install the adapter. See Installing the adapter.
Verifying the device driver
To verify that the device driver for the adapter is installed, do the following steps:
- If necessary, log in as root user.
- At the command line, enter: lslpp -l devices.pci.1410e501.rte
- Press Enter.
If the adapter device driver is installed, data similar to the following example is displayed:
Fileset | Level | State | Description
Path: /usr/lib/objrepos
devices.pci.1410e501.rte | 5.2.0.95 | COMMITTED | Cryptographic Coprocessor
Verify that the devices.pci.1410e501.rte file set is at level 5.2.0.95 or later.
If no data is displayed, the adapter device driver did not install correctly. Reinstall the driver.
Installing the adapter
Attention: While installing the coprocessor, observe the following
precautions:
- The coprocessor is always powered by the batteries, even when
it is not installed in the system.
- The battery power is necessary to keep the coprocessor operational.
- The loss of battery power or a voltage drop triggers a Tamper
Event and permanently renders the coprocessor inoperable.
- Any short on the battery power distribution circuits causes a
voltage drop and a Tamper Event.
- Do not lay the coprocessor on or cause the coprocessor to come
in contact with any conductive surface.
- Do not touch the coprocessor circuits with metal or conductive
tools.
- Use static-protective measures at all times when handling the
coprocessor.
For instructions on how to install PCI adapters, refer to the PCI adapters topic.
After you have installed the adapter, verify the adapter installation.
Verifying the adapter installation
To verify that your system unit recognizes the PCI adapter, do the following steps:
- If necessary, log in as root user.
- At the command line, type: lsdev -Cs pci
- Press Enter.
A list of PCI devices displays. If the adapter is installed
correctly, an Available status for each port indicates that the adapter
is installed and ready to use. If the message on your display indicates
that any of the ports are DEFINED instead of AVAILABLE, shut down
the system and verify that the adapter was installed correctly. The
adapters appear as Crypt0, Crypt1, and so on.
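The driver-level check and the adapter-state check described above can be scripted so that they run the same way after every install or battery service. The following is an added example, not part of the IBM documentation; the function names are hypothetical and the sample command output, including location codes, is constructed.

```shell
#!/bin/sh
# Added example: scripted form of the driver-level and adapter-state checks.
FILESET="devices.pci.1410e501.rte"
MIN_LEVEL="5.2.0.95"    # minimum level stated on this page

# version_ge A B: succeed if dotted level A >= B, comparing fields as numbers
# (so 5.2.0.100 is later than 5.2.0.95, which a string compare gets wrong).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# driver_level: read `lslpp -l` output on stdin, print the fileset's level.
driver_level() { awk -v f="$FILESET" '$1 == f { print $2; exit }'; }

# driver_ok: fail when no fileset line is present or the level is too old.
driver_ok() {
    level=$(driver_level)
    [ -n "$level" ] && version_ge "$level" "$MIN_LEVEL"
}

# crypt_not_available: read `lsdev -Cs pci` output, list CryptN devices
# whose status column is anything other than Available (for example Defined).
crypt_not_available() {
    awk '$1 ~ /^Crypt[0-9]+$/ && $2 != "Available" { print $1 }'
}

# Constructed sample output (location codes and descriptions are made up).
SAMPLE_LSLPP='  Fileset                      Level  State      Description
  ----------------------------------------------------------------------------
Path: /usr/lib/objrepos
  devices.pci.1410e501.rte   5.2.0.95  COMMITTED  Cryptographic Coprocessor'
SAMPLE_LSDEV='Crypt0 Available 03-08 Cryptographic Coprocessor
Crypt1 Defined   04-08 Cryptographic Coprocessor'

# On AIX: lslpp -l "$FILESET" | driver_ok ; lsdev -Cs pci | crypt_not_available
if printf '%s\n' "$SAMPLE_LSLPP" | driver_ok; then
    echo "driver: $FILESET at $MIN_LEVEL or later"
else
    echo "driver: missing or below $MIN_LEVEL, reinstall"
fi
for dev in $(printf '%s\n' "$SAMPLE_LSDEV" | crypt_not_available); do
    echo "adapter: $dev is not Available, shut down and verify installation"
done
```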
Running coprocessor diagnostics
Diagnostics are provided with the device driver software.
If you remove a cryptographic adapter and do not replace it, and you run diagnostics on the remaining cryptographic adapters, the results might not be correct. As a result, always run the cfgmgr -v command after removing a cryptographic adapter.
Replacing the batteries
Two lithium batteries that are mounted on the adapter supply power to the adapter's components, including protected memory. Support software or application software can query the coprocessor to determine whether the batteries need to be replaced. When the batteries need replacing, have the procedure done by trained service providers using the 41V1061 Battery kit for the 4764.
CAUTION:
Only trained service personnel may replace this battery. The battery contains lithium. To avoid possible explosion, do not burn or charge the battery.
Do Not:
- Throw or immerse into water
- Heat to more than 100 degrees C (212 degrees F)
- Repair or disassemble
Exchange only with the IBM-approved part. Recycle or discard the battery as instructed by local regulations. In the United States, IBM has a process for the collection of this battery. For information, call 1-800-426-4333. Have the IBM part number for the battery unit available when you call. (C002)
The Battery Replacement Kit includes:
- Two replacement batteries
- A battery tray with connecting wires
- Two sets of spare battery attention labels
To replace the batteries, follow these steps:
- Turn off the computer and all attached devices.
- Disconnect all cables, including the power cable.
CAUTION:
The battery is a nickel-cadmium battery.
To avoid possible explosion, do not burn. Exchange only with the IBM-approved part.
Recycle or discard the battery as instructed by local regulations.
In the United States, IBM has a process for the
collection of this battery. For information, call 1-800-426-4333.
Have the IBM part number for the battery unit available when you
call. (C005)
- Remove the cover from the expansion slots according to the directions
provided with your computer.
- Open the Battery Replacement Kit.
Attention: Electrostatic discharge (ESD) can damage the card and its components. Wear an ESD wrist strap while handling and installing the card, or take the following precautions:
- Limit your movements; this helps prevent static electricity from building up around you.
- Prevent others from touching the card or other components.
- Handle the card by its edges only. Do not touch exposed circuitry
and components.
- Remove the card from the bus slot in the host computer.
- Insert one of the new batteries into the battery tray provided
with the kit. Align the + on the battery with the + on the battery
tray (the end with the red wire). Connect the tray wires to the J10
connector located near the RS-232 serial port, as shown in Figure 1. The connector is polarized to ensure
a proper connection.
Attention: Any loss of power erases
data stored in the card's protected memory. To prevent loss, ensure
that the battery tray contains a fresh battery and is attached to
the J10 connector.
- Remove the battery attention labels from the battery holders on
the card. These labels can be torn off and discarded. They are to
be replaced by the spare labels included in the kit.
- Remove the battery from the BT1 position. To eject the battery,
turn the coprocessor over and insert a small object, such as a screwdriver,
through the hole to eject the battery.
- Replace the battery in the BT1 position with a new battery.
- Replace the battery in the BT2 position with the battery in the
battery tray. The new battery already installed in the BT1 position
provides power to the adapter while you perform this step.
- Remove the battery holder from the J10 connector.
- Reapply the spare battery attention labels onto the holders on
the card covering the batteries.
- Reinstall the coprocessor into the PCI-X bus slot, and be sure
the card is fully seated.
- Replace the host computer's cover.
- Reconnect the power cable and any other cables you disconnected.
- Power on the computer. The card runs its power on self-test (POST).
- Reinstall the adapter.
Connectors
Table 1. Connectors and jumpers on the PCI-X Cryptographic Coprocessor
Connectors | Name of jumper | Default position
J7 | PCI-X EEPROM write | Jumper installed
J8 | External intrusion latch disable | Jumper not installed
J9 | Battery disconnect wire | Jumper (wire loop) installed
J10 | Temporary-battery connector | Jumper not installed
J11 | External intrusion latch | Jumper not installed
Figure 1. Front side of the adapter
Figure 2. Back side of the adapter