IBM 4767 User manual
4767 PCIe Cryptographic Coprocessor
Installation Manual
IBM
Note
Before using this information and the product it supports, read the information in “Safety and environmental notices” on
page ix and in “Notices” on page 13. Also read IBM Systems Environmental Notices and User Guide, Z125-5823, and IBM
Systems Safety Notices, G229-9054.
First Edition, April 2016
This edition describes installation of the IBM 4767-002 PCIe Cryptographic Coprocessor.
This and other publications related to the IBM 4767-002 PCIe Cryptographic Coprocessor can be obtained in PDF
format from http://www.ibm.com/security/cryptocards.
Readers' comments can be communicated to IBM by using the product support link on the product website at:
http://www.ibm.com/security/cryptocards.
When you send information to IBM, you grant IBM a nonexclusive right to use or distribute the information in any
way it believes appropriate without incurring any obligation to you.
© Copyright IBM Corporation 2016.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract
with IBM Corp.
Contents
Figures ............... v
Tables ............... vii
Safety and environmental notices ... ix
Safety notices .............. ix
World trade safety information ........ xi
Environmental notices ........... xi
Product recycling and disposal ....... xi
Battery return program .......... xii
About this document ........ xv
How this manual is organized ........ xv
Where to find more information ....... xv
Chapter 1. Introduction ........ 1
Contents of the coprocessor package ...... 1
Special considerations for handling and storage... 1
Storage ............... 2
Temperature ............. 2
Batteries ............... 2
Requirements and specifications ........ 2
Hardware requirement .......... 2
Software requirement .......... 2
Power requirements ........... 2
Environmental specifications ........ 3
Physical dimensions ........... 3
Chapter 2. Installing the coprocessor .. 5
Chapter 3. Replacing coprocessor
batteries .............. 7
Chapter 4. Transporting a coprocessor 11
Handling the coprocessor.......... 11
Traveling with a coprocessor......... 11
Traveling internationally with a coprocessor ... 12
Shipping a coprocessor .......... 12
Notices .............. 13
Trademarks .............. 14
Electronic emissions ........... 14
Glossary .............. 19
Index ............... 21
© Copyright IBM Corp. 2016 iii
iv 4767 PCIe Installation
vi 4767 PCIe Installation
viii 4767 PCIe Installation
Safety and environmental notices
Pay close attention to these safety and environmental notices, to ensure safe
handling and disposal of the IBM 4767-002 PCIe Cryptographic Coprocessor and
its batteries.
Safety notices
For safety information in your national language, refer to the IBM Systems Safety
Notices, G229-9054, included in the publications package shipped with the product.
Safety notices may be printed throughout this guide. DANGER notices warn you
of conditions or procedures that can result in death or severe personal injury.
CAUTION notices warn you of conditions or procedures that can cause personal
injury that is neither lethal nor extremely hazardous. Attention notices warn you
of conditions or procedures that can cause damage to machines, equipment, or
programs.
The following DANGER notices appear in this manual:
© Copyright IBM Corp. 2016 ix
Table 1. Danger Notices
Danger Notice D005
DANGER: When working on or around the system, observe the following precautions:
Electrical voltage and current from power, telephone, and communication cables are
hazardous. To avoid a shock hazard:
vIf IBM supplied a power cord(s), connect power to this unit only with the IBM provided
power cord. Do not use the IBM provided power cord for any other product.
vDo not open or service any power supply assembly.
vDo not connect or disconnect any cables or perform installation, maintenance, or
reconfiguration of this product during an electrical storm.
vThe product might be equipped with multiple power cords. To remove all hazardous
voltages, disconnect all power cords.
vConnect all power cords to a properly wired and grounded electrical outlet. Ensure that
the outlet supplies proper voltage and phase rotation according to the system rating
plate.
vConnect any equipment that will be attached to this product to properly wired outlets.
vWhen possible, use one hand only to connect or disconnect signal cables.
vNever turn on any equipment when there is evidence of fire, water, or structural
damage.
vDo not attempt to switch on power to the machine until all possible unsafe conditions
are corrected.
vAssume that an electrical safety hazard is present. Perform all continuity, grounding, and
power checks specified during the subsystem installation procedures to ensure that the
machine meets safety requirements.
vDo not continue with the inspection if any unsafe conditions are present.
vDisconnect the attached power cords, telecommunications systems, networks, and
modems before you open the device covers, unless instructed otherwise in the
installation and configuration procedures.
vConnect and disconnect cables as described in the following procedures when installing,
moving, or opening covers on this product or attached devices.
To disconnect:
1. Turn off everything (unless instructed otherwise).
2. Remove the power cords from the outlets.
3. Remove the signal cables from the connectors.
4. Remove all cables from the devices.
To connect:
1. Turn off everything (unless instructed otherwise).
2. Attach all cables to the devices.
3. Attach the signal cables to the connectors.
4. Attach the power cords to the outlets.
5. Turn on the devices.
vSharp edges, corners and joints may be present in and around the system. Use care
when handling equipment to avoid cuts, scrapes and pinching. (D005)
The following CAUTION notices appear in this manual:
Table 2. Caution Notices
Caution Notice C002
CAUTION: Only trained service personnel may replace this battery. The battery contains
lithium. To avoid possible explosion, do not burn or charge the battery.
Do not: Throw or immerse into water, heat to more than 100°C (212°F), repair or
disassemble. (C002)
x4767 PCIe Installation
World trade safety information
Several countries require the safety information contained in product publications
to be presented in their national languages. If this requirement applies to your
country, safety information documentation is included in the publications package
(such as in printed documentation, on DVD, or as part of the product) shipped
with the product. The documentation contains the safety information in your
national language with references to the U.S. English source. Before using a U.S.
English publication to install, operate, or service this product, you must first
become familiar with the related safety information documentation. You should
also refer to the safety information documentation any time you do not clearly
understand any safety information in the U.S. English publications. Replacement or
additional copies of safety information documentation can be obtained by calling
the IBM Hotline at 1-800-300-8751.
Environmental notices
For environmental information in your national language, refer to the IBM Systems
Environmental Notices and User Guide, Z125-5823, available from the IBM
Knowledge Center found at: http://www.ibm.com/support/knowledgecenter.
Product recycling and disposal
This unit must be recycled or discarded according to applicable local and national
regulations. IBM encourages owners of information technology (IT) equipment to
responsibly recycle their equipment when it is no longer needed. IBM offers a
variety of product return programs and services in several countries to assist
equipment owners in recycling their IT products. Information on IBM product
recycling offerings can be found at: http://www.ibm.com/ibm/environment/products/
index.shtml (C1).
Esta unidad debe reciclarse o desecharse de acuerdo con lo establecido en la
normativa nacional o local aplicable. IBM®a los propietarios de equipos de
tecnología de la información (TI) que reciclen responsablemente sus equipos
cuando éstrecomiendaos ya no les sean útiles. IBM dispone de una serie de
programas y servicios de devolución de productos en varios países, a fin de
ayudar a los propietarios de equipos a reciclar sus productos de TI. Se puede
encontrar información sobre las ofertas de reciclado de productos de IBM en el
sitio web de IBM: http://www.ibm.com/ibm/environment/products/index.shtml. (C1.1)
Notice: These marks on Products apply to countries within the European Union
(EU), Buenos Aires Province, Iceland, India, Nigeria, Norway, and other
jurisdictions requiring this symbol and corresponding product take-back programs.
(C2)
Appliances are labeled in accordance with European Union Directives 2002/96/EC
and 2012/19/EU concerning waste electrical and electronic equipment (WEEE),
Iceland Regulation Number 1104 on Electrical and Electronic Equipment Waste and
Safety and environmental notices xi
Norway Regulations on the Recovery and Treatment of Waste. These requirements
determine the framework for the return and recycling of used appliances as
applicable throughout these countries. This label is applied to various products to
indicate that the product is not to be thrown away, but rather reclaimed upon
end-of-life per the requirements. (C3)
In accordance with the European Waste Electrical and Electronic Equipment
(WEEE) Directive, Norway Regulations on the Recovery and Treatment of Waste,
and other legal requirements in jurisdictions requiring the above product mark or
an electrical and electronic equipment (EEE) take-back program, EEE is to be
collected separately and to be reused, recycled, or recovered at end-of-life. Users of
EEE with the above WEEE marking must not dispose of end-of-life EEE as
unsorted municipal waste, but use the collection framework available to customers
for the return, recycling, and recovery of WEEE. Customer participation is
important to minimize any potential effects of EEE on the environment and human
health due to the potential presence of hazardous substances in EEE. For proper
collection and treatment, contact your local IBM representative. (C4)
For the European Union:
Battery return program
This product may contain a sealed lead acid, nickel cadmium, nickel metal
hydride, lithium, or lithium ion battery. Consult your user manual or service
manual for specific battery information. The battery must be recycled or disposed
of properly. Recycling facilities may not be available in your area. For information
on disposal of batteries outside the United States, go to the Product stewardship
website at http://www.ibm.com/ibm/environment/products/index.shtml or contact your
local waste disposal facility.
In the United States, IBM has established a return process for reuse, recycling, or
proper disposal of used IBM sealed lead acid, nickel cadmium, nickel metal
hydride, and battery packs from IBM equipment. For information on proper
disposal of these batteries, contact IBM at 1-800-426-4333. Have the IBM part
number listed on the battery available prior to your call.
In Taiwan, the following applies:
xii 4767 PCIe Installation
Please recycle batteries
For the European Union:
Notice: This mark applies only to countries within the European Union (EU) and
Norway.
Batteries or packaging for batteries are labeled in accordance with European
Directive 2006/66/EC concerning batteries and accumulators and waste batteries
and accumulators. The Directive determines the framework for the return and
recycling of used batteries and accumulators as applicable throughout the
European Union. This label is applied to various batteries to indicate that the
battery is not to be thrown away, but rather reclaimed upon end of life per this
Directive.
Les batteries ou emballages pour batteries sont étiquetés conformément aux direc-
tives européennes 2006/66/EC, norme relative aux batteries et accumulateurs en
usage et aux batteries et accumulateurs usés. Les directives déterminent la marche
à suivre en vigueur dans l'Union Européenne pour le retour et le recyclage des batte-
ries et accumulateurs usés. Cette étiquette est appliquée sur diverses batteries pour
indiquer que la batterie ne doit pas être mise au rebut mais plutôt récupérée en fin
de cycle de vie selon cette norme.
In accordance with the European Directive 2006/66/EC, batteries and accumulators
are labeled to indicate that they are to be collected separately and recycled at end
of life. The label on the battery may also include a chemical symbol for the metal
concerned in the battery (Pb for lead, Hg for mercury and Cd for cadmium). Users
of batteries and accumulators must not dispose of batteries and accumulators as
unsorted municipal waste, but use the collection framework available to customers
for the return, recycling and treatment of batteries and accumulators. Customer
Safety and environmental notices xiii
participation is important to minimize any potential effects of batteries and
accumulators on the environment and human health due to the potential presence
of hazardous substances. For proper collection and treatment, contact your local
IBM representative.
For California:
Perchlorate Material - special handling may apply.
See http://www.dtsc.ca.gov/hazardouswaste/perchlorate.
The foregoing notice is provided in accordance with California Code of
Regulations Title 22, Division 4.5 Chapter 33. Best Management Practices for
Perchlorate Materials. This product, part or both may include a lithium manganese
dioxide battery which contains a perchlorate substance.
xiv 4767 PCIe Installation
About this document
This manual is written for personnel installing the IBM 4767-002 PCIe
Cryptographic Coprocessor hardware. The coprocessor is a hardware security
module (HSM).
How this manual is organized
This manual is organized as follows:
v“Safety and environmental notices” on page ix describes important general
safety and environmental information.
vChapter 1, “Introduction,” on page 1, describes the contents of the coprocessor
packages; shipping, handling, and storage considerations; and requirements and
specifications of the IBM 4767-002 PCIe Cryptographic Coprocessor.
vChapter 2, “Installing the coprocessor,” on page 5, describes the procedure to
physically install the IBM 4767-002 PCIe Cryptographic Coprocessor.
vChapter 3, “Replacing coprocessor batteries,” on page 7, describes the way to
replace the batteries on the IBM 4767-002 PCIe Cryptographic Coprocessor.
vChapter 4, “Transporting a coprocessor,” on page 11 provides guidance for
shipping or traveling with the IBM 4767-002 PCIe Cryptographic Coprocessor.
v“Notices” on page 13 contains notices for various countries, trademark
information, and information about the product warranty extended by IBM.
A glossary and an index complete the manual.
Where to find more information
Visit the IBM product website at http://www.ibm.com/security/cryptocards to obtain
IBM 4767-related publications. This and other publications are available as Adobe
PDF files that you can read and print with the Adobe Acrobat Reader.
Before installing a coprocessor, check the Approved x86 servers list on the IBM
product website for the approved server list:
http://www.ibm.com/security/cryptocards
Click on the HSM 4767 link in the left sidebar, then click on the Approved x86
servers link in the left sidebar.
© Copyright IBM Corp. 2016 xv
xvi 4767 PCIe Installation
Chapter 1. Introduction
This section details the contents of the IBM 4767-002 PCIe Cryptographic
Coprocessor package, special considerations for handling and storage, and
coprocessor requirements and specifications.
The coprocessor uses dedicated hardware to process cryptographic keys,
certificates, and bulk data. These cryptographic functions are performed within a
tamper-resistant module that is validated to the Federal Information Processing
Standard (FIPS) PUB 140-2 Level 4, as established by the National Institute of
Standards and Technology. This is a standard of detecting and responding to
unauthorized attempts at physical access and security compromise due to
environmental conditions such as voltage and temperature.
Before installing a coprocessor, check the IBM product website for the list of
IBM-approved x86 servers. Refer to “Where to find more information” on page xv.
You can install the coprocessor, a standard height, half-length PCIe adapter card,
only in an IBM-approved x86 server. Refer to “Where to find more information” on
page xv.
Contents of the coprocessor package
Your IBM 4767-002 PCIe Cryptographic Coprocessor coprocessor package includes
the following items:
vThe IBM 4767-002 PCIe Cryptographic Coprocessor
vIBM License Agreement for Machine Code (Contains Form Z125-5468-06),
SC28-6872-03 (multi-language)
vIBM License Agreement for Machine Code Addendum for Cryptography (Contains Form
Z125-8449-01), GC27-2635-00 (multi-language)
vIBM Systems Safety Notices, G299-9054-08
vIBM 4767 and 4765 PCIe Cryptographic Coprocessor Statement of Limited Warranty -
Warranty Information flyer, SC23-6884-01
vNotice to Users of the IBM 4767-002 PCIe Cryptographic Coprocessor, PN
01EL550.
If any item is missing or damaged, contact your local IBM representative.
Special considerations for handling and storage
Each coprocessor is shipped from the factory with a certified device key. This
electronic key, which is stored in the card's battery-backed protected memory,
digitally signs test messages to confirm that the coprocessor is genuine and that no
tampering has occurred.
Note: If any of the secure module’s tamper sensors is triggered by tampering or
accident, the coprocessor erases (zeroizes) all data in the protected memory,
destroying the device key. This renders the coprocessor permanently inoperable,
and there is no recovery from this situation.
© Copyright IBM Corp. 2016 1
The coprocessor cannot operate without the device key. To protect the key, follow
these temperature and battery guidelines:
Storage
It is recommended that an uninstalled coprocessor be kept in its original protective
packaging material. Save this packaging material for future use, especially if the
coprocessor must be transported to another location.
Temperature
Do not expose the coprocessor to temperatures outside the limits in Table 3 on
page 3.
Batteries
Do not remove battery power from the coprocessor. Data in the protected memory
is lost (zeroized) when battery power is removed, rendering the coprocessor
permanently inoperable. For information about replacing the batteries without
erasing the protected memory, see Chapter 3, “Replacing coprocessor batteries,” on
page 7.
Requirements and specifications
The requirements and specification for the coprocessor consist of the necessary
hardware and software, environmental requirements, and physical characteristics.
Hardware requirement
The coprocessor must be installed in a select x86 server from the list of
IBM-approved x86 servers. See notes below. No additional hardware or cabling is
required.
Notes:
1. The full speed USB 2.0 Type A connector is for development use only. It
is not intended for customer use.
2. The two RJ45 connectors are blocked. They are not intended for
customer use.
Software requirement
The coprocessor requires support software, for example, the IBM 4767 CCA
Support Program, for both the host machine and for its internal firmware.
Operating system support is determined by the support software. This publication
does not discuss the installation of support software. For information about the
latest software features available, visit the product website at:
http://www.ibm.com/security/cryptocards
Power requirements
The power requirements for the IBM 4767-002 PCIe Cryptographic Coprocessor
are:
v+12 volt PCIe domain: 20.13 watts maximum
v+3.3 volt PCIe domain: 3.31 watts maximum (including USB external load)
vOn-board batteries: batteries dead less than 2.4 volts; low-battery warning less
than 2.75 volts
24767 PCIe Installation
Environmental specifications
The environmental specifications for the IBM 4767-002 PCIe Cryptographic
Coprocessor are shown in Table 3.
Table 3. Operating, storage, and shipping environmental specifications
Operating
environment Storage environment
Shipping
environment
Temperature +10°C - +35°C
(+50°F - +95°F)
+1°C - +60°C
(+33.8°F - +140°F)
-34°C - +60°C
(-29.2°F - +140°F)
Relative humidity 8 - 80% 5 - 80% 5 - 100%
Wet bulb < +27.0°C (+80.6°F) < +29.0°C (+84.2°F) < +29.0°C (+84.2°F)
Pressure (minimum) 700 mbar (maximum
altitude 10 000 feet)
700 mbar 550 mbar
Physical dimensions
vThe coprocessor is a standard height, half-length PCIe adapter card
v4.376 inches by 6.6 inches (111.15 mm by 167.65 mm).
Chapter 1. Introduction 3
44767 PCIe Installation
Table of contents
Other IBM Computer Hardware manuals
IBM
IBM QLogic 4Gb Fibre Channel Expansion Card User manual
IBM
IBM International ISDN User manual
IBM
IBM 7311-D11 Use and care manual
IBM
IBM Power S1014 User manual
IBM
IBM p5 550 Installation guide
IBM
IBM 55PUS8118 SCSI-2 User manual
IBM
IBM eserver 7210 Manual
IBM
IBM eserver 225 Series User manual
IBM
IBM SA23-1325-01 Guide
IBM
IBM WebSphere DataPower 7198 User manual
IBM
IBM POWERPC 970MP Installation and operating instructions
IBM
IBM 0367 User manual
IBM
IBM Power System 5105-22E User manual
IBM
IBM AIX HACMP SG24-5131-00 Instructions for use
IBM
IBM 6611 User manual
IBM
IBM iSeries 5075 User instructions
IBM
IBM 9332 User manual
IBM
IBM 5280 Manual
IBM
IBM 19K4543 User manual
IBM
IBM 4764 User manual
