Advanced Crypto Service Provider

A remote crypto services solution

With increasing focus on regulatory requirements such as PCI-DSS and PCI PIN Requirements, the need for access to cryptographic hardware in both distributed and mainframe environments has also increased. But cryptographic hardware is expensive, and so is the management of it, especially when the crypto hardware is in both distributed and mainframe environments. So how about centralizing the cryptographic capabilities - Or even better, begin the leveraging the full potential of already existing hardware?

ACSP is a remote crypto services solution that enables applications in distributed environments with access to cryptographic hardware over the network. ACSP enables cost effective use of available cryptographic capacity, easy deployment of cryptographic services, and easier key management because the cryptographic key material is centralized and thereby easier to manage.


The IBM DKMS ACSP solution consists of two components, a server component and client component. The client exposes the standard IBM CCA interface or a PKCS#11 interface mapped to CCA. The client provides the business application with a transparent access to the cryptographic services on a centrally managed server equipped with cryptographic hardware.


ACSP Client

The ACSP Client exposes the standard IBM CCA interface, a PKCS#11 interface and a JCE provider to the business applications. The IBM CCA interface is available as a Java and C interface.

ACSP Server

On arrival of a new request from a business application, the ACSP server schedules and performs the operation in the hardware, subsequently the response is transferred back to the requesting application via ACSP. All operations coming through the server are monitored so statistics can be made and acted upon. The server runs on all platforms supporting IBM cryptographic hardware:

Application development and test

Application developers can write their applications on windows or linux platforms calling the right CCA crypto functions that exist on system z. When the application is tested it can be deployed on z without changing the crypto. This also means that the keys to be used can be generated by the system z key management system like EKMF/DKMS the right way from start. Further applications can be tested with the right access controls early in the process. Having the right functions and keys available is crucial –whereas performance doesn't really matter in this context.


ACSP is using a client and server authenticated TLS connection over TCP.

Performance and Load Balancing

ACSP imposes practically no reduction in crypto capacity compared to direct utilization. However the response time is influenced by network latency, so the actual performance depends on the quality of the network available. To reduce the impact of network latency it is possible to aggregate crypto commands that are logically called in sequence to one single command. With the ACSP Server installed on zOS on z Systems the ACSP Server (Java) workload can be handled by any ZIIP processors available.

Key Management

To fully leverage the advantage of having a centralized infrastructure for hardware based cryptography, an efficient key management system is needed to maintain and synchronize the key stores on the ACSP servers. The IBM EKMF Enterprise Key Management system is such a system. For more information about IBM EKMF, please refer to

Need More Info?

For more information, contact

Ready to buy?

Contact your local IBM representative or the IBM Crypto Competence Center Copenhagen directly at