DataPower Appliances & HSMs

I’ve been in a couple of shops that have used the HSM module option of DataPower for FIPS 140-2 v2 or v3 compliance.  An HSM is a Hardware Security Module.  My understanding is that there is a short list of IBM customers that are using this technology.  I thought collecting all the information and links I have about the DataPower HSM would be helpful to someone researching the topic.

The HSM module feature is available in XS40s, XI50s, XG45s, and XI52s.  It may be available in other members of the DataPower family, but I haven’t used them.

I’ve talked with people who claim that a certain company’s HSM product is used in DataPower appliances, but I haven’t been able to find any information online to corroborate it; so, I’m not posting it here.

The HSM manual that I’ve seen is here.  There should be newer versions for more recent firmware revisions; however, I don’t believe much has changed since 3.8.x.

An IBM FAQ on the topic is here.

Additional information for correctly ordering a DataPower appliance with the HSM module can be found here.  Note that the HSM module option is only available at initial ordering.  It cannot be added to an existing appliance later.

A general discussion of HSMs can be found here.

The FIPS 140-2 standard is a NIST specification for cryptographic technology.  DataPower is compliant with this specification.  I believe the FIPS 140-2 spec refers to “Level 2” and “Level 3” rather than v2 and v3.

Typically, DataPower RBM (role-based management) is configured, backed by a remote user store such as LDAP, to grant a Security Administrator role the ability to perform operations on the HSM module.
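To make the access-control idea concrete, here is an added example (not DataPower's own RBM configuration, whose syntax is not reproduced here) that models the same chain: group membership from a remote user store decides the role, and only the Security Administrator role is granted HSM operations, with everything else denied by default and every decision recorded for audit. The user names, group DNs, role names and resource/action names are all assumptions made for the illustration, and the directory is a constructed in-memory stand-in for LDAP.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed stand-in for the remote user store (LDAP): user -> group DNs.
# The users and DNs are assumptions made for this example.
LDAP_GROUPS: Dict[str, List[str]] = {
    "alice": ["cn=dp-security-admins,ou=groups,dc=example,dc=com"],
    "bob":   ["cn=dp-developers,ou=groups,dc=example,dc=com"],
    "carol": [],  # authenticated, but a member of no mapped group
}

# Group DN -> role name.  Role names are assumed, not DataPower's own.
GROUP_TO_ROLE: Dict[str, str] = {
    "cn=dp-security-admins,ou=groups,dc=example,dc=com": "security-admin",
    "cn=dp-developers,ou=groups,dc=example,dc=com": "developer",
}

# Role -> allowed (resource, action) pairs.  HSM operations appear only
# under security-admin; any pair not listed is denied.
ROLE_POLICY: Dict[str, Set[Tuple[str, str]]] = {
    "security-admin": {
        ("hsm", "initialize"),
        ("hsm", "key-import"),
        ("hsm", "key-export"),
        ("domain", "read"),
    },
    "developer": {
        ("domain", "read"),
        ("domain", "write"),
    },
}


@dataclass(frozen=True)
class AuditEntry:
    user: str
    roles: Tuple[str, ...]
    resource: str
    action: str
    allowed: bool


AUDIT_LOG: List[AuditEntry] = []


def roles_for(user: str) -> Tuple[str, ...]:
    """Resolve a user's roles from group membership in the simulated directory.
    Unknown users and unmapped groups yield no roles at all."""
    groups = LDAP_GROUPS.get(user, [])
    return tuple(sorted({GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}))


def is_permitted(user: str, resource: str, action: str) -> bool:
    """Deny-by-default check: allowed only if some role held by the user
    grants the (resource, action) pair.  Every decision is recorded."""
    roles = roles_for(user)
    allowed = any((resource, action) in ROLE_POLICY.get(r, set()) for r in roles)
    AUDIT_LOG.append(AuditEntry(user, roles, resource, action, allowed))
    return allowed


def hsm_operations_denied_to(user: str) -> List[str]:
    """List the HSM actions this user is refused, so the policy can be
    verified to keep the HSM reachable only from the security-admin role."""
    hsm_actions = sorted({a for perms in ROLE_POLICY.values()
                          for (res, a) in perms if res == "hsm"})
    return [a for a in hsm_actions if not is_permitted(user, "hsm", a)]


if __name__ == "__main__":
    checks = [("alice", "hsm", "key-import"), ("bob", "hsm", "key-import"),
              ("bob", "domain", "write"), ("carol", "domain", "read")]
    for user, res, act in checks:
        verdict = "ALLOW" if is_permitted(user, res, act) else "DENY"
        print(f"{user:6} {res}/{act}: {verdict}")
    for entry in AUDIT_LOG:
        print(entry)
```

The point of the deny-by-default branch and the audit list is the same one the RBM setup makes on the appliance: an authenticated user with no mapped group gets nothing, and each HSM decision is traceable to the role that produced it.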

If your organization is researching this feature of DataPower or attempting to deploy DataPower with it, I am available for consulting opportunities.