1739433 – ICA HW token missing after the package update

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1739433 - ICA HW token missing after the package update

Summary: ICA HW token missing after the package update

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	opencryptoki
Sub Component:
Version:	8.1
Hardware:	s390x
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	8.1
Assignee:	Than Ngo
QA Contact:	Karel Srot
Docs Contact:
URL:
Whiteboard:
Depends On:	1706140
Blocks:	1624641 1654309 1660905 1710589
TreeView+	depends on / blocked

Reported:	2019-08-09 10:10 UTC by Karel Srot
Modified:	2019-11-05 22:04 UTC (History)
CC List:	9 users (show)
Fixed In Version:	opencryptoki-3.11.1-2.el8
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	1756956 (view as bug list)
Environment:
Last Closed:	2019-11-05 22:04:17 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:
Flags:	ovasik: needinfo+

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
IBM Linux Technology Center	179931	0	None	None	None	2019-08-20 08:44:19 UTC
Red Hat Product Errata	RHBA-2019:3524	0	None	None	None	2019-11-05 22:04:44 UTC

Description Karel Srot 2019-08-09 10:10:44 UTC

Description of problem:

I am not seeing IBM ICA token with opencryptoki-3.11.1-1.el8.s390x.

# rpm -qa | grep opencryptoki
opencryptoki-icatok-3.10.0-3.el8.s390x
opencryptoki-ep11tok-3.10.0-3.el8.s390x
opencryptoki-libs-3.10.0-3.el8.s390x
opencryptoki-3.10.0-3.el8.s390x
opencryptoki-swtok-3.10.0-3.el8.s390x
opencryptoki-ccatok-3.10.0-3.el8.s390x
opencryptoki-icsftok-3.10.0-3.el8.s390x
opencryptoki-tpmtok-3.10.0-3.el8.s390x

# pkcsconf -t
Token #1 Info:
	Label: IBM ICA  PKCS #11               
	Manufacturer: IBM Corp.                       
	Model: IBM ICA         
	Serial Number: 123             
	Flags: 0x880045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
	Sessions: 0/18446744073709551614
	R/W Sessions: 18446744073709551615/18446744073709551614
	PIN Length: 4-8
	Public Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
	Private Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
	Hardware Version: 1.0
	Firmware Version: 1.0
	Time: 04:52:00
Token #3 Info:
	Label: IBM OS PKCS#11                  
	Manufacturer: IBM Corp.                       
	Model: IBM SoftTok     
	Serial Number: 123             
	Flags: 0x880045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
	Sessions: 0/18446744073709551614
	R/W Sessions: 18446744073709551615/18446744073709551614
	PIN Length: 4-8
	Public Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
	Private Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
	Hardware Version: 1.0
	Firmware Version: 1.0
	Time: 04:52:00

# yum update
# rpm -qa | grep opencryptoki
opencryptoki-icatok-3.11.1-1.el8.s390x
opencryptoki-ep11tok-3.11.1-1.el8.s390x
opencryptoki-3.11.1-1.el8.s390x
opencryptoki-swtok-3.11.1-1.el8.s390x
opencryptoki-ccatok-3.11.1-1.el8.s390x
opencryptoki-icsftok-3.11.1-1.el8.s390x
opencryptoki-libs-3.11.1-1.el8.s390x
opencryptoki-tpmtok-3.11.1-1.el8.s390x
# pkcsconf -t
Token #3 Info:
	Label: IBM OS PKCS#11                  
	Manufacturer: IBM Corp.                       
	Model: IBM SoftTok     
	Serial Number: 123             
	Flags: 0x880045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
	Sessions: 0/18446744073709551614
	R/W Sessions: 18446744073709551615/18446744073709551614
	PIN Length: 4-8
	Public Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
	Private Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
	Hardware Version: 1.0
	Firmware Version: 1.0
	Time: 2019080904530900

/var/log/messages contain
Aug  9 04:53:07 ibm-z-116 systemd[1]: Starting Daemon which manages cryptographic hardware tokens for the openCryptoki package...
Aug  9 04:53:07 ibm-z-116 pkcsslotd[3543]: PID File created
Aug  9 04:53:07 ibm-z-116 systemd[1]: Started Daemon which manages cryptographic hardware tokens for the openCryptoki package.
Aug  9 04:53:09 ibm-z-116 pkcsconf[3545]: usr/lib/cca_stdll/cca_specific.c token_specific_init: Error loading library: 'libcsulcca.so' [libcsulcca.so: cannot open shared object file: No such file or directory]
Aug  9 04:53:09 ibm-z-116 pkcsconf[3545]: usr/lib/ep11_stdll/ep11_specific.c ep11tok_init: Error loading shared library 'libep11.so' [libep11.so: cannot open shared object file: No such file or directory]

Even with opencryptoki-3.11.0-3.el8.s390x the token is missing.


 IBM Bug Proxy 2019-08-09 09:30:27 UTC

------- Comment From ifranzki.com 2019-08-09 05:27 EDT-------
You need to install the libica-devel packet, only that brings the symlink for libica.so with it.

(In reply to IBM Bug Proxy from comment #11)
> ------- Comment From ifranzki.com 2019-08-09 05:27 EDT-------
> You need to install the libica-devel packet, only that brings the symlink
> for libica.so with it.

Hm, this doesn't seem to be the right approach. Does the opencryptoki ICA module dlopen() libica?

Comment 2 IBM Bug Proxy 2019-08-09 10:41:08 UTC

------- Comment From ifranzki.com 2019-08-09 06:39 EDT-------
Yes, the ICA token does a dlopen() for libica.so.

Since the packaging is distribution specific, it is hard to find a way for upstream that works for all distros....

We should probably talk to Patrick Steuer (maintainer of openCryptoki) about this and if we want to change something upstream.

Comment 3 Dan Horák 2019-08-09 10:52:07 UTC

In the IBMCA engine we reference libica by its soname - https://github.com/opencryptoki/openssl-ibmca/commit/f4c9d610e39624be09ba4de36e29c60a478537e7 as a fix for https://github.com/opencryptoki/openssl-ibmca/issues/46 - I guess opencryptoki can do the same.

Comment 4 Karel Srot 2019-08-09 12:25:42 UTC

Or at least add the dependency on the libica-devel package so it would be pulled in with an update. For some reason libica-devel is present in BaseOS channel anyway.

Comment 5 IBM Bug Proxy 2019-08-13 07:00:32 UTC

------- Comment From ifranzki.com 2019-08-13 02:52 EDT-------
FYI: Please see pull request https://github.com/opencryptoki/opencryptoki/pull/245 to change the dlopen of libica to use the versioned name (i.e. libica.so.3). The PR should be merged soon. You can then pick the 2 commits. They should apply clean on top of OCK 3.11.1. I will let you know when the PR has been merged.

Comment 6 IBM Bug Proxy 2019-08-13 12:00:30 UTC

------- Comment From ifranzki.com 2019-08-13 07:56 EDT-------
The PR is now merged.
Please take the following 2 commits:
https://github.com/opencryptoki/opencryptoki/commit/73f05eb53f12197f081fd7ec75619c6ea3a39b2c
https://github.com/opencryptoki/opencryptoki/commit/7f4113ba8653b8b18a6f1af6ab1d8eb90987626d

Comment 19 errata-xmlrpc 2019-11-05 22:04:17 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3524

Note You need to log in before you can comment on or make changes to this bug.