Bug 1739433 - ICA HW token missing after the package update
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: opencryptoki
Version: 8.1
Hardware: s390x
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: 8.1
Assignee: Than Ngo
QA Contact: Karel Srot
URL:
Whiteboard:
Depends On: 1706140
Blocks: 1624641 1654309 1660905 1710589
Reported: 2019-08-09 10:10 UTC by Karel Srot
Modified: 2019-11-05 22:04 UTC (History)

Fixed In Version: opencryptoki-3.11.1-2.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1756956 (view as bug list)
Environment:
Last Closed: 2019-11-05 22:04:17 UTC
Type: Bug
Target Upstream Version:
ovasik: needinfo+


Links
System ID Private Priority Status Summary Last Updated
IBM Linux Technology Center 179931 0 None None None 2019-08-20 08:44:19 UTC
Red Hat Product Errata RHBA-2019:3524 0 None None None 2019-11-05 22:04:44 UTC

Description Karel Srot 2019-08-09 10:10:44 UTC
Description of problem:

I am not seeing IBM ICA token with opencryptoki-3.11.1-1.el8.s390x.

# rpm -qa | grep opencryptoki
opencryptoki-icatok-3.10.0-3.el8.s390x
opencryptoki-ep11tok-3.10.0-3.el8.s390x
opencryptoki-libs-3.10.0-3.el8.s390x
opencryptoki-3.10.0-3.el8.s390x
opencryptoki-swtok-3.10.0-3.el8.s390x
opencryptoki-ccatok-3.10.0-3.el8.s390x
opencryptoki-icsftok-3.10.0-3.el8.s390x
opencryptoki-tpmtok-3.10.0-3.el8.s390x

# pkcsconf -t
Token #1 Info:
	Label: IBM ICA  PKCS #11               
	Manufacturer: IBM Corp.                       
	Model: IBM ICA         
	Serial Number: 123             
	Flags: 0x880045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
	Sessions: 0/18446744073709551614
	R/W Sessions: 18446744073709551615/18446744073709551614
	PIN Length: 4-8
	Public Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
	Private Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
	Hardware Version: 1.0
	Firmware Version: 1.0
	Time: 04:52:00
Token #3 Info:
	Label: IBM OS PKCS#11                  
	Manufacturer: IBM Corp.                       
	Model: IBM SoftTok     
	Serial Number: 123             
	Flags: 0x880045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
	Sessions: 0/18446744073709551614
	R/W Sessions: 18446744073709551615/18446744073709551614
	PIN Length: 4-8
	Public Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
	Private Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
	Hardware Version: 1.0
	Firmware Version: 1.0
	Time: 04:52:00

# yum update
# rpm -qa | grep opencryptoki
opencryptoki-icatok-3.11.1-1.el8.s390x
opencryptoki-ep11tok-3.11.1-1.el8.s390x
opencryptoki-3.11.1-1.el8.s390x
opencryptoki-swtok-3.11.1-1.el8.s390x
opencryptoki-ccatok-3.11.1-1.el8.s390x
opencryptoki-icsftok-3.11.1-1.el8.s390x
opencryptoki-libs-3.11.1-1.el8.s390x
opencryptoki-tpmtok-3.11.1-1.el8.s390x
# pkcsconf -t
Token #3 Info:
	Label: IBM OS PKCS#11                  
	Manufacturer: IBM Corp.                       
	Model: IBM SoftTok     
	Serial Number: 123             
	Flags: 0x880045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
	Sessions: 0/18446744073709551614
	R/W Sessions: 18446744073709551615/18446744073709551614
	PIN Length: 4-8
	Public Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
	Private Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
	Hardware Version: 1.0
	Firmware Version: 1.0
	Time: 2019080904530900

/var/log/messages contains:
Aug  9 04:53:07 ibm-z-116 systemd[1]: Starting Daemon which manages cryptographic hardware tokens for the openCryptoki package...
Aug  9 04:53:07 ibm-z-116 pkcsslotd[3543]: PID File created
Aug  9 04:53:07 ibm-z-116 systemd[1]: Started Daemon which manages cryptographic hardware tokens for the openCryptoki package.
Aug  9 04:53:09 ibm-z-116 pkcsconf[3545]: usr/lib/cca_stdll/cca_specific.c token_specific_init: Error loading library: 'libcsulcca.so' [libcsulcca.so: cannot open shared object file: No such file or directory]
Aug  9 04:53:09 ibm-z-116 pkcsconf[3545]: usr/lib/ep11_stdll/ep11_specific.c ep11tok_init: Error loading shared library 'libep11.so' [libep11.so: cannot open shared object file: No such file or directory]

Even with opencryptoki-3.11.0-3.el8.s390x the token is missing.


 IBM Bug Proxy 2019-08-09 09:30:27 UTC

------- Comment From ifranzki@de.ibm.com 2019-08-09 05:27 EDT-------
You need to install the libica-devel packet, only that brings the symlink for libica.so with it.

(In reply to IBM Bug Proxy from comment #11)
> ------- Comment From ifranzki@de.ibm.com 2019-08-09 05:27 EDT-------
> You need to install the libica-devel packet, only that brings the symlink
> for libica.so with it.

Hm, this doesn't seem to be the right approach. Does the opencryptoki ICA module dlopen() libica?

Comment 2 IBM Bug Proxy 2019-08-09 10:41:08 UTC
------- Comment From ifranzki@de.ibm.com 2019-08-09 06:39 EDT-------
Yes, the ICA token does a dlopen() for libica.so.

Since the packaging is distribution specific, it is hard to find a way for upstream that works for all distros....

We should probably talk to Patrick Steuer (maintainer of openCryptoki) about this and if we want to change something upstream.

Comment 3 Dan Horák 2019-08-09 10:52:07 UTC
In the IBMCA engine we reference libica by its soname - https://github.com/opencryptoki/openssl-ibmca/commit/f4c9d610e39624be09ba4de36e29c60a478537e7 as a fix for https://github.com/opencryptoki/openssl-ibmca/issues/46 - I guess opencryptoki can do the same.

Comment 4 Karel Srot 2019-08-09 12:25:42 UTC
Or at least add the dependency on the libica-devel package so it would be pulled in with an update. For some reason libica-devel is present in BaseOS channel anyway.

Comment 5 IBM Bug Proxy 2019-08-13 07:00:32 UTC
------- Comment From ifranzki@de.ibm.com 2019-08-13 02:52 EDT-------
FYI: Please see pull request https://github.com/opencryptoki/opencryptoki/pull/245 to change the dlopen of libica to use the versioned name (i.e. libica.so.3). The PR should be merged soon. You can then pick the 2 commits. They should apply clean on top of OCK 3.11.1. I will let you know when the PR has been merged.

Comment 6 IBM Bug Proxy 2019-08-13 12:00:30 UTC
------- Comment From ifranzki@de.ibm.com 2019-08-13 07:56 EDT-------
The PR is now merged.
Please take the following 2 commits:
https://github.com/opencryptoki/opencryptoki/commit/73f05eb53f12197f081fd7ec75619c6ea3a39b2c
https://github.com/opencryptoki/opencryptoki/commit/7f4113ba8653b8b18a6f1af6ab1d8eb90987626d
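
Added example, not part of the original bug thread and not openCryptoki code: a heuristic packaging check for the failure discussed above, which lists library names embedded in a binary and flags unversioned ones such as libica.so that only a -devel symlink would satisfy at dlopen() time. The sample byte strings are constructed for illustration, and a hit still needs manual review because a module's own file name can also be unversioned.

```python
import re
import sys

# A NUL-terminated library file name such as "libica.so" or "libica.so.3".
# The lookbehind rejects matches that start in the middle of a longer name.
LIB_NAME = re.compile(
    rb"(?<![A-Za-z0-9_+\-.])(lib[A-Za-z0-9_+\-]+\.so((?:\.[0-9]+)*))\x00"
)


def library_names(blob: bytes):
    """Yield (name, versioned) once for each library name found in blob."""
    seen = set()
    for match in LIB_NAME.finditer(blob):
        name = match.group(1)
        if name not in seen:
            seen.add(name)
            # group(2) is the ".3" style suffix; empty means unversioned.
            yield name.decode("ascii"), bool(match.group(2))


def unversioned_names(blob: bytes):
    """Names that resolve only if a development symlink is installed."""
    return sorted(n for n, versioned in library_names(blob) if not versioned)


# Constructed samples: string-table fragments of a module before and after
# switching its dlopen() argument from "libica.so" to "libica.so.3".
SAMPLE_BEFORE = (
    b"\x7fELF\x02\x02\x01\x00libc.so.6\x00"
    b"Error loading library: '%s' [%s]\x00libica.so\x00"
)
SAMPLE_AFTER = SAMPLE_BEFORE.replace(b"libica.so\x00", b"libica.so.3\x00")


if __name__ == "__main__":
    # Usage: python3 check_dlopen_names.py <module.so> [...]
    status = 0
    for path in sys.argv[1:]:
        with open(path, "rb") as handle:
            hits = unversioned_names(handle.read())
        for name in hits:
            print(f"{path}: unversioned library name {name}")
            status = 1
    sys.exit(status)
```

Run against the token modules of an installed build, a non-zero exit marks files worth checking against the runtime package's file list.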

Comment 19 errata-xmlrpc 2019-11-05 22:04:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3524
