Bug 1756956 - ICA HW token missing after the package update
Summary: ICA HW token missing after the package update
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: opencryptoki
Version: 7.7
Hardware: s390x
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: 7.8
Assignee: Than Ngo
QA Contact: Karel Srot
URL:
Whiteboard:
Depends On:
Blocks: 1689150 1754591 1769258
Reported: 2019-09-30 09:59 UTC by Karel Srot
Modified: 2020-03-31 20:08 UTC (History)

Fixed In Version: opencryptoki-3.11.0-5
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1739433
Clones: 1769258
Environment:
Last Closed: 2020-03-31 20:08:31 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
IBM Linux Technology Center 181704 0 None None None 2019-09-30 10:09:09 UTC
Red Hat Product Errata RHBA-2020:1164 0 None None None 2020-03-31 20:08:53 UTC

Description Karel Srot 2019-09-30 09:59:10 UTC
Present also on RHEL-7.7.

+++ This bug was initially created as a clone of Bug #1739433 +++

Description of problem:

I am not seeing IBM ICA token with opencryptoki-3.11.1-1.el8.s390x.

# rpm -qa | grep opencryptoki
opencryptoki-icatok-3.10.0-3.el8.s390x
opencryptoki-ep11tok-3.10.0-3.el8.s390x
opencryptoki-libs-3.10.0-3.el8.s390x
opencryptoki-3.10.0-3.el8.s390x
opencryptoki-swtok-3.10.0-3.el8.s390x
opencryptoki-ccatok-3.10.0-3.el8.s390x
opencryptoki-icsftok-3.10.0-3.el8.s390x
opencryptoki-tpmtok-3.10.0-3.el8.s390x

# pkcsconf -t
Token #1 Info:
	Label: IBM ICA  PKCS #11               
	Manufacturer: IBM Corp.                       
	Model: IBM ICA         
	Serial Number: 123             
	Flags: 0x880045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
	Sessions: 0/18446744073709551614
	R/W Sessions: 18446744073709551615/18446744073709551614
	PIN Length: 4-8
	Public Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
	Private Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
	Hardware Version: 1.0
	Firmware Version: 1.0
	Time: 04:52:00
Token #3 Info:
	Label: IBM OS PKCS#11                  
	Manufacturer: IBM Corp.                       
	Model: IBM SoftTok     
	Serial Number: 123             
	Flags: 0x880045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
	Sessions: 0/18446744073709551614
	R/W Sessions: 18446744073709551615/18446744073709551614
	PIN Length: 4-8
	Public Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
	Private Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
	Hardware Version: 1.0
	Firmware Version: 1.0
	Time: 04:52:00

# yum update
# rpm -qa | grep opencryptoki
opencryptoki-icatok-3.11.1-1.el8.s390x
opencryptoki-ep11tok-3.11.1-1.el8.s390x
opencryptoki-3.11.1-1.el8.s390x
opencryptoki-swtok-3.11.1-1.el8.s390x
opencryptoki-ccatok-3.11.1-1.el8.s390x
opencryptoki-icsftok-3.11.1-1.el8.s390x
opencryptoki-libs-3.11.1-1.el8.s390x
opencryptoki-tpmtok-3.11.1-1.el8.s390x
# pkcsconf -t
Token #3 Info:
	Label: IBM OS PKCS#11                  
	Manufacturer: IBM Corp.                       
	Model: IBM SoftTok     
	Serial Number: 123             
	Flags: 0x880045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
	Sessions: 0/18446744073709551614
	R/W Sessions: 18446744073709551615/18446744073709551614
	PIN Length: 4-8
	Public Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
	Private Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
	Hardware Version: 1.0
	Firmware Version: 1.0
	Time: 2019080904530900

/var/log/messages contains:
Aug  9 04:53:07 ibm-z-116 systemd[1]: Starting Daemon which manages cryptographic hardware tokens for the openCryptoki package...
Aug  9 04:53:07 ibm-z-116 pkcsslotd[3543]: PID File created
Aug  9 04:53:07 ibm-z-116 systemd[1]: Started Daemon which manages cryptographic hardware tokens for the openCryptoki package.
Aug  9 04:53:09 ibm-z-116 pkcsconf[3545]: usr/lib/cca_stdll/cca_specific.c token_specific_init: Error loading library: 'libcsulcca.so' [libcsulcca.so: cannot open shared object file: No such file or directory]
Aug  9 04:53:09 ibm-z-116 pkcsconf[3545]: usr/lib/ep11_stdll/ep11_specific.c ep11tok_init: Error loading shared library 'libep11.so' [libep11.so: cannot open shared object file: No such file or directory]

Even with opencryptoki-3.11.0-3.el8.s390x the token is missing.


 IBM Bug Proxy 2019-08-09 09:30:27 UTC

------- Comment From ifranzki.com 2019-08-09 05:27 EDT-------
You need to install the libica-devel packet, only that brings the symlink for libica.so with it.

(In reply to IBM Bug Proxy from comment #11)
> ------- Comment From ifranzki.com 2019-08-09 05:27 EDT-------
> You need to install the libica-devel packet, only that brings the symlink
> for libica.so with it.

Hm, this doesn't seem to be the right approach. Does the opencryptoki ICA module dlopen() libica?

--- Additional comment from IBM Bug Proxy on 2019-08-09 10:41:08 UTC ---

------- Comment From ifranzki.com 2019-08-09 06:39 EDT-------
Yes, the ICA token does a dlopen() for libica.so.

Since the packaging is distribution specific, it is hard to find a way for upstream that works for all distros....

We should probably talk to Patrick Steuer (maintainer of openCryptoki) about this and if we want to change something upstream.

--- Additional comment from Dan Horák on 2019-08-09 10:52:07 UTC ---

In the IBMCA engine we reference libica by its soname - https://github.com/opencryptoki/openssl-ibmca/commit/f4c9d610e39624be09ba4de36e29c60a478537e7 as a fix for https://github.com/opencryptoki/openssl-ibmca/issues/46 - I guess opencryptoki can do the same.

--- Additional comment from Karel Srot on 2019-08-09 12:25:42 UTC ---

Or at least add the dependency on the libica-devel package so it would be pulled in with an update. For some reason libica-devel is present in BaseOS channel anyway.

--- Additional comment from IBM Bug Proxy on 2019-08-13 07:00:32 UTC ---

------- Comment From ifranzki.com 2019-08-13 02:52 EDT-------
FYI: Please see pull request https://github.com/opencryptoki/opencryptoki/pull/245 to change the dlopen of libica to use the versioned name (i.e. libica.so.3). The PR should be merged soon. You can then pick the 2 commits. They should apply clean on top of OCK 3.11.1. I will let you know when the PR has been merged.

--- Additional comment from IBM Bug Proxy on 2019-08-13 12:00:30 UTC ---

------- Comment From ifranzki.com 2019-08-13 07:56 EDT-------
The PR is now merged.
Please take the following 2 commits:
https://github.com/opencryptoki/opencryptoki/commit/73f05eb53f12197f081fd7ec75619c6ea3a39b2c
https://github.com/opencryptoki/opencryptoki/commit/7f4113ba8653b8b18a6f1af6ab1d8eb90987626d
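
Added example (not part of the bug report or of the openCryptoki code): a shell model of why the ICA token disappears when only the runtime libica package is installed, and why requesting the versioned name libica.so.3 fixes it. The directory layout, the placeholder file libica.so.3.4.0 and the helper function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: models the library lookup on a constructed directory tree.
# File names follow the thread (libica.so, libica.so.3); libica.so.3.4.0 is
# a constructed placeholder, not a real library.

# make_layout DIR [devel]: create what the runtime package provides (real
# file plus soname symlink) and, with "devel", the unversioned symlink too.
make_layout() {
    mkdir -p "$1"
    : > "$1/libica.so.3.4.0"
    ln -sf libica.so.3.4.0 "$1/libica.so.3"
    if [ "${2:-}" = "devel" ]; then
        ln -sf libica.so.3 "$1/libica.so"
    fi
}

# can_load DIR NAME: dlopen() searches for exactly NAME, so the request
# succeeds only if that name exists and is not a dangling symlink.
can_load() {
    [ -e "$1/$2" ]
}

# token_status DIR NAME: what a token requesting NAME would report.
token_status() {
    if can_load "$1" "$2"; then
        echo "available"
    else
        echo "missing"
    fi
}

# report DIR: compare the request made before the fix (libica.so) with the
# request made after it (libica.so.3) for one layout.
report() {
    echo "unversioned=$(token_status "$1" libica.so) soname=$(token_status "$1" libica.so.3)"
}

# Demo on two constructed layouts.
tmp=$(mktemp -d)
make_layout "$tmp/runtime-only"
make_layout "$tmp/with-devel" devel
echo "runtime only: $(report "$tmp/runtime-only")"
echo "with -devel:  $(report "$tmp/with-devel")"
rm -rf "$tmp"
```

On a real system the same check is whether the name the token passes to dlopen() exists in the library search path without the -devel package installed.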

Comment 5 Karel Srot 2019-09-30 10:03:52 UTC
Cleaning up Depends on field copied over from the RHEL-8 bug.

Comment 6 Than Ngo 2019-09-30 10:14:24 UTC
It's fixed in opencryptoki-3.11.0-5.

Comment 10 Filip Krska 2019-10-14 11:41:41 UTC
Hello Hanns-Joachim, the fix is verified and scheduled for release in RHEL 7.8. I've noticed Severity raised from your side... Do you require 7.7.Z-Stream release or release with 7.8 GA is OK?

Comment 11 Hanns-Joachim Uhl 2019-10-14 12:25:38 UTC
(In reply to Filip Krska from comment #10)
> Hello Hanns-Joachim, the fix is verified and scheduled for release in RHEL
> 7.8. I've noticed Severity raised from your side... Do you require
> 7.7.Z-Stream release or release with 7.8 GA is OK?
.
Hello Red Hat / Filip,
well observed ...
... yes, we are just checking whether the solution for this bugzilla is applicable 
in the customer situation for Red Hat Support Case 02493190 ...
... please stay tuned ...
Thanks for your attention and support.

Comment 12 IBM Bug Proxy 2019-10-29 16:50:25 UTC
------- Comment From hannsj_uhl.com 2019-10-29 12:49 EDT-------
Business justification / client impact statement for 7.7.z zstream:

Problem
The opencryptoki ICA token is not available for production environments when the libica library package is installed.

Impact to customer
The customer cannot use HW acceleration for cryptographic operations
via the ICA token, unless the customer installs the libica-devel package
in addition, which is unusual in production environments

Business justification
The upgrade path to RHEL7.7 is broken for production environments using the opencryptoki ICA token.

Comment 13 Hanns-Joachim Uhl 2019-10-29 16:58:52 UTC
(In reply to IBM Bug Proxy from comment #12)
> ------- Comment From hannsj_uhl.com 2019-10-29 12:49 EDT-------
> Business justification / client impact statement for 7.7.z zstream:
> 
> Problem
> The opencryptoki ICA token is not available for production environments when
> the libica library package is installed.
> 
> Impact to customer
> The customer cannot use HW acceleration for cryptographic operations
> via the ICA token, unless the customer installs the libica-devel package
> in addition, which is unusual in production environments
> 
> Business justification
> The upgrade path to RHEL7.7 is broken for production environments using the
> opencryptoki ICA token.
.
Hello Red Hat / Josh,
with the above business justification / client impact statement
I would like to ask you to request a 7.7.z zstream for the patches from this bugzilla
as soon as possible ...
Thanks in advance for your support.

Comment 15 Joshua Miller 2019-10-31 13:57:28 UTC
Hanns/IBM,

This bz has been denied as a candidate for z-stream as it has a workable workaround.  Even though it is a regression, it does not meet the criteria currently being used to enter z-stream.  If you would like to enter data for a kb article to be written I can do that for you.  Thanks.

Comment 16 IBM Bug Proxy 2019-11-05 08:30:19 UTC
------- Comment From Christian.Rund.com 2019-11-05 03:27 EDT-------
(In reply to comment #12)
> Hanns/IBM,
> This bz has been denied as a candidate for z-stream as it has a workable
> workaround.  Even though it is a regression, it does not meet the criteria
> currently being used to enter z-stream.  If you would like to enter data for
> a kb article to be written I can do that for you.  Thanks.

Hello Josh,

I would like to ask you resp. RedHat to accept a fix for a problem a customer reported.
In addition the 'workable workaround' requires to define the 'Optional' repository in addition for downloading and installing the package.

Please re-consider.

Thanks.

Comment 19 IBM Bug Proxy 2019-12-11 12:31:07 UTC
------- Comment From ifranzki.com 2019-12-11 06:54 EDT-------
I have successfully verified this on RHEL7.8 Snapshot 1.

After installing OCK 3.12.0 and libica-3.4.0-1 the ICA token is available. Please note that I did NOT install the libica-devel packet. So this confirms that the ICA token is able to load the ICA library without having the un-versioned shared object available.

Please set to VERIFIED.

Comment 21 errata-xmlrpc 2020-03-31 20:08:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1164

