Present also on RHEL-7.7.
+++ This bug was initially created as a clone of Bug #1739433 +++
Description of problem:
I am not seeing IBM ICA token with opencryptoki-3.11.1-1.el8.s390x.
# rpm -qa | grep opencryptoki
opencryptoki-icatok-3.10.0-3.el8.s390x
opencryptoki-ep11tok-3.10.0-3.el8.s390x
opencryptoki-libs-3.10.0-3.el8.s390x
opencryptoki-3.10.0-3.el8.s390x
opencryptoki-swtok-3.10.0-3.el8.s390x
opencryptoki-ccatok-3.10.0-3.el8.s390x
opencryptoki-icsftok-3.10.0-3.el8.s390x
opencryptoki-tpmtok-3.10.0-3.el8.s390x
# pkcsconf -t
Token #1 Info:
Label: IBM ICA PKCS #11
Manufacturer: IBM Corp.
Model: IBM ICA
Serial Number: 123
Flags: 0x880045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
Sessions: 0/18446744073709551614
R/W Sessions: 18446744073709551615/18446744073709551614
PIN Length: 4-8
Public Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
Private Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
Hardware Version: 1.0
Firmware Version: 1.0
Time: 04:52:00
Token #3 Info:
Label: IBM OS PKCS#11
Manufacturer: IBM Corp.
Model: IBM SoftTok
Serial Number: 123
Flags: 0x880045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
Sessions: 0/18446744073709551614
R/W Sessions: 18446744073709551615/18446744073709551614
PIN Length: 4-8
Public Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
Private Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
Hardware Version: 1.0
Firmware Version: 1.0
Time: 04:52:00
# yum update
# rpm -qa | grep opencryptoki
opencryptoki-icatok-3.11.1-1.el8.s390x
opencryptoki-ep11tok-3.11.1-1.el8.s390x
opencryptoki-3.11.1-1.el8.s390x
opencryptoki-swtok-3.11.1-1.el8.s390x
opencryptoki-ccatok-3.11.1-1.el8.s390x
opencryptoki-icsftok-3.11.1-1.el8.s390x
opencryptoki-libs-3.11.1-1.el8.s390x
opencryptoki-tpmtok-3.11.1-1.el8.s390x
# pkcsconf -t
Token #3 Info:
Label: IBM OS PKCS#11
Manufacturer: IBM Corp.
Model: IBM SoftTok
Serial Number: 123
Flags: 0x880045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
Sessions: 0/18446744073709551614
R/W Sessions: 18446744073709551615/18446744073709551614
PIN Length: 4-8
Public Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
Private Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
Hardware Version: 1.0
Firmware Version: 1.0
Time: 2019080904530900
/var/log/messages contains:
Aug 9 04:53:07 ibm-z-116 systemd[1]: Starting Daemon which manages cryptographic hardware tokens for the openCryptoki package...
Aug 9 04:53:07 ibm-z-116 pkcsslotd[3543]: PID File created
Aug 9 04:53:07 ibm-z-116 systemd[1]: Started Daemon which manages cryptographic hardware tokens for the openCryptoki package.
Aug 9 04:53:09 ibm-z-116 pkcsconf[3545]: usr/lib/cca_stdll/cca_specific.c token_specific_init: Error loading library: 'libcsulcca.so' [libcsulcca.so: cannot open shared object file: No such file or directory]
Aug 9 04:53:09 ibm-z-116 pkcsconf[3545]: usr/lib/ep11_stdll/ep11_specific.c ep11tok_init: Error loading shared library 'libep11.so' [libep11.so: cannot open shared object file: No such file or directory]
Even with opencryptoki-3.11.0-3.el8.s390x the token is missing.
IBM Bug Proxy 2019-08-09 09:30:27 UTC
------- Comment From ifranzki.com 2019-08-09 05:27 EDT-------
You need to install the libica-devel packet, only that brings the symlink for libica.so with it.
(In reply to IBM Bug Proxy from comment #11)
> ------- Comment From ifranzki.com 2019-08-09 05:27 EDT-------
> You need to install the libica-devel packet, only that brings the symlink
> for libica.so with it.
Hm, this doesn't seem to be the right approach. Does the opencryptoki ICA module dlopen() libica?
--- Additional comment from IBM Bug Proxy on 2019-08-09 10:41:08 UTC ---
------- Comment From ifranzki.com 2019-08-09 06:39 EDT-------
Yes, the ICA token does a dlopen() for libica.so.
Since the packaging is distribution specific, it is hard to find a way for upstream that works for all distros....
We should probably talk to Patrick Steuer (maintainer of openCryptoki) about this and if we want to change something upstream.
--- Additional comment from Dan Horák on 2019-08-09 10:52:07 UTC ---
In the IBMCA engine we reference libica by its soname - https://github.com/opencryptoki/openssl-ibmca/commit/f4c9d610e39624be09ba4de36e29c60a478537e7 as a fix for https://github.com/opencryptoki/openssl-ibmca/issues/46 - I guess opencryptoki can do the same.
--- Additional comment from Karel Srot on 2019-08-09 12:25:42 UTC ---
Or at least add the dependency on the libica-devel package so it would be pulled in with an update. For some reason libica-devel is present in BaseOS channel anyway.
--- Additional comment from IBM Bug Proxy on 2019-08-13 07:00:32 UTC ---
------- Comment From ifranzki.com 2019-08-13 02:52 EDT-------
FYI: Please see pull request https://github.com/opencryptoki/opencryptoki/pull/245 to change the dlopen of libica to use the versioned name (i.e. libica.so.3). The PR should be merged soon. You can then pick the 2 commits. They should apply clean on top of OCK 3.11.1. I will let you know when the PR has been merged.
--- Additional comment from IBM Bug Proxy on 2019-08-13 12:00:30 UTC ---
------- Comment From ifranzki.com 2019-08-13 07:56 EDT-------
The PR is now merged.
Please take the following 2 commits:
https://github.com/opencryptoki/opencryptoki/commit/73f05eb53f12197f081fd7ec75619c6ea3a39b2c
https://github.com/opencryptoki/opencryptoki/commit/7f4113ba8653b8b18a6f1af6ab1d8eb90987626d
Hello Hanns-Joachim, the fix is verified and scheduled for release in RHEL 7.8. I've noticed Severity raised from your side... Do you require 7.7.Z-Stream release or release with 7.8 GA is OK?
Comment 11 Hanns-Joachim Uhl
2019-10-14 12:25:38 UTC
(In reply to Filip Krska from comment #10)
> Hello Hanns-Joachim, the fix is verified and scheduled for release in RHEL
> 7.8. I've noticed Severity raised from your side... Do you require
> 7.7.Z-Stream release or release with 7.8 GA is OK?
.
Hello Red Hat / Filip,
well observed ...
... yes, we are just checking whether the solution for this bugzilla is applicable
in the customer situation for Red Hat Support Case 02493190 ...
... please stay tuned ...
Thanks for your attention and support.
------- Comment From hannsj_uhl.com 2019-10-29 12:49 EDT-------
Business justification / client impact statement for 7.7.z zstream:
Problem
The opencryptoki ICA token is not available for production environments when the libica library package is installed.
Impact to customer
The customer cannot use HW acceleration for cryptographic operations
via the ICA token, unless the customer installs the libica-devel package
in addition, which is unusual in production environments
Business justification
The upgrade path to RHEL7.7 is broken for production environments using the opencryptoki ICA token.
Comment 13 Hanns-Joachim Uhl
2019-10-29 16:58:52 UTC
(In reply to IBM Bug Proxy from comment #12)
> ------- Comment From hannsj_uhl.com 2019-10-29 12:49 EDT-------
> Business justification / client impact statement for 7.7.z zstream:
>
> Problem
> The opencryptoki ICA token is not available for production environments when
> the libica library package is installed.
>
> Impact to customer
> The customer cannot use HW acceleration for cryptographic operations
> via the ICA token, unless the customer installs the libica-devel package
> in addition, which is unusual in production environments
>
> Business justification
> The upgrade path to RHEL7.7 is broken for production environments using the
> opencryptoki ICA token.
.
Hello Red Hat / Josh,
with the above business justification / client impact statement
I would like to ask you to request a 7.7.z zstream for the patches from this bugzilla
as soon as possible ...
Thanks in advance for your support.
Hanns/IBM,
This bz has been denied as a candidate for z-stream as it has a workable workaround. Even though it is a regression it does not meet the criteria currently being used to enter z-stream. If you would like to enter data for a kb article to be written I can do that for you. Thanks.
------- Comment From Christian.Rund.com 2019-11-05 03:27 EDT-------
(In reply to comment #12)
> Hanns/IBM,
> This bz has been denied as a candidate for z-stream as it has a workable
> workaround. Even though it is a regression it does not meet the criteria
> currently being used to enter z-stream. If you would like to enter data for
> a kb article to be written I can do that for you. Thanks.
Hello Josh,
I would like to ask you resp. RedHat to accept a fix for a problem a customer reported.
In addition the 'workable workaround' requires to define the 'Optional' repository in addition for downloading and installing the package.
Please re-consider.
Thanks.
------- Comment From ifranzki.com 2019-12-11 06:54 EDT-------
I have successfully verified this on RHEL7.8 Snapshot 1.
After installing OCK 3.12.0 and libica-3.4.0-1 the ICA token is available. Please note that I did NOT install the libica-devel packet. So this confirms that the ICA token is able to load the ICA library without having the un-versioned shared object available.
Please set to VERIFIED.
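Added example, not part of the bug thread or of openCryptoki: a shell check for the packaging failure discussed above, where the unversioned name libica.so is absent on a runtime-only install while the versioned libica.so.3 is present. The directory layouts and the libica.so.3.4.0 file name are constructed, and the check inspects a single directory rather than the full dynamic-loader search path.

```sh
#!/bin/sh
# Added example, not openCryptoki code. Layouts are constructed; only the names
# libica.so and libica.so.3 come from the bug report.

# make_layout DIR KIND: build a constructed library directory.
#   runtime: versioned names only; devel: plus the unversioned symlink.
make_layout() {
    mkdir -p "$1"
    : > "$1/libica.so.3.4.0"                 # stand-in for the shared object
    ln -sf libica.so.3.4.0 "$1/libica.so.3"  # soname symlink
    if [ "$2" = devel ]; then
        ln -sf libica.so.3 "$1/libica.so"    # symlink from the -devel package
    fi
}

# check_dlopen_name DIR NAME: report whether NAME would be found in DIR.
# Prints ok | dangling | missing:LIST (versioned siblings exist) | missing.
# Returns 0 only for "ok".
check_dlopen_name() {
    dir=$1
    name=$2
    if [ -L "$dir/$name" ] && [ ! -e "$dir/$name" ]; then
        echo dangling                        # symlink whose target is gone
        return 1
    fi
    if [ -f "$dir/$name" ]; then
        echo ok
        return 0
    fi
    alts=
    for f in "$dir/$name".*; do              # e.g. libica.so.3 for libica.so
        [ -e "$f" ] || continue
        alts="${alts:+$alts,}${f##*/}"
    done
    echo "missing${alts:+:$alts}"
    return 1
}

# Demo on two constructed directories.
tmp=$(mktemp -d)
make_layout "$tmp/runtime" runtime
make_layout "$tmp/devel" devel
for d in runtime devel; do
    for n in libica.so libica.so.3; do
        printf '%-8s %-12s %s\n' "$d" "$n" "$(check_dlopen_name "$tmp/$d" "$n" || true)"
    done
done
rm -rf "$tmp"
```

A "missing:" result listing versioned siblings is the state reported in this bug: the library is installed, but a loader call that uses the unversioned name cannot find it.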
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2020:1164