Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
If the ibmca engine for openssl and the HW is FIPS certified, then the engine
must set proper flag for its RSA implementation method. (This is the RSA_FLAG_FIPS_METHOD.)
If it is not certified, it means the ibmca engine simply has to be disabled and thus not used by the administrator in the FIPS mode.
Comment 11Gonzalo Muelas Serrano
2010-08-20 14:16:35 UTC
Hello,
at this point of time is openssl-ibmca and the underlying crypto HW not completely FIPS certified, but we are working on it. Till the work is finished we should have in RHEL fips_mode=no and ibmca engine on. IBM will request (via standard feature request) to RH a change of this setting as soon as we are with SW and HW FIPS certified.
Kind regards,
Gonzalo.
Comment 13RHEL Program Management
2011-01-07 16:04:21 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
representative.
(In reply to comment #11)
> at this point of time is openssl-ibmca and the underlying crypto HW not
> completely FIPS certified, but we are working on it. Till the work is finished
> we should have in RHEL fips_mode=no and ibmca engine on. IBM will request (via
> standard feature request) to RH a change of this setting as soon as we are with
> SW and HW FIPS certified.
Gonzalo, is there any progress in making the s390 specific crypto modules/libraries FIPS compatible?
Comment 16Gonzalo Muelas Serrano
2011-06-27 10:50:41 UTC
Dan, as far as I know, it still work in progress. As soon as we are with SW and HW FIPS certified we will submit a feature request to RH to change this setting.
Thank you for asking!
Gonzalo.
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
representative.
Created attachment 434657 [details] openssl configuration with enaled IBMCA module Description of problem: When testing on s390x in FIPS mode on RHEL6 openssl fails. The errors differ when CPACF enabled/disabled # prelink -u -a # rpm -q openssl openssl-1.0.0-4.el6.s390x # ./enable_cpacf # openssl speed rsa internal error loading RSA key number 0 2199029471344:error:0406A095:rsa routines:RSA_new_method:non fips method:rsa_lib.c:183: 2199029471344:error:0D079064:asn1 encoding routines:ASN1_ITEM_EX_COMBINE_NEW:aux error:tasn_new.c:221: 2199029471344:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:404:Type=RSA # ./disable_cpacf # openssl speed rsa cmll_fblk.c(65): OpenSSL internal error, assertion failed: CAMELLIA Algorithm forbidden in FIPS mode Aborted (core dumped)