>>> On 5/3/2016 at 01:26 PM, Marcy Cortes <[email protected]> >>> wrote: > So SLES SP4 took package openCryptoki from 2.4 to 3.2. > > We're struggling try to set up a new instance of WAS IHS for ibmica. We > can see the slot with pkcsconf and have set the pins. GSK cannot see it > though. IBM says it's a linux problem, presumably with the openCryptoki > package.
I just recently inherited maintainership of that package. Lucky me. > pkcs11_startup seems to be gone, even though the init script still calls it. > The doc included with the package and on sourgeforge seems to be ancient. Ya think? :( > There is a new /etc/opencryptoki/opencryptoki.conf that needs to be used > instead but its contents and its man page don't give me any clue as to what > to put in there for IBMICA. Right. That might be in the libica2 package, but I'm not sure. > There doesn't seem to be a SLES 11 SP4 Device Drivers doc either out there > on developerworks. I recently asked IBM about that. They said, essentially, "yeah we didn't do one for SP4." :( > Has anyone set this up with WAS with openCryptoki 3.2? > > Our existing servers that migrated to SP4 are also throwing errors > continually, although they continue to work for some functions as the > counters in /proc/drives/z90crypt are being incremented. > They are getting these messages: > Apr 21 14:30:16 cpzew01a0004 httpd: cca_specific.c token_specific_init: > Error loading library: [libcsulcca.so: cannot open shared object file: No > such file or directory] I saw those same errors. According to a zJournal article by Reinhard Buendgen: "The CCA token provides secure key cryptography using the CryptoExpress CCA coprocessor. It requires the libcsulcca library to be installed and the z90crypt device driver to be loaded into the kernel. The CCA RPM containing the CCA library libcsulcca can be downloaded for free from http://www-03.ibm.com/security/cryptocards/pciecc/ordersoftware.shtml ." http://enterprisesystemsmedia.com/article/using-linux-on-system-z-hardware-cryptography-with-the-pkcs11-cryoptography/ It looks like it might do the job, but I have no idea if it's going to fix your real problem. > SUSE is working off the same doc as I have found and they too are > struggling. I bet. IBM doesn't make this stuff easy for anyone. Mark Post ---------------------------------------------------------------------- For LINUX-390 subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390 ---------------------------------------------------------------------- For more information on Linux on System z, visit http://wiki.linuxvm.org/
