Trouble shooting with the IBMCA engine

Read about the trouble shooting and debug facilities when working with the IBMCA engine.

If the engine is configured properly, the commands openssl engine -c and openssl engine -tt ibmca return the following output, showing the supported algorithms and an error trace if the engine is not properly configured:


$ openssl engine -c
(dynamic) Dynamic engine loading support
(ibmca) Ibmca hardware engine support
[RSA, DSA, DH, RAND, DES-ECB, DES-CBC, DES-OFB, DES-CFB, DES-EDE3, DES-EDE3-CBC, DES-EDE3-OFB, DES-EDE3-CFB, 
AES-128-ECB, AES-192-ECB, AES-256-ECB, AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-OFB, AES-192-OFB, 
AES-256-OFB, AES-128-CFB, AES-192-CFB, AES-256-CFB, id-aes128-GCM, id-aes192-GCM, id-aes256-GCM, SHA1, SHA256, 
SHA512, ED25519, ED448, X25519, X448]

$ openssl engine -tt ibmca
(ibmca) Ibmca hardware engine support
     [ available ]

Note: Even if you have configured the IBMCA engine to be used for selected algorithms only (see default_algorithms option in Configuration options for the IBMCA engine), the openssl engine -c command will anyway show all algorithms that are supported by the used libica variant (libica or libica-cex) and the current cryptographic hardware availability. The specifications with the default_algorithms option are not considered here. Nevertheless, OpenSSL only uses those algorithms that are enabled via the default_algorithms option (and that are supported by the IBMCA engine).