Troubleshooting with the IBMCA provider

Read about the troubleshooting and debug facilities that are available when working with the IBMCA provider.

If the provider is configured properly, the openssl list -providers command returns the following output:


$ openssl list -providers 
Providers: 
  default 
    name: OpenSSL Default Provider
    version: 3.0.1 
    status: active 
  ibmca 
    name: ibmca 
    version: 2.3.0 
    status: active

List the cryptographic methods implemented by the activated providers as follows:


$ openssl list -key-managers
...
   Name: IBMCA RSA implementation
     Type: Provider Algorithm
     IDs: { 1.2.840.113549.1.1.1, 2.5.8.1.1, RSA, rsaEncryption } @ ibmca
   Name: IBMCA DH implementation
     Type: Provider Algorithm
     IDs: { 1.2.840.113549.1.3.1, DH, dhKeyAgreement } @ ibmca
   Name: IBMCA EC implementation
     Type: Provider Algorithm
     IDs: { 1.2.840.10045.2.1, EC, id-ecPublicKey } @ ibmca
   Name: IBMCA RSA-PSS implementation
     Type: Provider Algorithm
     IDs: { 1.2.840.113549.1.1.10, RSA-PSS, RSASSA-PSS, rsassaPss } @ ibmca
   Name: IBMCA DHX implementation
     Type: Provider Algorithm
     IDs: { 1.2.840.10046.2.1, dhpublicnumber, DHX, X9.42 DH } @ ibmca
...
$ openssl list -signature-algorithms
...
  { 1.2.840.113549.1.1.1, 2.5.8.1.1, RSA, rsaEncryption } @ ibmca
  ECDSA @ ibmca
...
$ openssl list -asymcipher-algorithms
...
  { 1.2.840.113549.1.1.1, 2.5.8.1.1, RSA, rsaEncryption } @ ibmca
...
$ openssl list -key-exchange-algorithms
...
  { 1.2.840.113549.1.3.1, DH, dhKeyAgreement } @ ibmca
  ECDH @ ibmca
...

You can set the following environment variables to obtain debug information:

IBMCA_DEBUG
If $IBMCA_DEBUG is set to stderr, debug output for the IBMCA provider is written to stderr. If it is set to on, the debug output is written to a trace file named <debug-path>/trace-<provider-name>.<pid>, where <debug-path> is the directory to which the debug files are written (default: /tmp), <provider-name> is the name of the IBMCA provider from the identity option, and <pid> is the process ID of the current process.
IBMCA_DEBUG_PATH
Sets the directory to which debug files are written when debug is enabled through the debug = yes configuration option or through the environment variable IBMCA_DEBUG=on. The user that runs the application using the IBMCA provider must have write access to that directory.
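
The checks described above can be scripted. The following is an added example, not part of the original documentation or of the IBMCA project: shell functions that read a provider's status from openssl list -providers output, filter any openssl list output to the entries served by one provider, and print the trace file path that IBMCA_DEBUG=on would use. The function names are assumptions made for illustration, and the embedded sample is constructed from the output shown above.

```shell
#!/bin/sh
# Added example: function names are illustrative, not part of OpenSSL or IBMCA.

# Constructed sample, copied from the `openssl list -providers` output above.
SAMPLE_PROVIDERS='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.1
    status: active
  ibmca
    name: ibmca
    version: 2.3.0
    status: active'

# provider_status NAME: read `openssl list -providers` output on stdin and
# print the status of provider NAME (prints nothing if it is not listed).
provider_status() {
    awk -v want="$1" '
        /^  [^ ]/ { cur = $1 }          # two-space indent: provider identity
        /^    status:/ && cur == want { print $2; exit }
    '
}

# provider_algs NAME: read any `openssl list -...` output on stdin and keep
# only the entries served by provider NAME (lines ending in "@ NAME").
provider_algs() {
    grep -E "@ $1[[:space:]]*\$" || true
}

# trace_file NAME PID: print the trace file path used with IBMCA_DEBUG=on,
# honoring IBMCA_DEBUG_PATH (default /tmp). NAME is the provider identity.
# Returns 1 if the directory is missing or not writable by the current user.
trace_file() {
    dir="${IBMCA_DEBUG_PATH:-/tmp}"
    printf '%s/trace-%s.%s\n' "$dir" "$1" "$2"
    [ -d "$dir" ] && [ -w "$dir" ]
}

# Demo on the constructed sample. On a live system, pipe in the real command:
#   openssl list -providers | provider_status ibmca
#   openssl list -signature-algorithms | provider_algs ibmca
echo "ibmca status: $(printf '%s\n' "$SAMPLE_PROVIDERS" | provider_status ibmca)"
```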