IBMCA engine restrictions

To avoid error messages when programming with OpenSSL and the IBMCA engine, you need to consider certain restrictions.

  • The CIPHER and DIGEST implementations of the IBMCA engine do not support the processing of messages in arbitrary chunk sizes. All chunks, except the final one, must be a multiple of the primitive's block size.
  • Normally, you use the IBMCA engine configured by an OpenSSL configuration file (see Configuring OpenSSL to use the IBMCA engine. You can use the OpenSSL command line tool to override the IBMCA engine configuration for one single call by specifying the -engine ibmca option. If you do so, you need to observe that starting with OpenSSL 3.0, no software fallbacks are used if a requested algorithm is not supported by the engine. Instead, an error message is issued.

    An example for such an algorithm not supported by the IBMCA engine is AES-256-CTR. If requested by an OpenSSL command line tool invocation with an IBMCA engine configured using the -engine ibmca option, an error about an unimplemented cipher is issued. You can avoid this by configuring the IBMCA engine in the OpenSSL configuration file. In this case, a software fallback is used.