Installing IBMCA from the source package
If you prefer, you can install IBMCA from the source package manually. The IBMCA package contains both the IBMCA engine and the IBMCA provider. However, starting with OpenSSL 3.0, you should only use the IBMCA provider.
Procedure
- Download the IBMCA package from GitHub.
- Enter openssl version -m for the IBMCA provider or openssl version -e for the IBMCA engine to find the directory where the provider or engine is located, for example:

  Provider (only for OpenSSL 3.0 or later):
      $ openssl version -m
      MODULESDIR: "/usr/lib64/ossl-modules"

  Engine:
      $ openssl version -e
      ENGINESDIR: "/usr/lib64/engines-3"
- Change to the directory where you downloaded the source in step 1 and enter the following scripts and commands to build the module:

  For building both provider and engine:
      $ ./bootstrap.sh
      $ ./configure [--enable-debug]
      $ make
      $ sudo make install
      # get the target location of the modules from step 2:
      $ sudo mv /usr/local/lib/ibmca-provider.* /usr/lib64/ossl-modules/
      $ sudo mv /usr/local/lib/ibmca.* /usr/lib64/engines-3/
  This will configure, build, and install the package in a default location, which is /usr/local/lib. It means that the provider module ibmca-provider.so and the engine module ibmca.so are installed in /usr/local/lib/. The modules are then moved to the desired locations.

  For building the provider only:
      $ ./bootstrap.sh
      # see MODULESDIR output from step 2
      $ ./configure [--enable-debug] --disable-engine --libdir=/usr/lib64/ossl-modules --prefix=/usr
      $ make
      $ sudo make install
  This will configure, build, and install the provider only in the desired provider location, which is in our example /usr/lib64/ossl-modules/.

  For building the engine only:
      $ ./bootstrap.sh
      # see ENGINESDIR output from step 2
      $ ./configure [--enable-debug] --disable-provider --libdir=/usr/lib64/engines-3 --prefix=/usr
      $ make
      $ sudo make install
  This will configure, build, and install the engine only in the desired engine location, which is in our example /usr/lib64/engines-3.
Additionally, at configure time, you can specify to build the IBMCA engine against the libica-cex version via the --with-libica-cex switch. If this switch is not specified, the engine uses the full version of libica by default. To specify the version of libica for the engine, use --with-libica-version=<version>. The default version is version 4 of libica. To build the engine against libica version 3, specify --with-libica-version=3 at configure time.

The IBMCA provider uses the libica-cex module by default. To use the full version of libica, specify --with-provider-libica-full. There is no functional difference in using the full libica library, except for ECC being accelerated using CPACF. With libica version 4.0 or later, neither libica-cex nor the full libica has software fallbacks enabled. The full libica library additionally supports digests and symmetric ciphers, but those are not exploited by the IBMCA provider. This build-time option is meant for distributors that do not build the libica-cex library at all. The IBMCA provider always uses libica version 4.
For the most current information about configuration options, see the README file in the GitHub repository.
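
A post-install check for steps 2 and 3, as an added example that is not part of the IBMCA documentation or project code: it reads the target directory from the openssl version -m or -e output and confirms that the installed module is present there and that neither the file nor its directory is group- or world-writable, because the module is loaded into any process that uses it. The function names and the script name are hypothetical.

```shell
#!/bin/sh
# Added example, not IBMCA project code. Function names are hypothetical.

# Print the quoted directory from "openssl version -m" or "-e" output.
#   $1 = MODULESDIR or ENGINESDIR, $2 = the text openssl printed
dir_from_version_output() {
    printf '%s\n' "$2" | sed -n "s/^$1: \"\(.*\)\"\$/\1/p" | head -n 1
}

# Succeed only if path $1 is not group- or world-writable.
# find -L follows symlinks so the link target's mode is what gets tested.
not_loosely_writable() {
    [ -z "$(find -L "$1" -prune \( -perm -020 -o -perm -002 \))" ]
}

# Succeed only if module file $2 exists in directory $1 and neither the
# file nor the directory can be modified by group or others.
module_ok() {
    mo_dir=$1
    mo_file=$1/$2
    [ -n "$mo_dir" ] || { echo "FAIL: no module directory given"; return 1; }
    [ -f "$mo_file" ] || { echo "FAIL: $mo_file not found"; return 1; }
    not_loosely_writable "$mo_dir" || { echo "FAIL: $mo_dir is group/world-writable"; return 1; }
    not_loosely_writable "$mo_file" || { echo "FAIL: $mo_file is group/world-writable"; return 1; }
    echo "OK: $mo_file"
}

# Check the live system only when asked: sh check-ibmca.sh provider|engine
case "${1:-}" in
    provider)
        module_ok "$(dir_from_version_output MODULESDIR "$(openssl version -m)")" ibmca-provider.so ;;
    engine)
        module_ok "$(dir_from_version_output ENGINESDIR "$(openssl version -e)")" ibmca.so ;;
esac
```

Run it as sh check-ibmca.sh provider (or engine) after sudo make install or the mv commands; a FAIL line names the path to correct.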