opencryptoki / openssl-ibmca

OpenSSL engine and provider for libica.
Apache License 2.0

engine: Enable external AES-GCM IV when libica is in FIPS mode #111

Closed ifranzki closed 6 months ago

ifranzki commented 6 months ago

When the system is in FIPS mode, newer libica versions may prevent AES-GCM from being used with an external IV. FIPS requires that the AES-GCM IV is created internally by libica via an approved random source.

The IBMCA engine cannot support the internal generation of the AES-GCM IV, because the engine API for AES-GCM does not allow this. Applications using OpenSSL to perform AES-GCM (e.g. the TLS protocol) may require providing an external IV.

Enable the use of external AES-GCM IVs for libica, if the libica library in use supports this. Newer libica versions support allowing external AES-GCM IVs via the function ica_allow_external_gcm_iv_in_fips_mode().
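The runtime check the PR describes, as an added example that is not openssl-ibmca's own code: resolve the optional libica symbol with dlsym, call it when present, and treat its absence (older libica) as "unsupported" rather than as an error. The signature `int ica_allow_external_gcm_iv_in_fips_mode(int allow)` with a 0-on-success return, the soname `libica.so.4`, and the stub function are assumptions.

```c
#include <dlfcn.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed libica signature (name from the PR; return convention assumed). */
typedef int (*ica_allow_ext_iv_fn)(int allow);

enum {
    IBMCA_EXT_IV_FAILED = -1,     /* libica refused the request */
    IBMCA_EXT_IV_UNSUPPORTED = 0, /* older libica: symbol absent */
    IBMCA_EXT_IV_ENABLED = 1      /* external IVs allowed in FIPS mode */
};

/* Resolve the optional symbol from an already-opened libica handle.
 * A NULL result means the loaded libica predates the function. */
ica_allow_ext_iv_fn ibmca_lookup_allow_ext_iv(void *dso)
{
    if (dso == NULL)
        return NULL;
    dlerror(); /* clear any stale error before the lookup */
    return (ica_allow_ext_iv_fn)dlsym(dso, "ica_allow_external_gcm_iv_in_fips_mode");
}

/* Apply the policy: call the function when present, otherwise report that
 * this libica cannot be told to accept external AES-GCM IVs. */
int ibmca_enable_external_gcm_iv(ica_allow_ext_iv_fn allow_fn)
{
    if (allow_fn == NULL)
        return IBMCA_EXT_IV_UNSUPPORTED;
    return allow_fn(1) == 0 ? IBMCA_EXT_IV_ENABLED : IBMCA_EXT_IV_FAILED;
}

/* Constructed stand-in for a libica build that exports the function. */
int stub_allow_ext_iv(int allow)
{
    (void)allow;
    return 0;
}

int main(void)
{
    void *dso = dlopen("libica.so.4", RTLD_NOW); /* assumed soname */
    int rc = ibmca_enable_external_gcm_iv(ibmca_lookup_allow_ext_iv(dso));
    printf("external AES-GCM IV in FIPS mode: %s\n",
           rc == IBMCA_EXT_IV_ENABLED ? "enabled" :
           rc == IBMCA_EXT_IV_UNSUPPORTED ? "unsupported by this libica" : "refused");
    if (dso != NULL)
        dlclose(dso);
    return rc == IBMCA_EXT_IV_FAILED ? 1 : 0;
}
```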