diff --git a/openssh-8.7p1-ibmca.patch b/openssh-8.7p1-ibmca.patch
new file mode 100644
index 0000000..c9c12ee
--- /dev/null
+++ b/openssh-8.7p1-ibmca.patch
@@ -0,0 +1,12 @@
+--- openssh-8.7p1/openbsd-compat/bsd-closefrom.c.orig	2022-04-12 15:47:03.815044607 +0200
++++ openssh-8.7p1/openbsd-compat/bsd-closefrom.c	2022-04-12 15:48:12.464963511 +0200
+@@ -16,7 +16,7 @@
+ 
+ #include "includes.h"
+ 
+-#ifndef HAVE_CLOSEFROM
++#if (!defined HAVE_CLOSEFROM) || (defined __s390__)
+ 
+ #include <sys/types.h>
+ #include <sys/param.h>
+
diff --git a/openssh.spec b/openssh.spec
index d5050aa..d7f33b8 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -51,7 +51,7 @@
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 8.7p1
-%global openssh_rel 20
+%global openssh_rel 21
 %global pam_ssh_agent_ver 0.10.4
 %global pam_ssh_agent_rel 5
 
@@ -218,6 +218,9 @@ Patch981: openssh-8.7p1-recursive-scp.patch
 Patch982: openssh-8.7p1-minrsabits.patch
 # downstream only
 Patch983: openssh-8.7p1-evpgenkey.patch
+# downstream only, IBMCA tentative fix
+# From https://bugzilla.redhat.com/show_bug.cgi?id=1976202#c14
+Patch984: openssh-8.7p1-ibmca.patch
 
 # Minimize the use of SHA1 as a proof of possession for RSA key (#2031868)
 # upstream commits:
@@ -436,6 +439,7 @@ popd
 %patch981 -p1 -b .scp-sftpdirs
 %patch982 -p1 -b .minrsabits
 %patch983 -p1 -b .evpgenrsa
+%patch984 -p1 -b .ibmca
 
 %patch200 -p1 -b .audit
 %patch201 -p1 -b .audit-race
@@ -728,6 +732,10 @@ test -f %{sysconfig_anaconda} && \
 %endif
 
 %changelog
+* Thu Aug 04 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-21
+- IBMCA workaround
+  Related: rhbz#1976202
+
 * Tue Jul 26 2022 Zoltan Fridrich <zfridric@redhat.com> - 8.7p1-20 + 0.10.4-5
 - Fix openssh-8.7p1-scp-clears-file.patch
   Related: rhbz#2056884