diff --git a/.gitignore b/.gitignore
index 505ebb9..6ecbd3b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/v3.7.0.tar.gz
+SOURCES/v3.10.0.tar.gz
diff --git a/.opencryptoki.metadata b/.opencryptoki.metadata
index 9bdf187..a3d1292 100644
--- a/.opencryptoki.metadata
+++ b/.opencryptoki.metadata
@@ -1 +1 @@
-9bc7d5796566c18583d6d4abb2e962d22bc8480e SOURCES/v3.7.0.tar.gz
+93908d16d61ec2c60aa0809378308d2d9e634d5f SOURCES/v3.10.0.tar.gz
diff --git a/SOURCES/opencryptoki-3.10-ica-token.patch b/SOURCES/opencryptoki-3.10-ica-token.patch
new file mode 100644
index 0000000..2a32d4c
--- /dev/null
+++ b/SOURCES/opencryptoki-3.10-ica-token.patch
@@ -0,0 +1,107 @@
+From 227ffdba6b919e18b03fed59b07e2c0212b40303 Mon Sep 17 00:00:00 2001
+From: Ingo Franzki <ifranzki@linux.ibm.com>
+Date: Thu, 2 Aug 2018 14:48:47 +0200
+Subject: [PATCH 1/2] Fix bug with master key encryption with FIPS enabled
+ libica
+
+When running with a FIPS enabled libica, the ICA token fails to
+initialize, because the 3DES key derived from the user or SO pin is
+considered invalid because the first and the third part of the
+3DES key is the same.
+
+For clear key tokens, the token specific 3DES-CBC function is
+used for the master key encryption. In case of the ICA token,
+the ICA token specific 3DES-CBC function fails, because libica
+rejects the key when compiled with FIPS support. This leads to
+an error during token initialization.
+
+Instead of using the token specific 3DES-CBC function, the code
+now always falls back to the (OpenSSL) based software encryption
+function, as it is also done for secure key tokens.
+
+Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+---
+ usr/lib/pkcs11/common/loadsave.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/usr/lib/pkcs11/common/loadsave.c b/usr/lib/pkcs11/common/loadsave.c
+index a593b932..a5532c9d 100644
+--- a/usr/lib/pkcs11/common/loadsave.c
++++ b/usr/lib/pkcs11/common/loadsave.c
+@@ -206,12 +206,14 @@ static CK_RV encrypt_data_with_clear_key(STDLL_TokData_t * tokdata,
+ 	/* If token doesn't have a specific key size that means that it uses a
+ 	 * clear key.
+ 	 */
+-	if (token_specific.token_keysize == 0) {
++    if (token_specific.token_keysize == 0 &&
++        token_specific.data_store.encryption_algorithm != CKM_DES3_CBC) {
+ 		return encrypt_data(tokdata, key, keylen, iv, clear, clear_len,
+ 				    cipher, p_cipher_len);
+ 	}
+ 
+-	/* Fall back to a software alternative if key is secure. */
++    /* Fall back to a software alternative if key is secure, or
++     * if token's data store encryption algorithm is 3DES_CBC */
+ 	initial_vector = duplicate_initial_vector(iv);
+ 	if (initial_vector == NULL) {
+ 		TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
+@@ -322,12 +324,14 @@ static CK_RV decrypt_data_with_clear_key(STDLL_TokData_t *tokdata,
+ 	/* If token doesn't have a specific key size that means that it uses a
+ 	 * clear key.
+ 	 */
+-	if (token_specific.token_keysize == 0) {
++    if (token_specific.token_keysize == 0 &&
++        token_specific.data_store.encryption_algorithm != CKM_DES3_CBC) {
+ 		return decrypt_data(tokdata, key, keylen, iv, cipher,
+ 				    cipher_len, clear, p_clear_len);
+ 	}
+ 
+-	/* Fall back to a software alternative if key is secure. */
++    /* Fall back to a software alternative if key is secure, or
++     * if token's data store encryption algorithm is 3DES_CBC */
+ 	initial_vector = duplicate_initial_vector(iv);
+ 	if (initial_vector == NULL) {
+ 		TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
+-- 
+2.17.1
+
+
+From 3e091d7ff34a56eac0b9a5e8eaf92e5a7cf11b7f Mon Sep 17 00:00:00 2001
+From: Ingo Franzki <ifranzki@linux.ibm.com>
+Date: Tue, 7 Aug 2018 14:45:05 +0200
+Subject: [PATCH 2/2] TESTCASE: Disable 3DES test vectors with non-FIPS
+ compliant keys
+
+The 3DES test vectors contain keys that are considered invalid
+by a FIPS enabled libica because the first, middle and/and third
+part of the 3DES key are the same.
+
+Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+---
+ testcases/crypto/des3.h | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/testcases/crypto/des3.h b/testcases/crypto/des3.h
+index e1bb1038..1860778e 100644
+--- a/testcases/crypto/des3.h
++++ b/testcases/crypto/des3.h
+@@ -850,7 +850,16 @@ static struct des3_test_vector des3_ofb64_tv[] = {
+ 	}
+ };
+ 
++/*
++ * All above test vectors use keys that are not FIPS compliant.
++ * This will cause the testcase to fail when the token performs FIPS key
++ * checks.
++ */
++#ifdef NON_FIPS_COMPLIANT_TEST_VECTORS
+ # define NUM_OF_PUBLISHED_TESTSUITES	5
++#else
++# define NUM_OF_PUBLISHED_TESTSUITES    0
++#endif
+ 
+ struct published_test_suite_info published_test_suites[] = {
+ 	{
+-- 
+2.17.1
+
diff --git a/SOURCES/opencryptoki-3.2-conditional-manpages.patch b/SOURCES/opencryptoki-3.2-conditional-manpages.patch
deleted file mode 100644
index 0e15fdc..0000000
--- a/SOURCES/opencryptoki-3.2-conditional-manpages.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-diff --git a/man/man1/Makefile.am b/man/man1/Makefile.am
-index f2274d7..d98ae8c 100644
---- a/man/man1/Makefile.am
-+++ b/man/man1/Makefile.am
-@@ -1,3 +1,12 @@
--man1_MANS=pkcsconf.1 pkcsicsf.1 pkcsep11_migrate.1 pkcscca.1
-+man1_MANS=pkcsconf.1 pkcsicsf.1
-+
-+if ENABLE_PKCSEP11_MIGRATE
-+man1_MANS += pkcsep11_migrate.1
-+endif
-+
-+if ENABLE_CCATOK
-+man1_MANS += pkcscca.1
-+endif
-+
- EXTRA_DIST = $(man1_MANS)
- CLEANFILES = $(man1_MANS)
diff --git a/SOURCES/opencryptoki-3.4-fix-root-checks.patch b/SOURCES/opencryptoki-3.4-fix-root-checks.patch
deleted file mode 100644
index ba2b5c7..0000000
--- a/SOURCES/opencryptoki-3.4-fix-root-checks.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff -up opencryptoki/usr/lib/pkcs11/common/new_host.c.fix-root opencryptoki/usr/lib/pkcs11/common/new_host.c
-diff -up opencryptoki/usr/lib/pkcs11/common/utility.c.fix-root opencryptoki/usr/lib/pkcs11/common/utility.c
---- opencryptoki/usr/lib/pkcs11/common/utility.c.fix-root	2015-12-04 15:27:56.038413538 +0100
-+++ opencryptoki/usr/lib/pkcs11/common/utility.c	2015-12-04 15:28:02.557395798 +0100
-@@ -1122,7 +1122,7 @@ CK_RV check_user_and_group()
- 	euid = geteuid();
- 
- 	/* Root or effective Root is ok */
--	if (uid == 0 && euid == 0)
-+	if (uid == 0 || euid == 0)
- 		return CKR_OK;
- 
- 	/*
diff --git a/SPECS/opencryptoki.spec b/SPECS/opencryptoki.spec
index 49a7ac1..3d83028 100644
--- a/SPECS/opencryptoki.spec
+++ b/SPECS/opencryptoki.spec
@@ -2,18 +2,15 @@
 
 Name:			opencryptoki
 Summary:		Implementation of the PKCS#11 (Cryptoki) specification v2.11
-Version:		3.7.0
-Release:		1%{?dist}
+Version:		3.10.0
+Release:		2%{?dist}
 License:		CPL
 Group:			System Environment/Base
 URL:			https://github.com/opencryptoki/opencryptoki
 Source0:		https://github.com/opencryptoki/%{name}/archive/v%{version}.tar.gz
 Source1:		%{name}-tmpfiles.conf
-# do not install pkcsep11_migrate.1 and pkcscca.1 when it's not enabled
-# https://bugzilla.redhat.com/show_bug.cgi?id=732756
-# https://bugzilla.redhat.com/show_bug.cgi?id=1122505#c8
-Patch0:			%{name}-3.4-fix-root-checks.patch
-Patch1:			%{name}-3.2-conditional-manpages.patch
+
+Patch0:			opencryptoki-3.10-ica-token.patch
 
 Requires(pre):		shadow-utils coreutils sed
 BuildRequires:		openssl-devel
@@ -180,8 +177,7 @@ configured with Enterprise PKCS#11 (EP11) firmware.
 
 %prep
 %setup -q -n %{name}-%{version}
-%patch0 -p1 -b .fix-root
-%patch1 -p1 -b .man
+%patch0 -p1 -b .ica
 
 # Upstream tarball has unnecessary executable perms set on the sources
 find . -name '*.[ch]' -print0 | xargs -0 chmod -x
@@ -258,8 +254,8 @@ exit 0
 
 
 %files
-%doc ChangeLog FAQ README
-%doc doc/openCryptoki-HOWTO.pdf
+%doc ChangeLog FAQ README.md
+%doc doc/opencryptoki-howto.md
 %doc doc/README.token_data
 %dir %{_sysconfdir}/%{name}
 %config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf
@@ -324,7 +320,6 @@ exit 0
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/TOK_OBJ/
 
 %files ccatok
-%doc doc/README-IBM_CCA_users
 %doc doc/README.cca_stdll
 %{_sbindir}/pkcscca
 %{_mandir}/man1/pkcscca.1*
@@ -336,8 +331,11 @@ exit 0
 %files ep11tok
 %doc doc/README.ep11_stdll
 %config(noreplace) %{_sysconfdir}/%{name}/ep11tok.conf
+%config(noreplace) %{_sysconfdir}/%{name}/ep11cpfilter.conf
 %{_sbindir}/pkcsep11_migrate
+%{_sbindir}/pkcsep11_session
 %{_mandir}/man1/pkcsep11_migrate.1.*
+%{_mandir}/man1/pkcsep11_session.1*
 %{_libdir}/opencryptoki/stdll/libpkcs11_ep11.*
 %{_libdir}/opencryptoki/stdll/PKCS11_EP11.so
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ep11tok/
@@ -346,6 +344,15 @@ exit 0
 
 
 %changelog
+* Thu Aug 23 2018 Sinny Kumari <skumari@redhat.com> - 3.10.0-2
+- Resolves: #1613743 - ICA Token specific des3 cbc encrypt failed - token not available
+
+* Fri Jun 22 2018 Sinny Kumari <skumari@redhat.com> - 3.10.0-1
+- Rebase to 3.10.0
+- Resolves: #1519383 - openCryptoki token for EP11 - crucial enhancements for s390x
+- Remove opencryptoki-3.4-fix-root-checks.patch, fixed in 3.9.0
+- Remove opencryptoki-3.2-conditional-manpages.patch, fixed in 3.9.0
+
 * Tue Oct 03 2017 Sinny Kumari <skumari@redhat.com> - 3.7.0-1
 - RHBZ#1456520 - Rebase opencryptoki to 3.7.0
 - Include libitm-devel as BuildRequires