forked from opencryptoki/opencryptoki
-
Notifications
You must be signed in to change notification settings - Fork 0
/
FAQ
104 lines (78 loc) · 4.06 KB
/
FAQ
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
openCryptoki FAQ - Kent Yoder <[email protected]>
-----------------------------------------------------------------------------
1. Q. All openCryptoki applications are returning CKR_TOKEN_NOT_PRESENT,
even though the token is there, and its STDLL is in the right place.
What's the problem?
A1. The user who's executing the application is probably not a member
of the pkcs11 group.
A2. Check that the device driver for your hardware token is loaded.
(`lsmod` in Linux).
A3. If you're doing development, this error will also be returned of your
token's STDLL has unresolved symbols in it. Enable debugging and
check the debug log to find out what symbols are undefined.
2. Q. When C_Initialize() gets called by my app, openCryptoki returns
CKR_HOST_MEMORY, even though I've got lots of free memory. What's
the problem?
A1. CKR_HOST_MEMORY is returned also if openCryptoki cannot attach
to shared memory. This can happen if:
a1. The user who's executing the application is not a member of
the pkcs11 group.
a2. pkcsslotd is not running.
3. Q. pkcsconf is returning:
Error getting token info: 0x2
This is CKR_HOST_MEMORY, see question 2.
Error getting token info: 0x3
The slot ID you're providing is invalid.
4. Q. How can I get the complete debug logs from openCryptoki?
A. In opencryptoki version 3.3, tracing was introduced. There is no
longer a need to compile opencryptoki with debug enabled via
"configure --enable-debug" to debug problems. Trace messages are
enabled via the environment variable, OPENCRYPTOKI_TRACE_LEVEL=<level>.
Set this environment variable to one of several trace levels available:
1 - log error messages
2 - log warning messages
3 - log informational messages
4 - log development debug messages; these messages may help debug
while developing pkcs#11 applications.
5 - debug messages that are useful to opencryptoki developers;
this level must be enabled via --enable-debug option in the
configure script.
Note: Trace messages increase as the trace level increases.
In other words, trace level 4 includes all the messages from
trace levels 1, 2 and 3.
An additional level 5 is included for those implementing new
features into opencryptoki source code. This level 5 allows for more
debug output. Level 5 is enabled when compiling opencryptoki
source code using "configure --enable-debug" and exporting
OPENCRYPTOKI_TRACE_LEVEL=5.
All trace output is logged into trace.<pid> file in the
/var/log/opencryptoki directory. A trace file is created per
process.
Prior to opencryptoki version 3.3, opencryptoki had to be compiled
with debugging enabled, i.e configure --enable-debug. Debug messages
were then logged to the file specified with the
OPENCRYPTOKI_DEBUG_FILE environment variable. If the environment
variable was not set, then opencryptoki debug messages were not logged.
Debugging does not have to be enabled for syslog messages to be
logged. Syslog messages are logged according to the system's syslog
configuration.
For versions of openCryptoki starting with openCryptoki-2.0 and before
openCryptoki-2.4, define the environment variable PKCS11_API_LOG_DEBUG=1
(in versions of openCryptoki before 2.0, define
AIX_PKCS11_API_LOG_DEBUG=1).
Also, apparently by default syslogd does not have an entry in
/etc/syslogd.conf for debug messages, so even if you have debug
messages enabled in your openCryptoki compile, you'll not get them in
the system log until you edit /etc/syslogd.conf and restart syslogd.
Add an entry in /etc/syslogd.conf such as:
# vi /etc/syslogd.conf
---
[...]
*.debug /var/log/debuglog
---
# killall -HUP syslogd
Now, when openCryptoki is configured with the --enable-debug
option (or if you install the -debug rpms), /var/log/debuglog
will receive its debugging messages.
-----------------------------------------------------------------------------
openCryptoki FAQ