openCryptoki FAQ - Kent Yoder <yoder1@us.ibm.com>
-----------------------------------------------------------------------------

1. Q. All openCryptoki applications are returning CKR_TOKEN_NOT_PRESENT,
      even though the token is there, and its STDLL is in the right place.
      What's the problem?

   A1. The user who's executing the application is probably not a member
       of the pkcs11 group.

   A2. Check that the device driver for your hardware token is loaded
       (`lsmod` in Linux).

   A3. If you're doing development, this error will also be returned if your
       token's STDLL has unresolved symbols in it. Enable debugging and
       check the debug log to find out what symbols are undefined.

2. Q. When C_Initialize() gets called by my app, openCryptoki returns
      CKR_HOST_MEMORY, even though I've got lots of free memory. What's
      the problem?

   A1. CKR_HOST_MEMORY is also returned if openCryptoki cannot attach
       to shared memory. This can happen if:

       a1. The user who's executing the application is not a member of
           the pkcs11 group.

       a2. pkcsslotd is not running.

3. Q. pkcsconf is returning:

      Error getting token info: 0x2
          This is CKR_HOST_MEMORY, see question 2.

      Error getting token info: 0x3
          The slot ID you're providing is invalid.
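
A triage helper for the failures in questions 1 to 3, as an added example that is not part of the original FAQ or the openCryptoki source. The CKR_SLOT_ID_INVALID name and the 0xE0 value for CKR_TOKEN_NOT_PRESENT come from the PKCS#11 specification rather than this page; the function names and the use of pgrep are assumptions.

```sh
#!/bin/sh
# Added example: triage for the return values in questions 1-3.
# CKR_* names and values are from the PKCS#11 specification.

# has_group LIST NAME: succeed if NAME is a word in the space-separated LIST.
has_group() {
    for g in $1; do
        if [ "$g" = "$2" ]; then return 0; fi
    done
    return 1
}

# Groups of this process. A user added to pkcs11 after logging in does not
# have the group until a new login session starts.
in_pkcs11() { has_group "$(id -Gn)" pkcs11; }

# Is the slot daemon running? (pgrep is assumed to be installed.)
slotd_running() { pgrep -x pkcsslotd >/dev/null 2>&1; }

# triage RV: print the FAQ's checks for RV (hex value or CKR_ name).
triage() {
    case "$1" in
    0x2|CKR_HOST_MEMORY)
        echo "CKR_HOST_MEMORY: cannot attach to shared memory?"
        in_pkcs11 || echo "  - current user is not in group pkcs11"
        slotd_running || echo "  - pkcsslotd is not running"
        ;;
    0x3|CKR_SLOT_ID_INVALID)
        echo "CKR_SLOT_ID_INVALID: the slot ID passed is invalid"
        ;;
    0xe0|0xE0|CKR_TOKEN_NOT_PRESENT)
        echo "CKR_TOKEN_NOT_PRESENT:"
        in_pkcs11 || echo "  - current user is not in group pkcs11"
        echo "  - confirm the token's device driver is listed by lsmod"
        echo "  - STDLL under development: look for undefined symbols in the debug log"
        ;;
    *)
        echo "return value $1 is not covered by this FAQ" >&2
        return 1
        ;;
    esac
}

# Run as: sh triage.sh 0x2
if [ "$#" -gt 0 ]; then triage "$1"; fi
```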

4. Q. How can I get the complete debug logs from openCryptoki?

   A. In opencryptoki version 3.3, tracing was introduced. There is no
      longer a need to compile opencryptoki with debug enabled via
      "configure --enable-debug" to debug problems. Trace messages are
      enabled via the environment variable, OPENCRYPTOKI_TRACE_LEVEL=<level>.
      Set this environment variable to one of several trace levels available:
        1 - log error messages
        2 - log warning messages
        3 - log informational messages
        4 - log development debug messages; these messages may help debug
            while developing pkcs#11 applications.
        5 - debug messages that are useful to opencryptoki developers;
            this level must be enabled via --enable-debug option in the
            configure script.

      Note: Trace messages increase as the trace level increases.
      In other words, trace level 4 includes all the messages from
      trace levels 1, 2 and 3.

      An additional level 5 is included for those implementing new
      features into opencryptoki source code. This level 5 allows for more
      debug output. Level 5 is enabled when compiling opencryptoki
      source code using "configure --enable-debug" and exporting
      OPENCRYPTOKI_TRACE_LEVEL=5.

      All trace output is logged into trace.<pid> file in the
      /var/log/opencryptoki directory. A trace file is created per
      process.
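
A wrapper for the tracing described above, as an added example that is not part of the original FAQ or the openCryptoki source. It sets OPENCRYPTOKI_TRACE_LEVEL for a single command instead of exporting it for the whole session, and prints the trace.<pid> path that command should produce; the function names and the pkcsconf invocation in the comment are assumptions.

```sh
#!/bin/sh
# Added example: run one command with openCryptoki tracing enabled and
# report where its trace file should be.

TRACE_DIR=/var/log/opencryptoki   # trace directory named in the FAQ

# valid_level N: trace levels are the single digits 1 through 5.
valid_level() {
    case "$1" in
    [1-5]) return 0 ;;
    *)     return 1 ;;
    esac
}

# trace_run LEVEL CMD [ARG...]: run CMD with OPENCRYPTOKI_TRACE_LEVEL=LEVEL
# set for that command only, then print the expected trace file path.
trace_run() {
    level=$1
    if ! valid_level "$level" || [ "$#" -lt 2 ]; then
        echo "usage: trace_run LEVEL(1-5) CMD [ARG...]" >&2
        return 2
    fi
    shift
    if [ "$level" = 5 ]; then
        echo "note: level 5 needs a build made with configure --enable-debug" >&2
    fi
    # Background the command so $! gives its PID; the trace file is named
    # trace.<pid>. CMD's stdout goes to stderr to keep our stdout clean.
    OPENCRYPTOKI_TRACE_LEVEL=$level "$@" >&2 &
    pid=$!
    rc=0
    wait "$pid" || rc=$?
    echo "$TRACE_DIR/trace.$pid"
    return "$rc"
}

# Run as: sh trace_run.sh 4 pkcsconf -t
if [ "$#" -gt 0 ]; then trace_run "$@"; fi
```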

      Prior to opencryptoki version 3.3, opencryptoki had to be compiled
      with debugging enabled, i.e. configure --enable-debug. Debug messages
      were then logged to the file specified with the
      OPENCRYPTOKI_DEBUG_FILE environment variable. If the environment
      variable was not set, then opencryptoki debug messages were not logged.
      Debugging does not have to be enabled for syslog messages to be
      logged. Syslog messages are logged according to the system's syslog
      configuration.

      For versions of openCryptoki starting with openCryptoki-2.0 and before
      openCryptoki-2.4, define the environment variable PKCS11_API_LOG_DEBUG=1
      (in versions of openCryptoki before 2.0, define
      AIX_PKCS11_API_LOG_DEBUG=1).

      Also, apparently by default syslogd does not have an entry in
      /etc/syslogd.conf for debug messages, so even if you have debug
      messages enabled in your openCryptoki compile, you'll not get them in
      the system log until you edit /etc/syslogd.conf and restart syslogd.
      Add an entry in /etc/syslogd.conf such as:

        # vi /etc/syslogd.conf
        ---
        [...]

        *.debug /var/log/debuglog
        ---
        # killall -HUP syslogd

      Now, when openCryptoki is configured with the --enable-debug
      option (or if you install the -debug rpms), /var/log/debuglog
      will receive its debugging messages.


-----------------------------------------------------------------------------
openCryptoki FAQ