Enabling and disabling PKCS#11 trace logging

There are two levels of trace logging:

  • vTrace logging, which is internal instrumentation of the Venafi libraries.
  • PKCS11Spy, which displays all traffic between the PKCS11 library and the Trust Protection Platform server.

Enabling vTrace Logging

pkcs11config trace --file=c:\temp\trace- --output=stdout
SUCCESS: Trace logging will now be recorded to c:\temp\trace-<pid>.log files
SUCCESS: Console trace logging will now be recorded to stdout

NOTE  This enables trace logging to both a log file and the console. Use a combination of the enable/disable and the console/log parameters to disable or enable individual options.

Configuring PKCS11 Spy

To use venafipkcs11spy (possibly at the direction of Customer Support to troubleshoot issues), configure the product that is using the Venafi code signing client to point to venafipkcs11spy instead of venafipkcs11. Once you no longer need the API trace, set it back to the venafipkcs11 library.

IMPORTANT  Running your product pointed to venafipkcs11spy will expose any secrets that are being encrypted or decrypted. Only use it for troubleshooting, not for production data.

pkcs11config trace --pkcs11=c:\temp\pkcs11.log --module=path_to_library
SUCCESS: PKCS#11 API logging will now be recorded to c:\temp\pkcs11.log
SUCCESS: PKCS#11 library path set to path_to_library

NOTE  On a properly installed system, it is not necessary to provide the 'module' parameter, because a default installation location is assumed.

Disabling Console Logging

pkcs11config trace --console --disable

Disabling File Logging

pkcs11config trace --log --disable

Disabling both File Logging and Console Logging

pkcs11config trace --disable
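
A post-troubleshooting check, added here as an example and not part of the Venafi tooling: it flags configuration files that still point at venafipkcs11spy and lists trace files left in the trace directory, since those may contain the secrets the IMPORTANT note describes. The config file names, the `module =` line format, and the treatment of `<pid>` as a decimal number are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Spy library name as given on this page; case-insensitive because Windows paths are.
SPY_REF = re.compile(r"venafipkcs11spy", re.IGNORECASE)


def find_spy_references(config_paths):
    """Return (path, line_no, line) for every config line naming the spy library."""
    hits = []
    for path in map(Path, config_paths):
        text = path.read_text(encoding="utf-8", errors="replace")
        for no, line in enumerate(text.splitlines(), start=1):
            if SPY_REF.search(line):
                hits.append((str(path), no, line.strip()))
    return hits


def find_leftover_traces(trace_dir, vtrace_prefix="trace-", spy_log="pkcs11.log"):
    """Return names of <prefix><pid>.log files (pid assumed numeric) and the spy log."""
    vtrace = re.compile(re.escape(vtrace_prefix) + r"\d+\.log$", re.IGNORECASE)
    names = sorted(p.name for p in Path(trace_dir).iterdir() if p.is_file())
    return [n for n in names if vtrace.match(n) or n.lower() == spy_log.lower()]


def demo():
    """Run both checks on a constructed directory; returns (spy_hits, leftover_logs)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample configs: one still points at the spy, one is restored.
        (root / "signer_a.conf").write_text("# tool A\nmodule = C:\\example\\venafipkcs11spy.dll\n")
        (root / "signer_b.conf").write_text("module = C:\\example\\venafipkcs11.dll\n")
        # Constructed leftover files, named after the --file and --pkcs11 values above.
        for name in ("trace-4312.log", "pkcs11.log", "trace-notes.txt"):
            (root / name).write_text("constructed placeholder\n")
        hits = find_spy_references([root / "signer_a.conf", root / "signer_b.conf"])
        return [(Path(p).name, n) for p, n, _ in hits], find_leftover_traces(root)


if __name__ == "__main__":
    spy_hits, logs = demo()
    print("configs still using the spy library:", spy_hits)
    print("trace files to review and remove:", logs)
```
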

For a list of all trace options, see trace options.