Enabling and disabling PKCS#11 trace logging
There are two levels of trace logging:
- vTrace logging, which is internal instrumentation of the Venafi libraries.
- PKCS11Spy, which will display all traffic between the PKCS11 library and the Trust Protection Platform server.
Enabling vTrace Logging
pkcs11config trace --file=c:\temp\trace- --output=stdout
SUCCESS: Trace logging will now be recorded to c:\temp\trace-<pid>.log files
SUCCESS: Console trace logging will now be recorded to stdout
NOTE This will enable trace logging to both a log file and to the console. Use a combination of the enable/disable and the console/log parameters to disable or enable individual options.
Configuring PKCS11 Spy
To use venafipkcs11spy (possibly at the direction of Customer Support to troubleshoot issues), configure the product that is using the Venafi code signing client to point to venafipkcs11spy instead of venafipkcs11. Once you no longer need the API trace, set it back to the venafipkcs11 library.
IMPORTANT Running your product pointed to venafipkcs11spy will expose any secrets that are being encrypted or decrypted. Only use it for troubleshooting, not for production data.
pkcs11config trace --pkcs11=c:\temp\pkcs11.log --module=path_to_library
SUCCESS: PKCS#11 API logging will now be recorded to c:\temp\pkcs11.log
SUCCESS: PKCS#11 library path set to path_to_library
NOTE When using a system that has been properly installed it is not necessary to provide the 'module' parameter as it will assume a default installation location.
Disabling Console Logging
pkcs11config trace --console --disable
Disabling File Logging
pkcs11config trace --log --disable
Disabling both File Logging and Console Logging
pkcs11config trace --disable
To see a list of all trace options, see trace options.