Enabling the logging support while running the EP11 token

This topic describes how to run the EP11 token with logging support enabled.

You can enable logging support by setting the environment variable OPENCRYPTOKI_TRACE_LEVEL. If the environment variable is not set, logging is disabled by default.

Table 1. EP11 log levels

  Log level   Description
  ---------   --------------------------------------------------------------------------
  1           Log error messages.
  2           Log warning messages.
  3           Log informational messages.
  4           Log development debug messages. These messages may help with debugging
              while developing PKCS #11 applications.
  5           Log debug messages that are useful to openCryptoki developers. This level
              must be enabled via the --enable-debug option of the configure script.

If a log level > 0 is set in the environment variable OPENCRYPTOKI_TRACE_LEVEL, log entries are written to the file /var/log/opencryptoki/trace.<pid>. In this file name, <pid> denotes the process ID of the running process that uses the EP11 token.

The log file is created with the invoking user as owner, group pkcs11, and permission 640 (user: read, write; group: read only; others: nothing). A new log file is created during token initialization for every application that uses openCryptoki with the EP11 token. A working EP11 stack requires an EP11 coprocessor card and an appropriate device driver with EP11 support.

A log level > 3 is only recommended for developers.

How to avoid common mistakes

  • Do not configure or use an EP11 token before the master key is set on the associated adapters. Otherwise, token initialization fails and an appropriate syslog message is issued.
  • Do not let a user who does not belong to the pkcs11 group invoke openCryptoki. Be aware that adding a user to a new group does not change the group membership of sessions that were logged in before the change.
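The following shell script is an added example and is not part of the openCryptoki project or of this documentation. It ties together the logging procedure above (setting OPENCRYPTOKI_TRACE_LEVEL for one process, locating the resulting trace.<pid> file and checking its documented mode 640 and group pkcs11) with the second common-mistake item (verifying that the current login session actually carries the pkcs11 group, since a freshly added group membership does not apply to sessions opened earlier). It assumes a Linux system with GNU coreutils (stat -c) and that the trace directory is /var/log/opencryptoki; the TRACE_DIR variable and all function names are choices made for this example.

```shell
#!/bin/bash
# Added example; not from openCryptoki or IBM documentation.
# Assumes GNU stat (-c) and the documented trace directory.
TRACE_DIR="${TRACE_DIR:-/var/log/opencryptoki}"

# Accept only values the documentation defines: empty (variable not set,
# logging disabled), 0 (disabled) or the documented levels 1-5.
valid_trace_level() {
    case "$1" in
        ''|[0-5]) return 0 ;;
        *)        return 1 ;;
    esac
}

# Run a PKCS #11 application with a given trace level and print the path of
# the trace file the EP11 token is expected to create for that process ID.
run_traced() {
    level="$1"; shift
    valid_trace_level "$level" || { echo "invalid trace level: $level" >&2; return 2; }
    if [ -z "$level" ]; then
        "$@" &                                   # variable unset: logging stays off
    else
        OPENCRYPTOKI_TRACE_LEVEL="$level" "$@" & # scoped to this process only
    fi
    pid=$!
    wait "$pid"; rc=$?
    echo "$TRACE_DIR/trace.$pid"
    return $rc
}

# Verify a trace file has the documented protection: mode 640 and group
# pkcs11. A trace file readable by "others" would expose the PKCS #11 call
# flow of the application to every local user.
check_trace_file() {
    f="$1"; expected_group="${2:-pkcs11}"
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    mode=$(stat -c '%a' "$f"); group=$(stat -c '%G' "$f")
    ok=0
    [ "$mode" = "640" ] || { echo "$f: mode $mode, expected 640"; ok=1; }
    [ "$group" = "$expected_group" ] || { echo "$f: group $group, expected $expected_group"; ok=1; }
    return $ok
}

# Check the groups of the *current session* (id -nG), not /etc/group: a user
# added to pkcs11 after logging in still lacks the group here until re-login.
session_in_group() {
    want="${1:-pkcs11}"
    for g in $(id -nG); do
        [ "$g" = "$want" ] && return 0
    done
    return 1
}

# Typical use (requires the EP11 stack): session_in_group && run_traced 3 ./my_pkcs11_app
```

Run `session_in_group || echo "re-login required"` first; if it fails, openCryptoki will be invoked without the pkcs11 group even though the account was added to it. After the application exits, pass the printed path to `check_trace_file` to confirm the file did not end up with looser permissions than documented.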