PKCS#11 Tracer getting started guide

This guide explains how to use the SandboxAQ PKCS#11 Tracer to obtain a cryptography trace from a PKCS#11 application.

Prerequisites

Before using the PKCS#11 Tracer, make sure you’ve followed the installation instructions.

You’ll also need a PKCS#11 application that you can run in a terminal.

Tracing the application

To trace an application:

First, configure the application to use the PKCS#11 Tracer DLL (pkcs11_tracer.so) instead of its original DLL.

Next, configure the PKCS#11 Tracer to redirect PKCS#11 calls to the original DLL with the CS_DLL_TARGET environment variable:

export CS_DLL_TARGET=/path/to/real/dll

Navigate to a directory where you have write permissions and configure it to receive the generated traces:

export CS_OUTPUT_DIR=/path/to/trace/output/directory

Lastly, run the application from the command line:

./application

When your application has finished executing, the directory you chose earlier will contain the generated trace and log file(s):

/path/to/trace/output/directory
├── trace_2022-06-08-15-32-30-693-17920.cst.gz
└── log_2022-06-08-15-32-30-693-17920.log

Note

If the traced application is terminated abruptly, the resulting gzip file may be missing a trailer and appear to be corrupted. However, AQtive Guard should still be able to analyze the contents of the trace.

Upload the trace to AQtive Guard to run an analysis and generate a report. Refer to these instructions:

• Web Interface - Uploading a new trace
• API - Upload a trace using the API Client

Refer to Configuration in the PKCS#11 Tracer reference for a list of available parameters.