The Protegrity documentation suite for 7.2.1 contains a guide named Protegrity Key Management Guide. The appendix of the guide has a section describing the steps to use Futurex devices or services as an HSM (Switching from Soft HSM to Futurex HSM).

Configure the initial settings

Version 7.2.1 of the Protegrity Data Protection Platform requires drivers that support Debian 9 with OpenSSL version 1.0.2. Futurex PKCS #11 module version 4.57 (fxpkcs11-debian9-ssl1.0-4.57-ca22.tar) contains a compliant driver: the file fxpkcs11/x64/OpenSSL-1.0.x/libfxpkcs11.so in the tar archive.

Upload the server and client certificate files, the client private key file, the PKCS #11 driver (libfxpkcs11.so), and the fxpkcs11.cfg file to ESA, and move them into the /opt/protegrity/hsm/external directory. Protegrity recommends putting all files in a tgz archive. After you upload and extract the files to /opt/protegrity/hsm/external, set the file permissions to 744 and ensure that the file owner is service_admin.

Set the following environment variables in the /opt/protegrity/hsm/external/hsm.env configuration file, as shown in the following example:
export PTY_PKCS11_LIBRARY=${HSM_DIR}/libfxpkcs11.so
export PTY_PKCS11_ENV_KEY=FXPKCS11_CFG
export PTY_PKCS11_ENV_VALUE=${HSM_DIR}/fxpkcs11.cfg
export PTY_PKCS11_SLOT=<slot_id>
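
A pre-flight check for the staging steps above, written as an added example (it is not part of the Protegrity or Futurex documentation). The function name, its arguments and the extra-file list are this example's own; the directory, mode 744, owner and variable names are the ones given above.

```shell
#!/bin/sh
# Added example: verify the staged Futurex files before restarting the
# HSM Gateway. Mode 744, the owner and the variable names come from the
# page; check_hsm_staging and its arguments are hypothetical helpers.

# check_hsm_staging DIR OWNER [EXTRA_FILE...]
#   EXTRA_FILE: certificate and key file names (site-specific, not on the page).
# Prints one line per problem; returns 0 only when nothing is wrong.
# On ESA: check_hsm_staging /opt/protegrity/hsm/external service_admin <files>
check_hsm_staging() {
    dir=$1; owner=$2; shift 2
    rc=0
    for f in libfxpkcs11.so fxpkcs11.cfg "$@"; do
        if [ ! -f "$dir/$f" ]; then
            echo "MISSING     $dir/$f"; rc=1
        # find prints the path only if mode is exactly 744 and owner matches.
        elif [ -z "$(find "$dir/$f" -maxdepth 0 -perm 744 -user "$owner" 2>/dev/null)" ]; then
            echo "MODE/OWNER  $dir/$f (want 744, $owner)"; rc=1
        fi
    done
    env_file=$dir/hsm.env
    if [ ! -f "$env_file" ]; then
        echo "MISSING     $env_file"; return 1
    fi
    for var in PTY_PKCS11_LIBRARY PTY_PKCS11_ENV_KEY \
               PTY_PKCS11_ENV_VALUE PTY_PKCS11_SLOT; do
        grep -Eq "^export ${var}=.+" "$env_file" ||
            { echo "UNSET       $var in $env_file"; rc=1; }
    done
    # The template value <slot_id> must have been replaced with a real slot.
    if grep -Eq '^export PTY_PKCS11_SLOT=.*<' "$env_file"; then
        echo "PLACEHOLDER PTY_PKCS11_SLOT still set to <slot_id>"; rc=1
    fi
    return $rc
}
```
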
After you complete the configuration, perform the following steps to restart the HSM Gateway service on ESA and set the crypto user PIN:
1. In the ESA Web UI, go to System > Services.
2. Restart the HSM Gateway service.
3. Set the User PIN for the ESA to connect to the CryptoHub.
  • In the ESA Web UI, go to Key Management > HSM > HSM.
  • Select [ Set User PIN ].
  • Enter the CryptoHub identity password configured inside the <CRYPTO-OPR-PASS> tag in the fxpkcs11.cfg file.
4. A dialog box to set the User PIN appears.

Test the configuration

The ESA UI has built-in functionality to verify the configuration. The test checks connectivity and authentication to the HSM (such as CryptoHub). It also validates that the HSM generates random bytes, which confirms successful authentication and connection.
1. In the ESA Web UI, go to Key Management > HSM > HSM.
2. Select [ Test ].
   The Test HSM Connection dialog box appears. If the test succeeds, green icons appear for the tests performed.
3. Select [ OK ].

Activate the configuration

Perform the following steps to set the HSM as active:
1. In the ESA Web UI, go to Key Management > HSM > HSM.
2. Select [ Set As Active ].
3. Select [ OK ] in the confirmation box.