Skip to main content
This section explains how to integrate CryptoHub with the Password Safe product by installing the FxPKCS11 x64 and x86 drivers, along with the required configuration file, into the appropriate directory. These components enable the BeyondTrust configuration utility to communicate properly with CryptoHub.

Transferring the CryptoHub endpoint zip files to the U-Series Appliance

If you have a virtual U-Series Appliance, BeyondTrust locks it down significantly. For example, it does not include a browser, and many PowerShell commands are unavailable. One method for transferring files to the virtual appliance is wget, but we will leave it to the user to decide how they want to transfer the endpoint zip files to the machine running the U-Series Appliance.

Install FxPKCS11 on the Windows machine running the U-Series Appliance

Perform the following steps to install FxPKCS11 on the Windows machine that’s running the BeyondTrust U-Series Appliance:
Perform the steps below only for one of the two Endpoint zips that you downloaded from CryptoHub and transferred to the U-Series Appliance. For the other Endpoint zip, you only need to extract it and copy the fxpkcs11.dll file that is inside to the same directory as the rest of the files below. The result will be two different FxPKCS11 module files in the C:\Program Files\Futurex\fxpkcs11 directory. One should be named fxpkcs11.dll and the other you should re-name to fxpkcs11-x86.dll.
1
The zip files contain the following files:
PKCS11Manager.exeProgram to test the connection to the CryptoHub and perform basic functions through the FxPKCS11 module (login, RNG, etc.).
configTest.exeProgram to test configuration and connection to the CryptoHub.
fxpkcs11.dllThe Futurex PKCS #11 library file.
fxpkcs11.cfgPreconfigured FxPKCS11 configuration file for connecting/authenticating to CryptoHub.
client-cert.pemClient TLS certificate
client.p12Full Client PKI in encrypted PKCS #12 format (CA chain + client cert + client private key).
ca-chain.pemCA certificate bundle (Futurex Test CAs + auto-generated service CA)
CryptoHub 1234567890.cerAuto-generated self-signed CA certificate used to issue client endpoint TLS certs (number is random).
Futurex Test Root CA (ECC).cerECC Futurex Test Root CA for embedded Futurex Test TLS certs.
Futurex Test Root SSL CA.cerRSA Futurex Test Root CA for embedded Futurex Test TLS certs
2
Move all of the preceding FxPKCS11 files to C:\Program Files\Futurex\fxpkcs11. Create the Futurex\fxpkcs11 directory as an administrator.
3
The Futurex PKCS #11 module expects to find the FxPKCS11 configuration file (fxpkcs11.cfg) in the C:\Program Files\Futurex\fxpkcs11 directory by default.
4
To make sure that communication can be established between the U-Series Appliance and CryptoHub , run the PKCS11Manager program. If connection is successful, the Main Menu should appear.

Configure the FxPKCS11 library in BeyondInsight

1
On the U-Series Appliance, select the Windows symbol.
2
Select the BeyondTrust > BeyondInsight Configuration.
3
Select [ Yes ] on the User Account Control popup message.
4
On the right-hand side, select Configure HSM Credentials.
5
Select [ Edit ] on the top left side, then select [ Add New HSM Credential ].
6
Under 32-bit Driver Path, select “Click Here to Set 32-bit”.Navigate to the C:\Program Files\Futurex\fxpkcs11 folder and select the fxpkcs11-x86.dll file.
7
Under the 64-bit Driver Path, select “Click Here to Set 64-bit”.Navigate to the C:\Program Files\Futurex\fxpkcs11 folder and select the fxpkcs11.dll file.
8
The row in the Slot column should automatically be filled.
9
Enter a unique key name under Key Name.
10
Enter a description under Description.
11
If the user has changed the PIN/Password for the endpoint, enter it under the PIN column. If the user kept the default password for the endpoint, please follow the steps below:
  1. To attain the PIN value, open the Notepad application.
  2. Select File > Open....
  3. On the bottom right side, in the drop down menu with the default value Text Documents (*.txt), select All Files.
  4. Navigate to the fxpkcs11 folder.
  5. Select the fxpkcs11.cfg file.
  6. Scroll down and copy the value between <CRYPTO-OPR-PASS> and </CRYPTO-OPR-PASS>.
  7. Go back to theConfigure HSM Credentials window and paste in the value into the PIN field.
12
Select the [ Test Active Credential ] to test if BeyondInsight can successfully communicate with CryptoHub.
If the connection is successful, a text box should appear showing:
None
HSM connection successful.
13
Select [ Save and Close ].