Edit the Futurex CNG configuration file

The Futurex CNG library uses the fxcng.cfg configuration file to connect to the HSM. It enables you to modify certain configurations and set connection details. This section covers the <HSM> portion of the FXCNG config file, where you set the connection details.

By default, the FXCNG library looks for the configuration file at C:\Program Files\Futurex\fxcng\fxcng.cfg. Alternatively, you can set the FXCNG_CFG environment variable to the location of the fxcng.cfg file.

Open the fxcng.cfg file in a text editor as an administrator and edit it accordingly.

None

<HSM>
    # Which PKCS11 slot
    <SLOT>                  0                       </SLOT>
    <LABEL>                 Futurex                 </LABEL>

    # HSM crypto operator user name
    <CRYPTO-OPR>            [identity_name]         </CRYPTO-OPR>
    # Automatically login on session open
    <CRYPTO-OPR-PASS>       [identity_password]     </CRYPTO-OPR-PASS>

    # Connection information
    <ADDRESS>               [hsm_ip_address]        </ADDRESS>
    <PROD-PORT>             9100                    </PROD-PORT>
    <PROD-TLS-ENABLED>      YES                     </PROD-TLS-ENABLED>
    <PROD-TLS-ANONYMOUS>    NO                      </PROD-TLS-ANONYMOUS>
    # Windows Certificate Store
    <PROD-TLS-ENGINE>       WINDOWS                </PROD-TLS-ENGINE>
    <PROD-TLS-WIN-STORE>    My                     </PROD-TLS-WIN-STORE>
    <PROD-TLS-KEY>          Futurex CNG         </PROD-TLS-KEY>
    <PROD-TLS-CA>           /path/to/TlsCa.pem     </PROD-TLS-CA>

#    <PROD-TLS-CA>          /home/user/tls/root.pem  </PROD-TLS-CA>
#    <PROD-TLS-CA>          /home/user/tls/sub1.pem  </PROD-TLS-CA>
#    <PROD-TLS-CA>          /home/user/tls/sub2.pem  </PROD-TLS-CA>
#    <PROD-TLS-KEY>          C:\TLS\ClientPKI.p12    </PROD-TLS-KEY>
#    <PROD-TLS-KEY-PASS>     safest                  </PROD-TLS-KEY-PASS>

    # YES = This is communicating through a Guardian
    <FX-LOAD-BALANCE>       NO                      </FX-LOAD-BALANCE>
</HSM>

Field	Description
`<SLOT>`	Leave it set to the default value of `0`.
`<LABEL>`	Leave it set to the default value of Futurex.
`<CRYPTO-OPR>`	Specify the name of the identity created for the application partition.
`<CRYPTO-OPR-PASS>`	Specify the password of the identity configured in the `<CRYPTO-OPR>` field. Use this to log the application into the HSM automatically if required.
`<ADDRESS>`	Specify the IP address of the HSM to which the FXCNG library should connect.
`<PROD-PORT>`	Set the port number of the HSM that the FXCNG library should connect to.
`<PROD-TLS-ENABLED>`	Set the field to YES.
`<PROD-TLS-ANONYMOUS>`	Defines whether the FXPKCS11 library authenticates to the server.
`<PROD-TLS-ENGINE>`	Setting the define to WINDOWS specifies that the TLS connection certificate is saved in the Windows Certificate Store rather than the local file system.
`<PROD-TLS-WIN-STORE>`	Specifying My in this field tells the FXCNG library to look for the TLS client certificate in the Personal Windows Certificate Store.
`<PROD-TLS-KEY>`	Specifies the Common Name of the TLS client certificate.
`<PROD-TLS-CA>`	You can use multiple instances of this define to specify where to save the CA certificate(s) in the file system. FXCNG does not pull CAs from the Windows Certificate Store.
`<FX-LOAD-BALANCE>`	Set this field to YES if you use a Guardian to manage HSM devices in a cluster. If you don’t use a Guardian, set it to NO

After you finish editing the fxcng.cfg file, run the CNGInstallUtil file to test the connection against the HSM, and check the FxCNG-Install-Log.txt file for errors and information.

Special define required for this integration

Add the following define to the <CONFIG> section of the FXCNG configuration file:

None

<LOGOUT-ON-SESSION-CLOSE> NO </LOGOUT-ON-SESSION-CLOSE>

​Special define required for this integration

Special define required for this integration