# Configure the transaction processing connection

> Configure the transaction processing connection with the required permissions.

<Note>
  For this step, you need to log in with an identity that has a role with the following permissions: Role:Add, Role:Assign All Permissions, Role:Modify, Keys:All Slots, and Command Settings:Excrypt. You can use the default Administrator role and Admin identities.
</Note>

<Note>
  This integration guide treats the terms application partition and role as synonymous.
</Note>

Before it logs in to the HSM as an authenticated user, an application connects through a transaction processing connection to the transaction processing application partition. Because this partition is in use before authentication, harden it as follows:

* It should not have the **All Slots** permission.
* It should not have access to any key slots.
* It should have only the PKCS #11 communication commands enabled.

Choose one of the following methods to configure the transaction processing connection:

## Excrypt Manager

Perform the following steps to configure a transaction processing connection on Excrypt Manager:

<Steps>
  <Step>
    Go to the **Application Partitions** menu, select the transaction processing application partition, and select **\[ Modify ]**.
  </Step>

  <Step>
    In the **Permissions** tab, leave the top-level **Keys** permission checked and uncheck the **All Slots** sub-permission.
  </Step>

  <Step>
    In the **Key Slots** tab, ensure that the settings do not specify key ranges. By default, the transaction processing application partition can access the entire range of key slots on the HSM.
  </Step>

  <Step>
    In the **Commands** tab, make sure to enable only the following PKCS #11 Communication commands:

    <table>
      <thead>
        <tr>
          <th><em><strong>Command</strong></em></th>
          <th><em><strong>Description</strong></em></th>
        </tr>
      </thead>

      <tbody>
        <tr>
          <td><strong>ASYS</strong></td>
          <td>Generate signature using PKI private key</td>
        </tr>

        <tr>
          <td><strong>ECHO</strong></td>
          <td>Communication Test/Retrieve Version</td>
        </tr>

        <tr>
          <td><strong>GPKM</strong></td>
          <td>Retrieve key table information</td>
        </tr>

        <tr>
          <td><strong>GPKR</strong></td>
          <td>General-purpose key settings get (read-only)</td>
        </tr>

        <tr>
          <td><strong>GPKS</strong></td>
          <td>General-purpose key settings get/change</td>
        </tr>

        <tr>
          <td><strong>HASH</strong></td>
          <td>Retrieve device serial</td>
        </tr>

        <tr>
          <td><strong>PRMD</strong></td>
          <td>Retrieve HSM restrictions</td>
        </tr>

        <tr>
          <td><strong>RAND</strong></td>
          <td>Generate random data</td>
        </tr>

        <tr>
          <td><strong>STAT</strong></td>
          <td>HSM statistics</td>
        </tr>

        <tr>
          <td><strong>TIME</strong></td>
          <td>Set time</td>
        </tr>
      </tbody>
    </table>
  </Step>
</Steps>

## FXCLI

Run the following **role modify** FXCLI commands to remove all permissions and key ranges that are currently assigned to the **Transaction Processing** role and enable only the PKCS #11 Communication commands:

<Note>
  Because the Transaction Processing role was previously called the Anonymous role, the following commands specify Anonymous in the name field.
</Note>

```shell title="FXCLI" expandable lines wrap theme={null}
  role modify --name Anonymous --clear-perms --clear-key-ranges
```

```shell title="FXCLI" expandable lines wrap theme={null}
  role modify --name Anonymous --add-perm "Keys" --add-perm Excrypt:ASYS --add-perm Excrypt:ECHO --add-perm Excrypt:GPKM --add-perm Excrypt:GPKR --add-perm Excrypt:GPKS --add-perm Excrypt:HASH --add-perm Excrypt:PRMD --add-perm Excrypt:RAND --add-perm Excrypt:STAT --add-perm Excrypt:TIME
```
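
After either method, you can confirm that the role carries exactly the permissions listed above and nothing else. The script below is an added example, not Futurex code: it assumes you have placed the role's assigned permissions in a text file, one per line, in the same form as the `--add-perm` arguments (the file format and the `audit_role_perms` function name are assumptions, not FXCLI features).

```shell
#!/bin/sh
# Added example: audit a role's permission list against this page's allowlist.
# Assumption: input is one permission per line, written like the --add-perm
# arguments ("Keys", "Excrypt:ECHO"); it is not a documented FXCLI output format.
ALLOWED_PERMS='Keys
Excrypt:ASYS
Excrypt:ECHO
Excrypt:GPKM
Excrypt:GPKR
Excrypt:GPKS
Excrypt:HASH
Excrypt:PRMD
Excrypt:RAND
Excrypt:STAT
Excrypt:TIME'

# audit_role_perms FILE: prints "EXTRA <perm>" / "MISSING <perm>" findings and
# returns 0 only when the list matches the allowlist exactly.
audit_role_perms() {
    # Normalise: drop CRs, trim whitespace, skip blank lines, de-duplicate.
    actual=$(tr -d '\r' <"$1" |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' | sort -u)
    rc=0
    while IFS= read -r perm; do
        [ -n "$perm" ] || continue
        if ! printf '%s\n' "$ALLOWED_PERMS" | grep -Fxq -- "$perm"; then
            printf 'EXTRA %s\n' "$perm"   # e.g. a leftover "Keys:All Slots"
            rc=1
        fi
    done <<EOF
$actual
EOF
    while IFS= read -r perm; do
        if ! printf '%s\n' "$actual" | grep -Fxq -- "$perm"; then
            printf 'MISSING %s\n' "$perm"
            rc=1
        fi
    done <<EOF
$ALLOWED_PERMS
EOF
    return "$rc"
}

# Constructed sample: All Slots and Role:Modify still assigned, two commands enabled.
sample=$(mktemp)
printf '%s\n' 'Keys' 'Keys:All Slots' 'Role:Modify' \
    'Excrypt:ECHO' 'Excrypt:RAND' >"$sample"
audit_role_perms "$sample" || echo 'role deviates from the hardened profile'
rm -f "$sample"
```

Any `EXTRA` line means the partition still has more access than this page allows; this check does not cover key ranges, which you verify separately in the **Key Slots** tab.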
