> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Edit the Futurex PKCS #11 configuration file

> Instructions for editing the Futurex PKCS #11 configuration file (fxpkcs11.cfg) to set HSM connection parameters.

The Futurex PKCS #11 library uses the Futurex PKCS #11 configuration file, `fxpkcs11.cfg`, to connect to the HSM. It enables you to modify certain configurations and set connection details. This section covers the `<HSM>` portion of the **FXPKCS11** configuration file, where you configure the connection details.

<Note>
  By default, the FXPKCS11 library looks for the configuration file in `C:\Program Files\Futurex\fxpkcs11\fxpkcs11.cfg` for Windows and `/etc/fxpkcs11.cfg` for Linux. Alternatively, you can set the FXPKCS11\_CFG environment variable to the location of the `fxpkcs11.cfg` file.
</Note>

Open the `fxpkcs11.cfg` file in a text editor as an administrator and edit it accordingly.

```none expandable lines wrap title="None" theme={null}
<HSM>
    # Which PKCS11 slot
    <SLOT>                  0                       </SLOT>
    <LABEL>                 Futurex                 </LABEL>

    # HSM crypto operator user name
    <CRYPTO-OPR>            [identity_name]         </CRYPTO-OPR>
    # Automatically login on session open
    <CRYPTO-OPR-PASS>       [identity_password]     </CRYPTO-OPR-PASS>

    # Connection information
    <ADDRESS>               [hsm_ip_address]        </ADDRESS>
    <PROD-PORT>             9100                    </PROD-PORT>
    <PROD-TLS-ENABLED>      YES                     </PROD-TLS-ENABLED>
    <PROD-TLS-ANONYMOUS>    NO                      </PROD-TLS-ANONYMOUS>
#    <PROD-TLS-CA>           /home/user/tls/root.pem        </PROD-TLS-CA>
#    <PROD-TLS-CA>           /home/user/tls/sub1.pem     </PROD-TLS-CA>
#    <PROD-TLS-CA>           /home/user/tls/sub2.pem     </PROD-TLS-CA>
    <PROD-TLS-KEY>          /home/user/tls/PKI.p12       </PROD-TLS-KEY>
    <PROD-TLS-KEY-PASS>     safest                  </PROD-TLS-KEY-PASS>

    # YES = This is communicating through a Guardian
    <FX-LOAD-BALANCE>       NO                      </FX-LOAD-BALANCE>
</HSM>
```

<table>
  <thead>
    <tr>
      <th><em><strong>Field</strong></em></th>
      <th><em><strong>Description</strong></em></th>
    </tr>
  </thead>

  <tbody>
    <tr>
      <td><code>\<SLOT></code></td>
      <td>Leave it set to the default value of <strong>0</strong>.</td>
    </tr>

    <tr>
      <td><code>\<LABEL></code></td>
      <td>Leave it set to the default value of <strong>Futurex</strong>.</td>
    </tr>

    <tr>
      <td><code>\<CRYPTO-OPR></code></td>
      <td>Specify the name of the<strong> identity</strong> created for the application partition.</td>
    </tr>

    <tr>
      <td><code>\<CRYPTO-OPR-PASS></code></td>
      <td>Specify the password of the identity configured in the <code>\<CRYPTO-OPR></code> field. You can use this to log the application into the HSM automatically if necessary.</td>
    </tr>

    <tr>
      <td><code>\<ADDRESS></code></td>
      <td>Specify the <strong>IP address</strong> of the HSM to which the PKCS #11 library should connect.</td>
    </tr>

    <tr>
      <td><code>\<PROD-PORT></code></td>
      <td>Set the port number of the HSM to which the FXPKCS11 library should connect.</td>
    </tr>

    <tr>
      <td><code>\<PROD-TLS-ENABLED></code></td>
      <td>Set the field to <strong>YES</strong>. </td>
    </tr>

    <tr>
      <td><code>\<PROD-TLS-ANONYMOUS></code></td>
      <td>Defines whether the<strong> FXPKCS11</strong> library authenticates to the server.</td>
    </tr>

    <tr>
      <td><code>\<PROD-TLS-KEY></code></td>
      <td>Set the location of the client private key. We support the following formats for the TLS private key:<ul><li> <strong>PKCS #1</strong> clear private keys</li><li><strong>PKCS #8</strong> encrypted private keys</li><li>a <strong>PKCS #12</strong> file that contains the private key and certificates encrypted under a password.</li></ul><Note>Because the <code>\<PROD-TLS-KEY></code> field in this example defines a PKCS #12 file, you do not need to define the signed client cert with the <code>\<PROD-TLS-CERT></code> tag, nor the CA certificates with one or more instances of the <code>\<PROD-TLS-CA></code> tag.<br /></Note></td>
    </tr>

    <tr>
      <td><code>\<PROD-TLS-KEY-PASS></code></td>
      <td>Set the password of the PKCS #12 file, if necessary.</td>
    </tr>

    <tr>
      <td><code>\<FX-LOAD-BALANCE></code></td>
      <td>If you use a Guardian to manage HSM devices in a cluster, set this field to <strong>YES</strong>. <br />If you don't use a Guardian, set it to <strong>NO</strong></td>
    </tr>
  </tbody>
</table>

After you finish editing the `fxpkcs11.cfg` file, run the `PKCS11Manager` file to test the connection against the HSM, and check the `fxpkcs11.log` for errors and information. For more information, see the Futurex PKCS #11 technical reference found on the Futurex Portal.