Edit the Futurex PKCS #11 configuration file to connect the library to the Vectera Plus HSM.
The default configuration file location on Linux is /etc/fxpkcs11.cfg. To use a custom location, set the FXPKCS11_CFG environment variable.
Open the configuration file and set the following values:
```xml
<HSM>
    <SLOT>0</SLOT>
    <LABEL>Futurex</LABEL>
    <CRYPTO-OPR>[identity_name]</CRYPTO-OPR>
    <CRYPTO-OPR-PASS>[identity_password]</CRYPTO-OPR-PASS>
    <ADDRESS>[hsm_ip_address]</ADDRESS>
    <PROD-PORT>9100</PROD-PORT>
    <PROD-TLS-ENABLED>YES</PROD-TLS-ENABLED>
    <PROD-TLS-ANONYMOUS>NO</PROD-TLS-ANONYMOUS>
    <PROD-TLS-CA>[ca_cert_path]</PROD-TLS-CA>
    <PROD-TLS-KEY>[pkcs12_path]</PROD-TLS-KEY>
    <PROD-TLS-KEY-PASS>[pkcs12_password]</PROD-TLS-KEY-PASS>
    <FX-LOAD-BALANCE>NO</FX-LOAD-BALANCE>
</HSM>
```

| Field | Description |
|---|---|
| SLOT | Slot number (default: 0) |
| LABEL | Label for the HSM slot (default: Futurex) |
| CRYPTO-OPR | Identity name created on the Vectera Plus |
| CRYPTO-OPR-PASS | Password for the identity |
| ADDRESS | IP address or hostname of the Vectera Plus |
| PROD-PORT | Excrypt port (default: 9100) |
| PROD-TLS-ENABLED | Enable TLS (YES or NO) |
| PROD-TLS-ANONYMOUS | Anonymous TLS mode (YES or NO) |
| PROD-TLS-CA | Path to the CA certificate chain file |
| PROD-TLS-KEY | Path to the client PKCS #12 file |
| PROD-TLS-KEY-PASS | Password for the PKCS #12 file |
| FX-LOAD-BALANCE | Enable load balancing (YES or NO) |
Ensure the ADSS Server process user (typically root) has read permissions on the configuration file, PKCS #12 file, and CA certificate chain file. The paths must be absolute.
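
The following pre-flight check is an added example, not part of the Futurex or ADSS Server tooling. It compares the `<HSM>` section with the values set above and confirms that the certificate paths are absolute and readable. The function names `parse_hsm` and `audit` are hypothetical, the parser assumes one `<TAG>value</TAG>` entry per line, and the group/other-readable test is an extra check that this page does not require. Run it as the ADSS Server process user so the read test reflects that account.

```python
import os
import re
import stat

# Values this page sets for a TLS-authenticated connection.
EXPECTED = {"PROD-TLS-ENABLED": "YES", "PROD-TLS-ANONYMOUS": "NO"}
PATH_FIELDS = ("PROD-TLS-CA", "PROD-TLS-KEY")
SECRET_FIELDS = ("CRYPTO-OPR-PASS", "PROD-TLS-KEY-PASS")

def parse_hsm(text):
    """Return {TAG: value} for single-line <TAG>value</TAG> entries inside <HSM>."""
    m = re.search(r"<HSM>(.*?)</HSM>", text, re.S)
    if not m:
        raise ValueError("no <HSM> section found")
    return {k: v.strip() for k, v in
            re.findall(r"<([A-Z0-9-]+)>([^<\n]*)</\1>", m.group(1))}

def audit(cfg_path):
    """Return a list of findings; an empty list means every check passed."""
    with open(cfg_path, encoding="utf-8") as fh:
        hsm = parse_hsm(fh.read())
    findings = []
    for tag, want in EXPECTED.items():
        if hsm.get(tag, "").upper() != want:
            findings.append(f"{tag} is {hsm.get(tag)!r}, expected {want}")
    for tag, value in hsm.items():
        if re.fullmatch(r"\[.*\]", value):
            findings.append(f"{tag} still holds the placeholder {value}")
    for tag in PATH_FIELDS:
        path = hsm.get(tag, "")
        if not os.path.isabs(path):
            findings.append(f"{tag} is not an absolute path: {path!r}")
        elif not os.access(path, os.R_OK):
            findings.append(f"{tag} is not readable by this user: {path}")
    # Extra check, not from the page: the file stores passwords in clear text.
    has_secret = any(hsm.get(t) for t in SECRET_FIELDS)
    if has_secret and os.stat(cfg_path).st_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"{cfg_path} holds passwords but is group/other-readable")
    return findings

if __name__ == "__main__":
    cfg = os.environ.get("FXPKCS11_CFG", "/etc/fxpkcs11.cfg")
    for line in audit(cfg) if os.path.isfile(cfg) else [f"{cfg} not found"]:
        print("FINDING:", line)
```
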
Add special defines for FIPS mode
If the Vectera Plus operates in FIPS mode, add the following defines to the configuration file:
```xml
<CRYPTO-OPR2>[second_identity_name]</CRYPTO-OPR2>
<FORCED-ASYMMETRIC-USAGE>SIGN | VERIFY</FORCED-ASYMMETRIC-USAGE>
<KEY-REQUIRE-LOGIN>NO</KEY-REQUIRE-LOGIN>
```