This section provides instructions for performing the minimum initial setup tasks required for all payment-related use cases on Futurex HSMs. You can make these configurations by using either Excrypt Manager or Futurex Client Tools (FXCLI).
  • FXCLI (required)
    • Available for all operating systems
    • You can use this tool to perform all initial setup tasks, but you must use it to configure TLS mutual authentication between the HSM and the payment application you are integrating.
  • Excrypt Manager (optional)
    • Available only for Windows
    • This tool provides a GUI option for performing most initial configurations on the HSM.

Install FXCLI

Choose one of the following operating systems and perform the instructions:

Windows

Perform the following steps to install FXCLI on Windows:
1. The FXTools installation package includes FXCLI. The easiest way to install FXCLI on Windows is by installing FXTools. You can download FXTools from the Futurex Portal.
2. To install FXCLI, run the Futurex Tools installer as an administrator and follow the prompts in the setup wizard to complete the installation.
3. By default, all tools are installed on the system. You can override this default and choose not to install certain modules. The modules include:

| Module | Description |
| --- | --- |
| Futurex Client Tools | Command Line Interface (CLI) and associated SDK for both Java and C. |
| Futurex CNG Module | The Microsoft Next Generation Cryptographic Library. |
| Futurex Cryptographic Service Provider (CSP) | The Legacy Microsoft Cryptographic Library. |
| Futurex EKM Module | The Microsoft Enterprise Key Management library. |
| Futurex PKCS #11 Module | The Futurex PKCS #11 library and associated tools. |
| Futurex Secure Access Client | The client used to connect an Excrypt Touch to a local laptop through USB with a remote Futurex device. |

4. After starting the installation, all noted services are installed. If the Futurex Secure Access Client was selected, the Futurex Excrypt Touch driver is also installed. This application might start minimized or run in the background.

Linux

Perform the following steps to install FXCLI on Linux:
1. Download the appropriate FXCLI package files for your system from the Futurex Portal.
2. If the system is 64-bit, select from the files marked amd64. If the system is 32-bit, select from the files marked i386.
3. If running an OpenSSL version in the 1.0.x branch, select from the files marked ssl1.0. If running an OpenSSL version in the 1.1.x branch, select from the files marked ssl1.1.
We offer the following features in FXCLI:
  • Java Software Development Kit (java)
  • HSM command line interface (cli-hsm)
  • KMES command line interface (cli-kmes)
  • Software Development Kit headers (devel)
  • YAML parser used to parse bash output (cli-fxparse)
4. To install an rpm package, run the following command in a terminal:
Shell
sudo rpm -ivh [fxcl-xxxx.rpm]
To install a deb package, run the following command in a terminal:
Shell
sudo dpkg -i [fxcl-xxxx.deb]
5. To run FXCLI and enter the HSM FXCLI prompt, run the following command in a terminal:
Shell
fxcli-hsm
6. After entering the FXCLI prompt, you can run help to list all of the available FXCLI commands.

To configure your HSM, you can use Excrypt Manager, a Windows application that provides a GUI-based method, or FXCLI, a command-line-based method that you can install on all platforms. Keep the following considerations in mind:
  • If you configure the Vectera Plus from a Linux computer, you can skip this section. If you configure it from a Windows computer, perform the FXCLI installation steps in the next section because FXCLI is the only method that you can use to configure TLS certificates in a later section.
  • Install Excrypt Manager on the workstation on which you plan to configure the HSM.
  • If you plan to use a Virtual HSM for the integration, you must perform all configurations by using either FXCLI, the Excrypt Touch, or the Guardian Series 3.
  • The Excrypt Manager version must be from the 4.4.x branch or later to be compatible with the HSM firmware, which must be 7.2.x.x or later.
Perform the following steps to install Excrypt Manager in Windows:
1. To install Excrypt Manager, run the Excrypt Manager installer as an administrator and follow the prompts in the setup wizard to complete the installation.
2. The installation wizard prompts you to specify where you want to install Excrypt Manager. The default location is C:\Program Files\Futurex\Excrypt Manager\. After choosing a location, select [ Install ].

Connect and Log In

For both Excrypt Manager and FXCLI, you must connect your laptop to the front USB port on the HSM. The initial login process described in this section uses the default Admin identities to log in under dual control.
| | User #1 | User #2 |
| --- | --- | --- |
| User ID | Admin1 | Admin2 |
| Password | safe | safe |

Log in and connect

Select the appropriate method and follow the instructions:
1. Open Excrypt Manager and select [ Refresh ] in the lower-right corner of the Connection menu. Then, select USB Connection and select [ Connect ].
2. Log in with both default Admin identities.
3. You must change the default Admin passwords for both of your default Admin identities (Admin1 and Admin2) to load the major keys onto the HSM. To do so through Excrypt Manager, perform the following instructions:
  1. Open the Identity Management menu, select the first default Admin identity (Admin1), and select [ Change Password ].
  2. Enter the old password and enter the new password twice.
  3. Select [ OK ].
  4. Perform the same steps for the second default Admin identity (Admin2).

Configure the network

For this step, you must log in with an identity whose role has the Communication:Network Settings permission. You can use the default Administrator role and Admin identities.
Choose one of the following methods to configure the network:

Excrypt Manager

To use Excrypt Manager to configure the network, go to the Configuration menu and modify the IP address configuration as needed.

FXCLI

To use FXCLI to configure the network, run the network interface modify FXCLI command to set an IP address for the HSM. The following example shows the command syntax:
FXCLI
  network interface modify --interface Ethernet1 --ip 10.221.0.10 --netmask 255.255.255.0 --gateway 10.221.0.1
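
A pre-flight check for the values passed to the command above, as an added example that is not part of the Futurex documentation: it rejects a malformed address, a non-contiguous netmask, or a gateway outside the HSM's subnet before printing the command line to enter at the FXCLI prompt. The function names are hypothetical; the flags and sample addresses are the ones shown on this page.

```shell
#!/bin/sh
# Added example, not Futurex code. Function names are hypothetical.

err() { echo "reject: $*" >&2; }

# Convert a dotted-quad IPv4 address to an integer; fail on malformed input.
ip_to_int() {
    case "$1" in *[!0-9.]*|*..*|.*|*.|'') return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0?*|????*) return 1 ;; esac  # no leading zeros, max 3 digits
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# A netmask is valid when its host bits form one contiguous run of ones.
mask_is_contiguous() {
    m=$(ip_to_int "$1") || return 1
    inv=$(( ~$m & 0xFFFFFFFF ))
    [ "$m" -ne 0 ] && [ $(( $inv & ($inv + 1) )) -eq 0 ]
}

# Validate the addressing, then print the FXCLI command shown on the page.
fx_network_cmd() {
    ip=$(ip_to_int "$2") || { err "malformed IP address"; return 1; }
    mask_is_contiguous "$3" || { err "malformed or non-contiguous netmask"; return 1; }
    mask=$(ip_to_int "$3")
    gw=$(ip_to_int "$4") || { err "malformed gateway"; return 1; }
    net=$(( $ip & $mask ))
    bcast=$(( $net | (~$mask & 0xFFFFFFFF) ))
    [ $(( $gw & $mask )) -eq "$net" ] || { err "gateway is outside the HSM subnet"; return 1; }
    [ "$ip" -ne "$gw" ] || { err "IP address equals gateway"; return 1; }
    for a in "$ip" "$gw"; do
        [ "$a" -ne "$net" ] && [ "$a" -ne "$bcast" ] ||
            { err "network or broadcast address used as a host"; return 1; }
    done
    echo "network interface modify --interface $1 --ip $2 --netmask $3 --gateway $4"
}

# Values from the page pass; a gateway in another /24 (constructed) is rejected.
fx_network_cmd Ethernet1 10.221.0.10 255.255.255.0 10.221.0.1
fx_network_cmd Ethernet1 10.221.0.10 255.255.255.0 10.221.1.1 || true
```
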
At this point during the HSM configuration, consider the following:
  • Except for the final section, which covers creating connection certificates for mutual authentication, you can complete the remaining HSM configurations in this section by using the Guardian Series 3 (see the applicable guide for configuring HSMs for PKCS #11 integrations using the Guardian Series 3).
  • If you are performing the configuration on the HSM directly but plan to add it to a Guardian later, you might have to synchronize the HSM after you add it to a device group on the Guardian.
  • If your use case requires configuration through a CLI, then you should manage the HSMs directly.

Load major keys

The HSM requires you to load an MFK (Master File Key) before use. Depending on the intended use, you can also load a PMK (Platform Master Key), KEK (Key Encryption Key), and FTK (Futurex Token Key) at this point. The HSM enables you to load some major keys through M of N fragmentation or a key wizard. With M of N key fragmentation, you can define the number of required key officers for a key ceremony that is less than the total number of key officers available. This helps maintain security while dramatically reducing the inconvenience of coordinating busy schedules around key ceremonies. Choose the appropriate method and perform the instructions to load major keys:
1. Go to the Key Management menu and select [ Load ] next to the relevant key. You can load keys through M of N fragmentation or a key wizard. If this is the first HSM in a cluster, we recommend that you generate the key and save it to smart cards as M of N fragments.