The Futurex PKCS #11 library uses the Futurex PKCS #11 configuration file, fxpkcs11.cfg, to connect to the HSM. It enables you to modify certain configurations and set connection details. This section covers the <HSM> portion of the FXPKCS11 configuration file, where you configure the connection details.
By default, the FXPKCS11 library looks for the configuration file in C:\Program Files\Futurex\fxpkcs11\fxpkcs11.cfg for Windows and /etc/fxpkcs11.cfg for Linux. Alternatively, you can set the FXPKCS11_CFG environment variable to the location of the fxpkcs11.cfg file.
Open the fxpkcs11.cfg file in a text editor as an administrator and edit it accordingly.
<HSM>
    # Which PKCS11 slot
    <SLOT>                  0                       </SLOT>
    <LABEL>                 Futurex                 </LABEL>

    # HSM crypto operator user name
    <CRYPTO-OPR>            [identity_name]         </CRYPTO-OPR>
    # Automatically login on session open
    <CRYPTO-OPR-PASS>       [identity_password]     </CRYPTO-OPR-PASS>

    # Connection information
    <ADDRESS>               [hsm_ip_address]        </ADDRESS>
    <PROD-PORT>             9100                    </PROD-PORT>
    <PROD-TLS-ENABLED>      YES                     </PROD-TLS-ENABLED>
    <PROD-TLS-ANONYMOUS>    NO                      </PROD-TLS-ANONYMOUS>
#    <PROD-TLS-CA>           /home/user/tls/root.pem        </PROD-TLS-CA>
#    <PROD-TLS-CA>           /home/user/tls/sub1.pem     </PROD-TLS-CA>
#    <PROD-TLS-CA>           /home/user/tls/sub2.pem     </PROD-TLS-CA>
    <PROD-TLS-KEY>          /home/user/tls/PKI.p12       </PROD-TLS-KEY>
    <PROD-TLS-KEY-PASS>     safest                  </PROD-TLS-KEY-PASS>

    # YES = This is communicating through a Guardian
    <FX-LOAD-BALANCE>       NO                      </FX-LOAD-BALANCE>
</HSM>
Field: Description
<SLOT>: Leave it set to the default value of 0.
<LABEL>: Leave it set to the default value of Futurex.
<CRYPTO-OPR>: Specify the name of the identity created for the application partition.
<CRYPTO-OPR-PASS>: Specify the password of the identity configured in the <CRYPTO-OPR> field. You can use this to log the application into the HSM automatically if necessary.
<ADDRESS>: Specify the IP address of the HSM to which the PKCS #11 library should connect.
<PROD-PORT>: Set the port number of the HSM to which the FXPKCS11 library should connect.
<PROD-TLS-ENABLED>: Set the field to YES.
<PROD-TLS-ANONYMOUS>: Defines whether the FXPKCS11 library authenticates to the server.
<PROD-TLS-KEY>: Set the location of the client private key. We support the following formats for the TLS private key:
  • PKCS #1 clear private keys
  • PKCS #8 encrypted private keys
  • a PKCS #12 file that contains the private key and certificates encrypted under a password.
Because the <PROD-TLS-KEY> field in this example defines a PKCS #12 file, you do not need to define the signed client cert with the <PROD-TLS-CERT> tag, nor the CA certificates with one or more instances of the <PROD-TLS-CA> tag.
<PROD-TLS-KEY-PASS>: Set the password of the PKCS #12 file, if necessary.
<FX-LOAD-BALANCE>: If you use a Guardian to manage HSM devices in a cluster, set this field to YES. If you don’t use a Guardian, set it to NO.
After you finish editing the fxpkcs11.cfg file, run the PKCS11Manager file to test the connection against the HSM, and check the fxpkcs11.log for errors and information. For more information, see the Futurex PKCS #11 technical reference found on the Futurex Portal.
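A pre-check you can run on the edited file before the connection test, shown here as an added example that is not part of the Futurex documentation or tooling. The parsing rules (one `<TAG> value </TAG>` entry per line, a leading `#` comments the line out) are assumptions inferred from the sample above, the function names are hypothetical, and the permission check applies to POSIX file modes only.

```python
import re
import stat

# Constructed sample modelled on the <HSM> block above, with weak settings left in.
SAMPLE_CFG = """\
<HSM>
    # HSM crypto operator user name
    <CRYPTO-OPR>            [identity_name]         </CRYPTO-OPR>
    <CRYPTO-OPR-PASS>       example-pass            </CRYPTO-OPR-PASS>
    <ADDRESS>               192.0.2.10              </ADDRESS>
    <PROD-PORT>             9100                    </PROD-PORT>
    <PROD-TLS-ENABLED>      NO                      </PROD-TLS-ENABLED>
    <PROD-TLS-ANONYMOUS>    NO                      </PROD-TLS-ANONYMOUS>
#    <PROD-TLS-CA>           /home/user/tls/root.pem        </PROD-TLS-CA>
    <PROD-TLS-KEY>          /home/user/tls/PKI.p12  </PROD-TLS-KEY>
    <PROD-TLS-KEY-PASS>     safest                  </PROD-TLS-KEY-PASS>
</HSM>
"""

TAG_RE = re.compile(r"<([A-Z0-9-]+)>\s*(.*?)\s*</\1>")
SECRET_TAGS = ("CRYPTO-OPR-PASS", "PROD-TLS-KEY-PASS")

def parse_hsm_block(text):
    """Return {tag: [values]} for uncommented one-line <TAG> value </TAG> entries."""
    fields = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # assumed: a leading '#' comments out the whole line
        m = TAG_RE.search(line)
        if m:
            fields.setdefault(m.group(1), []).append(m.group(2))
    return fields

def audit(fields, cfg_mode=None):
    """Return a list of findings; cfg_mode is the config file's st_mode, if known."""
    findings = []
    first = lambda tag: (fields.get(tag) or [""])[0]
    if first("PROD-TLS-ENABLED").upper() != "YES":
        findings.append("PROD-TLS-ENABLED is not YES")
    if first("PROD-TLS-ANONYMOUS").upper() != "NO":
        findings.append("PROD-TLS-ANONYMOUS differs from the NO shown in the sample")
    for tag, values in fields.items():
        if any(v.startswith("[") and v.endswith("]") for v in values):
            findings.append(f"{tag} still holds a documentation placeholder")
    if first("PROD-TLS-KEY-PASS") == "safest":
        findings.append("PROD-TLS-KEY-PASS is the documentation example value")
    has_secret = any(first(t) for t in SECRET_TAGS)
    if has_secret and cfg_mode is not None and cfg_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("config stores passwords but is accessible to group/other")
    return findings
```

On Linux, pass `os.stat("/etc/fxpkcs11.cfg").st_mode` as `cfg_mode` so the permission check runs against the real file.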