Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.futurex.com/llms.txt

Use this file to discover all available pages before exploring further.

This section offers a quick reference to key prerequisites and high-level implementation steps. For basic testing procedures for the integration, see Validate and test.

Pre-implementation

Ensure your environment complies with the following requirements:
  • Install dependencies
    • OpenSC (from source or with package manager under opensc)
    • OpenVPN Access Server
    • Python 3.6 and newer
      • Python library asn1crypto
  • Check OpenSSL version (v3.0 or newer)
  • Admin privileges on the Vectera Plus

Implementation

You can complete most tasks in this section by using either Excrypt Manager or FXCLI. The exception is the second option of task 7 (Create connection certificates for mutual authentication), for which you must use FXCLI.You can optionally complete steps 4 through 6 by using the Guardian Series 3 (see the applicable guide for configuring HSMs for PKCS #11 integrations by using the Guardian Series 3).
If you use a virtual HSM for the integration, you must connect to it over the network through FXCLI, the Excrypt Touch, or the Guardian Series 3.
  • Install Futurex PKCS #11 module (FXPKCS11)
  • Install Futurex Commande Line Interface (FXCLI)
  • Configure Vectera:
    • Connect to the HSM with a USB to enable Excrypt Manager or FXCLI
    • Confirm Command Primary Mode is General Purpose (GP), and PKCS #11 feature is enabled
    • Configure HSM’s network
    • Load FTK, PMK, and BEK major keys
    • Configure the transaction processing connection
    • Create a new application partition for the integration
    • Create a new identity and give it access to the newly created application partition
    • Configure TLS with either server-side or mutual authentication
  • Edit the FXPKCS11 configuration file
  • Install and configure pkcs11-provider
  • Prepare Cryptographic material for Access Server
    • Set Access Server in external PKI mode
    • (Optional) Create server CA
    • Generate server certificate and key
    • Generate client certificate and key
  • Configure Access Server and setup a test client
    • Generate tls_auth key
    • Generate Diffie-Hellman parameters
    • Import certificate and key files to Access Server
    • Configure test client on Access Server admin UI
    • Generate and download a server-locked profile for the client
    • Install the profile and P12 file to OpenVPN Connect v3 application

Post-implementation

After you complete the integration, perform the following tasks to validate it:
  • Using OpenVPN Connect application, validate the connection by connecting to the VPN using the certificate and P12 file.