Installation and configuration steps for Futurex Client Library (FXCL CNG) module.
The Futurex Client Library (FXCL) is a set of functions offered through either Java (Java Native Interface) or C++, which applications use to access cryptographic processing and key management functionality.
To maintain system security, install and operate only copies of FXCL that you get directly from Futurex. A member of the Solutions Architect team either provides the files or makes them available for download on the Futurex Portal or equivalent Futurex-operated file distribution platform.
Perform the following steps to install FXCL CNG:
1
Download or copy the fxcl-x.x.x-win64.zip file to the computer where you plan to run the Microsoft AD CS instance.
2
Unzip the file in any directory, then go to the fxcl-x.x.x-win64\bin folder.
3
Run the InstallCNG.bat file to install FXCL CNG. If the installation fails, copy all of the files in the bin\ folder to C:\Program Files\Futurex\fxcl\kmes\cng\, and change the cng.config.json file name to config.json.
Perform the following steps to configure FXCL CNG:
1
Create the C:\FX-Logs directory. The FXCL CNG configuration file settings send log output to the FXCL CNG logs in the FX-Logs\ directory.
2
Open the config.json file for editing, and make the following changes, as shown in the following sample file:
Parameter
Required configuration
log_file
Set the define to point to C:\FX-Logs\fxcl-cng.log
host
Set the define to point to the IP address and port of the network-connected KMES Series 3 device
Make the following changes in the Windows Store TLS settings section:
Parameter
Required configuration
win_cert_store
Set the define to point to the My, which corresponds with the Personal store
win_cert_name
Set the define to the Common/Subject Name of the AD CS certificate
win_ca_stores
Set the define to the Root store, which corresponds with the Trusted Root Certification Authorities store
win_use_crl
Set the define to true
None
{ // Enables output via DebugOutputString // (default: false) // Note that regardless of this setting, output is // placed in the debug view while loading the config. "enable_debug_view": false, // A file to place logs into. Optional. // If not provided, no log file is made. "log_file": "C:\\FX-LOGS\\fxcl-cng.log", // Level of logging to emit. Case insensitive. // possible values: None, Error, Info, Debug, Traffic (default: Info) "log_level": "traffic", // What kind of key storage unit is this? // possible values: kmes (default: kmes) // Not currently used, it always uses kmes. "driver": "kmes", // The host to connect to. Required. "host": "10.0.5.209:2001", // Windows Store TLS settings // To load from window store set fields(win_cert_store, win_cert_name, win_ca_stores, win_use_crl) // Windows store settings will have priority over loading from file settings // Windows store name with client certificate (Optional) "win_cert_store": "My", // Client certificate subject name in windows store (Optional) "win_cert_name": "ADCS", // Windows store with CA certificate (Optional) "win_ca_stores": "Root", // Load CRL from CA certificate in windows store (Optional) "win_use_crl": true}
The preceding sample file does not show the ca, p12, and p12_pass file TLS setting defines because the configuration procedure uses the Windows Store TLS authentication method. However, the Windows Store TLS settings take precedence if you define both.
Perform the following steps to test the connection between FXCL CNG and the KMES Series 3:
1
Open either the command prompt or PowerShell.
2
Run the following certutil command to test the connection between FXCL CNG and the KMES Series 3 by using the client TLS certificate configured for AD CS in the Windows Certificate Store:
