> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Edit the Futurex PKCS #11 configuration file

> Instructions for editing the fxpkcs11.cfg file to connect the FXPKCS #11 library to KMES Series 3.

The `fxpkcs11.cfg` file enables you to set the FXPKCS #11 library to connect to the KMES Series 3. To edit the file, run a text editor as an Administrator on Windows or as root on Linux, and edit the configuration file accordingly. Most notably, you must set the fields described in this section inside the `<KMS>` section of the file.

Our PKCS #11 library expects to find the PKCS #11 config file in a certain location `(C:\Program Files\Futurex\fxpkcs11\fxpkcs11.cfg` for Windows and `/etc/fxpkcs11.cfg `for Linux), but you can override that location by using the **FXPKCS11\_CFG** environment variable.

To configure the `fxpkcs11.cfg` file, edit the following sections of the partial file sample:

```none expandable lines wrap title="None" theme={null}
<KMS>
    # Which PKCS11 slot
    <SLOT>                  0                       </SLOT>

    # Login username
    <CRYPTO-OPR>            crypto1                 </CRYPTO-OPR>

    # Key group name
    #<KEYGROUP-NAME>        keygroup1               </KEYGROUP-NAME>
    
    # Asymmetric key group name
    <ASYM-KEYGROUP-NAME>    asymkeygroup1           </ASYM-KEYGROUP-NAME>

    # Connection information
    <ADDRESS>               10.0.8.20 </ADDRESS>
    <PROD-PORT>             2001                    </PROD-PORT>
    <PROD-TLS-ENABLED>      YES                     </PROD-TLS-ENABLED>
    <PROD-TLS-ANONYMOUS>    NO                      </PROD-TLS-ANONYMOUS>
    <PROD-TLS-CA>           /connection_certs/root_tls_cert.pem        </PROD-TLS-CA>
    <PROD-TLS-CERT>         /connection_certs/signed_fxpkcs11_tls_cert.pem      </PROD-TLS-CERT>
    <PROD-TLS-KEY>          /connection_certs/fxpkcs11_tls_privatekey.pem   </PROD-TLS-KEY>
    # <PROD-TLS-KEY-PASS>     safest                 </PROD-TLS-KEY-PASS>

    # YES = This is communicating through a Guardian
    <FX-LOAD-BALANCE>       NO                      </FX-LOAD-BALANCE>
</KMS>
```

<table>
  <thead>
    <tr>
      <th><em><strong>Field</strong></em></th>
      <th><em><strong>Description</strong></em></th>
    </tr>
  </thead>

  <tbody>
    <tr>
      <td><code>\<SLOT></code></td>
      <td>Can leave set to the default value of <code>0</code>.</td>
    </tr>

    <tr>
      <td><code>\<CRYPTO-OPR></code></td>
      <td>Specify the name of the<strong> identity</strong> created on the KMES.</td>
    </tr>

    <tr>
      <td><code>\<KEYGROUP-NAME></code></td>
      <td>Comment out this field for this integration because Nginx needs to create only an asymmetric key pair on the KMES. You might use this field when an application needs to create symmetric keys on the KMES.</td>
    </tr>

    <tr>
      <td><code>\<ASYM-KEYGROUP-NAME></code></td>
      <td>Define the asymmetric key group name for this integration. The system adds the asymmetric key that Nginx creates on the KMES to a key group with the name you specify here.</td>
    </tr>

    <tr>
      <td><code>\<ADDRESS></code></td>
      <td>Specify the <strong>IP address</strong> of the KMES to which the PKCS #11 library should connect.</td>
    </tr>

    <tr>
      <td><code>\<LOG-FILE></code></td>
      <td>Set the path of the PKCS #11 log file.</td>
    </tr>

    <tr>
      <td><code>\<PROD-PORT></code></td>
      <td>Set the PKCS #11 library to connect to the default Host API port on the KMES, port <code>2001</code><strong>.</strong></td>
    </tr>

    <tr>
      <td><code>\<PROD-TLS-ENABLED></code></td>
      <td>Set the field to <code>YES</code>. The only way to connect to the Host API port on the KMES is over TLS.</td>
    </tr>

    <tr>
      <td><code>\<PROD-TLS-ANONYMOUS></code></td>
      <td>Set this value to <code>NO</code> because you're connecting to the Host API port by using mutual authentication. This field defines whether the PKCS #11 library authenticates to the KMES. </td>
    </tr>

    <tr>
      <td><code>\<PROD-TLS-CA></code></td>
      <td>Define the location of the CA certificates with one or more instances of this tag. In this example, there is only one CA certificate.</td>
    </tr>

    <tr>
      <td><code>\<PROD-TLS-CERT></code></td>
      <td>Set the location of the signed client certificate.</td>
    </tr>

    <tr>
      <td><code>\<PROD-TLS-KEY></code></td>
      <td>Set the location of the client private key. Supported formats for the TLS private key are <strong>PKCS #1</strong> clear private keys, <strong>PKCS #8</strong> encrypted private keys, or a <strong>PKCS #12</strong> file that contains the private key and certificates encrypted under a password.</td>
    </tr>

    <tr>
      <td><code>\<PROD-TLS-KEY-PASS></code></td>
      <td>Set the password of the PKCS #12 file, if necessary.</td>
    </tr>

    <tr>
      <td><code>\<FX-LOAD-BALANCE></code></td>
      <td>Set this field to <code>YES</code> if you use a Guardian to manage KMES Series 3 devices in a cluster. If you don't use a Guardian, set it to <code>NO</code></td>
    </tr>
  </tbody>
</table>

You must add the following two define lines to the `<CONFIG>` section of the **FXPKCS11** configuration file for the Nginx integration:

```none expandable lines wrap title="None" theme={null}
<FORCED-ASYMMETRIC-USAGE> SIGN | VERIFY </FORCED-ASYMMETRIC-USAGE>
```

```none expandable lines wrap title="None" theme={null}
<UNIQUE-CONNECTIONS> YES </UNIQUE-CONNECTIONS>
```
