The Futurex Client Library (FXCL) is a set of functions, offered through either Java (Java Native Interface) or C++, which applications use to access cryptographic processing and key management functionality.

Install FXCL EKM

To maintain system security, install and operate only copies of FXCL that you get directly from Futurex. A member of the Solutions Architect team provides these files directly, or you can download them on the Futurex Portal or equivalent Futurex-operated file distribution platform. Perform the following steps to install FXCL Extensible Key Management (EKM):
1. Download or copy the fxcl-x.x.x-win64.zip file to the computer that runs the Microsoft SQL Server instance.
2. Unzip the file in any directory and go to the fxcl-x.x.x-win64\bin folder.
3. Copy ekm.config.json and libfxcl-ekm.dll to C:\Program Files\Futurex\fxcl\kmes\ekm\ and change the name of the ekm.config.json file to config.json.

Install Authenticode CA Certificate in Windows Certificate Store

1. Go to the C:\Program Files\Futurex\fxcl\kmes\ekm directory in File Explorer.
2. Right-click the libfxcl-ekm.dll file and select Properties.
3. Under Digital Signatures, select the “Futurex, L.P.” signer and click [ Details ].
4. Select [ View Certificate ]. You should see that the “Futurex, L.P.” certificate was issued by “Sectigo Public Code Signing CA EV R36”.
5. Select [ Install Certificate ]. This opens the Certificate Import Wizard.
6. Select Local Machine as the Store Location, then click [ Next ].
7. Select the “Automatically select the certificate store based on the type of certificate” option and click [ Next ].
8. Click [ Finish ]. You should see a confirmation message that the import was successful.
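The signature details viewed in the Properties dialog can also be checked from PowerShell, for example to repeat the check after each FXCL update. This is an added example, not Futurex code; it assumes the DLL path and the signer and issuer names given in the steps above, and that it runs on the SQL Server host after the certificate import.

```powershell
# Added example: scripted version of the Digital Signatures check.
# Path and expected names are taken from the steps on this page.
$dll            = 'C:\Program Files\Futurex\fxcl\kmes\ekm\libfxcl-ekm.dll'
$expectedSigner = 'Futurex, L.P.'
$expectedIssuer = 'Sectigo Public Code Signing CA EV R36'

if (-not (Test-Path -LiteralPath $dll)) {
    throw "File not found: $dll"
}

$sig       = Get-AuthenticodeSignature -FilePath $dll
$problems  = @()
$subjectCN = $null
$issuerCN  = $null

# Status is Valid only if the file hash matches the signature and the
# certificate chain builds to a root that this machine trusts.
if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
    $problems += "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
}

if ($null -eq $sig.SignerCertificate) {
    $problems += 'The file carries no signer certificate.'
} else {
    # SimpleName returns the common name of the subject ($false) or issuer ($true).
    $subjectCN = $sig.SignerCertificate.GetNameInfo('SimpleName', $false)
    $issuerCN  = $sig.SignerCertificate.GetNameInfo('SimpleName', $true)
    if ($subjectCN -ne $expectedSigner) { $problems += "Unexpected signer: $subjectCN" }
    if ($issuerCN  -ne $expectedIssuer) { $problems += "Unexpected issuer: $issuerCN" }
}

# Summary for the change record.
[pscustomobject]@{
    File       = $dll
    Status     = $sig.Status
    Signer     = $subjectCN
    Issuer     = $issuerCN
    Thumbprint = $sig.SignerCertificate.Thumbprint
    NotAfter   = $sig.SignerCertificate.NotAfter
} | Format-List

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1   # Do not register the provider with SQL Server if any check failed.
}
Write-Output 'libfxcl-ekm.dll signature checks passed.'
```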

Configure FXCL EKM

Perform the following steps to configure FXCL EKM:
1. Create the C:\FX-Logs directory. FXCL EKM writes its log file to this directory.
2. Open the config.json file for editing, and make the following changes:

| Parameter | Required configuration |
| --- | --- |
| log_file | Set the value to the path of the log file, C:\FX-LOGS\fxcl-ekm.log. |
| host | Set the value to the IP address and port of the network-connected KMES Series 3 device. |

In the Windows Store TLS settings section, make the following changes as shown in the following sample file:

| Parameter | Required configuration |
| --- | --- |
| ca | Set the value to the location of a PEM file containing a list of trusted CA certificates. |
| p12 | Set the value to the location of a PKCS #12 file containing the Microsoft SQL Server client certificate and private key. |
| p12_pass | Set the value to the password the PKCS #12 file is encrypted under. |

FXCL EKM version 1.8.32 added the ability to configure default key group names for symmetric and asymmetric operations. Users must manually create the key groups on the KMES before defining the default key group names in the FXCL EKM configuration file. If the configuration is set but the key group does not exist, the key creation commands in “Enable TDE in Microsoft SQL Server by using EKM” will fail.

```json
{
    // Enables output via DebugOutputString
    // (default: false)
    // Note that regardless of this setting, output is
    // placed in the debug view while loading the config.
    "enable_debug_view": false,

    // Configures default key groups for symmetric and asymmetric operations (Optional)
    // "sym_key_group"  : "EKM Symmetric Keys",
    // "asym_key_group" : "EKM Asymmetric Keys",

    // A file to place logs into. Optional.
    // If not provided, no log file is made.
    "log_file": "C:\\Futurex\\fxcl.log",

    // Level of logging to emit. Case insensitive.
    // possible values: None, Error, Info, Debug, Traffic (default: Info)
    "log_level": "traffic",

    // What kind of key storage unit is this?
    // possible values: kmes (default: kmes)
    // Not currently used, it always uses kmes.
    "driver": "kmes",

    // The host to connect to. Required.
    "host": "10.60.6.10:2001",

    // A PEM file containing a list of trusted CA certificates. Required.
    "ca": "C:\\Certs\\Tree.pem",

    // A P12 file containing leaf certificate and key. Required.
    "p12": "C:\\Certs\\PKI.p12",

    // Password to unlock the P12 file. Optional.
    // If not given, assumes it doesn't need a password.
    "p12_pass": "safest",

    "_": ""
}
```