The fxcsp.cfg file configures the Futurex RSA CSP library to connect to the KMES Series 3. To edit the file, run a text editor as Administrator on Windows or as root on Linux and change the configuration accordingly. Most notably, you must set the fields described in this section inside the <KMS> section of the file. The Futurex RSA CSP module expects to find the config file at a fixed location (C:\Program Files\Futurex\fxcsp\fxcsp.cfg). To configure the fxcsp.cfg file, edit the following sections of this partial sample:
<KMS>
    # Which PKCS11 slot
    <SLOT>                  0                       </SLOT>

    # Login username
    <CRYPTO-OPR>            crypto1                 </CRYPTO-OPR>
    <CRYPTO-OPR-PASS>       password                </CRYPTO-OPR-PASS>

    # Connection information
    <ADDRESS>               10.0.8.30 </ADDRESS>
    <PROD-PORT>             2001                    </PROD-PORT>
    <PROD-TLS-ENABLED>      YES                     </PROD-TLS-ENABLED>
    <PROD-TLS-ANONYMOUS>    NO                      </PROD-TLS-ANONYMOUS>
    <PROD-TLS-CA>           /home/futurex/tls/root.pem        </PROD-TLS-CA>
    <PROD-TLS-KEY>          /home/futurex/tls/signed_jarsigner_cert.p12   </PROD-TLS-KEY>
    <PROD-TLS-KEY-PASS>     safest                 </PROD-TLS-KEY-PASS>

    # YES = This is communicating through a Guardian
    <FX-LOAD-BALANCE>       NO                      </FX-LOAD-BALANCE>
</KMS>
| Parameter | Description |
|---|---|
| `<SLOT>` | Leave it set to the default value of 0. |
| `<CRYPTO-OPR>` | Specify the name of the identity created on the KMES. |
| `<CRYPTO-OPR-PASS>` | Specify the password for the identity defined in `<CRYPTO-OPR>`. |
| `<ADDRESS>` | Specify the IP address of the KMES to which the PKCS #11 library should connect. |
| `<PROD-PORT>` | Set the PKCS #11 library to connect to the default Host API port on the KMES, port 2001. |
| `<PROD-TLS-ENABLED>` | Set the field to YES. The only way to connect to the Host API port on the KMES is over TLS. |
| `<PROD-TLS-ANONYMOUS>` | Set this value to NO because you are connecting to the Host API port using mutual authentication. This field defines whether the PKCS #11 library authenticates to the KMES. |
| `<PROD-TLS-CA>` | Define the location of the CA certificates with one or more instances of this tag. In this example, there is only one CA certificate. |
| `<PROD-TLS-KEY>` | Set the location of the client private key. Supported formats for the TLS private key are PKCS #1 clear private keys, PKCS #8 encrypted private keys, or a PKCS #12 file that contains the private key and certificates encrypted under a password. |
| `<PROD-TLS-KEY-PASS>` | Set the password of the PKCS #12 file, if necessary. |
| `<FX-LOAD-BALANCE>` | Set this field to YES if you use a Guardian to manage KMES Series 3 devices in a cluster. If you do not use a Guardian, set it to NO. |

Additional defines required for this integration

In the <CONFIG> section of the file, you must set <UNIQUE-CONNECTIONS> to YES.
<UNIQUE-CONNECTIONS>        YES            </UNIQUE-CONNECTIONS>
In the <CONFIG> section of the file, you must also add the following define:
# Override all key usage requests with specific values
<FORCED-SYMMETRIC-USAGE>   ENCRYPT | DECRYPT   </FORCED-SYMMETRIC-USAGE>
<FORCED-ASYMMETRIC-USAGE>  SIGN | VERIFY       </FORCED-ASYMMETRIC-USAGE>
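A checker for the settings above, as an added example (not Futurex's own code): it parses the one-tag-per-line <KMS>/<CONFIG> layout shown in this page's samples and flags any mandated value (TLS enabled, mutual authentication, port 2001, unique connections, forced key usages) that is missing or wrong. The embedded config is a constructed sample, and the parser assumes the layout of the samples on this page.

```python
import re
# Assumed fxcsp.cfg shape (from the page): <SECTION> blocks of "<TAG> value </TAG>" lines plus '#' comments.
TAG_LINE = re.compile(r"^<([A-Z0-9-]+)>\s*(.*?)\s*</\1>$")
def parse_fxcsp(text):  # -> {section: {tag: [values]}}; repeated tags (PROD-TLS-CA) accumulate
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):  # comments and blanks match nothing below
        m = TAG_LINE.match(line)
        if m and current is not None:
            sections[current].setdefault(m.group(1), []).append(m.group(2))
        elif line.startswith("</"):  # section close
            current = None
        elif line.startswith("<"):   # section open
            sections.setdefault((current := line.strip("<>")), {})
    return sections
# Values the page mandates; identity, address, key paths and passwords are site-specific.
REQUIRED = {"KMS": {"PROD-PORT": "2001", "PROD-TLS-ENABLED": "YES", "PROD-TLS-ANONYMOUS": "NO"},
            "CONFIG": {"UNIQUE-CONNECTIONS": "YES", "FORCED-SYMMETRIC-USAGE": "ENCRYPT | DECRYPT",
                       "FORCED-ASYMMETRIC-USAGE": "SIGN | VERIFY"}}
MUST_BE_SET = ("CRYPTO-OPR", "CRYPTO-OPR-PASS", "ADDRESS", "PROD-TLS-CA", "PROD-TLS-KEY")
def check_fxcsp(text):  # -> list of findings; empty means the file meets the page's requirements
    cfg, findings = parse_fxcsp(text), []
    norm = lambda v: None if v is None else "".join(v.upper().split())  # ignore spacing and case
    for section, wanted in REQUIRED.items():
        for tag, value in wanted.items():
            actual = cfg.get(section, {}).get(tag, [None])[-1]  # last occurrence wins
            if norm(actual) != norm(value):
                findings.append(f"{section}/{tag}: expected {value!r}, got {actual!r}")
    for tag in MUST_BE_SET:
        if not any(cfg.get("KMS", {}).get(tag, [])):
            findings.append(f"KMS/{tag}: missing or empty")
    return findings

SAMPLE = """\
<KMS>
    <CRYPTO-OPR>         crypto1   </CRYPTO-OPR>
    <CRYPTO-OPR-PASS>    password  </CRYPTO-OPR-PASS>
    <ADDRESS>            10.0.8.30 </ADDRESS>
    <PROD-PORT>          2001      </PROD-PORT>
    <PROD-TLS-ENABLED>   YES       </PROD-TLS-ENABLED>
    <PROD-TLS-ANONYMOUS> NO        </PROD-TLS-ANONYMOUS>
    <PROD-TLS-CA>        /home/futurex/tls/root.pem   </PROD-TLS-CA>
    <PROD-TLS-KEY>       /home/futurex/tls/client.p12 </PROD-TLS-KEY>
</KMS>
<CONFIG>
    <UNIQUE-CONNECTIONS>      YES               </UNIQUE-CONNECTIONS>
    <FORCED-SYMMETRIC-USAGE>  ENCRYPT | DECRYPT </FORCED-SYMMETRIC-USAGE>
    <FORCED-ASYMMETRIC-USAGE> SIGN | VERIFY     </FORCED-ASYMMETRIC-USAGE>
</CONFIG>
"""  # constructed sample in the page's format, not a real deployment
```

Run `check_fxcsp(open(path).read())` against a real file; any non-empty result lists the section and tag that deviate from the values this page requires.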