Skip to main content
The fxpkcs11.cfg file enables you to set the FXPKCS #11 library to connect to the KMES Series 3. To edit the file, run a text editor as an Administrator on Windows or root on Linux and edit the configuration file accordingly. Most notably, you must set the fields described in this section inside the <KMS> section of the file. Our PKCS #11 library expects to find the PKCS #11 config file in a specific location (C:\Program Files\Futurex\fxpkcs11\fxpkcs11.cfg for Windows and /etc/fxpkcs11.cfg for Linux). Still, you can override that location by using the FXPKCS11_CFG environment variable. To configure the fxpkcs11.cfg file, edit the following sections:
None
<KMS>
    # Which PKCS11 slot
    <SLOT>                  0                       </SLOT>

    # Login username
    <CRYPTO-OPR>            crypto1                 </CRYPTO-OPR>

    # Key group name
    #<KEYGROUP-NAME>        keygroup1               </KEYGROUP-NAME>
    
    # Asymmetric key group name
    <ASYM-KEYGROUP-NAME>    asymkeygroup1           </ASYM-KEYGROUP-NAME>

    # Connection information
    <ADDRESS>               [kmes_ip_address]       </ADDRESS>
    <PROD-PORT>             2001                    </PROD-PORT>
    <PROD-TLS-ENABLED>      YES                     </PROD-TLS-ENABLED>
    <PROD-TLS-ANONYMOUS>    NO                      </PROD-TLS-ANONYMOUS>
    <PROD-TLS-CA>           /connection_certs/root_tls_cert.pem        </PROD-TLS-CA>
    <PROD-TLS-CERT>         /connection_certs/signed_fxpkcs11_tls_cert.pem      </PROD-TLS-CERT>
    <PROD-TLS-KEY>          /connection_certs/fxpkcs11_tls_privatekey.pem   </PROD-TLS-KEY>
    # <PROD-TLS-KEY-PASS>     safest                 </PROD-TLS-KEY-PASS>

    # YES = This is communicating through a Guardian
    <FX-LOAD-BALANCE>       NO                      </FX-LOAD-BALANCE>
</KMS>
FieldDescription
<SLOT>Leave it set to the default value of 0.
<CRYPTO-OPR>Specify the name of the identity created on the KMES.
<KEYGROUP-NAME>Define the symmetric key group name for this integration.
<ASYM-KEYGROUP-NAME>Define the asymmetric key group name for this integration.
<ADDRESS>Specify the IP address of the KMES to which the PKCS #11 library should connect.
<LOG-FILE>Set the path of the PKCS #11 log file.
<PROD-PORT>Set the PKCS #11 library to connect to the default Host API port on the KMES, port 2001.
<PROD-TLS-ENABLED>Set the field to YES. The only way to connect to the Host API port on the KMES is over TLS.
<PROD-TLS-ANONYMOUS>Set this value to NO because you connect to the Host API port by using mutual authentication. This field defines whether the PKCS #11 library authenticates to the KMES.
<PROD-TLS-CA>Define the location of the CA certificates with one or more instances of this tag. In this example, there is only one CA certificate.
<PROD-TLS-CERT>Set the location of the signed client certificate.
<PROD-TLS-KEY>Set the location of the client private key. Supported formats for the TLS private key are PKCS #1 clear private keys, PKCS #8 encrypted private keys, or a PKCS #12 file that contains the private key and certificates encrypted under a password.
<PROD-TLS-KEY-PASS>Set the password of the PKCS #12 file, if necessary.
<FX-LOAD-BALANCE>Set this field to YES if you use a Guardian to manage KMES Series 3 devices in a cluster. If you don’t use a Guardian, set it to NO.
After you finish editing the fxpkcs11.cfg file, run the PKCS11Manager file to test the connection against the KMES and check the fxpkcs11.log for errors and information. For more information, refer to the Futurex PKCS #11 technical reference on the Futurex Portal.

Special defines required for this integration

In the <CONFIG> section, add the following definition so that** FXPKCS11** does not prompt for a password during the SSH connection attempt:
You don’t need to enter a password during the connection attempt because the FXPKCS11 library is already logged in to the KMES Series 3 with the configured user at that point.
None
<REQUIRE-LOGIN-FLAG>        NO          </REQUIRE-LOGIN-FLAG>