Configure the FXPKCS11 module in Protegrity Data Protection Platform
The Protegrity documentation suite for 7.2.1 contains a guide named Protegrity Key Management Guide. The appendix of that guide has a section describing the steps to use Futurex devices or services as an HSM (switching from soft HSM to Futurex HSM).

Configure the initial settings

The Protegrity Data Protection Platform requires drivers supporting Debian 9 with OpenSSL version 1.0.2. For version 7.2.1 of the Protegrity Data Protection Platform, Futurex PKCS #11 module version 4.57 (fxpkcs11-debian9-ssl1.0-4.57-ca22.tar) contains a compliant driver: the file fxpkcs11/x64/openssl-1.0.x/libfxpkcs11.so in the tar archive.

Upload the server and client certificate files, the client private key file, the PKCS #11 driver (libfxpkcs11.so), and the fxpkcs11.cfg file to ESA and move them into the /opt/protegrity/hsm/external directory. Protegrity recommends putting all files in a tgz archive.

After you upload and extract the files to /opt/protegrity/hsm/external, set the file permissions to 744. Also, ensure that the file owner is service_admin.

You must set the following environment variables in the /opt/protegrity/hsm/external/hsm.env configuration file, as shown in the following example:

    export PTY_PKCS11_LIBRARY=${HSM_DIR}/libfxpkcs11.so
    export PTY_PKCS11_ENV_KEY=fxpkcs11.cfg
    export PTY_PKCS11_ENV_VALUE=${HSM_DIR}/fxpkcs11.cfg
    export PTY_PKCS11_SLOT=<slot id>

After you complete the configuration, perform the following steps to restart the HSM gateway service on ESA and set the crypto user PIN:

1. In the ESA web UI, go to System > Services.
2. Restart the HSM gateway service.
3. Set the user PIN for the ESA to connect to the {{ch}}: in the ESA web UI, go to Key Management > HSM > HSM.
4. Select [Set User PIN]. A dialog box to set the user PIN appears.
5. Enter the {{ch}} identity password configured inside the <CRYPTO-OPR-PASS> tag in the fxpkcs11.cfg file.

Test the configuration

The ESA UI has built-in functionality to verify the configuration. The test checks for connectivity and authentication to the HSM (such as {{ch}}). It also validates that the HSM generates random bytes, which confirms a successful authentication and connection.

1. In the ESA web UI, go to Key Management > HSM > HSM.
2. Select [Test]. The Test HSM Connection dialog box appears.
3. If the test succeeds, green icons appear for the tests performed. Select [OK].

Activate the configuration

Perform the following steps to set the HSM as active:

1. In the ESA web UI, go to Key Management > HSM > HSM.
2. Select [Set as Active].
3. Select [OK] in the confirmation box.
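A preflight check for the staged files and the hsm.env variables described under "Configure the initial settings", as an added example that is not Protegrity's or Futurex's own tooling. It assumes GNU stat (as on the Debian-based ESA), that hsm.env expands ${HSM_DIR} exactly as in the snippet above, and that the expected file owner is service_admin unless a different name is passed as the second argument.

```shell
#!/bin/sh
# Preflight check for the Futurex PKCS#11 files staged on ESA (added example,
# not Protegrity's or Futurex's own tooling). It sources hsm.env the way the
# HSM gateway would, then verifies that every variable points at a real file,
# that the slot id is numeric, and that each staged file has mode 744 and the
# expected owner, so problems surface before the gateway restart and HSM test.
# Usage: check_hsm_env /opt/protegrity/hsm/external [expected_owner]
check_hsm_env() {
  HSM_DIR="$1"
  owner="${2:-service_admin}"   # service account named in the guide
  export HSM_DIR                # hsm.env expands ${HSM_DIR} in its values
  rc=0
  if [ ! -r "$HSM_DIR/hsm.env" ]; then
    echo "FAIL: $HSM_DIR/hsm.env is missing or unreadable"; return 1
  fi
  . "$HSM_DIR/hsm.env"
  for v in PTY_PKCS11_LIBRARY PTY_PKCS11_ENV_KEY PTY_PKCS11_ENV_VALUE PTY_PKCS11_SLOT; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || { echo "FAIL: $v is not exported by hsm.env"; rc=1; }
  done
  # The driver and its config file must exist where the variables say they are.
  for f in "$PTY_PKCS11_LIBRARY" "$PTY_PKCS11_ENV_VALUE"; do
    [ -f "$f" ] || { echo "FAIL: $f does not exist"; rc=1; }
  done
  # The module is handed its config under the literal key fxpkcs11.cfg.
  [ "$PTY_PKCS11_ENV_KEY" = "fxpkcs11.cfg" ] ||
    { echo "FAIL: PTY_PKCS11_ENV_KEY is '$PTY_PKCS11_ENV_KEY', expected fxpkcs11.cfg"; rc=1; }
  # A leftover "<slot id>" placeholder (or any non-number) will fail the HSM test.
  case "$PTY_PKCS11_SLOT" in
    ''|*[!0-9]*) echo "FAIL: PTY_PKCS11_SLOT '$PTY_PKCS11_SLOT' is not a number"; rc=1 ;;
  esac
  # Every staged file: mode 744 and owned by the service account (GNU stat assumed).
  for f in "$HSM_DIR"/*; do
    mode=$(stat -c '%a' "$f")
    who=$(stat -c '%U' "$f")
    [ "$mode" = "744" ] || { echo "FAIL: $f has mode $mode, expected 744"; rc=1; }
    [ "$who" = "$owner" ] || { echo "FAIL: $f is owned by $who, expected $owner"; rc=1; }
  done
  if [ "$rc" -eq 0 ]; then
    echo "OK: $HSM_DIR is ready for the HSM gateway restart"
  fi
  return "$rc"
}
```

Run it on ESA before restarting the HSM gateway service; a non-zero exit lists each mismatch so the fix is known before the UI test is attempted.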