Configure the FXPKCS11 module in Protegrity Data Protection Platform

4min
The Protegrity documentation suite for 7.2.1 contains a guide named Protegrity Key Management Guide. The appendix of the guide has a section describing the steps to use Futurex as an HSM (Switching from Soft HSM to Futurex HSM).
Configure the initial settings
The Protegrity Data Protection Platform requires drivers supporting Debian 9 with OpenSSL version 1.0.2 for version 7.2.1 of the Protegrity Data Protection Platform.  PKCS #11 module version 4.57 (fxpkcs11-debian9-ssl1.0-4.57-ca22.tar) contains a compliant driver (the file fxpkcs11/x64/OpenSSL-1.0.x/libfxpkcs11.so in the tar archive).
Upoad the server and client certificate files, client private key file, pkcs11 driver (libfxpkcs11.so), and fxpkcs11.cfg file to ESA and move them into the /opt/protegrity/hsm/external directory. Protegrity recommends putting all files in a tgz archive.
After you upload and extract the files to /opt/protegrity/hsm/external, set the file permissions to 744. Also ensure that the file owner is service_admin.
The following environment variables need to be set in the /opt/protegrity/hsm/external/hsm.env configuration file. An example is provided below:
Text
export PTY_PKCS11_LIBRARY=${HSM_DIR}/libfxpkcs11.so
export PTY_PKCS11_ENV_KEY=FXPKCS11_CFG
export PTY_PKCS11_ENV_VALUE=${HSM_DIR}/fxpkcs11.cfg
export PTY_PKCS11_SLOT=<slot_id>
export PTY_PKCS11_LIBRARY=${HSM_DIR}/libfxpkcs11.so
export PTY_PKCS11_ENV_KEY=FXPKCS11_CFG
export PTY_PKCS11_ENV_VALUE=${HSM_DIR}/fxpkcs11.cfg
export PTY_PKCS11_SLOT=<slot_id>
﻿
After youcomplete the configuration , restart the HSM Gateway service on ESA and set the crypto user PIN.
1
In the ESA Web UI, navigate to System > Services.
2
Restart the HSM Gateway service.
3
Set the User PIN for the ESA to connect to the .
In the ESA Web UI, go to Key Management > HSM > HSM.
Select [ Set User PIN ].
Enter the  identity password configured inside the <CRYPTO-OPR-PASS> tag in the fxpkcs11.cfg file.
4
A dialog box to set the User PIN appears.
Test the configuration
The ESA UI has built-in functionality to verify the configuration. The test checks for connectivity and authentication to the HSM (i.e., ). It also validates if the HSM generates random bytes to determine successful authentication and connection.
1
In the ESA Web UI, go to Key Management > HSM > HSM.
2
Select [ Test ].
The Test HSM Connection dialog box appears. If the test succeeds, green icons appear for the tests performed.
3
Select [ OK ].
Activate the configuration
Set the HSM as active:
1
In the ESA Web UI, go to Key Management> HSM > HSM.
2
Select [ Set As Active ].
3
Select [ OK ] in the confirmation box.
﻿
﻿
﻿
﻿
﻿
Updated 09 Dec 2024
Did this page help you?
Install and configure FXPKCS11
Data storage