Data protection
Protegrity Data Protection Pla...
Configure the FXPKCS11 module in Protegrity Data Protection Platform
4min
the protegrity documentation suite for 7 2 1 contains a guide named protegrity key management guide the appendix of the guide has a section describing the steps to use futurex as an hsm ( switching from soft hsm to futurex hsm ) configure the initial settings the protegrity data protection platform requires drivers supporting debian 9 with openssl version 1 0 2 for version 7 2 1 of the protegrity data protection platform {{futurex}} pkcs #11 module version 4 57 ( fxpkcs11 debian9 ssl1 0 4 57 ca22 tar ) contains a compliant driver (the file fxpkcs11/x64/openssl 1 0 x/libfxpkcs11 so in the tar archive) upoad the server and client certificate files, client private key file, pkcs11 driver ( libfxpkcs11 so ), and fxpkcs11 cfg file to esa and move them into the /opt/protegrity/hsm/external directory protegrity recommends putting all files in a tgz archive after you upload and extract the files to /opt/protegrity/hsm/external , set the file permissions to 744 also ensure that the file owner is service admin the following environment variables need to be set in the /opt/protegrity/hsm/external/hsm env configuration file an example is provided below export pty pkcs11 library=${hsm dir}/libfxpkcs11 so export pty pkcs11 env key=fxpkcs11 cfg export pty pkcs11 env value=${hsm dir}/fxpkcs11 cfg export pty pkcs11 slot=\<slot id> after youcomplete the configuration , restart the hsm gateway service on esa and set the crypto user pin in the esa web ui, navigate to system > services restart the hsm gateway service set the user pin for the esa to connect to the {{ch}} in the esa web ui, go to key management > hsm > hsm select \[ set user pin ] enter the {{ch}} identity password configured inside the \<crypto opr pass> tag in the fxpkcs11 cfg file a dialog box to set the user pin appears test the configuration the esa ui has built in functionality to verify the configuration the test checks for connectivity and authentication to the hsm (i e , {{ch}} ) it also validates if the hsm generates random bytes to determine successful authentication and connection in the esa web ui, go to key management > hsm > hsm select \[ test ] the test hsm connection dialog box appears if the test succeeds, green icons appear for the tests performed select \[ ok ] activate the configuration set the hsm as active in the esa web ui, go to key management > hsm > hsm select \[ set as active ] select \[ ok ] in the confirmation box