Edit the Futurex CNG configuration file
The Futurex CNG library uses the Futurex CNG configuration file, `fxcng.cfg`, to connect to the HSM. It enables you to modify certain configurations and set connection details. This section covers the `<HSM>` portion of the FXCNG config file, where you set the connection details.

By default, the FXCNG library looks for the configuration file at `C:\Program Files\Futurex\fxcng\fxcng.cfg`. Alternatively, you can set the `FXCNG_CFG` environment variable to the location of the `fxcng.cfg` file.

Open the `fxcng.cfg` file in a text editor as an administrator and edit it accordingly:

```
<HSM>
    # Which PKCS11 slot
    <SLOT>                  0                     </SLOT>
    <LABEL>                 Futurex               </LABEL>

    # HSM crypto operator user name
    <CRYPTO-OPR>            [identity name]       </CRYPTO-OPR>

    # Automatically login on session open
    <CRYPTO-OPR-PASS>       [identity password]   </CRYPTO-OPR-PASS>

    # Connection information
    <ADDRESS>               10.0.8.30             </ADDRESS>
    <PROD-PORT>             9100                  </PROD-PORT>
    <PROD-TLS-ENABLED>      YES                   </PROD-TLS-ENABLED>
    <PROD-TLS-ANONYMOUS>    NO                    </PROD-TLS-ANONYMOUS>

    # Windows certificate store
    <PROD-TLS-ENGINE>       WINDOWS               </PROD-TLS-ENGINE>
    <PROD-TLS-WIN-STORE>    MY                    </PROD-TLS-WIN-STORE>
    <PROD-TLS-KEY>          Futurex CNG           </PROD-TLS-KEY>

    <PROD-TLS-CA>           /path/to/tlsca.pem    </PROD-TLS-CA>
    # <PROD-TLS-CA>         /home/user/tls/root.pem   </PROD-TLS-CA>
    # <PROD-TLS-CA>         /home/user/tls/sub1.pem   </PROD-TLS-CA>
    # <PROD-TLS-CA>         /home/user/tls/sub2.pem   </PROD-TLS-CA>
    # <PROD-TLS-KEY>        C:\tls\clientpki.p12      </PROD-TLS-KEY>
    # <PROD-TLS-KEY-PASS>   safest                    </PROD-TLS-KEY-PASS>

    # YES = This is communicating through a Guardian
    <FX-LOAD-BALANCE>       NO                    </FX-LOAD-BALANCE>
</HSM>
```

| Field | Description |
|---|---|
| `<SLOT>` | Leave it set to the default value of `0`. |
| `<LABEL>` | Leave it set to the default value of `Futurex`. |
| `<CRYPTO-OPR>` | Specify the name of the identity created for the application partition. |
| `<CRYPTO-OPR-PASS>` | Specify the password of the identity configured in the `<CRYPTO-OPR>` field. You can use this to log the application into the HSM automatically if necessary. |
| `<ADDRESS>` | Specify the IP address of the HSM to which the FXCNG library should connect. |
| `<PROD-PORT>` | Set the port number of the HSM that the FXCNG library should connect to. |
| `<PROD-TLS-ENABLED>` | Set the field to `YES`. |
| `<PROD-TLS-ANONYMOUS>` | Defines whether the FXPKCS11 library authenticates to the server. |
| `<PROD-TLS-ENGINE>` | Setting the define to `WINDOWS` specifies that the TLS connection certificate is saved in the Windows certificate store rather than the local file system. |
| `<PROD-TLS-WIN-STORE>` | Specifying `MY` in this field tells the FXCNG library to look for the TLS client certificate in the Personal Windows certificate store. |
| `<PROD-TLS-KEY>` | Specifies the common name of the TLS client certificate. |
| `<PROD-TLS-CA>` | You can use multiple instances of this define to specify where the CA certificates are saved in the file system. FXCNG does not pull CAs from the Windows certificate store. |
| `<FX-LOAD-BALANCE>` | If you use a Guardian to manage HSM devices in a cluster, set this field to `YES`. If you don't use a Guardian, set it to `NO`. |

After you finish editing the `fxcng.cfg` file, run the `CNGInstallUtil` file to test the connection against the HSM, and check the `fxcng-install-log.txt` file for errors and information.

Define integration-specific configurations

For the Microsoft SQL Always Encrypted integration, you must set the following defines in the `<CONFIG>` section of the `fxcng.cfg` file, as shown here:

```
<FORCED-ASYMMETRIC-USAGE> sign | verify | encrypt | decrypt </FORCED-ASYMMETRIC-USAGE>
```