Edit the Futurex CNG configuration file

16min
The  CNG library uses the  CNG configuration file, fxcng.cfg, to connect to the HSM. It enables you to modify certain configurations and set connection details. This section covers the <HSM> portion of the FXCNG config file where you set the connection details.
By default, the FXCNG library looks for the configuration file at C:\Program Files\Futurex\fxcng\fxcng.cfg. Alternatively, you can set the FXCNG_CFG environment variable to the location of the fxcng.cfg file.
Open the fxcng.cfg file in a text editor as an administrator and edit it accordingly.
Text
<HSM>
    # Which PKCS11 slot
    <SLOT>                  0                       </SLOT>
    <LABEL>                 Futurex                 </LABEL>

    # HSM crypto operator user name
    <CRYPTO-OPR>            [identity_name]         </CRYPTO-OPR>
    # Automatically login on session open
    <CRYPTO-OPR-PASS>       [identity_password]     </CRYPTO-OPR-PASS>

    # Connection information
    <ADDRESS>               10.0.8.30               </ADDRESS>
    <PROD-PORT>             9100                    </PROD-PORT>
    <PROD-TLS-ENABLED>      YES                     </PROD-TLS-ENABLED>
    <PROD-TLS-ANONYMOUS>    NO                      </PROD-TLS-ANONYMOUS>
    # Windows Certificate Store
    <PROD-TLS-ENGINE>       WINDOWS                </PROD-TLS-ENGINE>
    <PROD-TLS-WIN-STORE>    My                     </PROD-TLS-WIN-STORE>
    <PROD-TLS-KEY>          Futurex CNG         </PROD-TLS-KEY>
    <PROD-TLS-CA>           /path/to/TlsCa.pem     </PROD-TLS-CA>

#    <PROD-TLS-CA>          /home/user/tls/root.pem  </PROD-TLS-CA>
#    <PROD-TLS-CA>          /home/user/tls/sub1.pem  </PROD-TLS-CA>
#    <PROD-TLS-CA>          /home/user/tls/sub2.pem  </PROD-TLS-CA>
#    <PROD-TLS-KEY>          C:\TLS\ClientPKI.p12    </PROD-TLS-KEY>
#    <PROD-TLS-KEY-PASS>     safest                  </PROD-TLS-KEY-PASS>

    # YES = This is communicating through a Guardian
    <FX-LOAD-BALANCE>       NO                      </FX-LOAD-BALANCE>
</HSM>
<HSM>
    # Which PKCS11 slot
    <SLOT>                  0                       </SLOT>
    <LABEL>                 Futurex                 </LABEL>

    # HSM crypto operator user name
    <CRYPTO-OPR>            [identity_name]         </CRYPTO-OPR>
    # Automatically login on session open
    <CRYPTO-OPR-PASS>       [identity_password]     </CRYPTO-OPR-PASS>

    # Connection information
    <ADDRESS>               10.0.8.30               </ADDRESS>
    <PROD-PORT>             9100                    </PROD-PORT>
    <PROD-TLS-ENABLED>      YES                     </PROD-TLS-ENABLED>
    <PROD-TLS-ANONYMOUS>    NO                      </PROD-TLS-ANONYMOUS>
    # Windows Certificate Store
    <PROD-TLS-ENGINE>       WINDOWS                </PROD-TLS-ENGINE>
    <PROD-TLS-WIN-STORE>    My                     </PROD-TLS-WIN-STORE>
    <PROD-TLS-KEY>          Futurex CNG         </PROD-TLS-KEY>
    <PROD-TLS-CA>           /path/to/TlsCa.pem     </PROD-TLS-CA>

#    <PROD-TLS-CA>          /home/user/tls/root.pem  </PROD-TLS-CA>
#    <PROD-TLS-CA>          /home/user/tls/sub1.pem  </PROD-TLS-CA>
#    <PROD-TLS-CA>          /home/user/tls/sub2.pem  </PROD-TLS-CA>
#    <PROD-TLS-KEY>          C:\TLS\ClientPKI.p12    </PROD-TLS-KEY>
#    <PROD-TLS-KEY-PASS>     safest                  </PROD-TLS-KEY-PASS>

    # YES = This is communicating through a Guardian
    <FX-LOAD-BALANCE>       NO                      </FX-LOAD-BALANCE>
</HSM>
﻿
Field
Description
﻿
<SLOT>
Leave it set to the default value of 0.
﻿
<LABEL>
Leave it set to the default value of Futurex.
﻿
<CRYPTO-OPR>
Specify the name of the identity created for the application partition.
﻿
<CRYPTO-OPR-PASS>
Specify the password of the identity configured in the <CRYPTO-OPR> field. You can use this to log the application into the HSM automatically if necessary.
﻿
<ADDRESS>
Specify the IP address of the HSM to which the FXCNG library should connect.
﻿
<PROD-PORT>
Set the port number of the HSM that the FXCNG library should connect to.
﻿
<PROD-TLS-ENABLED>
Set the field to YES. 
﻿
<PROD-TLS-ANONYMOUS>
Defines whether the FXPKCS11 library authenticates to the server.
﻿
<PROD-TLS-ENGINE>
Setting the define to WINDOWS specifies the TLS connection certificate is saved in Windows Certificate Store rather than the local file system.
﻿
<PROD-TLS-WIN-STORE>
Specifying My in this field tells the FXCNG library to look for the TLS client certificate in the Personal Windows Certificate Store.
﻿
<PROD-TLS-KEY>
Specifies the Common Name of the TLS client certificate.
﻿
<PROD-TLS-CA>
You can use multiple instances of this define to specify where to save the CA certificates in the file system. FXCNG does not pull CAs from the Windows Certificate Store.
﻿
<FX-LOAD-BALANCE>
If you use a Guardian to manage HSM devices in a cluster, set this field to YES. 
If you don't use a Guardian, set it to NO
﻿
After you finish editing the fxcng.cfg file, run the CNGInstallUtil file to test the connection against the HSM, and check the FxCNG-Install-Log.txt file for errors and information.
Define integration-specific configurations
For the Microsoft SQL Always Encrypted integration, you must set the following defines in the <CONFIG> section of the fxcng.cfg file, as shown here:
Text
<FORCED-ASYMMETRIC-USAGE> SIGN | VERIFY | ENCRYPT | DECRYPT </FORCED-ASYMMETRIC-USAGE>
<FORCED-ASYMMETRIC-USAGE> SIGN | VERIFY | ENCRYPT | DECRYPT </FORCED-ASYMMETRIC-USAGE>
﻿
﻿
Updated 26 Aug 2024
Did this page help you?
Enable the EDSV multi-usage combination for asymmetric keys
Configure Microsoft SQL Always Encrypted