To configure TLS authentication, choose one of the following methods:

We recommend option 2, mutual authentication.

Option 1 | Enable server-side authentication

We recommend mutually authenticating to the HSM using client certificates, but the 

 also supports server-side authentication. The following steps outline the process for enabling server-side authentication.

Choose one of the following methods to enable server-side authentication:

Option 2 | Create connection certificates for mutual authentication

As mentioned previously, we recommend mutually authenticating to the HSM by using client certificates, and the system enforces mutual authentication by default. The following example shows how to use FXCLI to generate a CA to sign the HSM server certificate and a client certificate. Then, it shows how to generate the client keys and CSR by using OpenSSL.

Create a new identity and associate it with the newly created application partition

Configure TLS authentication

ampersand

exclamation_mark

binary_val

diebold

tr-34_rkl

mac_hash

Enabled by default on all Vectera Series HSMs and available as an add-on license for Excrypt Series

general_purpose

data_encrypt

mobile_payment

Supports domestic and int'l. message formats for PIN translation, verification, and key management

Excrypt_ui

p2pe

Equal_sign

Enabled on all Futurex HSMs, regardless of their license or mode.

Core_license

Number_sign

utility

card_verification

authentication

key_management

RKMS3

SKI3

Ambiguous_PIN

Enables protecting a stronger key with a weaker key.

Key_Strength_Bypass

Enables payments-related commands per the AS2805 messaging standard, as defined by AusPayNet.

Australian_Command_Set

Enables the Europay Mastercard Visa (EMV) issuance command set.

EMV_Issuing

Enables Format Preserving Encryption (FPE) FF1 functionality.

FPEFF1

Enables Point-to-Point Encryption (P2PE) functionality. 

P2PE

Enabled by default on all Excrypt Series HSMs and as an add-on license for Vectera Series HSMs.

Financial_Processing

Allows the HSM to use host card emulation commands.

Host_Card_Emulation

Allows the HSM to support commands that will directly output the clear shared secret value.

Clear_Shared_Secret

Enables a host HSM to distribute allowed keys to another HSM.

HSM_key_distribution

Only required if using a Clear PIN rather than a PIN Block.

CPIN

Enables Format Preserving Encryption (FPE) functionality.

Enables Post-Quantum Cryptography (PQC) commands and functionality.

Enables commands requiring Elliptic Curve Cryptography (ECC) functionality.

Enables the Europay Mastercard Visa (EMV) acquiring command set. 

EMV_Acquiring

Enables commands requiring RSA functionality.

key_slot_index

Tilde

Asterisk

t_keyslot

ascii_int

Special_character

uuid_val

ascii_sta

base64

variable

alphanumeric

boolean

binary

integer

numeric

ascii

hexadecimal

alphabetic

base64_value

CH-HSMEX

CH-HSME

CH-HSMP

percent

semicolon

alphabetic_value

numeric_value

bdks

alphanum_value

ascii_exc

hex_value

Guard

test

Vectera

ESSP

Futurex

Edit the Futurex PKCS #11 configuration file

HSM Integration Guides

HSM Integration Guides overview

Before you start

Install Futurex PKCS #11 (FXPKCS11)

Install Excrypt Manager (If using Windows)

Install Futurex Command Line Interface (FXCLI)

Configure the Vectera Plus

Install Dogtag Certificate System  and deploy the subsystem

Dogtag Certificate System

Configure the EJBCA server

Test the EJBCA server

EJBCA

ISC - Linux

ISC - Windows

CertAgent integrations

Install Futurex CNG and FXCLI by using FXTools

Install Excrypt Manager

Edit the Futurex CNG configuration file

Install and configure Active Directory Certificate Services

AD CS operations with FXCNG

Appendix: Migrate an existing CA key from software storage to the HSM

Microsoft ADCS

Install RHCS and deploy the subsystem

Red Hat Certificate System (RHCS)

Certificate Authority

Generate a key pair and certificate on the Vectera Plus

Import certificates into Windows Certificate Store and associate them with the private keys

Appendix: Migrate a key from software storage to the Vectera Plus

Microsoft Windows Certificate Store

Install Excrypt Manager (If using windows)

Configure Venafi TPP to use the Vectera Plus

View the keys and certificates that Venafi TPP created on the HSM

Venafi Control Plane for Machine Identities

Certificate management

Install Axway Server and configure Futurex PKCS #11 Library with Axway VA Server

Test CRL signing

Axway VA

Certificate validation

Configure the JAVA_HOME environment variable

Configure SunPKCS11 to use the Futurex PKCS #11 module

Edit the Futurex PKCS #11 Configuration File

Create a Java keystore

Sign APKs with Android APKSigner by using Futurex PKCS #11

Android APKSigner

Create Java KeyStore

Jarsigner command examples

Java Jarsigner

Installing Excrypt Manager

Create a code-signing certificate

Import certificates into Windows Certificate Store

Associate a private key with a certificate

Test Microsoft SignTool commands

Microsoft SignTool

Code signing

Configure the Futurex PKCS #11 library in vSEC:CMS

Create an Operator Service Key Store in an HSM

Appendix: Generate a new master key and restore or migrate keys to a new HSM

Verasec vSEC:CMS

Credential management

Install and configure OpenSSL engine

Configure Apache HTTP Server

Apache HTTP Server

Configure Nginx Server

NGINX

Test OpenSSL engine

OpenSSL Engine

Steps to configure the Futurex PKCS #11 Library with the Protegrity Data Security Platform

Protegrity

Install the Zettaset XCrypt Full Disk deployment prerequisites

Configure the inventory file

Manually zeroize old data

Install Zettaset XCrypt Full Disk

Zettaset XCrypt Full Disk

Data protection

Install Futurex CNG (FXCNG)

Configure Microsoft SQL Always Encrypted

Microsoft SQL Server Always Encrypted

Install Futurex EKM (FXEKM) and FXCLI using FXTools

Configure the FXEKM file

Configuring EKM on the SQL Server

Enabling TDE on SQL Server by using EKM

Microsoft SQL Server TDE

Integration overview

Setting up the Oracle environment and the Futurex PKCS #11 Library

Generate a TDE Master Encryption Key on the Vectera Plus

Open the wallet or hardware keystore

Oracle Database TDE (12c)

Configuring the Futurex PKCS #11 Library in Oracle

Opening the wallet or hardware keystore

Appendix: Migrate from a software keystore to an HSM keystore

Oracle Database TDE (19c)

Database

Install Excrypt Manager (Windows only)

Configure Adobe Acrobat for signing

Adobe Acrobat Sign

Digital signing

Configure Bind 9

BIND

Configuring the Check Point Security Gateway application to connect to the Vectera Plus