Edit the Futurex PKCS #11 Configuration File
The Futurex PKCS #11 configuration file (i.e., fxpkcs11.cfg) is used by the Futurex PKCS #11 library to connect to the HSM. It enables the user to modify certain configurations and set connection details. This section covers the <HSM> portion of the FXPKCS11 config file, where the connection details are set.
By default, the FXPKCS11 library looks for the configuration file at C:\Program Files\Futurex\fxpkcs11\fxpkcs11.cfg for Windows and /etc/fxpkcs11.cfg for Linux. Alternatively, the FXPKCS11_CFG environment variable can be set to the location of the fxpkcs11.cfg file.
Open the fxpkcs11.cfg file in a text editor as an administrator and edit it accordingly.
| Field | Description |
| --- | --- |
| <SLOT> | Leave set to the default value of 0. |
| <LABEL> | Leave set to the default value of Futurex. |
| <CRYPTO-OPR> | Specify the name of the identity created for the Application Partition. |
| <CRYPTO-OPR-PASS> | Specify the password of the identity configured in the <CRYPTO-OPR> field. This can be used to log the application into the HSM automatically, if required. |
| <ADDRESS> | Specify the IP address of the HSM to which the PKCS #11 library should connect. |
| <PROD-PORT> | Set the port number of the HSM that the FXPKCS11 library should connect to. |
| <PROD-TLS-ENABLED> | Set the field to YES. |
| <PROD-TLS-ANONYMOUS> | Defines whether the FXPKCS11 library authenticates to the server. |
| <PROD-TLS-KEY> | Set the location of the client private key. Supported formats for the TLS private key are PKCS #1 clear private keys, PKCS #8 encrypted private keys, or a PKCS #12 file that contains the private key and certificates encrypted under a password. Because a PKCS #12 file is defined in the <PROD-TLS-KEY> field in this example, the signed client certificate does not need to be defined with the <PROD-TLS-CERT> tag, nor do the CA certificates need to be defined with one or more instances of the <PROD-TLS-CA> tag. |
| <PROD-TLS-KEY-PASS> | Set the password of the PKCS #12 file, if necessary. |
| <FX-LOAD-BALANCE> | Set this field to YES if you use a Guardian to manage HSM devices in a cluster. If you don't use a Guardian, set it to NO. |
After you finish editing the fxpkcs11.cfg file, run the PKCS11Manager file to test the connection against the HSM and check the fxpkcs11.log for errors and information. For more information, refer to the Futurex PKCS #11 technical reference found on the Futurex Portal.
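A pre-flight check that can be run on Linux before PKCS11Manager, added here as an illustration and not part of the Futurex tooling: it reads the <HSM> section, compares the fields against the values in the table above, and flags a file that stores passwords while being accessible to group or other users. It assumes each setting is written as `<TAG> value </TAG>` inside an `<HSM> ... </HSM>` block and that POSIX file modes apply; the function names and every value in SAMPLE are constructed.

```python
import os
import re
import stat

# Assumption: each setting is written as <TAG> value </TAG> inside <HSM> ... </HSM>.
TAG_RE = re.compile(r"<([A-Z0-9-]+)>\s*(.*?)\s*</\1>", re.S)
SECRET_TAGS = ("CRYPTO-OPR-PASS", "PROD-TLS-KEY-PASS")
EXPECTED = {"SLOT": "0", "LABEL": "Futurex", "PROD-TLS-ENABLED": "YES"}
REQUIRED = ("CRYPTO-OPR", "ADDRESS", "PROD-PORT")

def parse_hsm_section(text):
    """Return {tag: [values]} for the settings inside the <HSM> block."""
    block = re.search(r"<HSM>(.*?)</HSM>", text, re.S)
    if block is None:
        raise ValueError("no <HSM> section found")
    fields = {}
    for tag, value in TAG_RE.findall(block.group(1)):
        fields.setdefault(tag, []).append(value)  # tags such as PROD-TLS-CA may repeat
    return fields

def audit(text, mode=None):
    """Return a list of findings; mode is the config file's st_mode, if known."""
    fields = parse_hsm_section(text)
    def first(tag):
        return (fields.get(tag) or [""])[0]
    findings = [f"{t} should be {v}" for t, v in EXPECTED.items()
                if first(t).upper() != v.upper()]
    findings += [f"{t} is missing or empty" for t in REQUIRED if not first(t)]
    secrets = [t for t in SECRET_TAGS if first(t)]
    # Passwords sit in the file in clear text, so only the owner should have access.
    if secrets and mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("file stores " + ", ".join(secrets) + " but is accessible to group/other")
    return findings

def audit_file(path=None):
    """Audit the file at path, FXPKCS11_CFG, or the Linux default location."""
    path = path or os.environ.get("FXPKCS11_CFG", "/etc/fxpkcs11.cfg")
    with open(path, encoding="utf-8") as fh:
        return audit(fh.read(), os.stat(path).st_mode)

# Constructed sample: TLS left disabled and a password present.
SAMPLE = """<HSM>
    <SLOT> 0 </SLOT>
    <LABEL> Futurex </LABEL>
    <CRYPTO-OPR> example_identity </CRYPTO-OPR>
    <CRYPTO-OPR-PASS> example-password </CRYPTO-OPR-PASS>
    <ADDRESS> 192.0.2.10 </ADDRESS>
    <PROD-PORT> 9100 </PROD-PORT>
    <PROD-TLS-ENABLED> NO </PROD-TLS-ENABLED>
</HSM>"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, 0o100644)) or "no findings")
```

An empty result from `audit_file()` means only that these static checks passed; the connection itself is still verified with PKCS11Manager and fxpkcs11.log as described above.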