Configure the Futurex PKCS #11 library in Curity

Perform the following tasks to configure Curity:

  1. Enable and configure the HSM.
  2. Configure the key stored on the HSM in Curity for TLS.
  3. Verify key usage by using OpenSSL.
  4. Verify key usage by using a web browser.

The following sections explain the necessary steps for these actions:

1 | Enable and configure the HSM

  1. Log in to the Curity Admin portal.
  2. In the left-hand menu, go to General.
  3. Scroll down to the Hardware Security Module section.
  4. Enable the Hardware Security Module configuration by selecting the toggle.
  5. In Library, enter the full path to the libfxpkcs11.so file on your system (for example, /usr/local/bin/fxpkcs11/libfxpkcs11.so).
  6. In the Slot drop-down list, select slot-id.
  7. Select the Include Compatibility Attributes checkbox if it is not already selected.
  8. Set the Slot ID to the slot configured in your fxpkcs11.cfg file (typically slot 0). Curity looks the key up in this slot, so it must be the slot on which the key was generated.

2 | Configure the key stored on the HSM in Curity for TLS

  1. In the upper-right corner of the Curity Admin portal, select Facilities > Keys and Cryptography > TLS.
  2. Hover over Server SSL Keys and select the plus symbol to configure a new Server SSL Key.
  3. In the New SSL Server Certificate window, enter the name of the key. This name must be the alias you provided in the Java keystore command (in our example, CurityDemo); it is how Curity finds the key on the HSM.
  4. Leave the Type set to asymmetric and select [ Use from HSM ].
  5. In the second Type drop-down list, select RSA. Leave the Key Size set to 2048, and select [ OK ].
  6. Select System at the top of the Curity Admin Portal UI, and select a Runtime Deployment.
  7. In the General tab, set the TLS Server KeyStore to your key and select [ Close ].
  8. Select the Changes drop-down option at the top of the Curity Admin Portal, and select Commit. Enter a comment as needed, and select [ OK ].

The server restarts and applies the changes.

3 | Verify key usage by using OpenSSL

To verify that the Curity Runtime Deployment is using the key for TLS connections, run the following command:

Shell


The following example shows a sample command:

Shell


The command output shows the certificate that the server presents. Confirm that it is the certificate belonging to the key on the HSM: its subject and its public-key fingerprint should match the key you created under the alias (in our example, CurityDemo). The private key itself never leaves the HSM; only the certificate and public key are visible in the TLS handshake.
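The check described above, written out as an added example; this script is not part of the original page and is not Futurex or Curity tooling. It assumes openssl is on the PATH, that the Curity runtime's TLS endpoint is reachable at a host:port you supply, and that you have a PEM file holding the public key of the HSM key (for example, extracted from the certificate you created under the CurityDemo alias). The host name and file names are placeholders.

```shell
#!/bin/sh
# Added example: verify that the certificate a TLS endpoint presents carries
# the public key of the key held on the HSM. Assumes openssl on PATH; the
# host:port and file names used by callers are placeholders.

# Fetch the leaf certificate the server presents, as PEM.
# $1 = host:port, $2 = SNI name to send.
served_cert_pem() {
    openssl s_client -connect "$1" -servername "$2" </dev/null 2>/dev/null \
        | openssl x509
}

# SHA-256 over the DER SubjectPublicKeyInfo of a PEM certificate ($1).
# Hashing the SPKI rather than the whole certificate lets you compare the key
# even if the certificate itself was re-issued.
spki_sha256_of_cert() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 \
        | awk '{print $NF}'
}

# The same fingerprint computed from a public-key PEM ($1), for example the
# public half of the HSM key that was generated under the Curity alias.
spki_sha256_of_pubkey() {
    openssl pkey -pubin -in "$1" -outform DER \
        | openssl dgst -sha256 \
        | awk '{print $NF}'
}

# Returns 0 when both fingerprints are non-empty and identical.
fingerprints_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# End-to-end: fetch the served certificate and compare its key fingerprint
# with the expected one. $1 = host:port, $2 = expected SPKI SHA-256 (hex).
# Exit status: 0 match, 1 mismatch, 2 could not fetch a certificate.
verify_served_key() {
    host=${1%%:*}
    tmp=$(mktemp)
    if ! served_cert_pem "$1" "$host" > "$tmp"; then
        rm -f "$tmp"
        return 2
    fi
    got=$(spki_sha256_of_cert "$tmp")
    rm -f "$tmp"
    fingerprints_match "$got" "$2"
}
```

Typical use, with placeholder names: `verify_served_key idsvr.example.com:8443 "$(spki_sha256_of_pubkey hsm-pub.pem)" && echo "HSM key in use"`. A mismatch means the runtime is still serving a different keystore (for example the default one) and the commit in the previous section did not take effect on that node.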

4 | Verify key usage by using a web browser

To verify the correct key usage, browse to the endpoint in a web browser, such as Firefox, as shown in the following example URL:

Text


If you use a self-signed certificate, the browser shows a TLS warning. Bypass it by selecting Advanced > Accept the Risk and Continue. Do this only for a test certificate you generated yourself; a production deployment should present a certificate that chains to a CA the browser trusts, in which case no warning appears.

In the URL bar at the top of the browser, select the lock icon to the left. In the opened window, select View Certificate to confirm that your certificate is presented during the connection to the Curity endpoint.