Configure the FXEKM file
The Futurex EKM library uses the EKM configuration file (`fxekm.cfg`) to connect to the HSM. It enables the user to modify certain configurations and set connection details. This section covers the `<HSM>` portion of the FXCNG config file, where the connection details are set.

By default, the FXEKM library looks for the configuration file at `C:\Program Files\Futurex\fxekm\fxekm.cfg`. Alternatively, the `FXEKM_CFG` environment variable can be set to the location of the `fxekm.cfg` file.

Open the `fxekm.cfg` file in a text editor as an administrator and edit it accordingly:

```
<HSM>
    # Which PKCS11 slot
    <SLOT>                  0                       </SLOT>
    <LABEL>                 Futurex                 </LABEL>

    # HSM crypto operator user name
    <CRYPTO-OPR>            [identity_name]         </CRYPTO-OPR>
    # Automatically login on session open
    <CRYPTO-OPR-PASS>       [identity_password]     </CRYPTO-OPR-PASS>

    # Connection information
    <ADDRESS>               10.0.8.30               </ADDRESS>
    <PROD-PORT>             9100                    </PROD-PORT>
    <PROD-TLS-ENABLED>      YES                     </PROD-TLS-ENABLED>
    <PROD-TLS-ANONYMOUS>    NO                      </PROD-TLS-ANONYMOUS>
#   <PROD-TLS-CA>           /home/user/tls/root.pem </PROD-TLS-CA>
#   <PROD-TLS-CA>           /home/user/tls/sub1.pem </PROD-TLS-CA>
#   <PROD-TLS-CA>           /home/user/tls/sub2.pem </PROD-TLS-CA>
    <PROD-TLS-KEY>          C:\tls\clientpki.p12    </PROD-TLS-KEY>
    <PROD-TLS-KEY-PASS>     safest                  </PROD-TLS-KEY-PASS>

    # YES = This is communicating through a Guardian
    <FX-LOAD-BALANCE>       NO                      </FX-LOAD-BALANCE>
</HSM>
```

| Field | Description |
| --- | --- |
| `<SLOT>` | Leave set to the default value of `0`. |
| `<LABEL>` | Leave set to the default value of `Futurex`. |
| `<CRYPTO-OPR>` | Specify the name of the identity created for the application partition. |
| `<CRYPTO-OPR-PASS>` | Specify the password of the identity configured in the `<CRYPTO-OPR>` field. This can be used to log the application into the HSM automatically, if required. |
| `<ADDRESS>` | Specify the IP address of the HSM to which the FXEKM library should connect. |
| `<PROD-PORT>` | Set the port number of the HSM that the FXEKM library should connect to. |
| `<PROD-TLS-ENABLED>` | Set the field to `YES`. |
| `<PROD-TLS-ANONYMOUS>` | Defines whether the FXEKM library authenticates to the server. |
| `<PROD-TLS-KEY>` | Set the location of the client private key. Supported formats for the TLS private key include the following values: PKCS #1 clear private keys; PKCS #8 encrypted private keys; a PKCS #12 file containing the private key and certificates encrypted under a password. Because the `<PROD-TLS-KEY>` field in this example defines the PKCS #12 file, you don't need to define the signed client cert with the `<PROD-TLS-CERT>` tag, nor the CA certificates with one or more instances of the `<PROD-TLS-CA>` tag. |
| `<PROD-TLS-KEY-PASS>` | Set the password of the PKCS #12 file, if necessary. |
| `<FX-LOAD-BALANCE>` | If you use a Guardian to manage HSM devices in a cluster, set this field to `YES`. If you don't use a Guardian, set it to `NO`. |

For additional details, refer to the Futurex EKM technical reference found on the Futurex Portal.
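A pre-deployment check for the `<HSM>` block described above, as an added example that is not Futurex code: it parses the active tags and reports settings that differ from this page's guidance or still carry the sample values. The function names `parse_hsm` and `audit` are hypothetical, and the parser assumes one tag per line with `#` starting a comment line, as in the page's sample.

```python
import re

TAG = re.compile(r"<([A-Z0-9-]+)>\s*(.*?)\s*</\1>")

# Constructed sample based on the page's <HSM> block: TLS off, placeholders unedited.
SAMPLE_CFG = r"""
<HSM>
    <SLOT>               0                       </SLOT>
    <LABEL>              Futurex                 </LABEL>
    <CRYPTO-OPR>         [identity_name]         </CRYPTO-OPR>
    <CRYPTO-OPR-PASS>    [identity_password]     </CRYPTO-OPR-PASS>
    <ADDRESS>            10.0.8.30               </ADDRESS>
    <PROD-PORT>          9100                    </PROD-PORT>
    <PROD-TLS-ENABLED>   NO                      </PROD-TLS-ENABLED>
    <PROD-TLS-ANONYMOUS> NO                      </PROD-TLS-ANONYMOUS>
#   <PROD-TLS-CA>        /home/user/tls/root.pem </PROD-TLS-CA>
    <PROD-TLS-KEY>       C:\tls\clientpki.p12    </PROD-TLS-KEY>
    <PROD-TLS-KEY-PASS>  safest                  </PROD-TLS-KEY-PASS>
    <FX-LOAD-BALANCE>    NO                      </FX-LOAD-BALANCE>
</HSM>
"""

def parse_hsm(text):
    """Map each active (uncommented) tag inside <HSM> to its list of values."""
    fields, inside = {}, False
    for line in map(str.strip, text.splitlines()):
        if line in ("<HSM>", "</HSM>"):
            inside = line == "<HSM>"
        elif inside and not line.startswith("#") and (m := TAG.fullmatch(line)):
            fields.setdefault(m.group(1), []).append(m.group(2))
    return fields

def audit(text):
    """List findings; assumes PROD-TLS-ANONYMOUS=NO means a client key is required."""
    f = {tag: vals[0] for tag, vals in parse_hsm(text).items()}
    out = []
    if f.get("PROD-TLS-ENABLED", "").upper() != "YES":
        out.append("PROD-TLS-ENABLED is not YES")
    if f.get("PROD-TLS-ANONYMOUS", "").upper() != "YES" and "PROD-TLS-KEY" not in f:
        out.append("PROD-TLS-KEY missing for client-authenticated TLS")
    if f.get("PROD-TLS-KEY-PASS") == "safest":
        out.append("PROD-TLS-KEY-PASS is the documentation sample value")
    for tag, val in f.items():
        if val.startswith("[") and val.endswith("]"):
            out.append(f"{tag} still holds the placeholder {val}")
    return out

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CFG)))
```

Because the file holds the identity password and the PKCS #12 password in clear text, run the check where the file lives rather than copying the file elsewhere.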