Configure the FXEKM file

13min
The  EKM library uses the EKM configuration file (fxekm.cfg) to connect to the HSM. It enables the user to modify certain configurations and set connection details. This section covers the <HSM> portion of the FXCNG config file, where the connection details are set.
By default, the FXEKM library looks for the configuration file at C:\Program Files\Futurex\fxekm\fxekm.cfg. Alternatively, the FXEKM_CFG environment variable can be set to the location of the fxekm.cfg file.
Open the fxekm.cfg file in a text editor as an administrator and edit it accordingly.
Text
<HSM>
    # Which PKCS11 slot
    <SLOT>                  0                       </SLOT>
    <LABEL>                 Futurex                 </LABEL>

    # HSM crypto operator user name
    <CRYPTO-OPR>            [identity_name]                </CRYPTO-OPR>
    # Automatically login on session open
    <CRYPTO-OPR-PASS>       [identity_password]             </CRYPTO-OPR-PASS>

    # Connection information
    <ADDRESS>               10.0.8.30     </ADDRESS>
    <PROD-PORT>             9100                    </PROD-PORT>
    <PROD-TLS-ENABLED>      YES                     </PROD-TLS-ENABLED>
    <PROD-TLS-ANONYMOUS>    NO                      </PROD-TLS-ANONYMOUS>
#    <PROD-TLS-CA>          /home/user/tls/root.pem        </PROD-TLS-CA>
#    <PROD-TLS-CA>          /home/user/tls/sub1.pem     </PROD-TLS-CA>
#    <PROD-TLS-CA>          /home/user/tls/sub2.pem     </PROD-TLS-CA>
    <PROD-TLS-KEY>          C:\TLS\ClientPKI.p12       </PROD-TLS-KEY>
    <PROD-TLS-KEY-PASS>     safest                  </PROD-TLS-KEY-PASS>

    # YES = This is communicating through a Guardian
    <FX-LOAD-BALANCE>       NO                      </FX-LOAD-BALANCE>
</HSM>
<HSM>
    # Which PKCS11 slot
    <SLOT>                  0                       </SLOT>
    <LABEL>                 Futurex                 </LABEL>

    # HSM crypto operator user name
    <CRYPTO-OPR>            [identity_name]                </CRYPTO-OPR>
    # Automatically login on session open
    <CRYPTO-OPR-PASS>       [identity_password]             </CRYPTO-OPR-PASS>

    # Connection information
    <ADDRESS>               10.0.8.30     </ADDRESS>
    <PROD-PORT>             9100                    </PROD-PORT>
    <PROD-TLS-ENABLED>      YES                     </PROD-TLS-ENABLED>
    <PROD-TLS-ANONYMOUS>    NO                      </PROD-TLS-ANONYMOUS>
#    <PROD-TLS-CA>          /home/user/tls/root.pem        </PROD-TLS-CA>
#    <PROD-TLS-CA>          /home/user/tls/sub1.pem     </PROD-TLS-CA>
#    <PROD-TLS-CA>          /home/user/tls/sub2.pem     </PROD-TLS-CA>
    <PROD-TLS-KEY>          C:\TLS\ClientPKI.p12       </PROD-TLS-KEY>
    <PROD-TLS-KEY-PASS>     safest                  </PROD-TLS-KEY-PASS>

    # YES = This is communicating through a Guardian
    <FX-LOAD-BALANCE>       NO                      </FX-LOAD-BALANCE>
</HSM>
﻿
Field
Description
﻿
<SLOT>
Leave set to the default value of 0.
﻿
<LABEL>
Leave set to the default value of Futurex.
﻿
<CRYPTO-OPR>
Specify the name of the identity created for the Application Partition.
﻿
<CRYPTO-OPR-PASS>
specify the password of the identity configured in the <CRYPTO-OPR> field. This can be used to log the application into the HSM automatically, if required.
﻿
<ADDRESS>
Specify the IP address of the HSM to which the FXEKM library should connect.
﻿
<PROD-PORT>
Set the port number of the HSM that the FXEKM library should connect to.
﻿
<PROD-TLS-ENABLED>
Set the field to YES. 
﻿
<PROD-TLS-ANONYMOUS>
Defines whether the FXEKM library authenticates to the server.
﻿
<PROD-TLS-KEY>
Set the location of the client private key. Supported formats for the TLS private key include the following values:
PKCS #1 clear private keys
PKCS #8 encrypted private keys
A PKCS #12 file containing the private key and certificates encrypted under a password.
Because the <PROD-TLS-KEY> field in this example defines the PKCS #12 file, you don't need to define the signed client cert with the <PROD-TLS-CERT> tag, nor the CA certificates with one or more instances of the <PROD-TLS-CA> tag.
﻿
<PROD-TLS-KEY-PASS>
Set the password of the PKCS #12 file, if necessary.
﻿
<FX-LOAD-BALANCE>
If you use a Guardian to manage HSM devices in a cluster, set this field to YES. 
If you don't use a Guardian, set it to NO.
﻿
For additional details, refer to the  EKM technical reference found on the  Portal.
Updated 26 Aug 2024
Did this page help you?
Configure TLS authentication
Configuring EKM on the SQL Server