Initial setup
This section provides instructions for performing the minimum initial setup tasks required for all payment-related use cases on Futurex HSMs. These configurations can be made using either Excrypt Manager or Futurex Client Tools (FXCLI).

- FXCLI (required): Available for all operating systems. This tool can be used to perform all initial setup tasks, and it must be used to configure TLS mutual authentication between the HSM and the payment application you are integrating.
- Excrypt Manager (optional): Available only for Windows. This tool provides a GUI option for performing most initial configurations on the HSM.

Install Futurex Command Line Interface (FXCLI)

Windows

The FXTools installation package includes Futurex Client Tools (FXCLI). The easiest way to install FXCLI on Windows is by installing FXTools. You can download FXTools from the Futurex Portal.

To install FXCLI, run the Futurex Tools installer as an administrator and follow the prompts in the setup wizard to complete the installation. By default, all tools are installed on the system. The user can override this and choose not to install certain modules. The modules include:

  Module                                       Description
  Futurex Client Tools                         Command Line Interface (CLI) and associated SDK for both Java and C.
  Futurex CNG Module                           The Microsoft Next Generation Cryptographic library.
  Futurex Cryptographic Service Provider (CSP) The legacy Microsoft cryptographic library.
  Futurex EKM Module                           The Microsoft Enterprise Key Management library.
  Futurex PKCS #11 Module                      The Futurex PKCS #11 library and associated tools.
  Futurex Secure Access Client                 The client used to connect a Futurex Excrypt Touch to a local laptop via USB, and to a remote Futurex device.

After starting the installation, all selected services are installed. If the Futurex Secure Access Client was selected, the Futurex Excrypt Touch driver will also be installed (note: this sometimes starts minimized or in the background).

Linux

Download the appropriate FXCLI package files for your system from the Futurex Portal:

- If the system is 64-bit, select from the files marked amd64.
- If the system is 32-bit, select from the files marked i386.
- If running an OpenSSL version in the 1.0.x branch, select from the files marked ssl1.0.
- If running an OpenSSL version in the 1.1.x branch, select from the files marked ssl1.1.

Futurex offers the following features in FXCLI:

- Java Software Development Kit (java)
- HSM command line interface (cli-hsm)
- KMES command line interface (cli-kmes)
- Software Development Kit headers (devel)
- YAML parser used to parse bash output (cli-fxparse)

To install an RPM package, run the following command in a terminal:

  sudo rpm -ivh [fxcl-xxxx.rpm]

To install a DEB package, run the following command in a terminal:

  sudo dpkg -i [fxcl-xxxx.deb]

To run FXCLI and enter the HSM FXCLI prompt, run the following command in a terminal:

  fxcli-hsm

After entering the FXCLI prompt, you can run help to list all of the available FXCLI commands.

Install Excrypt Manager (if using Windows)

To configure your HSM, you can use Excrypt Manager, a Windows application that provides a GUI-based method, or FXCLI, a command line-based method that you can install on all platforms. If you configure the {{vectera}} from a Linux computer, you can skip this section. If you configure it from a Windows computer, perform the FXCLI installation steps as well, because FXCLI is the only method that you can use to configure TLS certificates in a later section.

Install Excrypt Manager on the workstation on which you plan to configure the HSM. If you plan to use a virtual HSM for the integration, you must perform all configurations by using either FXCLI, the Excrypt Touch, or the {{guard}}. The Excrypt Manager version must be from the 4.4.x branch or later to be compatible with the HSM firmware, which must be 7.2.x.x or later.

To install Excrypt Manager, run the Excrypt Manager installer as an administrator and follow the prompts in the setup wizard to complete the installation. The installation wizard prompts you to specify where you want to install Excrypt Manager. The default location is C:\Program Files\Futurex\Excrypt Manager\. After choosing a location, select [Install].

Connect and log in

For both Excrypt Manager and FXCLI, you must connect your laptop to the front USB port on the HSM. The initial login process described in this section uses the default Admin identities to log in under dual control:

  User #1: User ID admin1, Password safe
  User #2: User ID admin2, Password safe

Log in and connect. Select the appropriate method and follow the instructions.

Excrypt Manager:

1. Open Excrypt Manager and select [Refresh] in the lower right corner of the connection menu. Then, select USB Connection and select [Connect].
2. Log in with both default Admin identities.
3. You must change the default Admin passwords for both of your default Admin identities (admin1 and admin2) to load the major keys onto the HSM. To do so through Excrypt Manager, open the Identity Management menu, select the first default Admin identity (admin1), and select [Change Password]. Enter the old password and enter the new password twice. Select [OK]. Perform the same steps for the second default Admin identity (admin2).

FXCLI:

1. Start the FXCLI application and run the following commands:

     connect usb
     login user

   The login command prompts for the username and password. You must run the command twice, using both default Admin identities.

2. You must change the default Admin passwords for both default Admin identities to load the major keys onto the HSM. Use the following FXCLI commands to change the password for each default Admin identity:

     user change-password -u admin1
     user change-password -u admin2

   The preceding user change-password commands prompt you to enter the old and new passwords.

Configure the network

For this step, you must log in with an identity that has a role with the Communication:Network Settings permission. You can use the default Administrator role and Admin identities. Choose one of the following methods to configure the network.

Excrypt Manager: Go to the Configuration menu and modify the IP address configuration as required.

FXCLI: Run the network interface modify FXCLI command to set an IP address for the HSM. The following example shows the command syntax:

  network interface modify --interface Ethernet1 --ip 10.221.0.10 --netmask 255.255.255.0 --gateway 10.221.0.1

At this point during the HSM configuration, consider the following:

- You can complete the remaining HSM configurations in this section by using the {{guard}} (see the applicable guide for configuring HSMs for PKCS #11 integrations using the {{guard}}), except for the final section, which covers creating connection certificates for mutual authentication.
- If you are performing the configuration on the HSM directly but plan to add it to a Guardian later, you might have to synchronize the HSM after you add it to a device group on the Guardian.
- If your use case requires configuration through a CLI, then you should manage the HSMs directly.

Load major keys

The HSM requires you to load an MFK (Master File Key) before use. Depending on the intended use, you can also load a PMK (Platform Master Key), KEK (Key Encryption Key), and FTK (Futurex Token Key) at this point.

The HSM enables you to load some major keys through M-of-N fragmentation or a key wizard. With M-of-N key fragmentation, you can define a number of required key officers for a key ceremony that is less than the total number of key officers available. This helps maintain security while dramatically reducing the inconvenience of coordinating busy schedules around key ceremonies.

Choose the appropriate method and perform the instructions to load major keys.

Excrypt Manager: Go to the Key Management menu and select [Load] next to the relevant key. You can load keys through M-of-N fragmentation or a key wizard. If this is the first HSM in a cluster, we recommend that you generate the key and save it to smart cards as M-of-N fragments.

FXCLI: If this is the first HSM you are setting up, you need to generate a random major key. Optionally, you can simultaneously load the generated key onto smart cards using the -m and -n flags:

  majorkey random --mfk -m [number from 2 to 9] -n [number from 2 to 9]

If you are setting up a second HSM in a cluster, load the major key from the smart cards by using the following command:

  majorkey recombine --key mfk
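The M-of-N property described above (any m of n fragments recover the key, fewer reveal nothing about it) is shown here with a textbook Shamir split over a prime field. This is an added illustration of the concept only, not the HSM's, FXCLI's or the smart cards' own fragmentation format; the 16-byte key value is constructed for the example.

```python
"""Illustrative M-of-N key fragmentation (Shamir secret sharing).
Constructed example; it is not the Futurex implementation."""
import secrets

# Mersenne prime; every 2..64-byte key fits below it.
PRIME = 2**521 - 1


def split_key(key, m, n):
    """Split key into n fragments (x, y); any m recombine the key.

    The constraints mirror the majorkey random -m/-n limits on the page:
    2 <= m <= n <= 9 (assumed here to hold for both values).
    """
    if not 2 <= m <= n <= 9:
        raise ValueError("need 2 <= m <= n <= 9")
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key too large for the field")
    # Random polynomial of degree m-1 whose constant term is the key.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(m - 1)]

    def poly(x):
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation
            acc = (acc * x + c) % PRIME
        return acc

    return [(x, poly(x)) for x in range(1, n + 1)]


def recombine_key(fragments, m, key_len):
    """Lagrange-interpolate the polynomial at x=0 from m distinct fragments."""
    if len({x for x, _ in fragments}) < m:
        raise ValueError("fewer than m distinct fragments presented")
    frags = fragments[:m]
    secret = 0
    for i, (xi, yi) in enumerate(frags):
        num = den = 1
        for j, (xj, _) in enumerate(frags):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret.to_bytes(key_len, "big")
```

Swapping which m of the n fragments are presented does not change the result, which is what lets any m key officers out of n perform the ceremony.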