Initial setup
This section provides instructions for performing the minimum initial setup tasks required for all payment-related use cases on Futurex HSMs. These configurations can be made using either Excrypt Manager or Futurex Client Tools (FXCLI).
- FXCLI (required)
  - Available for all operating systems
  - This tool can be utilized to perform all initial setup tasks, but it must be used to configure TLS mutual authentication between the HSM and the payment application you are integrating.
- Excrypt Manager (optional)
  - Available only for Windows
  - This tool provides a GUI option for performing most initial configurations on the HSM.
The FXTools installation package includes Futurex Client Tools (FXCLI). The easiest way to install FXCLI on Windows is by installing FXTools. You can download FXTools from the Futurex Portal.
To install FXCLI, run the Futurex Tools installer as an administrator and follow the prompts in the setup wizard to complete the installation.
By default, all tools are installed on the system. You can override this default and choose not to install certain modules. The modules include:
| Module | Description |
| --- | --- |
| Futurex Client Tools | Command Line Interface (CLI) and associated SDK for both Java and C. |
| Futurex CNG Module | The Microsoft Next Generation Cryptographic Library. |
| Futurex Cryptographic Service Provider (CSP) | The Legacy Microsoft Cryptographic Library. |
| Futurex EKM Module | The Microsoft Enterprise Key Management library. |
| Futurex PKCS #11 Module | The Futurex PKCS #11 library and associated tools. |
| Futurex Secure Access Client | The client used to connect a Futurex Excrypt Touch to a local laptop via USB, and a remote Futurex device. |
After starting the installation, all noted services are installed. If the Futurex Secure Access Client was selected, the Futurex Excrypt Touch driver will also be installed (note that this sometimes starts minimized or in the background).
Install Excrypt Manager (If using Windows)
Excrypt Manager is a Windows application that provides a GUI-based method for configuring the HSM, while FXCLI provides a command-line-based method for configuring the HSM and can be installed on all platforms.
If you will be configuring the Vectera Plus from a Linux computer, you can skip this section. If you will be configuring the Vectera Plus from a Windows computer, installing FXCLI in the next section is still required because FXCLI is the only method that can be used to configure TLS certificates in a later section.
Install Excrypt Manager on the workstation you will use to configure the HSM.
If you plan to use a Virtual HSM for the integration, all configurations will need to be performed using either FXCLI, the Excrypt Touch, or the Guardian Series 3.
The Excrypt Manager version must be from the 4.4.x branch or later to be compatible with the HSM firmware, which must be 6.7.x.x or later.
To install Excrypt Manager, run the Excrypt Manager installer as an administrator and follow the prompts in the setup wizard to complete the installation.
The installation wizard prompts you to specify where you want to install Excrypt Manager. The default location is C:\Program Files\Futurex\Excrypt Manager\. After choosing a location, select [ Install ].
For both Excrypt Manager and FXCLI, you must connect your laptop to the front USB port on the HSM. The initial login process described in this section uses the default Admin identities to log in under dual control.
| User #1 | User #2 |
| --- | --- |
| User ID: Admin1 | User ID: Admin2 |
| Password: safe | Password: safe |
Open Excrypt Manager and select [ Refresh ] in the lower right-hand side of the Connection menu. Then, select USB Connection and select [ Connect ].
Log in with both default Admin identities.
You must change the default Admin passwords for both of your default Admin identities (Admin1 and Admin2) to load the major keys onto the HSM. To do so via Excrypt Manager, open the Identity Management menu, select the first default Admin identity (Admin1), and select [ Change Password ]. Enter the old password and enter the new password twice. Select [ OK ]. Perform the same steps for the second default Admin identity (Admin2).
Start the FXCLI application and run the following commands:
The login command prompts for the username and password. You must run the command twice because you must log in with both default Admin identities.
You must change the default Admin passwords for both of your default Admin identities in order to load the major keys onto the HSM. Use the following FXCLI commands to change the passwords for each default Admin identity:
The preceding user change-password commands prompt you to enter the old and new passwords.
Navigate to the Configuration menu and modify the IP configuration as required.
Run the network interface modify FXCLI command to set an IP for the HSM. An example is provided below to show the command syntax:
The HSM requires you to load an MFK (Master File Key) before use. Depending on the intended use, you can also load a PMK (Platform Master Key), KEK (Key Encryption Key), and FTK (Futurex Token Key) at this point. The HSM allows you to load certain major keys through M of N fragmentation or a key wizard. With M of N key fragmentation, organizations can define a number of required key officers for a key ceremony that is less than the total number of key officers available. This allows organizations to maintain security while dramatically reducing the inconvenience of coordinating busy schedules around key ceremonies.
Navigate to the Key Management menu and select [ Load ] next to the relevant key. You can load keys through M of N fragmentation or a key wizard. If this is the first HSM in a cluster, we recommend that you generate the key and save it to smart cards as M of N fragments.
If this is the first HSM you are setting up, you need to generate a random major key. Optionally, you can simultaneously load the generated key onto a smart card using the -m and -n flags.
If it's a second HSM that you're setting up in a cluster, then you will load the major key from smart cards using the following command: