Initial setup

This section provides instructions for performing the minimum initial setup tasks required for all payment-related use cases on Futurex HSMs. These configurations can be made using either Excrypt Manager or Futurex Client Tools (FXCLI).

  • FXCLI (required)
    • Available for all operating systems
    • You can use this tool for all initial setup tasks, and you must use it to configure TLS mutual authentication between the HSM and the payment application you are integrating.
  • Excrypt Manager (optional)
    • Available only for Windows
    • This tool provides a GUI option for performing most initial configurations on the HSM.

Install Futurex Command Line Interface (FXCLI)

Windows

1. The FXTools installation package includes Futurex Client Tools (FXCLI). The easiest way to install FXCLI on Windows is by installing FXTools. You can download FXTools from the Futurex Portal.

2. To install FXCLI, run the Futurex Tools installer as an administrator and follow the prompts in the setup wizard to complete the installation.

3. By default, all tools are installed on the system. You can override this default and choose not to install certain modules. The modules include:

| Module | Description |
| --- | --- |
| Futurex Client Tools | Command Line Interface (CLI) and associated SDK for both Java and C. |
| Futurex CNG Module | The Microsoft Next Generation Cryptographic Library. |
| Futurex Cryptographic Service Provider (CSP) | The Legacy Microsoft Cryptographic Library. |
| Futurex EKM Module | The Microsoft Enterprise Key Management library. |
| Futurex PKCS #11 Module | The Futurex PKCS #11 library and associated tools. |
| Futurex Secure Access Client | The client used to connect a Futurex Excrypt Touch to a local laptop via USB, and a remote Futurex device. |

4. After you start the installation, all of the services noted above are installed. If the Futurex Secure Access Client was selected, the Futurex Excrypt Touch driver is also installed. (Note: this sometimes starts minimized or in the background.)

Install Excrypt Manager (If using Windows)



Connect and Log In

For both Excrypt Manager and FXCLI, you must connect your laptop to the front USB port on the HSM. The initial login process described in this section uses the default Admin identities to log in under dual control.

| User #1 | User #2 |
| --- | --- |
| User ID: Admin1 | User ID: Admin2 |
| Password: safe | Password: safe |



Log in and connect

Select the appropriate method and follow the instructions:

Use Excrypt Manager

1. Open Excrypt Manager and select [ Refresh ] in the lower-right corner of the Connection menu. Then, select USB Connection and select [ Connect ].

2. Log in with both default Admin identities.

3. Before you can load the major keys onto the HSM, you must change the passwords of both default Admin identities (Admin1 and Admin2). To do so in Excrypt Manager, perform the following steps:

  1. Open the Identity Management menu, select the first default Admin identity (Admin1), and select [ Change Password ].
  2. Enter the old password and enter the new password twice.
  3. Select [ OK ].
  4. Perform the same steps for the second default Admin identity (Admin2).

Configure the network



Load major keys

The HSM requires you to load an MFK (Master File Key) before use. Depending on the intended use, you can also load a PMK (Platform Master Key), KEK (Key Encryption Key), and FTK (Futurex Token Key) at this point.

The HSM enables you to load some major keys through M of N fragmentation or a key wizard. With M of N key fragmentation, the number of key officers required for a key ceremony (M) can be less than the total number of key officers available (N). This helps maintain security while dramatically reducing the inconvenience of coordinating busy schedules around key ceremonies.
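
To illustrate the M of N property described above, the following Python sketch splits a key into N fragments and rebuilds it from any M of them. It is an added example, not Futurex code: it uses Shamir's secret sharing, one common threshold scheme (the page does not state which scheme the HSM uses), and the function names and sample key are constructed for the illustration.

```python
import secrets

# Prime field modulus (Mersenne prime 2**521 - 1); holds keys up to 64 bytes.
PRIME = 2**521 - 1


def split_key(key: bytes, m: int, n: int) -> list[tuple[int, int]]:
    """Split `key` into n fragments such that any m of them rebuild it."""
    if not 2 <= m <= n:
        raise ValueError("need 2 <= m <= n")
    if len(key) > 64:
        raise ValueError("key too long for this field")
    # Random polynomial of degree m-1 whose constant term is the key.
    coeffs = [int.from_bytes(key, "big")]
    coeffs += [secrets.randbelow(PRIME) for _ in range(m - 1)]
    fragments = []
    for x in range(1, n + 1):          # fragment x is the point (x, f(x))
        y = 0
        for c in reversed(coeffs):     # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        fragments.append((x, y))
    return fragments


def combine_fragments(fragments: list[tuple[int, int]], key_len: int) -> bytes:
    """Lagrange-interpolate the polynomial at x = 0 to recover the key."""
    xs = [x for x, _ in fragments]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate fragment")
    secret = 0
    for xi, yi in fragments:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    # With fewer than m fragments the result is an unrelated field element,
    # which almost never fits the expected key length.
    if secret.bit_length() > 8 * key_len:
        raise ValueError("fragments do not rebuild a key of this length")
    return secret.to_bytes(key_len, "big")


if __name__ == "__main__":
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample
    frags = split_key(key, m=3, n=5)                         # 3 of 5 officers
    print(combine_fragments([frags[4], frags[0], frags[2]], 16) == key)
```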

Choose the appropriate method and perform the instructions to load major keys:

Use Excrypt Manager

1. Go to the Key Management menu and select [ Load ] next to the relevant key.

You can load keys through M of N fragmentation or a key wizard. If this is the first HSM in a cluster, we recommend that you generate the key and save it to smart cards as M of N fragments.