Edit the Futurex PKCS #11 configuration file
The PKCS #11 library uses the application configuration file (fxpkcs11.cfg) to connect to the HSM. It enables you to modify certain configurations and set connection details. This section covers the <HSM> portion of the FXPKCS11 config file, where you set the connection details.
By default, the FXPKCS11 library looks for the configuration file in C:\Program Files\Futurex\fxpkcs11\fxpkcs11.cfg on Windows and /etc/fxpkcs11.cfg on Linux. Alternatively, you can set the FXPKCS11_CFG environment variable to the location of the fxpkcs11.cfg file.
Open the fxpkcs11.cfg file in a text editor as an administrator and edit it accordingly.
| Field | Description |
| --- | --- |
| <SLOT> | Leave it set to the default value of 0. |
| <LABEL> | Leave it set to the default value of Futurex. |
| <CRYPTO-OPR> | Specify the name of the identity created for the application partition. |
| <CRYPTO-OPR-PASS> | Specify the password of the identity configured in the <CRYPTO-OPR> field. This can be used to log the application into the HSM automatically if required. |
| <ADDRESS> | Specify the IP address of the HSM to which the PKCS #11 library should connect. |
| <PROD-PORT> | Set the port number of the HSM that the FXPKCS11 library should connect to. |
| <PROD-TLS-ENABLED> | Set the field to YES. |
| <PROD-TLS-ANONYMOUS> | Defines whether the FXPKCS11 library authenticates to the server. |
| <PROD-TLS-KEY> | Set the location of the client private key. Supported formats for the TLS private key are PKCS #1 clear private keys, PKCS #8 encrypted private keys, or a PKCS #12 file that contains the private key and certificates encrypted under a password. Because you define a PKCS #12 file in the <PROD-TLS-KEY> field in this example, you don't need to define the signed client certificate with the <PROD-TLS-CERT> tag or define the CA certificates with one or more instances of the <PROD-TLS-CA> tag. |
| <PROD-TLS-KEY-PASS> | Set the password of the PKCS #12 file, if necessary. |
| <FX-LOAD-BALANCE> | Set this field to YES if you use a Guardian to manage HSM devices in a cluster. If you don't use a Guardian, set it to NO. |
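The edited file can be checked before the application is started. The following Python check is an added example, not Futurex code: it resolves the file location the way this section describes, parses the <HSM> block, and reports TLS, address, port and stored-password findings. It assumes the file uses <TAG> value </TAG> pairs with # comment lines and that a file holding passwords should not be accessible to group or others; the sample values are constructed placeholders.

```python
import ipaddress, os, pathlib, re, stat, sys

# Constructed sample; identity, password, address, port and path are placeholders.
SAMPLE = """
<HSM>
    # <PROD-TLS-ENABLED> NO </PROD-TLS-ENABLED>
    <CRYPTO-OPR> app_identity </CRYPTO-OPR>
    <CRYPTO-OPR-PASS> example-password </CRYPTO-OPR-PASS>
    <ADDRESS> 192.0.2.10 </ADDRESS>
    <PROD-PORT> 9100 </PROD-PORT>
    <PROD-TLS-ENABLED> YES </PROD-TLS-ENABLED>
    <PROD-TLS-KEY> /etc/futurex/client.p12 </PROD-TLS-KEY>
</HSM>
"""

def config_path(env=os.environ, platform=sys.platform):
    """FXPKCS11_CFG overrides the per-OS default location."""
    default = (r"C:\Program Files\Futurex\fxpkcs11\fxpkcs11.cfg"
               if platform == "win32" else "/etc/fxpkcs11.cfg")
    return env.get("FXPKCS11_CFG") or default

def parse_hsm(text):
    """Return {TAG: value} from the <HSM> block; '#' lines are skipped (assumed syntax)."""
    text = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    block = re.search(r"<HSM>(.*?)</HSM>", text, re.S)
    pairs = re.findall(r"<([A-Z0-9-]+)>(.*?)</\1>", block.group(1) if block else "", re.S)
    return {tag: value.strip() for tag, value in pairs}  # last value wins for repeated tags

def audit(fields, mode=None):
    """Return findings; mode is the config file's POSIX st_mode, if known."""
    findings = []
    if fields.get("PROD-TLS-ENABLED", "").upper() != "YES":
        findings.append("PROD-TLS-ENABLED is not YES")
    try:
        ipaddress.ip_address(fields.get("ADDRESS", ""))
    except ValueError:
        findings.append("ADDRESS is not an IP address")
    if not fields.get("PROD-PORT", "").isdigit():
        findings.append("PROD-PORT is not a port number")
    stored = [t for t in ("CRYPTO-OPR-PASS", "PROD-TLS-KEY-PASS") if fields.get(t)]
    if stored and mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("stores " + ", ".join(stored) + " but is accessible to group/others")
    return findings

if __name__ == "__main__":
    path = config_path()  # falls back to the constructed sample when no file exists
    mode = os.stat(path).st_mode if os.name == "posix" and os.path.isfile(path) else None
    text = pathlib.Path(path).read_text() if os.path.isfile(path) else SAMPLE
    print(audit(parse_hsm(text), mode) or "no findings")
```

Run as the account that owns the configuration file; an empty result means none of the checked conditions were found.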