Certificate Authority
EJBCA
Edit the Futurex PKCS #11 configuration file
13min
the {{futurex}} pkcs #11 library uses the application configuration file ( fxpkcs11 cfg ) to connect to the hsm it enables you to modify certain configurations and set connection details this section covers the \<hsm> portion of the fxpkcs11 config file, where you set the connection details by default, the fxpkcs11 library looks for the configuration file in c \program files\futurex\fxpkcs11\fxpkcs11 cfg for windows and /etc/fxpkcs11 cfg for linux alternatively, you can set the fxpkcs11 cfg environment variable to the location of the fxpkcs11 cfg file open the fxpkcs11 cfg file in a text editor as an administrator and edit it accordingly \<hsm> \# which pkcs11 slot \<slot> 0 \</slot> \<label> futurex \</label> \# hsm crypto operator user name \<crypto opr> \[identity name] \</crypto opr> \# automatically login on session open \#\<crypto opr pass> \[identity password] \</crypto opr pass> \# connection information \<address> 10 0 8 30 \</address> \<prod port> 9100 \</prod port> \<prod tls enabled> yes \</prod tls enabled> \<prod tls anonymous> no \</prod tls anonymous> \# \<prod tls ca> /home/user/tls/root pem \</prod tls ca> \# \<prod tls ca> /home/user/tls/sub1 pem \</prod tls ca> \# \<prod tls ca> /home/user/tls/sub2 pem \</prod tls ca> \<prod tls key> /home/user/tls/pki p12 \</prod tls key> \<prod tls key pass> safest \</prod tls key pass> \# yes = this is communicating through a guardian \<fx load balance> no \</fx load balance> \</hsm> field description \<slot> leave it set to the default value of 0 \<label> leave it set to the default value of futurex \<crypto opr> specify the name of the identity created for the application partition \<crypto opr pass> specify the password of the identity configured in the \<crypto opr> field use this to log the application into the hsm automatically if required \<address> specify the ip address of the hsm to which the pkcs #11 library should connect \<prod port> set the port number of the hsm that the fxpkcs11 library should connect to \<prod tls enabled> set the field to yes \<prod tls anonymous> defines whether the fxpkcs11 library authenticates to the server \<prod tls key> set the location of the client private key supported formats for the tls private key are pkcs #1 clear private keys, pkcs #8 encrypted private keys, or a pkcs #12 file that contains the private key and certificates encrypted under a password because you define a pkcs #12 file in the \<prod tls key> field in this example, you don't need to define the signed client certificate with the \<prod tls cert> tag or define the ca certificates with one or more instances of the \<prod tls ca> tag \<prod tls key pass> set the password of the pkcs #12 file, if necessary \<fx load balance> set this field to yes if you use a guardian to manage hsm devices in a cluster if you don't use a guardian, set it to no after you finish editing the fxpkcs11 cfg file, run the pkcs11manager file to test the connection against the hsm, and check the fxpkcs11 log for errors and information for more information, refer to the {{futurex}} pkcs #11 technical reference found on the {{futurex}} portal