Steps to configure the Futurex PKCS #11 Library with the Protegrity Data Security Platform
The Protegrity documentation suite for 7.2.1 contains a guide named "Protegrity Key Management Guide". The appendix of the guide has a section describing the steps to utilize Futurex as an HSM (“Switching from Soft HSM to Futurex HSM").
The Protegrity Data Security Platform requires drivers supporting Debian 9 with OpenSSL version 1.0.2 for version 7.2.1 of the Protegrity Data Security Platform. Driver version 4.20 (fxpkcs11-debian9-ssl1.0-4.20- 4afd.tar) contains a compliant driver (the file fxpkcs11/x64/OpenSSL-1.0.x/libfxpkcs11.so in the tar archive).
Server and client certificate files, client private key file, pkcs11 driver (libfxpkcs11.so) and fxpkcs11.cfg file need to be uploaded to ESA in placed in the /opt/protegrity/hsm/external folder. Protegrity recommends putting all files in a tgz archive.
Once files are uploaded and extracted to /opt/protegrity/hsm/external folder permissions of the files need to be set to 744. Also ensure that the file owner is service_admin.
The following environment variables need to be set in the /opt/protegrity/hsm/external/hsm.env configuration file e.g:
The fxpkcs11.cfg then needs to be updated as per the table below:
Section | Parameter in the .cfg file | Description | Value |
Config | <LOG-FILE> | Sets the log file location | /opt/protegrity/hsm/external/fxpkcs11.log |
HSM | <SLOT> | Sets the PKCS11 slot for the HSM | |
HSM | <CRYPTO-OPR> | Sets the Crypto Operator username to login to the Futurex HSM | protegrity |
HSM | <ADDRESS> | Sets the IP address of the Futurex HSM | |
HSM | <PROD-PORT> | Sets the production port | |
HSM | <PROD-TLS-CA> | Sets the path to the HSM Server Certificate file | /opt/protegrity/hsm/external/<server_ca_file.pem> |
HSM | <PROD-TLS-CERT> | Sets the path to the HSM Client Certificate file | /opt/protegrity/hsm/external/<client_cert_file.pem> |
HSM | <PROD-TLS-KEY> | Sets the path to the HSM Client Private Key file | /opt/protegrity/hsm/external/<client_priv_key_file.pem> |
HSM | <PROD-TLS-KEY-PASS> | Sets the passphrase for the HSM Client Private Key file | |
Once the configuration is complete the HSM Gateway service on ESA needs to be restarted and the crypto user PIN needs to be set.
On the ESA Web UI, navigate to System > Services.
Restart the HSM Gateway service.
Set the user pin for the ESA to connect to the HSM. On the ESA Web UI, navigate to Key Management > HSM > HSM.
Click Set User Pin.
Set the user pin in the dialog box.
The ESA UI has built-in functionality to verify the configuration. The test checks for connectivity and authentication to the HSM and validates whether the HSM generates random bytes to determine successful authentication and connection.
On the ESA Web UI, navigate to Key Management > HSM > HSM.
Click Test.
The Test HSM Connection dialog box appears. If the test succeeds green icons shall appear for the tests performed.
Click OK.
Set the HSM as active:
On the ESA Web UI, navigate to Key Management > HSM > HSM.
Click Set As Active.
A confirmation message box appears.
Click Ok.