# Steps to configure the Futurex PKCS #11 Library with the Protegrity Data Security Platform
The Protegrity documentation suite for 7.2.1 contains a guide named *Protegrity Key Management Guide*. The appendix of that guide has a section describing the steps to use Futurex as an HSM (switching from SoftHSM to the Futurex HSM).

## Perform initial configuration

Requirements for the Protegrity Data Security Platform include the following specifications:

- Drivers supporting Debian 9 with OpenSSL version 1.0.2 for version 7.2.1 of the Protegrity Data Security Platform.
- Driver version 4.20 (`fxpkcs11-debian9-ssl1.0-4.20-4afd.tar`) contains a compliant driver (`fxpkcs11/x64/openssl-1.0.x/libfxpkcs11.so` in the tar archive).

Perform the following configuration steps:

1. Zip the following files (Protegrity recommends putting all files in a `.tgz` archive):
   - server and client certificate files
   - client private key file
   - PKCS #11 driver (`libfxpkcs11.so`)
   - `fxpkcs11.cfg`
2. Upload the files and extract them to the `/opt/protegrity/hsm/external` folder, set the file permissions to 744, and ensure the file owner is `service_admin`.
3. Set the following environment variables in the `/opt/protegrity/hsm/external/hsm.env` configuration file, as shown in the following example:

   ```
   export PTY_PKCS11_LIBRARY=${HSM_DIR}/libfxpkcs11.so
   export PTY_PKCS11_ENV_KEY=FXPKCS11_CFG
   export PTY_PKCS11_ENV_VALUE=${HSM_DIR}/fxpkcs11.cfg
   export PTY_PKCS11_SLOT=<slot_id>
   ```

4. Update `fxpkcs11.cfg` as shown in the following example:

| Section | Parameter in the cfg file | Description | Value |
|---|---|---|---|
| CONFIG | `<LOG-FILE>` | Sets the log file location | `/opt/protegrity/hsm/external/fxpkcs11.log` |
| HSM | `<SLOT>` | Sets the PKCS #11 slot for the HSM | |
| HSM | `<CRYPTO-OPR>` | Sets the crypto operator username used to log in to the Futurex HSM | `protegrity` |
| HSM | `<ADDRESS>` | Sets the IP address of the Futurex HSM | |
| HSM | `<PROD-PORT>` | Sets the production port | |
| HSM | `<PROD-TLS-CA>` | Sets the path to the HSM server certificate file | `/opt/protegrity/hsm/external/<server_ca_file.pem>` |
| HSM | `<PROD-TLS-CERT>` | Sets the path to the HSM client certificate file | `/opt/protegrity/hsm/external/<client_cert_file.pem>` |
| HSM | `<PROD-TLS-KEY>` | Sets the path to the HSM client private key file | `/opt/protegrity/hsm/external/<client_priv_key_file.pem>` |
| HSM | `<PROD-TLS-KEY-PASS>` | Sets the passphrase for the HSM client private key file | |

## Restart the gateway and set the PIN

After you complete the configuration, perform the following steps to restart the HSM Gateway service on the ESA and set the crypto user PIN:

1. On the ESA web UI, go to System > Services.
2. Restart the HSM Gateway service.
3. To set the user PIN that the ESA uses to connect to the HSM, go to Key Management > HSM > HSM on the ESA web UI.
4. Select [ Set User PIN ].
5. Set the user PIN in the dialog box.

## Test the configuration

The ESA UI has built-in functionality to verify the configuration. The test checks connectivity and authentication to the HSM, and validates that the HSM generates random bytes, to confirm a successful connection and authentication.

1. On the ESA web UI, go to Key Management > HSM > HSM.
2. Select [ Test ]. The Test HSM Connection dialog box appears.
3. If the test succeeds, green icons appear for the tests performed.
4. Select [ OK ].

## Activate the configuration

Set the HSM as active:

1. On the ESA web UI, go to Key Management > HSM > HSM.
2. Select [ Set as Active ]. A confirmation message box appears.
3. Select [ OK ].
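A pre-flight check for the staging folder before restarting the HSM Gateway, added here as an example (not Futurex's or Protegrity's own tooling). It assumes `fxpkcs11.cfg` uses one `<TAG> value` line per setting; `demo()` builds a constructed folder in a temp directory with placeholder certificate files and a constructed address and port, so it runs offline.

```python
import os
import re
import stat
import tempfile

TAG_RE = re.compile(r"^\s*<([A-Z0-9-]+)>\s*(.*?)\s*$")
REQUIRED = ("LOG-FILE", "SLOT", "CRYPTO-OPR", "ADDRESS", "PROD-PORT",
            "PROD-TLS-CA", "PROD-TLS-CERT", "PROD-TLS-KEY")

def parse_cfg(text):  # {tag: value} from '<TAG> value' lines; '#' comments ignored
    pairs = (TAG_RE.match(line.split("#", 1)[0]) for line in text.splitlines())
    return {m.group(1): m.group(2) for m in pairs if m}

def check_staging(hsm_dir):  # returns a list of problems; an empty list means it passes
    problems = []
    for name in os.listdir(hsm_dir):  # the page asks for mode 744 on every uploaded file
        mode = stat.S_IMODE(os.stat(os.path.join(hsm_dir, name)).st_mode)
        if mode != 0o744:
            problems.append(f"{name} has mode {mode:o}, expected 744")
    if not os.path.isfile(os.path.join(hsm_dir, "libfxpkcs11.so")):
        problems.append("libfxpkcs11.so missing from the folder")
    cfg_path = os.path.join(hsm_dir, "fxpkcs11.cfg")
    if not os.path.isfile(cfg_path):
        return problems + ["fxpkcs11.cfg missing from the folder"]
    with open(cfg_path) as fh:
        cfg = parse_cfg(fh.read())
    for tag in REQUIRED:  # every row of the cfg table above must be filled in
        if not cfg.get(tag):
            problems.append(f"<{tag}> missing or empty in fxpkcs11.cfg")
    for tag in ("PROD-TLS-CA", "PROD-TLS-CERT", "PROD-TLS-KEY"):  # paths must resolve
        if cfg.get(tag) and not os.path.isfile(cfg[tag]):
            problems.append(f"<{tag}> points to a missing file: {cfg[tag]}")
    return problems

def demo(drop_key=False):  # constructed staging folder in a temp dir, then checked
    d = tempfile.mkdtemp()
    cfg = (f"<LOG-FILE> {d}/fxpkcs11.log\n<SLOT> 0\n<CRYPTO-OPR> protegrity\n"
           f"<ADDRESS> 192.0.2.10\n<PROD-PORT> 9100\n"  # constructed address and port
           f"<PROD-TLS-CA> {d}/server_ca.pem\n<PROD-TLS-CERT> {d}/client_cert.pem\n"
           f"<PROD-TLS-KEY> {d}/client_key.pem\n")
    files = {n: "placeholder\n" for n in ("server_ca.pem", "client_cert.pem",
                                          "client_key.pem", "libfxpkcs11.so")}
    files["fxpkcs11.cfg"] = cfg
    for name, body in files.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(body)
        os.chmod(os.path.join(d, name), 0o744)  # the permissions the page specifies
    if drop_key:
        os.remove(os.path.join(d, "client_key.pem"))  # simulate a forgotten key file
    return check_staging(d)
```

Mode 744 leaves every staged file, including the client private key and the cfg that carries `<PROD-TLS-KEY-PASS>`, readable by other local users on the ESA; the check enforces the value the page specifies, so adjust `0o744` if your deployment tightens it.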