Edit the Futurex PKCS #11 configuration file

15min
The fxpkcs11.cfg file enables you to set the FXPKCS #11 library to connect to the KMES Series 3. To edit the file, run a text editor as an Administrator on Windows or as root on Linux, and edit the configuration file accordingly. Most notably, you must set the fields described in this section inside the <KMS> section of the file. 
Our PKCS #11 library expects to find the PKCS #11 config file in a certain location (C:\Program Files\Futurex\fxpkcs11\fxpkcs11.cfg for Windows and /etc/fxpkcs11.cfg for Linux), but you can override that location by using the FXPKCS11_CFG environment variable.
To configure the fxpkcs11.cfg file, edit the following sections of the partial file sample:
Text
<KMS>
    # Which PKCS11 slot
    <SLOT>                  0                       </SLOT>

    # Login username
    <CRYPTO-OPR>            vSEC                  </CRYPTO-OPR>

    # Key group name
    <KEYGROUP-NAME>         vSEC-symmetric-keygroup     </KEYGROUP-NAME>

    # Connection information
    <ADDRESS>               10.0.8.20               </ADDRESS>
    <PROD-PORT>             2001                    </PROD-PORT>
    <PROD-TLS-ENABLED>      YES                     </PROD-TLS-ENABLED>
    <PROD-TLS-ANONYMOUS>    NO                      </PROD-TLS-ANONYMOUS>
#    <PROD-TLS-CA>           /home/user/tls/root.pem        </PROD-TLS-CA>
#    <PROD-TLS-CERT>         /home/user/tls/signed-client-cert.pem      </PROD-TLS-CERT>
    <PROD-TLS-KEY>          /home/user/tls/vsec-client-cert.p12   </PROD-TLS-KEY>
    <PROD-TLS-KEY-PASS>     safest                 </PROD-TLS-KEY-PASS>

    # YES = This is communicating through a Guardian
    <FX-LOAD-BALANCE>       NO                      </FX-LOAD-BALANCE>
</KMS>
<KMS>
    # Which PKCS11 slot
    <SLOT>                  0                       </SLOT>

    # Login username
    <CRYPTO-OPR>            vSEC                  </CRYPTO-OPR>

    # Key group name
    <KEYGROUP-NAME>         vSEC-symmetric-keygroup     </KEYGROUP-NAME>

    # Connection information
    <ADDRESS>               10.0.8.20               </ADDRESS>
    <PROD-PORT>             2001                    </PROD-PORT>
    <PROD-TLS-ENABLED>      YES                     </PROD-TLS-ENABLED>
    <PROD-TLS-ANONYMOUS>    NO                      </PROD-TLS-ANONYMOUS>
#    <PROD-TLS-CA>           /home/user/tls/root.pem        </PROD-TLS-CA>
#    <PROD-TLS-CERT>         /home/user/tls/signed-client-cert.pem      </PROD-TLS-CERT>
    <PROD-TLS-KEY>          /home/user/tls/vsec-client-cert.p12   </PROD-TLS-KEY>
    <PROD-TLS-KEY-PASS>     safest                 </PROD-TLS-KEY-PASS>

    # YES = This is communicating through a Guardian
    <FX-LOAD-BALANCE>       NO                      </FX-LOAD-BALANCE>
</KMS>
﻿
Field
Description
﻿
<SLOT>
Can leave set to the default value of 0.
﻿
<CRYPTO-OPR>
Specify the name of the identity created on the KMES.
﻿
<KEYGROUP-NAME>
Can leave set to the default value, keygroup1, or specify a different name, as shown above.
﻿
<ADDRESS>
Specify the IP address of the KMES to which the PKCS #11 library should connect.
﻿
<PROD-PORT>
Set the PKCS #11 library to connect to the default Host API port on the KMES, port 2001.
﻿
<PROD-TLS-ENABLED>
Set the field to YES. The only way to connect to the Host API port on the KMES is over TLS.
﻿
<PROD-TLS-ANONYMOUS>
Set this value to NO because you're connecting to the Host API port by using mutual authentication. This field defines whether the PKCS #11 library authenticates to the KMES. 
﻿
<PROD-TLS-CA>
Because you use a PKCS #12 file to connect, remove or comment out this tag.
﻿
<PROD-TLS-CERT>
Because you use a PKCS #12 file to connect, remove or comment out this tag.
﻿
<PROD-TLS-KEY>
Specify the location of the PKCS #12 file you exported for this integration. This file contains the Verasec private key and certificate, encrypted under the password specified in the <PROD-TLS-KEY-PASS> field.
﻿
<PROD-TLS-KEY-PASS>
Set the password of the PKCS #12 file.
﻿
<FX-LOAD-BALANCE>
Set this field to YES if you use a Guardian to manage KMES Series 3 devices in a cluster. If you don't use a Guardian, set it to NO.
﻿
For additional details, see the Futurex PKCS #11 technical reference on the Futurex Portal.
After you edit the fxpkcs11.cfg file, run the PKCS11Manager file to test the connection against the KMES Series 3, and check the fxpkcs11.log for errors and information.
Special defines required for this integration
For the Versasec integration, add the following defines to the <CONFIG> section of the FXPKCS11 configuration file:
Text
# Required for the vSEC integration
<KEY-REQUIRE-LOGIN>         NO                  </KEY-REQUIRE-LOGIN>
<ALLOW-DUPLABELS>           YES                 </ALLOW-DUPLABELS>
<ENFORCE-IMMUTABLE>         NO                  </ENFORCE-IMMUTABLE>
# Required for the vSEC integration
<KEY-REQUIRE-LOGIN>         NO                  </KEY-REQUIRE-LOGIN>
<ALLOW-DUPLABELS>           YES                 </ALLOW-DUPLABELS>
<ENFORCE-IMMUTABLE>         NO                  </ENFORCE-IMMUTABLE>
﻿
﻿
﻿
Updated 28 Feb 2024
Did this page help you?
Configure KMES Series 3
Configure the Futurex PKCS #11 library in vSEC:CMS