Edit the Futurex PKCS #11 configuration file
The fxpkcs11.cfg file is where you configure the Futurex PKCS #11 library to connect to the {{k3}}. To edit the file, run a text editor as an administrator on Windows or as root on Linux, and edit the configuration file accordingly. Most notably, you must set the fields described in this section inside the \<KMS> section of the file.

The Futurex PKCS #11 library expects to find the PKCS #11 config file in a fixed location (C:\Program Files\Futurex\fxpkcs11\fxpkcs11.cfg on Windows and /etc/fxpkcs11.cfg on Linux), but you can override that location by using the FXPKCS11_CFG environment variable.

To configure the fxpkcs11.cfg file, edit the following sections of this partial file sample:

```
<KMS>
    # Which PKCS11 slot
    <SLOT>                    0 </SLOT>
    # Login username
    <CRYPTO-OPR>              crypto1 </CRYPTO-OPR>
    # Key group name
    #<KEYGROUP-NAME>          keygroup1 </KEYGROUP-NAME>
    # Asymmetric key group name
    <ASYM-KEYGROUP-NAME>      asymkeygroup1 </ASYM-KEYGROUP-NAME>
    # Connection information
    <ADDRESS>                 10.0.8.20 </ADDRESS>
    <PROD-PORT>               2001 </PROD-PORT>
    <PROD-TLS-ENABLED>        YES </PROD-TLS-ENABLED>
    <PROD-TLS-ANONYMOUS>      NO </PROD-TLS-ANONYMOUS>
    <PROD-TLS-CA>             /connection_certs/root_tls_cert.pem </PROD-TLS-CA>
    <PROD-TLS-CERT>           /connection_certs/signed_fxpkcs11_tls_cert.pem </PROD-TLS-CERT>
    <PROD-TLS-KEY>            /connection_certs/fxpkcs11_tls_privatekey.pem </PROD-TLS-KEY>
#   <PROD-TLS-KEY-PASS>       safest </PROD-TLS-KEY-PASS>
    # YES = This is communicating through a Guardian
    <FX-LOAD-BALANCE>         NO </FX-LOAD-BALANCE>
</KMS>
```

The following table describes the fields and the recommended settings for the file:

| Field | Description |
|---|---|
| `<SLOT>` | Leave this set to the default value of 0, or change it if needed. |
| `<CRYPTO-OPR>` | Specify the name of the identity you created on the {{k}} for this integration. |
| `<KEYGROUP-NAME>` | Used when an application needs to create symmetric keys on the {{k}}. For this integration, set the name of the key group to the one you created in an earlier section on the {{k}}. |
| `<ASYM-KEYGROUP-NAME>` | Used when an application needs to create asymmetric keys on the {{k}}. |
| `<ADDRESS>` | Specify the IP address of the {{k}} that the PKCS #11 library should connect to. |
| `<LOG-FILE>` | Set the path of the PKCS #11 log file. |
| `<PROD-PORT>` | Set the PKCS #11 library to connect to the default host API port on the {{k}}, port 2001. |
| `<PROD-TLS-ENABLED>` | Must be set to YES, because you can only connect to the host API port on the {{k}} over TLS. |
| `<PROD-TLS-ANONYMOUS>` | Defines whether the PKCS #11 library authenticates to the {{k}}. Because the connection to the host API port uses mutual authentication, set this value to NO. |
| `<PROD-TLS-CA>` | You must define the location of the CA certificates with one or more instances of this tag. In this example, there is only one CA certificate. |
| `<PROD-TLS-CERT>` | You must define the location of the signed client certificate with this tag. |
| `<PROD-TLS-KEY>` | This tag defines the location of the client private key. Supported formats for the TLS private key are: PKCS #1 clear private keys; PKCS #8 encrypted private keys; a PKCS #12 file that contains the private key and certificates encrypted under a password (defined in the `<PROD-TLS-KEY-PASS>` field). |
| `<PROD-TLS-KEY-PASS>` | Set the password of the PKCS #12 file, if necessary. |
| `<FX-LOAD-BALANCE>` | If you are using a Guardian to manage {{k3}} devices in a cluster, you must set this field to YES. If not, set this field to NO. |

After you edit the fxpkcs11.cfg file, run the PKCS11Manager file to test the connection with the {{k}}, and check the fxpkcs11 log for errors and information.

For more information, refer to the {{futurex}} PKCS #11 technical reference found on the {{futurex}} portal.
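As an added example (not code from the Futurex library or this documentation), the checker below parses the \<KMS> section of an fxpkcs11.cfg file and flags settings that deviate from the recommendations above: TLS must be enabled, anonymous TLS must be off, and the CA, client certificate and private key paths must be present. The embedded sample is constructed from the partial file above; treating lines that start with `#` as comments follows the sample's convention and is an assumption about the file format.

```python
import re

# Constructed sample modelled on the partial fxpkcs11.cfg shown on this page;
# the address, identity names and paths are illustrative, not a real deployment.
SAMPLE_CFG = """<KMS>
    <SLOT>               0 </SLOT>
    <CRYPTO-OPR>         crypto1 </CRYPTO-OPR>
    #<KEYGROUP-NAME>     keygroup1 </KEYGROUP-NAME>
    <ADDRESS>            10.0.8.20 </ADDRESS>
    <PROD-PORT>          2001 </PROD-PORT>
    <PROD-TLS-ENABLED>   YES </PROD-TLS-ENABLED>
    <PROD-TLS-ANONYMOUS> NO </PROD-TLS-ANONYMOUS>
    <PROD-TLS-CA>        /connection_certs/root_tls_cert.pem </PROD-TLS-CA>
    <PROD-TLS-CERT>      /connection_certs/signed_fxpkcs11_tls_cert.pem </PROD-TLS-CERT>
    <PROD-TLS-KEY>       /connection_certs/fxpkcs11_tls_privatekey.pem </PROD-TLS-KEY>
#   <PROD-TLS-KEY-PASS>  safest </PROD-TLS-KEY-PASS>
    <FX-LOAD-BALANCE>    NO </FX-LOAD-BALANCE>
</KMS>
"""

# One "<TAG> value </TAG>" entry per line, as in the sample file.
TAG_RE = re.compile(r'^\s*<([A-Z0-9-]+)>\s*(.*?)\s*</\1>\s*$')

def parse_kms_section(text):
    """Map each tag inside <KMS> to its list of values (a tag may repeat, e.g. PROD-TLS-CA).
    Lines starting with '#' are comments or disabled tags and are skipped (assumption)."""
    m = re.search(r'<KMS>(.*?)</KMS>', text, re.DOTALL)
    if not m:
        raise ValueError('no <KMS> section found')
    fields = {}
    for line in m.group(1).splitlines():
        t = TAG_RE.match(line) if not line.lstrip().startswith('#') else None
        if t:
            fields.setdefault(t.group(1), []).append(t.group(2))
    return fields

def check_kms_fields(fields):
    """Apply the settings this page recommends; return a list of problems (empty = OK)."""
    first = lambda tag: fields[tag][0].upper() if fields.get(tag) else None
    problems = [f'{tag} is missing' for tag in
                ('CRYPTO-OPR', 'ADDRESS', 'PROD-TLS-CERT', 'PROD-TLS-KEY') if not fields.get(tag)]
    if not fields.get('PROD-TLS-CA'):
        problems.append('at least one PROD-TLS-CA entry is required')
    if first('PROD-TLS-ENABLED') != 'YES':
        problems.append('PROD-TLS-ENABLED must be YES: the host API port is TLS only')
    if first('PROD-TLS-ANONYMOUS') != 'NO':
        problems.append('PROD-TLS-ANONYMOUS must be NO: the host API port uses mutual TLS')
    if first('FX-LOAD-BALANCE') not in ('YES', 'NO'):
        problems.append('FX-LOAD-BALANCE must be YES (through a Guardian) or NO')
    return problems
```

To check a deployed file, pass its contents in place of `SAMPLE_CFG`: `check_kms_fields(parse_kms_section(open('/etc/fxpkcs11.cfg').read()))` returns an empty list when the settings match the table above.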