# Edit the Futurex PKCS #11 configuration file
Perform the following tasks to configure the PKCS #11 file for this integration:

1. Define the connection information.
2. Configure special compatibility mode.
3. Test the connection.

The following sections provide detailed steps for these tasks.

## Define the connection information

The `fxpkcs11.cfg` file enables you to set the FXPKCS #11 library to connect to the KMES Series 3. To edit the file, run a text editor as an administrator on Windows or as root on Linux, and edit the configuration file accordingly. Most notably, you must set the fields described in this section inside the `<KMS>` section of the file.

Our PKCS #11 library expects to find the PKCS #11 config file in a certain location (`C:\Program Files\Futurex\fxpkcs11\fxpkcs11.cfg` for Windows and `/etc/fxpkcs11.cfg` for Linux), but you can override that location by using the `FXPKCS11_CFG` environment variable.

To configure the `fxpkcs11.cfg` file, edit the following sections of the partial file sample:

```
<KMS>
   # Which PKCS11 slot
   <SLOT>                      0                                           </SLOT>

   # Login username
   <CRYPTO-OPR>                vaultuser                                   </CRYPTO-OPR>

   # Key group name
   <KEYGROUP-NAME>             vaultkeygroup                               </KEYGROUP-NAME>

   # Connection information
   <ADDRESS>                   10.0.8.20                                   </ADDRESS>
   <PROD-PORT>                 2001                                        </PROD-PORT>
   <PROD-TLS-ENABLED>          YES                                         </PROD-TLS-ENABLED>
   <PROD-TLS-ANONYMOUS>        NO                                          </PROD-TLS-ANONYMOUS>
   <PROD-TLS-CA>               /home/futurex/tls/root.pem                  </PROD-TLS-CA>
   <PROD-TLS-CERT>             /home/futurex/tls/signed_ubuntu_cert.pem    </PROD-TLS-CERT>
   <PROD-TLS-KEY>              /home/futurex/tls/ssl_client_privatekey.pem </PROD-TLS-KEY>
   #<PROD-TLS-KEY-PASS>        safest                                      </PROD-TLS-KEY-PASS>

   # YES = This is communicating through a Guardian
   <FX-LOAD-BALANCE>           NO                                          </FX-LOAD-BALANCE>
</KMS>
```

| Field | Description |
| --- | --- |
| `<SLOT>` | Can be left at the default value of 0. |
| `<CRYPTO-OPR>` | Specify the name of the identity created on the KMES. |
| `<KEYGROUP-NAME>` | Specify the name of the key group created for this integration on the KMES. |
| `<ADDRESS>` | Specify the IP address of the KMES to which the PKCS #11 library should connect. |
| `<LOG-FILE>` | Set the path of the PKCS #11 log file. |
| `<PROD-PORT>` | Set the PKCS #11 library to connect to the default Host API port on the KMES, port 2001. |
| `<PROD-TLS-ENABLED>` | Set the field to YES. The only way to connect to the Host API port on the KMES is over TLS. |
| `<PROD-TLS-ANONYMOUS>` | Set this value to NO because you're connecting to the Host API port by using mutual authentication. This field defines whether the PKCS #11 library authenticates to the KMES. |
| `<PROD-TLS-CA>` | Define the location of the CA certificates with one or more instances of this tag. In this example, there is only one CA certificate. |
| `<PROD-TLS-CERT>` | Set the location of the signed client certificate. |
| `<PROD-TLS-KEY>` | Set the location of the client private key. Supported formats for the TLS private key are PKCS #1 clear private keys, PKCS #8 encrypted private keys, or a PKCS #12 file that contains the private key and certificates encrypted under a password. |
| `<PROD-TLS-KEY-PASS>` | Set the password of the PKCS #12 file, if necessary. |
| `<FX-LOAD-BALANCE>` | Set this field to YES if you use a Guardian to manage KMES Series 3 devices in a cluster. If you don't use a Guardian, set it to NO. |

For additional details, see the Futurex PKCS #11 technical reference on the Futurex Portal.

## Configure special compatibility mode

This integration requires the following special defines in the `<CONFIG>` section of the `fxpkcs11.cfg` file:

```
<FORCED-LABEL-USAGE> hsm_demo = ENCRYPT | DECRYPT </FORCED-LABEL-USAGE>
<FORCED-LABEL-USAGE> hsm_hmac_demo = SIGN | VERIFY </FORCED-LABEL-USAGE>
```

These defines force specific usages for the two keys that Vault creates on the KMES, based on the key labels that you specify. The `hsm_demo` and `hsm_hmac_demo` key labels correspond with what is defined for the `key_label` and `hmac_key_label` values in the Vault HCL file (covered in the next section).

## Test the connection

After you edit the `fxpkcs11.cfg` file, run the PKCS11Manager file to test the connection against the KMES. Check the fxpkcs11 log for errors and information. For more information, see our Administrator Guide.