Edit the Futurex PKCS #11 configuration file
The fxpkcs11.cfg file enables you to set the FXPKCS #11 library to connect to the {{k3}}. To edit the file, run a text editor as an administrator on Windows or as root on Linux and edit the configuration file accordingly. Most notably, you must set the fields described in this section inside the `<KMS>` section of the file.

Our PKCS #11 library expects to find the PKCS #11 config file in a specific location (`C:\Program Files\Futurex\fxpkcs11\fxpkcs11.cfg` for Windows and `/etc/fxpkcs11.cfg` for Linux). Still, you can override that location by using the `FXPKCS11_CFG` environment variable.

To configure the fxpkcs11.cfg file, edit the following sections:

```
<KMS>
  # Which PKCS11 slot
  <SLOT>                0                                               </SLOT>
  # Login username
  <CRYPTO-OPR>          crypto1                                         </CRYPTO-OPR>
  # Key group name
  #<KEYGROUP-NAME>      keygroup1                                       </KEYGROUP-NAME>
  # Asymmetric key group name
  <ASYM-KEYGROUP-NAME>  asymkeygroup1                                   </ASYM-KEYGROUP-NAME>
  # Connection information
  <ADDRESS>             10.0.8.20                                       </ADDRESS>
  <PROD-PORT>           2001                                            </PROD-PORT>
  <PROD-TLS-ENABLED>    YES                                             </PROD-TLS-ENABLED>
  <PROD-TLS-ANONYMOUS>  NO                                              </PROD-TLS-ANONYMOUS>
  <PROD-TLS-CA>         /connection-certs/root_tls_cert.pem             </PROD-TLS-CA>
  <PROD-TLS-CERT>       /connection-certs/signed_fxpkcs11_tls_cert.pem  </PROD-TLS-CERT>
  <PROD-TLS-KEY>        /connection-certs/fxpkcs11_tls_privatekey.pem   </PROD-TLS-KEY>
  #<PROD-TLS-KEY-PASS>  safest                                          </PROD-TLS-KEY-PASS>
  # YES = This is communicating through a Guardian
  <FX-LOAD-BALANCE>     NO                                              </FX-LOAD-BALANCE>
</KMS>
```

| Field | Description |
|---|---|
| `<SLOT>` | Leave it set to the default value of 0. |
| `<CRYPTO-OPR>` | Specify the name of the identity created on the {{k}}. |
| `<KEYGROUP-NAME>` | Define the symmetric key group name for this integration. |
| `<ASYM-KEYGROUP-NAME>` | Define the asymmetric key group name for this integration. |
| `<ADDRESS>` | Specify the IP address of the {{k}} to which the PKCS #11 library should connect. |
| `<LOG-FILE>` | Set the path of the PKCS #11 log file. |
| `<PROD-PORT>` | Set the PKCS #11 library to connect to the default Host API port on the {{k}}, port 2001. |
| `<PROD-TLS-ENABLED>` | Set the field to YES. The only way to connect to the Host API port on the {{k}} is over TLS. |
| `<PROD-TLS-ANONYMOUS>` | Set this value to NO because you connect to the Host API port by using mutual authentication. This field defines whether the PKCS #11 library authenticates to the {{k}}. |
| `<PROD-TLS-CA>` | Define the location of the CA certificates with one or more instances of this tag. In this example, there is only one CA certificate. |
| `<PROD-TLS-CERT>` | Set the location of the signed client certificate. |
| `<PROD-TLS-KEY>` | Set the location of the client private key. Supported formats for the TLS private key are PKCS #1 clear private keys, PKCS #8 encrypted private keys, or a PKCS #12 file that contains the private key and certificates encrypted under a password. |
| `<PROD-TLS-KEY-PASS>` | Set the password of the PKCS #12 file, if necessary. |
| `<FX-LOAD-BALANCE>` | Set this field to YES if you use a Guardian to manage {{k3}} devices in a cluster. If you don't use a Guardian, set it to NO. |

After you finish editing the fxpkcs11.cfg file, run the PKCS11Manager file to test the connection against the {{k}} and check the fxpkcs11 log for errors and information. For more information, refer to the {{futurex}} PKCS #11 Technical Reference on the {{futurex}} Portal.

Special defines required for this integration

In the `<CONFIG>` section, add the following definition so that fxpkcs11 does not prompt for a password during the SSH connection attempt. You don't need to enter a password during the connection attempt because the fxpkcs11 library is already logged in to the {{k3}} with the configured user at that point.

```
<REQUIRE-LOGIN-FLAG> NO </REQUIRE-LOGIN-FLAG>
```
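A pre-flight check for the settings described above, added here as an example and not Futurex's own code: it parses the tag-per-line layout of fxpkcs11.cfg into sections and flags values that contradict this page (TLS disabled, anonymous TLS, missing client credentials, or a missing `<REQUIRE-LOGIN-FLAG>`). The uppercase hyphenated tag spellings and the constructed sample file are assumptions.

```python
import re

# Constructed sample in the shape of the page's fxpkcs11.cfg excerpt (tag spellings assumed).
SAMPLE_CFG = """<KMS>
  <CRYPTO-OPR> crypto1 </CRYPTO-OPR>
  #<KEYGROUP-NAME> keygroup1 </KEYGROUP-NAME>
  <ASYM-KEYGROUP-NAME> asymkeygroup1 </ASYM-KEYGROUP-NAME>
  <ADDRESS> 10.0.8.20 </ADDRESS>
  <PROD-PORT> 2001 </PROD-PORT>
  <PROD-TLS-ENABLED> YES </PROD-TLS-ENABLED>
  <PROD-TLS-ANONYMOUS> NO </PROD-TLS-ANONYMOUS>
  <PROD-TLS-CA> /connection-certs/root_tls_cert.pem </PROD-TLS-CA>
  <PROD-TLS-CERT> /connection-certs/signed_fxpkcs11_tls_cert.pem </PROD-TLS-CERT>
  <PROD-TLS-KEY> /connection-certs/fxpkcs11_tls_privatekey.pem </PROD-TLS-KEY>
</KMS>
<CONFIG>
  <REQUIRE-LOGIN-FLAG> NO </REQUIRE-LOGIN-FLAG>
</CONFIG>
"""

def parse_cfg(text):
    """Return {section: {tag: [values]}}. '#' lines are comments; a tag may repeat."""
    sections, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if m := re.fullmatch(r"<([A-Z0-9-]+)>\s*(.*?)\s*</\1>", line):  # <TAG> value </TAG>
            sections.setdefault(current, {}).setdefault(m[1], []).append(m[2])
        elif m := re.fullmatch(r"<([A-Z0-9-]+)>", line):  # section opener such as <KMS>
            current = m[1]
        elif re.fullmatch(r"</[A-Z0-9-]+>", line):  # section closer
            current = None
    return sections

REQUIRED = ("CRYPTO-OPR", "ASYM-KEYGROUP-NAME", "ADDRESS", "PROD-TLS-CA", "PROD-TLS-CERT", "PROD-TLS-KEY")

def check_cfg(text):
    """List settings that contradict this page; an empty list means the file passes."""
    cfg = parse_cfg(text)
    kms, conf = cfg.get("KMS", {}), cfg.get("CONFIG", {})
    val = lambda sec, tag: (sec.get(tag) or [""])[0].upper()
    problems = [f"<KMS> is missing <{t}>" for t in REQUIRED if not kms.get(t)]
    if val(kms, "PROD-TLS-ENABLED") != "YES":
        problems.append("PROD-TLS-ENABLED must be YES: the Host API port accepts TLS only")
    if val(kms, "PROD-TLS-ANONYMOUS") != "NO":
        problems.append("PROD-TLS-ANONYMOUS must be NO: the Host API port requires mutual TLS")
    if val(conf, "REQUIRE-LOGIN-FLAG") != "NO":
        problems.append("<CONFIG> needs <REQUIRE-LOGIN-FLAG> NO, or SSH is prompted for a password")
    return problems
```

Run `check_cfg(open("/etc/fxpkcs11.cfg").read())` against the real file before testing the connection with PKCS11Manager; every returned string names the tag to fix.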