Edit the Futurex PKCS #11 configuration file

16min
The fxpkcs11.cfg file enables you to set the FXPKCS #11 library to connect to the . To edit the file, run a text editor as an Administrator on Windows or root on Linux and edit the configuration file accordingly. Most notably, you must configure the fields described in this section inside the <KMS> section of the file. 
Our PKCS #11 library expects to find the PKCS #11 config file in a certain location (C:\Program Files\Futurex\fxpkcs11\fxpkcs11.cfg for Windows and /etc/fxpkcs11.cfg for Linux), but you can override that location by using the FXPKCS11_CFG environment variable.
To configure the fxpkcs11.cfg file, edit the following sections:
Text
<KMS>
    # Which PKCS11 slot
    <SLOT>                  0                       </SLOT>
    <LABEL>                 Futurex                 </LABEL>

    # Login username
    <CRYPTO-OPR>            [identity_name]         </CRYPTO-OPR>

    # Key group name
    <KEYGROUP-NAME>         keygroup1               </KEYGROUP-NAME>
    # Asymmetric key group name
    <ASYM-KEYGROUP-NAME>    asymkeygroup1           </ASYM-KEYGROUP-NAME>

    # Connection information
    <ADDRESS>               10.0.8.20               </ADDRESS>
    <PROD-PORT>             2001                    </PROD-PORT>
    <PROD-TLS-ENABLED>      YES                     </PROD-TLS-ENABLED>
    <PROD-TLS-ANONYMOUS>    NO                      </PROD-TLS-ANONYMOUS>
#    <PROD-TLS-CA>           /tls/root.pem           </PROD-TLS-CA>
#    <PROD-TLS-CERT>         /tls/signed-client-cert.pem      </PROD-TLS-CERT>
    <PROD-TLS-KEY>          /tls/client-pki.p12     </PROD-TLS-KEY>
    <PROD-TLS-KEY-PASS>     safest                  </PROD-TLS-KEY-PASS>

    # YES = This is communicating through a Guardian
    <FX-LOAD-BALANCE>       NO                      </FX-LOAD-BALANCE>
</KMS>
<KMS>
    # Which PKCS11 slot
    <SLOT>                  0                       </SLOT>
    <LABEL>                 Futurex                 </LABEL>

    # Login username
    <CRYPTO-OPR>            [identity_name]         </CRYPTO-OPR>

    # Key group name
    <KEYGROUP-NAME>         keygroup1               </KEYGROUP-NAME>
    # Asymmetric key group name
    <ASYM-KEYGROUP-NAME>    asymkeygroup1           </ASYM-KEYGROUP-NAME>

    # Connection information
    <ADDRESS>               10.0.8.20               </ADDRESS>
    <PROD-PORT>             2001                    </PROD-PORT>
    <PROD-TLS-ENABLED>      YES                     </PROD-TLS-ENABLED>
    <PROD-TLS-ANONYMOUS>    NO                      </PROD-TLS-ANONYMOUS>
#    <PROD-TLS-CA>           /tls/root.pem           </PROD-TLS-CA>
#    <PROD-TLS-CERT>         /tls/signed-client-cert.pem      </PROD-TLS-CERT>
    <PROD-TLS-KEY>          /tls/client-pki.p12     </PROD-TLS-KEY>
    <PROD-TLS-KEY-PASS>     safest                  </PROD-TLS-KEY-PASS>

    # YES = This is communicating through a Guardian
    <FX-LOAD-BALANCE>       NO                      </FX-LOAD-BALANCE>
</KMS>
﻿
Field
Description
﻿
<SLOT>
Can leave it set to the default value of 0.
﻿
<CRYPTO-OPR>
Specify the name of the identity created on the .
﻿
<KEYGROUP-NAME>
Define the symmetric key group name for this integration.
﻿
<ASYM-KEYGROUP-NAME>
Define the asymmetric key group name for this integration. 
﻿
<ADDRESS>
Specify the IP address of the  to which the PKCS #11 library should connect.
﻿
<LOG-FILE>
Set the path of the PKCS #11 log file.
﻿
<PROD-PORT>
Set the PKCS #11 library to connect to the default Host API port on the KMES, port 2001.
﻿
<PROD-TLS-ENABLED>
Set the field to YES. The only way to connect to the Host API port on the  is over TLS.
﻿
<PROD-TLS-ANONYMOUS>
Set this value to NO because you're connecting to the Host API port by using mutual authentication. This field defines whether the PKCS #11 library authenticates to the . 
﻿
<PROD-TLS-CA>
Comment out this field because the client PKI is all contained within a PKCS #12 file.
﻿
<PROD-TLS-CERT>
Comment out this field because the client PKI is all contained within a PKCS #12 file.
﻿
<PROD-TLS-KEY>
Set the location of the client PKCS #12 file, encrypted under the password specified in the <PROD-TLS-KEY-PASS> field, which you must define.
﻿
<PROD-TLS-KEY-PASS>
Set the password of the PKCS #12 file.
﻿
<FX-LOAD-BALANCE>
Set this field to YES if you use a Guardian to manage  devices in a cluster. If you don't use a Guardian, set it to NO.
After you finish editing the fxpkcs11.cfg file, run the PKCS11Manager file to test the connection against the  and check the fxpkcs11.log for errors and information. For more information, refer to the  PKCS #11 technical reference on the  Portal.
Special compatibility mode required for Zettaset integration
The Zettaset integration requires the following special defines in the <CONFIG> section of the fxpkcs11.cfg file:
Text
# Override all key usage requests with specific values
<FORCED-SYMMETRIC-USAGE>   ENCRYPT | DECRYPT   </FORCED-SYMMETRIC-USAGE>
<FORCED-ASYMMETRIC-USAGE>  SIGN | VERIFY       </FORCED-ASYMMETRIC-USAGE>
# Override all key usage requests with specific values
<FORCED-SYMMETRIC-USAGE>   ENCRYPT | DECRYPT   </FORCED-SYMMETRIC-USAGE>
<FORCED-ASYMMETRIC-USAGE>  SIGN | VERIFY       </FORCED-ASYMMETRIC-USAGE>
﻿
These defines override key usages for the symmetric and asymmetric keys Zettaset creates on the .
Updated 12 Jul 2024
Did this page help you?
Configure authentication and permissions for Zettaset on the KMES Series 3
Zettaset XCrypt Full Disk deployment prerequisites