Edit the Futurex PKCS #11 configuration file

The fxpkcs11.cfg file enables you to set the Futurex PKCS #11 library to connect to the {{k3}}. To edit the file, run a text editor as an administrator on Windows or root on Linux and edit the configuration file accordingly. Most notably, you must configure the fields described in this section inside the `<KMS>` section of the file.

Our PKCS #11 library expects to find the PKCS #11 config file in a certain location (`C:\Program Files\Futurex\fxpkcs11\fxpkcs11.cfg` for Windows and `/etc/fxpkcs11.cfg` for Linux), but you can override that location by using the `FXPKCS11_CFG` environment variable.

To configure the fxpkcs11.cfg file, edit the following sections:

```
<KMS>
    # Which PKCS11 slot
    <SLOT>                  0                           </SLOT>
    <LABEL>                 Futurex                     </LABEL>

    # Login username
    <CRYPTO-OPR>            [identity_name]             </CRYPTO-OPR>

    # Key group name
    <KEYGROUP-NAME>         keygroup1                   </KEYGROUP-NAME>

    # Asymmetric key group name
    <ASYM-KEYGROUP-NAME>    asymkeygroup1               </ASYM-KEYGROUP-NAME>

    # Connection information
    <ADDRESS>               10.0.8.20                   </ADDRESS>
    <PROD-PORT>             2001                        </PROD-PORT>
    <PROD-TLS-ENABLED>      yes                         </PROD-TLS-ENABLED>
    <PROD-TLS-ANONYMOUS>    no                          </PROD-TLS-ANONYMOUS>
#   <PROD-TLS-CA>           /tls/root.pem               </PROD-TLS-CA>
#   <PROD-TLS-CERT>         /tls/signed_client_cert.pem </PROD-TLS-CERT>
    <PROD-TLS-KEY>          /tls/client_pki.p12         </PROD-TLS-KEY>
    <PROD-TLS-KEY-PASS>     safest                      </PROD-TLS-KEY-PASS>

    # YES = This is communicating through a Guardian
    <FX-LOAD-BALANCE>       no                          </FX-LOAD-BALANCE>
</KMS>
```

| Field | Description |
| --- | --- |
| `<SLOT>` | Can leave it set to the default value of 0. |
| `<CRYPTO-OPR>` | Specify the name of the identity created on the {{k}}. |
| `<KEYGROUP-NAME>` | Define the symmetric key group name for this integration. |
| `<ASYM-KEYGROUP-NAME>` | Define the asymmetric key group name for this integration. |
| `<ADDRESS>` | Specify the IP address of the {{k}} to which the PKCS #11 library should connect. |
| `<LOG-FILE>` | Set the path of the PKCS #11 log file. |
| `<PROD-PORT>` | Set the PKCS #11 library to connect to the default Host API port on the {{k}}, port 2001. |
| `<PROD-TLS-ENABLED>` | Set the field to yes. The only way to connect to the Host API port on the {{k}} is over TLS. |
| `<PROD-TLS-ANONYMOUS>` | Set this value to no because you're connecting to the Host API port by using mutual authentication. This field defines whether the PKCS #11 library authenticates to the {{k}}. |
| `<PROD-TLS-CA>` | Comment out this field because the client PKI is all contained within a PKCS #12 file. |
| `<PROD-TLS-CERT>` | Comment out this field because the client PKI is all contained within a PKCS #12 file. |
| `<PROD-TLS-KEY>` | Set the location of the client PKCS #12 file, encrypted under the password specified in the `<PROD-TLS-KEY-PASS>` field, which you must define. |
| `<PROD-TLS-KEY-PASS>` | Set the password of the PKCS #12 file. |
| `<FX-LOAD-BALANCE>` | Set this field to yes if you use a Guardian to manage {{k3}} devices in a cluster. If you don't use a Guardian, set it to no. |

After you finish editing the fxpkcs11.cfg file, run the PKCS11Manager file to test the connection against the {{k}} and check the fxpkcs11.log for errors and information. For more information, refer to the {{futurex}} PKCS #11 technical reference on the {{futurex}} Portal.

Special compatibility mode required for Zettaset integration

The Zettaset integration requires the following special defines in the `<CONFIG>` section of the fxpkcs11.cfg file:

```
# Override all key usage requests with specific values
<FORCED-SYMMETRIC-USAGE>    encrypt | decrypt   </FORCED-SYMMETRIC-USAGE>
<FORCED-ASYMMETRIC-USAGE>   sign | verify       </FORCED-ASYMMETRIC-USAGE>
```

These defines override key usages for the symmetric and asymmetric keys Zettaset creates on the {{k3}}.
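As an added example (not Futurex or Zettaset code), the following Python script checks a fxpkcs11.cfg against the settings this page prescribes for the KMS and CONFIG sections. The sample file is constructed, and the simple tag parser and the upper-case, hyphenated tag spelling are assumptions, not the library's own parser.

```python
import re

# Constructed sample with deliberate mistakes; tag spelling is an assumption.
SAMPLE_CFG = """
<CONFIG>
    <FORCED-SYMMETRIC-USAGE> encrypt | decrypt </FORCED-SYMMETRIC-USAGE>
</CONFIG>
<KMS>
    <CRYPTO-OPR> example_identity </CRYPTO-OPR>
    <ADDRESS> 10.0.8.20 </ADDRESS>
    <PROD-PORT> 2001 </PROD-PORT>
    <PROD-TLS-ENABLED> yes </PROD-TLS-ENABLED>
    <PROD-TLS-ANONYMOUS> yes </PROD-TLS-ANONYMOUS>
    <PROD-TLS-CA> /tls/root.pem </PROD-TLS-CA>
    # <PROD-TLS-CERT> /tls/signed_client_cert.pem </PROD-TLS-CERT>
    <PROD-TLS-KEY> /tls/client_pki.p12 </PROD-TLS-KEY>
    <PROD-TLS-KEY-PASS> example-only </PROD-TLS-KEY-PASS>
    <FX-LOAD-BALANCE> no </FX-LOAD-BALANCE>
</KMS>
"""

REQUIRED = {"PROD-TLS-ENABLED": "yes", "PROD-TLS-ANONYMOUS": "no"}
MUST_BE_SET = ("CRYPTO-OPR", "ADDRESS", "PROD-TLS-KEY", "PROD-TLS-KEY-PASS")
FORCED = {"FORCED-SYMMETRIC-USAGE": "encrypt | decrypt",
          "FORCED-ASYMMETRIC-USAGE": "sign | verify"}

def parse_cfg(text):
    """Return {section: {field: value}}; lines commented out with '#' are dropped."""
    live = "\n".join(ln for ln in text.splitlines() if not ln.lstrip().startswith("#"))
    field = re.compile(r"<([A-Z0-9-]+)>\s*(.*?)\s*</\1>", re.S)
    return {name: dict(field.findall(body))
            for name, body in re.findall(r"<(KMS|CONFIG)>(.*?)</\1>", live, re.S)}

def usages(value):
    """Split 'encrypt | decrypt' into a set so order and spacing do not matter."""
    return {u.strip().lower() for u in value.split("|") if u.strip()}

def lint(text):
    """List the settings that differ from what this page prescribes."""
    cfg = parse_cfg(text)
    kms, conf = cfg.get("KMS", {}), cfg.get("CONFIG", {})
    out = [f"{k} must be {v}" for k, v in REQUIRED.items()
           if kms.get(k, "").lower() != v]
    out += [f"{k} should be commented out" for k in ("PROD-TLS-CA", "PROD-TLS-CERT")
            if k in kms]
    out += [f"{k} is not set" for k in MUST_BE_SET if not kms.get(k)]
    if kms.get("FX-LOAD-BALANCE", "").lower() not in ("yes", "no"):
        out.append("FX-LOAD-BALANCE must be yes or no")
    out += [f"{k} must be {v}" for k, v in FORCED.items()
            if usages(conf.get(k, "")) != usages(v)]
    return out
```

Calling `lint(SAMPLE_CFG)` reports the anonymous-TLS setting, the uncommented CA line and the missing asymmetric usage define; an empty list means the file matches the page.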