Edit the Futurex CNG (FXCNG) configuration file

15min

the fxcng cfg file enables you to set the fxcng library to connect to the {{k3}} to edit, run a text editor as an administrator and modify the configuration file accordingly most notably, you must set the following fields in the \<kms> section (note that the full fxcng cfg file is not shown) our cng library expects the cng config file to be in a certain location ( c \program files\futurex\fxcng\fxcng cfg ) \<kms> \# which pkcs11 slot \<slot> 0 \</slot> \# login username \<crypto opr> signtooluser \</crypto opr> 	\<crypto opr pass> safest \</crypto opr pass> \# connection information \<address> 10 0 8 20 \</address> \<prod port> 2001 \</prod port> \<prod tls enabled> yes \</prod tls enabled> \<prod tls anonymous> no \</prod tls anonymous> \<prod tls ca> /home/futurex/tls/root pem \</prod tls ca> \<prod tls cert> /home/futurex/tls/signed client cert pem \</prod tls cert> \<prod tls key> /home/futurex/tls/pki p12 \</prod tls key> \<prod tls key pass> safest \</prod tls key pass> \# yes = this is communicating through a guardian \<fx load balance> no \</fx load balance> \</kms> field description \<slot> can leave set to the default value of 0 \<crypto opr> specify the name of the identity created on the {{k}} \<crypto opr pass> specify the password for the user configured in the \<crypto opr> field \<address> specify the ip address of the {{k}} to which the cng library should connect \<log file> set the path of the cng log file \<prod port> set the cng library to connect to the default host api port on the {{k}} , port 2001 \<prod tls enabled> set the field to yes the only way to connect to the host api port on the {{k}} is over tls \<prod tls anonymous> set this value to no because you're connecting to the host api port by using mutual authentication this field defines whether the cng library authenticates to the {{k}} \<prod tls ca> because a pkcs #12 file is defined in the \<prod tls key> field in this example, it is unnecessary to define the ca certificates with one or more instances of the \<prod tls ca> tag \<prod tls cert> because a pkcs #12 file is defined in the \<prod tls key> field in this example, you don't need to define the signed client cert with the \<prod tls cert> tag \<prod tls key> set the location of the client private key supported formats for the tls private key are pkcs #1 clear private keys, pkcs #8 encrypted private keys, or a pkcs #12 file that contains the private key and certificates encrypted under a password \<prod tls key pass> set the password of the pkcs #12 file \<fx load balance> set this field to yes if you use a guardian to manage {{k3}} devices in a cluster if you don't use a guardian, set it to no for additional details, see the {{futurex}} cng technical reference on the {{futurex}} portal

Configure KMES Series 3

Import certificates into the Windows certificate store