Edit the Futurex CNG (FXCNG) configuration file

15min
The fxcng.cfg file enables you to set the FXCNG library to connect to the KMES Series 3. To edit, run a text editor as an Administrator and modify the configuration file accordingly. Most notably, you must set the following fields in the <KMS> section (note that the full fxcng.cfg file is not shown).
Our CNG library expects the CNG config file to be in a certain location (C:\Program Files\Futurex\fxcng\fxcng.cfg).
Text
<KMS>
    # Which PKCS11 slot
    <SLOT>                  0                       </SLOT>

    # Login username
    <CRYPTO-OPR>            SignToolUser                 </CRYPTO-OPR>
	<CRYPTO-OPR-PASS>       safest                  </CRYPTO-OPR-PASS>

    # Connection information
    <ADDRESS>               10.0.8.20 </ADDRESS>
    <PROD-PORT>             2001                    </PROD-PORT>
    <PROD-TLS-ENABLED>      YES                     </PROD-TLS-ENABLED>
    <PROD-TLS-ANONYMOUS>    NO                      </PROD-TLS-ANONYMOUS>
    <PROD-TLS-CA>           /home/futurex/tls/root.pem        </PROD-TLS-CA>
    <PROD-TLS-CERT>         /home/futurex/tls/signed-client-cert.pem      </PROD-TLS-CERT>
    <PROD-TLS-KEY>          /home/futurex/tls/PKI.p12   </PROD-TLS-KEY>
    <PROD-TLS-KEY-PASS>     safest                 </PROD-TLS-KEY-PASS>

    # YES = This is communicating through a Guardian
    <FX-LOAD-BALANCE>       NO                      </FX-LOAD-BALANCE>
</KMS>
<KMS>
    # Which PKCS11 slot
    <SLOT>                  0                       </SLOT>

    # Login username
    <CRYPTO-OPR>            SignToolUser                 </CRYPTO-OPR>
	<CRYPTO-OPR-PASS>       safest                  </CRYPTO-OPR-PASS>

    # Connection information
    <ADDRESS>               10.0.8.20 </ADDRESS>
    <PROD-PORT>             2001                    </PROD-PORT>
    <PROD-TLS-ENABLED>      YES                     </PROD-TLS-ENABLED>
    <PROD-TLS-ANONYMOUS>    NO                      </PROD-TLS-ANONYMOUS>
    <PROD-TLS-CA>           /home/futurex/tls/root.pem        </PROD-TLS-CA>
    <PROD-TLS-CERT>         /home/futurex/tls/signed-client-cert.pem      </PROD-TLS-CERT>
    <PROD-TLS-KEY>          /home/futurex/tls/PKI.p12   </PROD-TLS-KEY>
    <PROD-TLS-KEY-PASS>     safest                 </PROD-TLS-KEY-PASS>

    # YES = This is communicating through a Guardian
    <FX-LOAD-BALANCE>       NO                      </FX-LOAD-BALANCE>
</KMS>
﻿
Field
Description
﻿
<SLOT>
Can leave set to the default value of 0.
﻿
<CRYPTO-OPR>
Specify the name of the identity created on the KMES.
﻿
<CRYPTO-OPR-PASS>
Specify the password for the user configured in the <CRYPTO-OPR> field.
﻿
<ADDRESS>
Specify the IP address of the KMES to which the CNG library should connect.
﻿
<LOG-FILE>
Set the path of the CNG log file.
﻿
<PROD-PORT>
Set the CNG library to connect to the default Host API port on the KMES, port 2001.
﻿
<PROD-TLS-ENABLED>
Set the field to YES. The only way to connect to the Host API port on the KMES is over TLS.
﻿
<PROD-TLS-ANONYMOUS>
Set this value to NO because you're connecting to the Host API port by using mutual authentication. This field defines whether the CNG library authenticates to the KMES. 
﻿
<PROD-TLS-CA>
Because a PKCS #12 file is defined in the <PROD-TLS-KEY> field in this example, it is not necessary to define the CA certificates with one or more instances of the <PROD-TLS-CA> tag.
﻿
<PROD-TLS-CERT>
Because a PKCS #12 file is defined in the <PROD-TLS-KEY> field in this example, you don't need to define the signed client cert with the <PROD-TLS-CERT> tag
﻿
<PROD-TLS-KEY>
Set the location of the client private key. Supported formats for the TLS private key are: PKCS #1 clear private keys, PKCS #8 encrypted private keys, or a PKCS #12 file that contains the private key and certificates encrypted under a password.
﻿
<PROD-TLS-KEY-PASS>
Set the password of the PKCS #12 file.
﻿
<FX-LOAD-BALANCE>
Set this field to YES if you use a Guardian to manage KMES Series 3 devices in a cluster. If you don't use a Guardian, set it to NO.
﻿
For additional details, see the Futurex CNG technical reference on the Futurex Portal.
Updated 25 Feb 2024
Did this page help you?
Configure KMES Series 3
Import certificates into the Windows certificate store