Edit the Futurex CSP configuration file

The fxpkcs11.cfg file enables you to set the FXPKCS #11 library to connect to the . To edit the file, run a text editor as an Administrator on Windows or root on Linux and edit the configuration file accordingly. Most notably, you must set the fields described in this section inside the <KMS> section of the file.

Our CSP module expects to find the config file in a certain location (C:\Program Files\Futurex\fxcsp\fxpkcs11.cfg for Windows), but you can override that location by using the FXPKCS11_CFG environment variable.

To configure the fxpkcs11.cfg file, edit the following sections of the partial file sample:


| Parameter | Description |
| --- | --- |
| <SLOT> | Can be left at the default value of 0. |
| <CRYPTO-OPR> | Specify the name of the identity created on the . |
| <ADDRESS> | Specify the IP address of the to which the PKCS #11 library should connect. |
| <PROD-PORT> | Set the PKCS #11 library to connect to the default Host API port on the , port 2001. |
| <PROD-TLS-ENABLED> | Set the field to YES. The only way to connect to the Host API port on the is over TLS. |
| <PROD-TLS-ANONYMOUS> | Set this value to NO because you are connecting to the Host API port by using mutual authentication. This field defines whether the PKCS #11 library authenticates to the . |
| <PROD-TLS-CA> | Define the location of the CA certificates with one or more instances of this tag. In this example, there is only one CA certificate. |
| <PROD-TLS-KEY> | Set the location of the client private key. Supported formats for the TLS private key are PKCS #1 clear private keys, PKCS #8 encrypted private keys, or a PKCS #12 file that contains the private key and certificates encrypted under a password. |
| <PROD-TLS-KEY-PASS> | Set the password of the PKCS #12 file, if necessary. |
| <FX-LOAD-BALANCE> | Set this field to YES if you use a Guardian to manage devices in a cluster. If you don't use a Guardian, set it to NO. |

Additional defines required for this integration

In the <CONFIG> section of the file, you must set <UNIQUE-CONNECTIONS> to YES.


In the <CONFIG> section of the file, you must also add the following define:

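The following Python script is an added example, not part of this page or of the Futurex CSP itself. It parses an fxpkcs11.cfg-style file and checks the <KMS> and <CONFIG> values against the requirements listed above (TLS enabled, mutual authentication rather than anonymous TLS, at least one CA certificate, a client key with its PKCS #12 password where needed, port 2001, and UNIQUE-CONNECTIONS set to YES). It assumes a <TAG> value </TAG> one-line layout inside <KMS>...</KMS> and <CONFIG>...</CONFIG> blocks, treats .p12/.pfx extensions as the PKCS #12 case, and uses constructed placeholder paths, an example IP address and an identity name; the sample deliberately contains two misconfigurations so the lint output is visible.

```python
import re
from collections import defaultdict

# Constructed sample fxpkcs11.cfg in the <TAG> value </TAG> layout this
# example assumes; the paths, address and identity name are placeholders.
# It deliberately contains two mistakes that the lint below reports.
SAMPLE_CFG = """\
<CONFIG>
  <UNIQUE-CONNECTIONS> YES </UNIQUE-CONNECTIONS>
</CONFIG>
<KMS>
  <SLOT> 0 </SLOT>
  <CRYPTO-OPR> adrms_pkcs11 </CRYPTO-OPR>
  <ADDRESS> 192.0.2.10 </ADDRESS>
  <PROD-PORT> 2001 </PROD-PORT>
  <PROD-TLS-ENABLED> YES </PROD-TLS-ENABLED>
  <PROD-TLS-ANONYMOUS> YES </PROD-TLS-ANONYMOUS>
  <PROD-TLS-CA> C:\\certs\\host_api_ca.pem </PROD-TLS-CA>
  <PROD-TLS-KEY> C:\\certs\\client.p12 </PROD-TLS-KEY>
  <FX-LOAD-BALANCE> NO </FX-LOAD-BALANCE>
</KMS>
"""

SECTION_OPEN = re.compile(r"^\s*<([A-Z0-9-]+)>\s*$")
SECTION_CLOSE = re.compile(r"^\s*</([A-Z0-9-]+)>\s*$")
ENTRY = re.compile(r"^\s*<([A-Z0-9-]+)>\s*(.*?)\s*</\1>\s*$")


def parse_cfg(text):
    """Return {section: {tag: [values]}}; a tag may repeat (e.g. PROD-TLS-CA)."""
    sections = defaultdict(lambda: defaultdict(list))
    current = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):  # assumed comment syntax
            continue
        m = ENTRY.match(line)
        if m:
            if current is None:
                raise ValueError(f"line {lineno}: <{m.group(1)}> outside any section")
            sections[current][m.group(1)].append(m.group(2))
            continue
        m = SECTION_OPEN.match(line)
        if m:
            current = m.group(1)
            continue
        m = SECTION_CLOSE.match(line)
        if m:
            if m.group(1) != current:
                raise ValueError(f"line {lineno}: unexpected </{m.group(1)}>")
            current = None
            continue
        raise ValueError(f"line {lineno}: cannot parse {line.strip()!r}")
    return sections


def _first(section, tag):
    values = section.get(tag, [])
    return values[0] if values else None


def lint_cfg(sections):
    """Check the settings this integration requires; return a list of findings."""
    kms = sections.get("KMS", {})
    cfg = sections.get("CONFIG", {})
    findings = []

    for tag in ("CRYPTO-OPR", "ADDRESS"):
        if not _first(kms, tag):
            findings.append(f"KMS/{tag}: value is required")

    port = _first(kms, "PROD-PORT")
    if port != "2001":
        findings.append(f"KMS/PROD-PORT: expected default Host API port 2001, found {port!r}")

    if (_first(kms, "PROD-TLS-ENABLED") or "").upper() != "YES":
        findings.append("KMS/PROD-TLS-ENABLED: must be YES, the Host API port is TLS-only")

    if (_first(kms, "PROD-TLS-ANONYMOUS") or "").upper() != "NO":
        findings.append("KMS/PROD-TLS-ANONYMOUS: must be NO so the library authenticates (mutual TLS)")

    if not kms.get("PROD-TLS-CA"):
        findings.append("KMS/PROD-TLS-CA: at least one CA certificate path is required")

    key = _first(kms, "PROD-TLS-KEY")
    if not key:
        findings.append("KMS/PROD-TLS-KEY: client private key path is required")
    elif key.lower().endswith((".p12", ".pfx")) and not _first(kms, "PROD-TLS-KEY-PASS"):
        findings.append("KMS/PROD-TLS-KEY-PASS: PKCS #12 key file needs its password")

    if (_first(kms, "FX-LOAD-BALANCE") or "").upper() not in ("YES", "NO"):
        findings.append("KMS/FX-LOAD-BALANCE: must be YES (Guardian cluster) or NO")

    if (_first(cfg, "UNIQUE-CONNECTIONS") or "").upper() != "YES":
        findings.append("CONFIG/UNIQUE-CONNECTIONS: must be YES for this integration")

    return findings


if __name__ == "__main__":
    for finding in lint_cfg(parse_cfg(SAMPLE_CFG)):
        print(finding)
```

Run it against the real file with `parse_cfg(open(path).read())` after editing; an empty findings list means every value the table above requires is present, and the anonymous-TLS check in particular catches the case where the library would connect without presenting a client certificate.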