Microsoft AD RMS
Edit the Futurex CSP configuration file
The fxpkcs11.cfg file enables you to set the FXPKCS #11 library to connect to the {{k3}}. To edit the file, run a text editor as an administrator on Windows or as root on Linux and edit the configuration file accordingly. Most notably, you must set the fields described in this section inside the `<KMS>` section of the file.

The {{futurex}} CSP module expects to find the config file in a certain location (`C:\Program Files\Futurex\fxcsp\fxpkcs11.cfg` for Windows), but you can override that location by using the `FXPKCS11_CFG` environment variable.

To configure the fxpkcs11.cfg file, edit the following sections of the partial file sample:

```
<KMS>
    # Which PKCS11 slot
    <SLOT> 0 </SLOT>

    # Login username
    <CRYPTO-OPR> crypto1 </CRYPTO-OPR>

    # Connection information
    <ADDRESS> 10.0.8.30 </ADDRESS>
    <PROD-PORT> 2001 </PROD-PORT>
    <PROD-TLS-ENABLED> YES </PROD-TLS-ENABLED>
    <PROD-TLS-ANONYMOUS> NO </PROD-TLS-ANONYMOUS>
    <PROD-TLS-CA> /home/futurex/tls/root.pem </PROD-TLS-CA>
    <PROD-TLS-KEY> /home/futurex/tls/signed_jarsigner_cert.p12 </PROD-TLS-KEY>
    <PROD-TLS-KEY-PASS> safest </PROD-TLS-KEY-PASS>

    # YES = This is communicating through a Guardian
    <FX-LOAD-BALANCE> NO </FX-LOAD-BALANCE>
</KMS>
```

| Parameter | Description |
|---|---|
| `<SLOT>` | Can leave it set to the default value of 0. |
| `<CRYPTO-OPR>` | Specify the name of the identity created on the {{k}}. |
| `<ADDRESS>` | Specify the IP address of the {{k}} to which the PKCS #11 library should connect. |
| `<PROD-PORT>` | Set the PKCS #11 library to connect to the default Host API port on the {{k}}, port 2001. |
| `<PROD-TLS-ENABLED>` | Set the field to `YES`. The only way to connect to the Host API port on the {{k}} is over TLS. |
| `<PROD-TLS-ANONYMOUS>` | Set this value to `NO` because you're connecting to the Host API port by using mutual authentication. This field defines whether the PKCS #11 library authenticates to the {{k}}. |
| `<PROD-TLS-CA>` | Define the location of the CA certificates with one or more instances of this tag. In this example, there is only one CA certificate. |
| `<PROD-TLS-KEY>` | Set the location of the client private key. Supported formats for the TLS private key are PKCS #1 clear private keys, PKCS #8 encrypted private keys, or a PKCS #12 file that contains the private key and certificates encrypted under a password. |
| `<PROD-TLS-KEY-PASS>` | Set the password of the PKCS #12 file, if necessary. |
| `<FX-LOAD-BALANCE>` | Set this field to `YES` if you use a Guardian to manage {{k3}} devices in a cluster. If you don't use a Guardian, set it to `NO`. |

Additional defines required for this integration

In the `<CONFIG>` section of the file, you must set `<UNIQUE-CONNECTIONS>` to `YES`:

```
<UNIQUE-CONNECTIONS> YES </UNIQUE-CONNECTIONS>
```

In the `<CONFIG>` section of the file, you must also add the following define:

```
# Override all key usage requests with specific values
<FORCED-SYMMETRIC-USAGE> ENCRYPT | DECRYPT </FORCED-SYMMETRIC-USAGE>
<FORCED-ASYMMETRIC-USAGE> SIGN | VERIFY </FORCED-ASYMMETRIC-USAGE>
```
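As an added example (not Futurex's own tooling and not code from this page), the following Python script parses a file in the `<TAG> value </TAG>` layout shown above and checks that every setting this integration requires is present with the documented value: TLS enabled, anonymous TLS off, CA and client key configured, the default Host API port, `UNIQUE-CONNECTIONS` set, and both forced key-usage defines. The tag names, the `FXPKCS11_CFG` override and the default Windows path come from this page; the parser, the `audit_cfg` checks, and the sample file with its paths and password are constructed assumptions for illustration.

```python
"""Lint an fxpkcs11.cfg-style file for the settings this integration requires.

Hypothetical helper written for this page; it is not Futurex's own tooling and
the <TAG> value </TAG> layout is assumed from the sample shown above.
"""
import os
import re
import sys
from typing import Dict, List, Optional

SectionMap = Dict[str, Dict[str, List[str]]]

# Constructed sample in the style of the page's excerpt (paths and password are made up).
SAMPLE_CFG = """
<CONFIG>
    <UNIQUE-CONNECTIONS> YES </UNIQUE-CONNECTIONS>
    # Override all key usage requests with specific values
    <FORCED-SYMMETRIC-USAGE> ENCRYPT | DECRYPT </FORCED-SYMMETRIC-USAGE>
    <FORCED-ASYMMETRIC-USAGE> SIGN | VERIFY </FORCED-ASYMMETRIC-USAGE>
</CONFIG>

<KMS>
    # Which PKCS11 slot
    <SLOT> 0 </SLOT>
    <CRYPTO-OPR> crypto1 </CRYPTO-OPR>
    <ADDRESS> 10.0.8.30 </ADDRESS>
    <PROD-PORT> 2001 </PROD-PORT>
    <PROD-TLS-ENABLED> YES </PROD-TLS-ENABLED>
    <PROD-TLS-ANONYMOUS> NO </PROD-TLS-ANONYMOUS>
    # The CA tag may be repeated, one instance per certificate
    <PROD-TLS-CA> /home/futurex/tls/root.pem </PROD-TLS-CA>
    <PROD-TLS-CA> /home/futurex/tls/intermediate.pem </PROD-TLS-CA>
    <PROD-TLS-KEY> /home/futurex/tls/client.p12 </PROD-TLS-KEY>
    <PROD-TLS-KEY-PASS> example-p12-pass </PROD-TLS-KEY-PASS>
    # YES = This is communicating through a Guardian
    <FX-LOAD-BALANCE> NO </FX-LOAD-BALANCE>
</KMS>
"""

# A weakened copy (constructed) to show what the audit reports.
WEAK_CFG = (SAMPLE_CFG
            .replace("<PROD-TLS-ENABLED> YES", "<PROD-TLS-ENABLED> NO")
            .replace("<PROD-TLS-ANONYMOUS> NO", "<PROD-TLS-ANONYMOUS> YES")
            .replace("<UNIQUE-CONNECTIONS> YES", "<UNIQUE-CONNECTIONS> NO"))

# Matches <TAG> ... </TAG>; used both for sections and for single-value leaves.
TAG_RE = re.compile(r"<([A-Z0-9_-]+)>(.*?)</\1>", re.DOTALL)


def strip_comments(text: str) -> str:
    """Drop '#' comments, which the sample file places on their own lines."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse_cfg(text: str) -> SectionMap:
    """Return {SECTION: {TAG: [value, ...]}}; repeated tags such as PROD-TLS-CA accumulate."""
    sections: SectionMap = {}
    for sec in TAG_RE.finditer(strip_comments(text)):
        entries: Dict[str, List[str]] = {}
        for leaf in TAG_RE.finditer(sec.group(2)):
            entries.setdefault(leaf.group(1), []).append(leaf.group(2).strip())
        sections[sec.group(1)] = entries
    return sections


def _first(section: Dict[str, List[str]], tag: str) -> Optional[str]:
    values = section.get(tag)
    return values[0].upper() if values else None


def _usage_set(value: Optional[str]) -> set:
    """'ENCRYPT | DECRYPT' -> {'ENCRYPT', 'DECRYPT'}; order-insensitive comparison."""
    return {p.strip() for p in value.split("|")} if value else set()


def audit_cfg(sections: SectionMap) -> List[str]:
    """Report each required setting from the page that is missing or not at the documented value."""
    kms = sections.get("KMS", {})
    cfg = sections.get("CONFIG", {})
    findings: List[str] = []
    if _first(kms, "PROD-TLS-ENABLED") != "YES":
        findings.append("PROD-TLS-ENABLED must be YES (the Host API port accepts TLS only)")
    if _first(kms, "PROD-TLS-ANONYMOUS") != "NO":
        findings.append("PROD-TLS-ANONYMOUS must be NO so the library authenticates to the device")
    if not kms.get("PROD-TLS-CA"):
        findings.append("PROD-TLS-CA missing: the server certificate cannot be validated")
    if not kms.get("PROD-TLS-KEY"):
        findings.append("PROD-TLS-KEY missing: no client key for mutual TLS")
    if _first(kms, "PROD-PORT") != "2001":
        findings.append("PROD-PORT is not the default Host API port 2001")
    if _first(cfg, "UNIQUE-CONNECTIONS") != "YES":
        findings.append("UNIQUE-CONNECTIONS must be YES in <CONFIG>")
    if _usage_set(_first(cfg, "FORCED-SYMMETRIC-USAGE")) != {"ENCRYPT", "DECRYPT"}:
        findings.append("FORCED-SYMMETRIC-USAGE must be ENCRYPT | DECRYPT")
    if _usage_set(_first(cfg, "FORCED-ASYMMETRIC-USAGE")) != {"SIGN", "VERIFY"}:
        findings.append("FORCED-ASYMMETRIC-USAGE must be SIGN | VERIFY")
    return findings


def audit_text(text: str) -> List[str]:
    return audit_cfg(parse_cfg(text))


def config_path() -> str:
    """Resolve the file the CSP reads: FXPKCS11_CFG overrides the default Windows location."""
    return os.environ.get("FXPKCS11_CFG", r"C:\Program Files\Futurex\fxcsp\fxpkcs11.cfg")


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else config_path()
    try:
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
    except OSError:
        text = WEAK_CFG  # fall back to the constructed sample so the script runs offline
    for finding in audit_text(text):
        print("FINDING:", finding)
```

Run it with the path of a real fxpkcs11.cfg as the first argument, or with no argument to have it resolve the file the same way the CSP does (the `FXPKCS11_CFG` variable, then the default Windows path); when neither exists it audits the constructed weak sample and prints the three deviations. Because the file holds the PKCS #12 password in clear text, the audit is deliberately silent about the password value and only checks that the TLS material is configured; protecting the file itself is a matter of file permissions on the host.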