Edit the Futurex CSP configuration file
The fxpkcs11.cfg file enables you to set the FXPKCS #11 library to connect to the . To edit the file, run a text editor as an Administrator on Windows or root on Linux and edit the configuration file accordingly. Most notably, you must set the fields described in this section inside the <KMS> section of the file.
Our CSP module expects to find the config file in a certain location (C:\Program Files\Futurex\fxcsp\fxpkcs11.cfg for Windows), but you can override that location by using the FXPKCS11_CFG environment variable.
To configure the fxpkcs11.cfg file, edit the following sections of the partial file sample:
Parameter
Description
<SLOT>
Can leave it set to the default value of 0.
<CRYPTO-OPR>
Specify the name of the identity created on the .
<ADDRESS>
Specify the IP address of the to which the PKCS #11 library should connect.
<PROD-PORT>
Set the PKCS #11 library to connect to the default Host API port on the , port 2001.
<PROD-TLS-ENABLED>
Set the field to YES. The only way to connect to the Host API port on the is over TLS.
<PROD-TLS-ANONYMOUS>
Set this value to NO because you're connecting to the Host API port by using mutual authentication. This field defines whether the PKCS #11 library authenticates to the .
<PROD-TLS-CA>
Define the location of the CA certificates with one or more instances of this tag. In this example, there is only one CA certificate.
<PROD-TLS-KEY>
Set the location of the client private key. Supported formats for the TLS private key are PKCS #1 clear private keys, PKCS #8 encrypted private keys, or a PKCS #12 file that contains the private key and certificates encrypted under a password.
<PROD-TLS-KEY-PASS>
Set the password of the PKCS #12 file, if necessary.
<FX-LOAD-BALANCE>
Set this field to YES if you use a Guardian to manage devices in a cluster. If you don't use a Guardian, set it to NO
In the <CONFIG> section of the file, you must set <UNIQUE-CONNECTIONS> to YES.
In the <CONFIG> section of the file, you must also add the following define: