Edit the Futurex PKCS #11 configuration file
The fxpkcs11.cfg file configures the Futurex PKCS #11 library to connect to the KMES Series 3. To edit the file, run a text editor as an Administrator on Windows or as root on Linux, and edit the configuration file accordingly. Most notably, you must set the fields described in this section inside the <KMS> section of the file.
The PKCS #11 library expects to find its configuration file in a default location (C:\Program Files\Futurex\fxpkcs11\fxpkcs11.cfg on Windows and /etc/fxpkcs11.cfg on Linux), but you can override that location with the FXPKCS11_CFG environment variable.
To configure the fxpkcs11.cfg file, edit the following sections of the partial file sample:
The following table describes the fields and the recommended settings for the file:

| Field | Description |
|---|---|
| <SLOT> | Leave this set to the default value of 0, or change it if needed. |
| <CRYPTO-OPR> | The name of the identity you created on the KMES for this integration. |
| <KEYGROUP-NAME> | Used when an application needs to create symmetric keys on the KMES. For this integration, set this to the name of the key group you created on the KMES in an earlier section. |
| <ASYM-KEYGROUP-NAME> | Used when an application needs to create asymmetric keys on the KMES. |
| <ADDRESS> | The IP address of the KMES that the PKCS #11 library should connect to. |
| <LOG-FILE> | The path of the PKCS #11 log file. |
| <PROD-PORT> | The port on the KMES that the PKCS #11 library connects to. Set this to the default Host API port, 2001. |
| <PROD-TLS-ENABLED> | Must be set to YES, because the Host API port on the KMES accepts connections only over TLS. |
| <PROD-TLS-ANONYMOUS> | Defines whether the PKCS #11 library authenticates to the KMES. Because we're connecting to the Host API port with mutual authentication, set this value to NO. |
| <PROD-TLS-CA> | The location of the CA certificates. Use one instance of this tag per CA certificate; in this example, there is only one. |
| <PROD-TLS-CERT> | The location of the signed client certificate. |
| <PROD-TLS-KEY> | The location of the client private key. Supported formats are a PKCS #1 clear private key, a PKCS #8 encrypted private key, or a PKCS #12 file that contains the private key and certificates encrypted under a password (set in <PROD-TLS-KEY-PASS>). |
| <PROD-TLS-KEY-PASS> | The password of the PKCS #12 file, if one is used. |
| <FX-LOAD-BALANCE> | Set to YES if you are using a Guardian to manage KMES Series 3 devices in a cluster; otherwise set to NO. |
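Before running the connection test it helps to lint the <KMS> section mechanically for the settings the table above calls mandatory. The script below is an added example, not Futurex's code: it assumes the one-tag-per-line `<TAG> value </TAG>` layout of Futurex sample files, parses the <KMS> block, and reports any field that contradicts the recommendations (TLS disabled, anonymous TLS, a non-default port, a PKCS #12 key without a password, missing certificate files). The embedded configuration is constructed, with placeholder paths, identity names and password, and deliberately carries the weak setting PROD-TLS-ANONYMOUS = YES so the lint output shows it next to the corrected value.

```python
"""Lint the <KMS> section of an fxpkcs11.cfg against the recommended settings.

Added example, not Futurex code. Assumes the one-tag-per-line layout
`<TAG> value </TAG>`; every path, identity name and password below is a
constructed placeholder.
"""
import os
import re
import stat

# Constructed sample (not a real deployment). It deliberately carries one
# weak setting: PROD-TLS-ANONYMOUS is YES, which would skip client
# authentication to the Host API port.
SAMPLE_CFG = """
<CONFIG>
  <KMS>
    <SLOT>                 0                          </SLOT>
    <CRYPTO-OPR>           pkcs11-identity            </CRYPTO-OPR>
    <KEYGROUP-NAME>        pkcs11-sym-keys            </KEYGROUP-NAME>
    <ASYM-KEYGROUP-NAME>   pkcs11-asym-keys           </ASYM-KEYGROUP-NAME>
    <ADDRESS>              192.0.2.10                 </ADDRESS>
    <LOG-FILE>             /var/log/fxpkcs11.log      </LOG-FILE>
    <PROD-PORT>            2001                       </PROD-PORT>
    <PROD-TLS-ENABLED>     YES                        </PROD-TLS-ENABLED>
    <PROD-TLS-ANONYMOUS>   YES                        </PROD-TLS-ANONYMOUS>
    <PROD-TLS-CA>          /etc/fxpkcs11/kmes-ca.pem  </PROD-TLS-CA>
    <PROD-TLS-CERT>        /etc/fxpkcs11/client.pem   </PROD-TLS-CERT>
    <PROD-TLS-KEY>         /etc/fxpkcs11/client.p12   </PROD-TLS-KEY>
    <PROD-TLS-KEY-PASS>    placeholder-p12-password   </PROD-TLS-KEY-PASS>
    <FX-LOAD-BALANCE>      NO                         </FX-LOAD-BALANCE>
  </KMS>
</CONFIG>
"""

# One tag per line: the lazy group stops at the matching close tag.
TAG_RE = re.compile(r"<([A-Z0-9-]+)>\s*(.*?)\s*</\1>")

# Fields the table marks as required for this integration.
REQUIRED = ("CRYPTO-OPR", "KEYGROUP-NAME", "ADDRESS", "LOG-FILE", "PROD-PORT",
            "PROD-TLS-ENABLED", "PROD-TLS-ANONYMOUS", "PROD-TLS-CA",
            "PROD-TLS-CERT", "PROD-TLS-KEY")


def parse_kms(text):
    """Return {tag: [values]} for the <KMS> block. Values are kept in lists
    because a tag such as <PROD-TLS-CA> may legitimately repeat."""
    block = re.search(r"<KMS>(.*?)</KMS>", text, re.S)
    if block is None:
        raise ValueError("no <KMS> section found")
    fields = {}
    for tag, value in TAG_RE.findall(block.group(1)):
        fields.setdefault(tag, []).append(value)
    return fields


def lint_kms(fields, check_files=False):
    """Return a list of problems; an empty list means the section follows
    the recommended settings. check_files=True also verifies the TLS paths."""
    def first(tag):
        return fields.get(tag, [""])[0]

    issues = []
    for tag in REQUIRED:
        if not first(tag):
            issues.append(f"{tag} is missing or empty")
    if first("PROD-TLS-ENABLED").upper() != "YES":
        issues.append("PROD-TLS-ENABLED must be YES (Host API port is TLS-only)")
    if first("PROD-TLS-ANONYMOUS").upper() != "NO":
        issues.append("PROD-TLS-ANONYMOUS must be NO for mutual TLS")
    if first("PROD-PORT") != "2001":
        issues.append("PROD-PORT is not the default Host API port 2001")
    if first("FX-LOAD-BALANCE").upper() not in ("YES", "NO"):
        issues.append("FX-LOAD-BALANCE must be YES or NO")
    key = first("PROD-TLS-KEY").lower()
    if key.endswith((".p12", ".pfx")) and not first("PROD-TLS-KEY-PASS"):
        issues.append("PROD-TLS-KEY looks like PKCS #12 but PROD-TLS-KEY-PASS is empty")
    if check_files:
        for tag in ("PROD-TLS-CA", "PROD-TLS-CERT", "PROD-TLS-KEY"):
            for path in fields.get(tag, []):
                if not os.path.isfile(path):
                    issues.append(f"{tag} path does not exist: {path}")
    return issues


def config_permissions_issue(cfg_path):
    """The config can hold the PKCS #12 password in clear text, so on POSIX
    flag a file readable by group or others. Returns None when the mode is fine."""
    if os.name != "posix":
        return None
    mode = os.stat(cfg_path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return f"{cfg_path} is readable by group/others (mode {stat.S_IMODE(mode):04o})"
    return None


if __name__ == "__main__":
    found = parse_kms(SAMPLE_CFG)
    print("issues in sample:", lint_kms(found))
    found["PROD-TLS-ANONYMOUS"] = ["NO"]  # the corrected setting
    print("issues after fix:", lint_kms(found))
```

To lint a real file, read it with `open("/etc/fxpkcs11.cfg").read()` into `parse_kms`, pass `check_files=True`, and run `config_permissions_issue` on the same path; since <PROD-TLS-KEY-PASS> sits in the file in clear text, the permissions check is the one most often overlooked after editing as root.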
After you edit the fxpkcs11.cfg file, run the PKCS11Manager utility to test the connection with the KMES, and check fxpkcs11.log (the file named in <LOG-FILE>) for errors and information. For more information, refer to the Futurex PKCS #11 technical reference on the Futurex Portal.