Install and configure the Futurex Client Library EKM

3min
The Futurex Client Library (FXCL) is a set of functions, offered through either Java (Java Native Interface) or C++, which applications use to access cryptographic processing and key management functionality.
Install FXCL EKM
To maintain system security, install and operate only copies of FXCL that you get directly from Futurex. A member of the Solutions Architect team provides these files directly or you can download them on the Futurex Portal or equivalent Futurex-operated file distribution platform.
Perform the following steps to install FXCL Expandable Key Management (EKM):
1
Download or copy the fxcl-x.x.x-win64.zip file to the computer that runs the Microsoft SQL Server instance.
2
Unzip the file in any directory and go to the fxcl-x.x.x-win64\bin folder.
3
Copy ekm.config.json and libfxcl-ekm.dll to C:\Program Files\Futurex\fxcl\kmes\ekm\ and change the name of the ekm.config.json file to config.json.
Configure FXCL EKM
1
Create the C:\FX-Logs directory. The FXCL EKM configuration file outputs content to FXCL EKM logs to the C:\FX-Logs\ directory.
2
Open the config.json file for editing, and make the following changes:
Parameter
Required configuration
﻿
log_file
Set the define to point to the C:\FX-LOGS\fxcl-ekm.log directory
﻿
host 
Set the define to point to the IP and port of the network-connected KMES Series 3 device
﻿
In the Windows Store TLS settings section, make the following changes as shown in the following sample file:
Parameter
Required configuration
﻿
win_cert_store 
Set the define to point to the My, which corresponds with the Personal store.
﻿
win_cert_name
Set the define to the Common or Subject Name of the Microsoft SQL Server certificate.
﻿
win_ca_stores
Set the define to the Root store, which corresponds with the Trusted Root Certification Authorities store.
﻿
win_use_crl 
Set the define to true.
﻿
Text
{
    // Enables output via DebugOutputString
    // (default: false)
    // Note that regardless of this setting, output is
    // placed in the debug view while loading the config.
    "enable_debug_view": false,

    // A file to place logs into. Optional.
    // If not provided, no log file is made.
    "log_file": "C:\\FX-LOGS\\fxcl-ekm.log",

    // Level of logging to emit. Case insensitive.
    // possible values: None, Error, Info, Debug, Traffic (default: Info)
    "log_level": "traffic",

    // What kind of key storage unit is this?
    // possible values: kmes (default: kmes)
    // Not currently used, it always uses kmes.
    "driver": "kmes",

    // The host to connect to. Required.
    "host": "10.0.5.209:2001",

    // Windows Store TLS settings
    // To load from window store set fields(win_cert_store,  win_cert_name, win_ca_stores, win_use_crl)
    // Windows store settings will have priority over loading from file settings

    // Windows store name with client certificate (Optional)
    "win_cert_store": "My",

    // Client certificate subject name in windows store (Optional)
    "win_cert_name": "SqlServer",

    // Windows store with CA certificate (Optional)
    "win_ca_stores": "Root",

    // Load CRL from CA certificate in windows store (Optional)
    "win_use_crl": true
}
{
    // Enables output via DebugOutputString
    // (default: false)
    // Note that regardless of this setting, output is
    // placed in the debug view while loading the config.
    "enable_debug_view": false,

    // A file to place logs into. Optional.
    // If not provided, no log file is made.
    "log_file": "C:\\FX-LOGS\\fxcl-ekm.log",

    // Level of logging to emit. Case insensitive.
    // possible values: None, Error, Info, Debug, Traffic (default: Info)
    "log_level": "traffic",

    // What kind of key storage unit is this?
    // possible values: kmes (default: kmes)
    // Not currently used, it always uses kmes.
    "driver": "kmes",

    // The host to connect to. Required.
    "host": "10.0.5.209:2001",

    // Windows Store TLS settings
    // To load from window store set fields(win_cert_store,  win_cert_name, win_ca_stores, win_use_crl)
    // Windows store settings will have priority over loading from file settings

    // Windows store name with client certificate (Optional)
    "win_cert_store": "My",

    // Client certificate subject name in windows store (Optional)
    "win_cert_name": "SqlServer",

    // Windows store with CA certificate (Optional)
    "win_ca_stores": "Root",

    // Load CRL from CA certificate in windows store (Optional)
    "win_use_crl": true
}
﻿
The ca, p12, and p12_pass file TLS Setting defines are not included in the preceding sample configuration file because this guide uses the Windows Store TLS authentication method. However, the Windows Store TLS settings take precedence if both are defined.
﻿
﻿
Updated 20 Feb 2024
Did this page help you?
Create an association between the signed certificate and its corresponding key pair
Configure EKM in Microsoft SQL Server