Install and configure the FXCL CNG

4min
The Futurex Client Library (FXCL) is a set of functions, offered through either Java (Java Native Interface) or C++, which applications use to access cryptographic processing and key management functionality.
Install FXCL CNG
To maintain system security, install and operate only copies of FXCL that you get directly from Futurex. A member of the Solutions Architect team either provides the files or makes them available for download on the Futurex Portal or equivalent Futurex-operated file distribution platform.
1
Download or copy the fxcl-x.x.x-win64.zip file to the computer where you plan to run the Microsoft AD CS instance.
2
Unzip the file in any directory, then go to the fxcl-x.x.x-win64\bin folder. 
3
Run the InstallCNG.bat file to install FXCL CNG. If the installation fails, copy all of the files in the bin\ folder to C:\Program Files\Futurex\fxcl\kmes\cng\, and change the cng.config.json file name to config.json.
Configure FXCL CNG
1
Create the C:\FX-Logs directory. The FXCL CNG configuration file settings send log output to the FXCL CNG logs in the FX-Logs\ directory.
2
Open the config.json file for editing, and make the following changes, as shown in the following sample file:
Parameter
Required configuration
﻿
log_file
Set the define to point to C:\FX-Logs\fxcl-cng.log
﻿
host
Set the define to point to the IP and port of the network-connected KMES Series 3 device
﻿
Make the following changes in the Windows Store TLS settings section:
Parameter
Required configuration
win_cert_store
Set the define to point to the My, which corresponds with the Personal store
﻿
win_cert_name
Set the define to the Common/Subject Name of the AD CS certificate
﻿
win_ca_stores
Set the define to the Root store, which corresponds with the Trusted Root Certification Authorities store
﻿
win_use_crl 
Set the define to true
﻿
Text
{
    // Enables output via DebugOutputString
    // (default: false)
    // Note that regardless of this setting, output is
    // placed in the debug view while loading the config.
    "enable_debug_view": false,

    // A file to place logs into. Optional.
    // If not provided, no log file is made.
    "log_file": "C:\\FX-LOGS\\fxcl-cng.log",

    // Level of logging to emit. Case insensitive.
    // possible values: None, Error, Info, Debug, Traffic (default: Info)
    "log_level": "traffic",

    // What kind of key storage unit is this?
    // possible values: kmes (default: kmes)
    // Not currently used, it always uses kmes.
    "driver": "kmes",

    // The host to connect to. Required.
    "host": "10.0.5.209:2001",

    // Windows Store TLS settings
    // To load from window store set fields(win_cert_store,  win_cert_name, win_ca_stores, win_use_crl)
    // Windows store settings will have priority over loading from file settings

    // Windows store name with client certificate (Optional)
    "win_cert_store": "My",

    // Client certificate subject name in windows store (Optional)
    "win_cert_name": "ADCS",

    // Windows store with CA certificate (Optional)
    "win_ca_stores": "Root",

    // Load CRL from CA certificate in windows store (Optional)
    "win_use_crl": true
}
{
    // Enables output via DebugOutputString
    // (default: false)
    // Note that regardless of this setting, output is
    // placed in the debug view while loading the config.
    "enable_debug_view": false,

    // A file to place logs into. Optional.
    // If not provided, no log file is made.
    "log_file": "C:\\FX-LOGS\\fxcl-cng.log",

    // Level of logging to emit. Case insensitive.
    // possible values: None, Error, Info, Debug, Traffic (default: Info)
    "log_level": "traffic",

    // What kind of key storage unit is this?
    // possible values: kmes (default: kmes)
    // Not currently used, it always uses kmes.
    "driver": "kmes",

    // The host to connect to. Required.
    "host": "10.0.5.209:2001",

    // Windows Store TLS settings
    // To load from window store set fields(win_cert_store,  win_cert_name, win_ca_stores, win_use_crl)
    // Windows store settings will have priority over loading from file settings

    // Windows store name with client certificate (Optional)
    "win_cert_store": "My",

    // Client certificate subject name in windows store (Optional)
    "win_cert_name": "ADCS",

    // Windows store with CA certificate (Optional)
    "win_ca_stores": "Root",

    // Load CRL from CA certificate in windows store (Optional)
    "win_use_crl": true
}
﻿
The preceding sample file does not show the ca, p12, and p12_pass File TLS Setting defines because the configuration procedure uses the Windows Store TLS authentication method. However, the Windows Store TLS settings takes precedence if you define both.
Test the connection between FXCL CNG and the KMES Series 3
1
Open either the command prompt or PowerShell.
2
Run the following certutil command to test the connection between FXCL CNG and the KMES Series 3 by using the client TLS certificate configured for AD CS in the Windows Certificate Store:
PowerShell
certutil -csptest -csp "Futurex FXCL KMES CNG" RSA
certutil -csptest -csp "Futurex FXCL KMES CNG" RSA
﻿
If the connection succeeds, the following message displays on the last line of the command output:
PowerShell
CertUtil: -csptest command completed successfully.
CertUtil: -csptest command completed successfully.
﻿
If the command fails, check the FXCL CNG log for details about the error that occurred.
﻿
﻿
﻿
﻿
﻿
Updated 17 Feb 2024
Did this page help you?
Create an association between the signed AD CS certificate and the keypair in the Windows Certificate Store
Install and configure AD CS