1.0 Introduction
This article describes how to configure the various account-level configuration options for the Fortanix DSM Clients.
Currently, the Fortanix DSM clients are configured locally through configuration files and environment variables. With the Client Configuration feature in the Fortanix DSM user interface (UI), you can set the default configuration for clients such as PKCS#11 at the Fortanix DSM account level, and the PKCS#11 clients automatically pick up these values. This makes it simpler to configure a large number of clients consistently.
NOTE
You can set the client config values at the Fortanix DSM account, group, or app level using the client_configurations field. You can also use an app to call GET /sys/v1/apps/client_configs to read the client config values outside of the client.
2.0 Setting Client Configuration Options
Using the Client Configuration setting in the Fortanix DSM UI, you can set the default options for the Fortanix DSM clients such as PKCS#11, KMIP, and other common clients.
2.1 Common Clients
Perform the following steps to set the default options for the account-level Fortanix DSM Common client:
Click the Settings menu item in the DSM left navigation bar.
On the Account settings page, click the CLIENT CONFIGURATION tab.
On the Client Configuration page, click the COMMON tab to configure the common clients.
The following table lists the Common client configuration options.
NAME | DESCRIPTION |
---|---|
Retry timeout | When API calls that allow retrying fail with error codes, select this option to allow the client library to retry the API call up to the specified timeout in milliseconds. |
Logging | Select this option to log all function calls made into the client library, using the logging settings under this option. |
2.2 PKCS#11 Clients
Perform the following steps to set the default options for the account-level Fortanix DSM PKCS#11 client:
Click the Settings menu item in the DSM left navigation bar.
On the Account settings page, click the CLIENT CONFIGURATION tab.
On the Client Configuration page, click the PKCS#11 tab to configure the PKCS#11 client.
The following table lists the PKCS#11 client configuration options.
NAME | DESCRIPTION |
---|---|
Fake RSA X9.31 keygen support | Select this option to allow the PKCS#11 mechanism |
Signing AES key as HMAC | Select this option to create an AES key while specifying either the |
Prevent duplicate opaque objects | Select this option to prevent creating a duplicate opaque object. This would skip creating new Opaque objects if there is an existing Opaque object with the same |
Opaque objects are not certificates | Fortanix DSM versions prior to 2.1.633 did not support |
Max concurrent requests | Select this option to limit the number of concurrent HTTP requests the PKCS#11 client can make to the Fortanix DSM per slot. This effectively limits the number of concurrent API calls the client can make. This can be used to prevent a client from consuming too many resources. If set to 0, no limit is imposed. |
Exact key ops | Select this option to have the key operations taken exactly from the attribute template supplied when a key is created, instead of the PKCS#11 library applying its default key operations. The key created from the template contains exactly the key operations that the user specified in the template. However, when no key operation attributes (apart from |
2.3 KMIP Clients
Perform the following steps to set the default options for the account-level Fortanix DSM KMIP client:
Click the Settings menu item in the DSM left navigation bar.
On the Account settings page, click the CLIENT CONFIGURATION tab.
On the Client Configuration page, click the KMIP tab to configure the KMIP client.
The app-level client configuration settings for the KMIP client are set using the Fortanix DSM REST API. After you set them, a read-only view of the settings is visible in the detailed view of the Fortanix DSM app in the UI.
The following table lists the KMIP client configuration options.
NAME | DESCRIPTION |
---|---|
Default to creating keys with Export permission | Enable this option to provide an override mechanism for the key export value specified by the user or KMIP app, so that keys are always created with export permission. It is useful for Disaster Recovery replication using Extended Virtual Keys (EVKs). |
Ignore unknown key operation for | Enable this option to allow the KMIP proxy to filter out unsupported key operations for selected key types. When a key type is selected under this setting, any incompatible operations in the KMIP request are ignored before processing. |
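The following Python script is an added example for this page, not Fortanix code. It covers two things the page describes: reading the client configuration an app would receive through GET /sys/v1/apps/client_configs (the note in section 1.0), and setting the app-level KMIP configuration through the REST API as section 2.3 describes, here via PATCH /sys/v1/apps/{app_id}. The app logs in with its API key against POST /sys/v1/session/auth. The section and field names used inside client_configurations ("common", "pkcs11", "kmip", "retry_timeout_millis", "max_concurrent_requests") are assumed from the option names in the tables above and must be verified against the DSM API reference before use; the environment variable names are this example's own choice.

```python
"""Fetch and set Fortanix DSM client configuration over the REST API.

Added example for this page; it is not Fortanix code.  Endpoints used:
  POST  /sys/v1/session/auth          app log-in with an API key, returns access_token
  GET   /sys/v1/apps/client_configs   the call named in the note in section 1.0
  PATCH /sys/v1/apps/{app_id}         update an app; here only its client_configurations
The section and field names inside client_configurations ("common", "pkcs11",
"kmip", "retry_timeout_millis", "max_concurrent_requests") are ASSUMED from the
option names in the tables; verify them against the DSM API reference.
"""
import json
import os
import urllib.request

# Assumed environment variable; override for a self-hosted DSM cluster.
DSM_ENDPOINT = os.environ.get("FORTANIX_API_ENDPOINT", "https://apps.smartkey.io")


def _json_request(method, path, auth_header, body=None):
    """Send one JSON request to DSM and decode the JSON reply."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(DSM_ENDPOINT + path, data=data, method=method)
    req.add_header("Authorization", auth_header)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def app_login(api_key):
    """Exchange an app API key (sent as-is in the Basic header) for a bearer token."""
    return _json_request("POST", "/sys/v1/session/auth", "Basic " + api_key)["access_token"]


def get_client_configs(token):
    """GET /sys/v1/apps/client_configs: the configuration the calling app receives."""
    return _json_request("GET", "/sys/v1/apps/client_configs", "Bearer " + token)


def app_client_config_patch(section, options):
    """Build the PATCH body that sets app-level options for one client type
    (for example section="kmip").  Section names are assumed, see module docstring."""
    if section not in ("common", "pkcs11", "kmip"):
        raise ValueError("unknown client configuration section: " + section)
    return {"client_configurations": {section: dict(options)}}


def set_app_client_configs(token, app_id, section, options):
    """PATCH /sys/v1/apps/{app_id} with an app-level client configuration."""
    return _json_request("PATCH", "/sys/v1/apps/" + app_id, "Bearer " + token,
                         body=app_client_config_patch(section, options))


def effective_pkcs11_limits(client_configs):
    """Resolve the numeric limits as the tables describe them: a
    max_concurrent_requests of 0 (or absent) means no limit and is returned as None;
    retry_timeout_millis is passed through as configured (None when unset)."""
    common = client_configs.get("common") or {}
    pkcs11 = client_configs.get("pkcs11") or {}
    max_conc = pkcs11.get("max_concurrent_requests") or 0
    return {
        "retry_timeout_millis": common.get("retry_timeout_millis"),
        "max_concurrent_requests": max_conc if max_conc > 0 else None,
    }


if __name__ == "__main__":
    # Needs FORTANIX_API_KEY (and optionally FORTANIX_API_ENDPOINT) in the environment.
    tok = app_login(os.environ["FORTANIX_API_KEY"])
    cfg = get_client_configs(tok)
    print(json.dumps(cfg, indent=2))
    print(effective_pkcs11_limits(cfg))
```

Run it with the app's API key in FORTANIX_API_KEY to see exactly which values the account, group, and app levels have resolved to for that app; comparing this output against the local configuration file is the quickest way to confirm that a fleet of clients is actually receiving the centrally set defaults.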
3.0 References
For more details about the Fortanix DSM Common and PKCS#11 clients, refer to the Developer’s Guide – PKCS#11 Library.
For more details about the Fortanix DSM KMIP client, refer to the DSM KMIP Coverage.