Device Management

This section describes how to perform device management tasks. It contains the following topics:

>Overview

>Device Management

>Managing Device Upgrade from 5.x to 6.x

>Device Pools

>Troubleshooting Device Connection

Overview

You can use CCC to manage Thales Luna Network HSM devices and to provision services on them. See the Hardware and Software Requirements section for the minimum device requirements.

There are two levels of device management:

Added devices

When you add a device to CCC, you provide the device address and admin credentials. This information allows CCC to log in to the device as the appliance administrator to perform appliance-level tasks, such as retrieving the device capabilities.

Authorized devices

You must add a device before you can authorize it. When you authorize a device, you provide the HSM SO credentials for the device. This information allows CCC to log into the device as the HSM SO to provision services on the device.

NOTE   You require a remote PED to authorize PED-authenticated devices.

Devices

To add, view, edit, or manage a device, click on the Devices tab, and select Devices in the navigation frame. All existing devices are listed. You can sort the device list by column, or use the search function to find a specific device:

> Click on the trash can icon button in the Delete column to delete the device (with confirmation).

> Click on the Authorize button in the Authorization column to authorize a device that has been added but not yet authorized.

>The Status column displays an icon for each device. The status indicates whether the device is experiencing any problems.

When you click on a device, its attributes are displayed at the bottom of the page. The information in the device attributes is arranged by tab, as follows:

General Displays the device name and description. You can edit this information.
Connection

Displays the device address and port. You can update this information as required to re-establish a connection to the device if its software version, address, or credentials are changed outside of CCC.

CCC connects to devices using the REST API on port 8443 (default). On 6.x and 7.0 devices you must install and configure the REST API. On 7.1 and later the REST API is included in the appliance software, but it still requires configuration.

Device Pool Displays the device pool that the device belongs to, if any. You can add the device to a device pool, or change its existing device pool. You can add a device to only one device pool.
Authorization Displays the device's authorization status. You can authorize the device if it is not currently authorized.
Capabilities

Displays the device capabilities. If the device capabilities have changed since the device was added to CCC (for example, after the application of a capability update file (CUF)), you can query the device to update the capabilities stored in the device attributes.

NOTE   7.x Thales Luna Network HSMs require PPSO partitions. PPSO is enabled by default on Thales Luna Network HSM 7.x devices.

Services Displays the services provisioned on the device.

Adding Devices

To add a device, you must supply the device address and admin credentials. After you add a device, you can view its capabilities, but you cannot create services on the device until it has been authorized. To authorize a device, you must supply the HSM SO credentials for the device. You can authorize a device when you add it, or you can authorize it at a later time.

NOTE   The CCC administrator can add a Luna SA 7.4 device to CCC whether its Functional Module (FM) capability is enabled or disabled. If the FM capability is enabled, no services can be created on the device, but device monitoring is supported.

NOTE   Luna SA 5.x devices cannot be added to CCC.

To add a device

1.Click on the Devices tab, and select Devices in the navigation frame.

2.Click the Add Device button. The Add Device wizard is displayed.

3.Complete the wizard as follows. You can click Cancel at any time to exit the wizard without saving your changes:

General Enter a name and optional description for the device. This information is used to identify the device in CCC. You can enter any strings you like.
Set Connection

1.Select the device software version. CCC connects to devices using the REST API on port 8443 (default). On 6.x and 7.0 devices you must install and configure the REST API. On 7.1 and later the REST API is included in the appliance software, but it still requires configuration.

2.Enter the IP address or hostname for the device. If you are not using the default port (8443), enter the port you want to use to connect to the device.

3.Enter the credentials required to log into the device as the Admin user. These credentials are encrypted and stored in the CCC database, and CCC uses them to log into the device.

NOTE    If you add a device using a hostname, CCC does not check whether the same device has already been added using its IP address. As a result, you can add the same device twice: once using its hostname, and once using its IP address. To avoid this, we recommend that you consistently use either hostnames or IP addresses when adding devices, and not a mix of the two.

Verify Connection Review the device's host key or certificate and compare its fingerprint with one obtained directly from the appliance over a channel you already trust (for example, the serial console or a previously verified SSH session). Accepting a fingerprint you have not checked out of band means CCC trusts whatever host answered at that address. When the fingerprint matches, check the I have reviewed and trust this host key or I have reviewed and trust this certificate checkbox to accept. If the host key or certificate is not as expected, do not accept it; investigate and correct the problem before continuing.
Select Device Pool Select a device pool for the device, if desired.
Summary

Displays a summary of the information you entered for the device. If the information is not correct, click Go Back and update the information as required. Otherwise, click Finish to add the device. CCC uses the information you provided to log in to the device.

If successful, a success message is displayed and the device is added. You are prompted to authorize the device. Otherwise, an error is displayed, and you can Go Back to update the device information as required to resolve the issue.

If you want to authorize the device now, click Authorize now. You are prompted for the HSM SO password or remote PED address, as relevant.

You can authorize the device later by selecting the device and navigating to the Authorization tab.
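The Verify Connection step above (and the Verify/Accept steps when reconnecting an upgraded or changed device later in this section) ask you to confirm that the certificate CCC displays is really the appliance's. The following script is an added example, not part of CCC or of the Thales appliance software: it fetches the leaf certificate the device's REST API presents on port 8443, computes its SHA-256 fingerprint and compares it, in constant time, against a fingerprint you recorded from the appliance itself over a trusted channel. The host name, port, and the fingerprint formats it accepts (plain hex, colon-separated, or prefixed with `SHA256:` or `sha256 Fingerprint=` as some tools print it) are assumptions of the example; the page does not specify how the fingerprint is displayed.

```python
"""Out-of-band check of a Luna Network HSM REST API certificate before
accepting it in CCC.  Added example; not CCC or Thales code.

Assumptions (not stated on the page): the appliance's REST API listens
on <host>:8443 and presents its webserver certificate in the TLS
handshake, and the expected fingerprint was read from the appliance
over an already-trusted channel (console or a verified SSH session).
"""
import hashlib
import hmac
import socket
import ssl
import sys


def fingerprint_der(der: bytes) -> str:
    """SHA-256 fingerprint (lowercase hex, no separators) of a DER certificate."""
    return hashlib.sha256(der).hexdigest()


def fingerprint_pem(pem: str) -> str:
    """Fingerprint of a PEM-encoded certificate (e.g. one saved from a console session)."""
    return fingerprint_der(ssl.PEM_cert_to_DER_cert(pem))


def normalize_fingerprint(fp: str) -> str:
    """Accept 'SHA256:AB:CD..', 'sha256 Fingerprint=AB:CD..', 'ab:cd..' or 'abcd..'."""
    fp = fp.strip().lower()
    for prefix in ("sha256 fingerprint=", "sha256=", "sha256:"):
        if fp.startswith(prefix):
            fp = fp[len(prefix):]
            break
    return fp.replace(":", "").replace(" ", "")


def fingerprints_match(expected: str, actual: str) -> bool:
    """Constant-time comparison so a wrong operator-supplied value leaks nothing."""
    return hmac.compare_digest(normalize_fingerprint(expected),
                               normalize_fingerprint(actual))


def fetch_server_cert_der(host: str, port: int = 8443, timeout: float = 5.0) -> bytes:
    """Retrieve the leaf certificate presented at host:port.

    Verification is deliberately disabled: the point is to obtain the
    certificate so it can be checked against the out-of-band fingerprint.
    Nothing is sent after the handshake, so no credentials are exposed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def verify_device(host: str, expected_fp: str, port: int = 8443):
    """Return (matches, presented_fingerprint) for the device at host:port."""
    actual = fingerprint_der(fetch_server_cert_der(host, port))
    return fingerprints_match(expected_fp, actual), actual


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_hsm_cert.py <host> <expected-sha256-fingerprint>")
    device, expected = sys.argv[1], sys.argv[2]
    ok, presented = verify_device(device, expected)
    print(f"{device}: presented SHA-256 {presented}")
    print("MATCH: safe to accept in CCC" if ok else "MISMATCH: do not accept; investigate")
    sys.exit(0 if ok else 1)
```

Run it from the CCC host (so the certificate is fetched over the same network path CCC uses), and treat a mismatch after a known `webserver certificate generate` as expected only once you have confirmed the regeneration on the appliance itself.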

Displaying FM Status of a Device

To display whether a device is FM enabled or disabled, select the device in the Devices list and view its Capabilities tab.

To display FM status

1.Click on the Devices tab, and select Devices in the navigation frame.

2.Click on a device from the list of devices.

3.Select Capabilities tab.

The Functional Module (FM) field shows one of three values:

Enabled

Disabled

Not Supported

NOTE   The "Not Supported" value appears only for devices that are not FM capable, that is, devices prior to Luna SA 7.4, on which the Functional Module (FM) feature is not supported.

Managing Device Upgrade from 5.x to 6.x

You may wish to upgrade your managed devices from version 5.x to 6.x or higher to obtain the benefits of 6.x features such as PPSO. If you choose to upgrade your managed devices to 6.x, there is some additional configuration necessary to integrate with CCC 3.7.

NOTE   We recommend following the best practices for upgrading detailed in the Thales Luna HSM Documentation.

To upgrade managed devices from 5.x to 6.x

1.Inform any application users connecting to the devices that their services will be unavailable during the upgrade. Consider performing the upgrade during a scheduled maintenance window.

2.Upgrade the Thales Luna Network HSM software as detailed in Thales Luna HSM documentation.

3.Set up REST API.

a.As an appliance user with the Admin or Operator role, obtain the REST API secure package and transfer it to the device via SCP/PSCP. Log in to the HSM using Security Officer credentials and install the package. See the Thales Luna Network HSM REST API documentation for details.

b.Bind the REST API web service to a network interface on the appliance. Valid values are all, eth0, eth1, or bond0.

lunash:>webserver bind -netdevice <network_device>

c.Enable the web service.

lunash:>webserver enable

d.Generate a REST API service certificate and restart the service. We recommend an RSA certificate type. Record the fingerprint of the new certificate from the appliance session so that you can compare it with the certificate CCC displays in step 8.

lunash:>webserver certificate generate -keytype rsa -restart

4.In CCC, navigate to the Devices list and select the recently upgraded device.

5.Click the Configuration tab and click Edit.

6.In the Appliance Version section, select 6.x.

The LunaSH Admin Credentials section changes to REST API Credentials, and Host Key changes to Certificate.

7.Adjust the Host Address and Port Number as required. Save your changes.

8.Under the Certificate section, click Verify to view the device certificate.

9.Review the certificate and confirm that its fingerprint matches the one you recorded on the appliance. Check the box indicating that you have reviewed and trust the certificate, and then click Accept. If the fingerprint does not match, do not accept the certificate; investigate before continuing.

10.Update the version of the Thales Luna HSM Client on any crypto application servers that access the devices' services.

The device is now ready to process incoming cryptographic requests from application users.

Deleting Devices

You can delete a device from CCC only if it is not currently providing any services.

To delete a device

1.Click on the Devices tab, and select Devices in the navigation frame.

2.After finding the device you want, click on the trash can icon in the Delete column. A confirmation dialog is displayed.

Device Pools

You can place your devices into device pools, if desired, to help manage your devices. Placing a device into a device pool has no effect on which users or organizations can use the device. You can add a device to one device pool only.

To add, view, edit, or manage a device pool, click on the Devices tab, and select Device Pools in the navigation frame. All existing device pools are listed. You can sort the list of device pools by column, or use the search function to find a specific device pool. Click on the trash can icon button in the Delete column to delete the device pool (with confirmation).

When you click on a device pool, its attributes are displayed at the bottom of the page. The information in the device pool attributes is arranged by tab, as follows:

General Displays the device pool name and description. You can edit this information.
Devices Displays the devices in the device pool.

Adding Device Pools

You can create as many device pools as you like. Device pools can contain an unlimited number of devices.

To add a device pool

1.Click on the Devices tab, and select Device Pools in the navigation frame.

2.Click the Add Device Pool button. The Create Device Pool dialog is displayed.

3.Complete the wizard as follows. You can click Cancel at any time to exit the wizard without saving your changes:

General Enter a name and optional description for the device pool. You can enter any strings you like.
Add Devices

You can add devices to the device pool if desired. All devices that are not currently members of a device pool are listed in the Available Devices list. You can sort the list by column, or use the search function to find a specific device:

> To add a device to the device pool, select a device from the Available Devices list and click Add >>.

>To remove a device from the device pool, select a device from the Selected Devices list and click << Remove.

Summary

Displays a summary of the information you entered for the device pool. If the information is not correct, click Go Back and update the information as required. Otherwise, click Create to create the device pool.

Viewing or Editing Device Pool Attributes

You can sort the device pool list by column heading, or use the search function to find a device pool. When you find the device pool you want, click on the device pool to view or edit its attributes.

To view or edit a device pool's attributes

1.Click on the Devices tab, and select Device Pools in the navigation frame.

2.After finding the device pool you want, click on the device pool to display the device pool's attributes at the bottom of the page.

3.Use the following tabs to view or edit the device pool attributes:

General

Contains the device pool name and an optional description.

>Click Edit to edit the information. Click Save when done, or Cancel to discard the changes and exit edit mode.

Devices

Lists the devices in the device pool:

>Click the Jump to icon to view detailed information for the device.

>Click Edit to update the device pool. All devices that are not currently members of a device pool are listed in the Available Devices list. The devices in the device pool are listed in the Selected Devices list. You can sort either list by column, or use the search function to find a specific device:

To add a device to the device pool, select a device from the Available Devices list and click Add >>.

To remove a device from the device pool, select a device from the Selected Devices list and click << Remove.

Click Save when done, or Cancel to discard the changes and exit edit mode.

Deleting Device Pools

You can delete a device pool at any time. If the device pool contains devices, they are no longer associated with the device pool and become Available Devices.

To delete a device pool

1.Click on the Devices tab, and select Device Pools in the navigation frame.

2.After finding the device pool you want, click on the trash can icon in the Delete column. A confirmation dialog is displayed.

Troubleshooting Device Connection

CCC can lose its connection to a device for multiple reasons. The Device Status column in the Devices list indicates the severity of the issue.

Device Connection Lost - Device Visible in CCC

If CCC has lost its connection to a device but the device is still visible in the Devices list, the HSM's configuration has changed (for example, its address, credentials, or certificate), and you must verify the credentials and certificate shared between the device and CCC.

To reconnect a device visible in the CCC Devices List

1.Click on the Devices tab, and select Devices in the navigation frame.

2.Select the malfunctioning device to display its attributes.

3.Verify the administrator credentials associated with the device are correct.

4.Click Verify to confirm that the device certificate matches the certificate stored by CCC. If it does not match, do not simply accept the new certificate: confirm out of band (for example, over a console or verified SSH session) that the appliance certificate was legitimately regenerated before accepting it.

5.If the device is not Authorized, click Authorize Device. You will be prompted for the HSM SO password.

Device Connection Lost - Device not Visible in CCC

If the device is no longer visible in the CCC Devices List the device has been deleted. If you would like to use this device you must add the device to CCC. See Adding Devices for more information.

The absence of a device that was not deliberately deleted from CCC may signify corruption of the CCC database. In this event, we recommend following the best practices for ensuring and maintaining database integrity as defined by your organization's security infrastructure.

General Device Troubleshooting Tips

If you continue to experience problems with the HSM device, we recommend connecting to the device over a secure channel, such as an SSH client (for example, PuTTY, putty.exe), and verifying the following before attempting to restore the device connection:

>Ensure that the date and time are set correctly

>Ensure that NTLS is bound to the correct Ethernet port

>Ensure that the REST API is installed and configured on the device

>Ensure the webserver on the device is configured and running

>Ensure that the client is registered with the correct IP address or hostname

>Ensure that the client is given access to the correct partition

>Check the output of the syslog for any information on errors