Server Administration

This section describes how to perform server administration tasks. It contains the following sections:

>Overview

>Logging Into the Server

>Root of Trust Activation and Deactivation

>Root of Trust Self Activation

>Managing Licenses

>Adding and Managing Directories

>Managing the CCC Service

>Backup and Restore

>Server Administration

Overview

CCC Administrator users are able to activate and deactivate the CCC root-of-trust HSM, as described in Root of Trust Activation and Deactivation. When the root of trust is disabled, CCC operates in view-only mode.

The CCC Administrator is responsible for managing licenses that are required to activate access to the CCC. Acquiring a license allows you to upgrade from a trial version to a full version, renew your license subscription, set the maximum provisioned partitions limit, or access the monitoring feature on HSM devices. See Managing Licenses.

The server Administrator can also start or stop the CCC service, outside of CCC, to enable or disable the CCC server, as described in Managing the CCC Service.

Regular backups are essential to allow you to successfully recover from a disaster. See Backup and Restore.

To help troubleshoot operational issues you may encounter, such as failure to connect to devices, or provision services, you can view the logs, as described in Server Administration.

Logging Into the Server

Only users with the Admin role can log in to the CCC as an Administrator. By default, the Admin role has one user, the admin user. An active license is required for access, so if a license is absent, you are prompted to upload one on activation of the CCC.

To log in to the server as an Administrator

1. Launch CCC using a supported browser (CCC supports the latest versions of Microsoft Edge, Google Chrome, and Mozilla Firefox browsers). The URL you use depends on whether the server is identified by IP address or hostname, as follows:

https://<host_ip>:8181

https://<hostname>:8181

The Crypto Command Center Login page is displayed.

2. Log in to the CCC as an admin user.

If this is the first time you are logging into the server, use the following credentials:

User Name: admin
Password: PASSWORD

3. Change the password, if you are prompted.

4. Upload the license file from your local filesystem, if you are prompted.

The license summary is displayed, indicating the license type affiliated with your CCC. You can later manage your licenses as described in Managing Licenses.

Root of Trust Activation and Deactivation

You can activate and deactivate the CCC server, as required, to limit its ability to log in to the managed devices. For example, you may want to limit periods of activation to specific maintenance windows, to reduce the risk of unauthorized activity in CCC.

Activating the Root of Trust

You need to activate the root of trust on first login to CCC, and to re-activate CCC any time it has been deactivated. You may also need to re-activate the root of trust if its address or credentials are changed.

NOTE   You must be able to see the root-of-trust HSM as a slot in your Luna client before you can activate it.

To activate the root of trust

1. Click on the Administration tab, and select Activation in the navigation frame to display the CCC Activation page.

2. Enter the Partition label and Password.

3. Check the Remember credentials checkbox if you want CCC to cache your root of trust credentials, and then click the Activate button.

NOTE   If you do not want CCC to cache your root of trust credentials, leave the Remember credentials checkbox unchecked. When the CCC service is restarted, the root of trust label and password details are erased automatically.

Activating a New Root of Trust

To activate a new root of trust, you need to reauthorize all the devices managed in the CCC.

To activate a new root of trust

1. Restart the CCC server.

2. Enter the Partition label and Password.

3. Check the Remember credentials checkbox if you want CCC to cache your root of trust credentials, and then click the Activate button.

4. Click the Devices tab and select the device.

5. Open the Connections tab and then click the Update Credentials button.

6. Open the Authorization tab and then click the Re-Authorize button.

Deactivating the Root of Trust

You can deactivate the root of trust to prevent CCC from logging into the managed devices, or to prevent Application Owners from using the CCC Client (ccc_client) to deploy services.

To deactivate the root of trust

1. Click on the Administration tab, and select Activation in the navigation frame to display the CCC Activation page.

2. Click Deactivate.

Root of Trust Self Activation

To view the steps involved in automatic ROT activation, click here.

Managing Licenses

Access to CCC functionality is regulated by licenses. An active license is required to access the CCC graphical user interface. CCC must be activated to upload a license file. A single license can apply to multiple CCC instances in a high availability configuration.

Once the license expires, you are given a grace period during which you still have access to full CCC functionality. This grace period is to allow some time to order and obtain a new license file. Once the period ends, Administrators cannot import more partitions, create new services, or activate new services, and Application Owners cannot deploy existing services.

CCC users have access to the following license types:

Freemium: A Freemium license is included in the CCC software package and can be applied to the product once installed. The Freemium license provides access to 20 device partitions and can also enable the device monitoring feature. The Freemium license is deployed in a test environment and should not be used in a production environment.

Premium - Trial: The Premium - Trial license is a 90-day trial license distributed for assessment purposes. The number of device partitions that can be provisioned by the Premium - Trial license is specified in the license file, as per the license agreement. The Premium - Trial license can be deployed in a test or production environment. It can also enable the device monitoring feature.

Premium - Subscription: The Premium - Subscription license is an annual subscription-based license. The number of device partitions that can be provisioned by the Premium - Subscription license is specified in the license file, as per the license agreement. The Premium - Subscription license is deployed in a production environment. It can also enable the device monitoring feature.

Premium - Perpetual: The Premium - Perpetual license is a one-time purchase license. The number of device partitions that can be provisioned by the Premium - Perpetual license is specified in the license file, as per the license agreement. The Premium - Perpetual license is for deployment in a production environment. It can also enable the device monitoring feature.

NOTE   For more information about license types and acquiring your CCC License contact your Thales sales representative.

Upgrading the license allows you to upgrade from a trial version to a full version, renew your license subscription, or increase the maximum provisioned partitions limit.

NOTE   The CCC license files are set in the UTC time zone. As a result, the expiry dates on the individual license files may not coincide with your local time zone.

To view the license information

1. Click on the Administration tab, and select Licenses in the navigation frame.

The following information is displayed:

License Type: The service level (Freemium or Premium) and duration of your license.

Features: Lists the features made available by the uploaded license. These features can include monitoring and provisioning.

Maximum Provisioned Partitions: The number of Thales Luna HSM partitions which you may manage through CCC. The Freemium License allows access to 20 fixed partitions. The entitlements of the Premium License will define the quantity of available partitions.

Partitions Used: The number of Thales Luna HSM partitions which are currently managed through CCC.

License Activation Date: The date when the license was activated in the Sentinel EMS portal.

License Expiration Date: The date when the license will expire. This date can be calculated relative to the activation date, as with a trial license, or can be fixed based on your license term. This field is displayed while CCC is still within its licensed period of operation. If the user has purchased a perpetual license this information is not displayed.

The following additional fields are displayed if you exceed the license limits by using an expired license, or managing more partitions than allowed:

License Grace Period Ends: The date when the grace period for the CCC license will expire, and functionality will be reduced. Once the period ends, Administrators cannot import more partitions, create or activate new services, and Application Owners cannot deploy existing services.

To upload a license

1. Click on the Administration tab, and select Licenses in the navigation frame.

2. Obtain the new license and place it in the local filesystem.

NOTE   Access the Thales Customer Support portal for more information about obtaining a license.

3. Click the Upload License button. The Upload License dialog is displayed.

4. Click the Upload button and select the new license file from your filesystem.

NOTE   The license type and entitlements are displayed in the Update License dialog.

5. Click the Continue or Update button.

To update a license

1. Click on the Administration tab, and select Licenses in the navigation frame.

2. Obtain the new license and place it in the local filesystem.

NOTE   Access the Thales Customer Support portal for more information about obtaining a license.

3. Click the Update License button. The Update License dialog is displayed.

4. Click the Update... button and select the new license file from your filesystem.

NOTE   The license type and entitlements are displayed in the Update License dialog.

5. Click the Update button.

NOTE   The Update License button is also enabled with a Freemium license. A CCC user can apply a Premium license to replace a Freemium license using this Upload License button, as required.

Managing the CCC Service

The CCC web server runs as a service. The service must be running for the server to be available. You can use the following set of commands to manage the CCC service:

Command                  Description
systemctl start ccc      Start the CCC service. The service must be running to use CCC.
systemctl stop ccc       Stop the CCC service. If you stop the service, CCC will not be available for use.
systemctl restart ccc    Restart the CCC service. This command stops and restarts the service.
systemctl status ccc     Display the current status of the CCC service.

To start, stop, restart, or display the status of the CCC service

1. Log in, as root, to the Linux server used to host the CCC server.

2. Enter a command from the list above, as desired.
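
The maintenance-window idea from Root of Trust Activation and Deactivation, applied to the systemctl commands above. This is an added example, not part of the vendor documentation, that keeps the ccc service running only inside a UTC window. The WINDOW_START and WINDOW_END values, the function names and the ccc-window log tag are assumptions.

```shell
#!/bin/sh
# Added example, not vendor code: keep the "ccc" service up only inside a UTC
# maintenance window. WINDOW_START/WINDOW_END are assumed site policy values.
WINDOW_START="${WINDOW_START:-0200}"   # HHMM, UTC, inclusive (assumption)
WINDOW_END="${WINDOW_END:-0400}"       # HHMM, UTC, exclusive (assumption)

# HHMM -> minutes since midnight; strips a leading zero so "0809" is not octal.
to_minutes() {
    case $1 in [0-9][0-9][0-9][0-9]) ;; *) return 2 ;; esac
    tm_h=${1%??}; tm_m=${1#??}
    tm_h=${tm_h#0}; tm_m=${tm_m#0}
    [ "$tm_h" -lt 24 ] && [ "$tm_m" -lt 60 ] || return 2
    echo $(( $tm_h * 60 + $tm_m ))
}

# Print "start" when NOW is inside [START, END), otherwise "stop". START later
# than END means the window wraps past midnight; START equal to END never opens.
desired_state() {
    ds_now=$(to_minutes "$1") || return 2
    ds_start=$(to_minutes "$2") || return 2
    ds_end=$(to_minutes "$3") || return 2
    if [ "$ds_start" -le "$ds_end" ]; then
        ds_in=$(( $ds_now >= $ds_start && $ds_now < $ds_end ))
    else
        ds_in=$(( $ds_now >= $ds_start || $ds_now < $ds_end ))
    fi
    if [ "$ds_in" -eq 1 ]; then echo start; else echo stop; fi
}

# Reconcile the service with the window. Run as root from cron or a timer.
enforce() {
    en_want=$(desired_state "$(date -u +%H%M)" "$WINDOW_START" "$WINDOW_END") || return 2
    if systemctl is-active --quiet ccc; then en_have=start; else en_have=stop; fi
    if [ "$en_want" = "$en_have" ]; then return 0; fi
    logger -t ccc-window "window says $en_want; running systemctl $en_want ccc"
    systemctl "$en_want" ccc
}

# Act only when asked, so sourcing this file has no side effects.
if [ "${1:-}" = "enforce" ]; then enforce; fi
```

Because a service restart erases root of trust credentials that were not cached with Remember credentials, expect to re-activate the root of trust at the start of each window.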

Backup and Restore

Database and root-of-trust HSM backups are essential to allow you to successfully recover from a disaster.

Regular database backups are required. Refer to the PostgreSQL documentation or the Oracle Database Backup and Recovery User Guide for database backup and restore procedures.

Ensure that you back up the root-of-trust HSM after you first activate CCC. Refer to the Thales Luna HSM documentation for more information.