Service Management

This section describes how to perform service management tasks. It contains the following topics:

>Overview

>Discovering and Importing Unmanaged Partitions

>Creating and Managing Service Templates

>Creating New Services

>Initializing a Service

>Activating a PED-Authenticated Service

>Managing Services

Overview

A cryptographic service is a standalone partition on a Thales Luna Network HSM, or an HA group consisting of multiple partitions, each configured on a different Thales Luna Network HSM, that you manage using CCC. Services are assigned to, and owned by, a specific organization (see Account Management). Only members of the organization that owns the service are able to deploy and use the service for their cryptographic applications.

You can use CCC to import, create, and manage cryptographic services on any devices you manage with CCC. In order to manage services on a device, the device must be authorized to allow CCC to log into the device as the HSM SO (see Device Management).

After you add and authorize a device, you can discover and import any partitions that are already provisioned on the device, or create new services on the device. Once you import or create a service, you can manage it with CCC.

The service management functions are grouped under the Crypto Services tab. Under Services you can sort the services list by column, or use the search function to find a specific service:

>Click on the trash can icon in the Remove column to either detach or delete a device or organization from the services menu.

>The Status column displays an icon for each service. The status indicates whether the service is experiencing any problems.

The service status is displayed in the Status column. If you hover over the icon with your cursor, a relevant tooltip is displayed.

Discovering and Importing Existing Unmanaged Services

You can use the Import Partitions function to discover any partitions provisioned on your managed devices that do not already exist as services in CCC. The Import Partitions function queries each managed device, in turn, to find any partitions that are not currently in the CCC database. CCC examines the partitions on each device to determine if they represent standalone services or HA Group services. The results are displayed in a table that includes information for each partition, such as size, number of objects, and registered clients.

NOTE   If you import an existing partition that uses both the Per-Partition Security Officer (PPSO) and Secure Trusted Channel (STC) features, CCC can only view partition details and delete the partition. CCC cannot modify the partition or give access to Application Owners. This is because the Partition SO can only access and modify the partition through the existing STC client that was established before import.

Partitions that appear to be part of an HA group (that is, those that are the same size, contain the same number of objects, and have the exact same set of clients) are grouped together and assigned the same default HA Group label (HA<n>, for example, HA3). Partitions which use STC and do not have the Per-Partition Security Officer (PPSO) feature enabled are grouped based on the STC fingerprint. If two or more partitions on the same appliance meet the criteria for belonging to the same HA group, only one is selected, as follows:

>if one of the partitions has the same name as the other partitions in the HA group, it is selected.

>if none of the partitions have the same name as the other partitions in the HA group, the first matching partition is selected.

NOTE   The default HA Group label assigned to any discovered HA groups is temporary only, and is not the label assigned to the HA group when it was created. After confirming the grouping, you must change the default label to the actual label, as determined using VTL, to ensure that CCC can successfully manage the service.

You can import an HA group only if the selected partitions that belong to it meet all of the following conditions:

>Partitions must be the same size.

NOTE   If the selected partitions are of different sizes, the following error message is displayed:
"Cannot import an HA group that contains partitions with different sizes".

>Partitions must use the same authentication mechanism (PED or Password).

NOTE   If the selected partitions use a mix of PED and Password authentication, the following error message is displayed:
"Cannot import an HA group that contains partitions from a mix of Password and PED type devices".

>Each partition must belong to a different device.

NOTE   If two or more selected partitions belong to the same device, the following error message is displayed:
"Cannot import an HA group that contains two or more partitions from the same device".

>Partitions must use the same transport type (NTLS or STC).

NOTE   If the selected partitions use a mix of transport types (NTLS/STC), the following error message is displayed:
"Cannot import an HA group that contains partitions with a mix of different transport (NTLS/STC) types".
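The discovery grouping heuristic described above (same size, object count and client set, or the STC fingerprint for STC partitions without PPSO, with the same-name tie-break when two candidates sit on one appliance) and the four import conditions with their error messages can be written down as one small routine. The following Python is an added example, not CCC's own code: the Partition record and its field names are assumed, as is the rule that a discovered group must span at least two appliances.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Partition:
    """One partition as reported by discovery (assumed data model)."""
    name: str
    device: str                     # appliance that hosts the partition
    size: int                       # partition size in bytes
    objects: int                    # number of objects stored
    clients: FrozenSet[str]         # registered client hostnames
    auth: str                       # "PED" or "Password"
    transport: str                  # "NTLS" or "STC"
    ppso: bool = False              # Per-Partition SO enabled
    stc_fingerprint: Optional[str] = None


def grouping_key(p: Partition) -> tuple:
    """Key under which discovery groups partitions that look like HA members."""
    if p.transport == "STC" and not p.ppso:
        # STC without PPSO: the STC fingerprint identifies the HA group
        return ("stc", p.stc_fingerprint)
    # otherwise: same size, same object count, exact same set of clients
    return ("match", p.size, p.objects, p.clients)


def pick_per_device(members: List[Partition]) -> List[Partition]:
    """Keep one candidate per appliance. Prefer the candidate whose name
    matches the partitions on the other appliances; otherwise the first one."""
    by_device: Dict[str, List[Partition]] = defaultdict(list)
    for p in members:
        by_device[p.device].append(p)
    chosen = []
    for device, cands in by_device.items():
        other_names = {p.name for p in members if p.device != device}
        named = [p for p in cands if p.name in other_names]
        chosen.append(named[0] if named else cands[0])
    return chosen


def discover_ha_groups(partitions: List[Partition]) -> Tuple[Dict[str, List[Partition]], List[Partition]]:
    """Return ({'HA<n>': members}, standalone). The labels are the temporary
    defaults; the real HA Group Label must be entered before import."""
    buckets: Dict[tuple, List[Partition]] = defaultdict(list)
    for p in partitions:
        buckets[grouping_key(p)].append(p)
    groups: Dict[str, List[Partition]] = {}
    standalone: List[Partition] = []
    n = 1
    for members in buckets.values():
        chosen = pick_per_device(members)
        if len(chosen) < 2:
            # assumption: an HA group spans at least two appliances
            standalone.extend(members)
            continue
        groups[f"HA{n}"] = chosen
        n += 1
    return groups, standalone


def validate_ha_import(members: List[Partition]) -> List[str]:
    """Apply the import conditions; an empty list means the group can be imported."""
    errors = []
    if len({p.size for p in members}) > 1:
        errors.append("Cannot import an HA group that contains partitions with different sizes")
    if len({p.auth for p in members}) > 1:
        errors.append("Cannot import an HA group that contains partitions from a mix of Password and PED type devices")
    if len({p.device for p in members}) < len(members):
        errors.append("Cannot import an HA group that contains two or more partitions from the same device")
    if len({p.transport for p in members}) > 1:
        errors.append("Cannot import an HA group that contains partitions with a mix of different transport (NTLS/STC) types.")
    return errors


# Constructed sample: a three-appliance HA group, a same-appliance duplicate
# that must lose the tie-break, and one standalone partition.
CLIENTS = frozenset({"app-client-1", "app-client-2"})
SAMPLE = [
    Partition("payroll", "hsm-a", 100000, 12, CLIENTS, "PED", "NTLS"),
    Partition("payroll-old", "hsm-a", 100000, 12, CLIENTS, "PED", "NTLS"),
    Partition("payroll", "hsm-b", 100000, 12, CLIENTS, "PED", "NTLS"),
    Partition("payroll", "hsm-c", 100000, 12, CLIENTS, "PED", "NTLS"),
    Partition("signing", "hsm-b", 50000, 3, frozenset({"ci-runner"}), "Password", "NTLS"),
]

if __name__ == "__main__":
    groups, standalone = discover_ha_groups(SAMPLE)
    for label, members in groups.items():
        print(label, [f"{p.device}/{p.name}" for p in members], validate_ha_import(members) or "ok")
    print("standalone", [f"{p.device}/{p.name}" for p in standalone])
```

Running the sample groups the three "payroll" partitions as HA1, drops "payroll-old" on hsm-a because another partition on that appliance shares the name used on the other appliances, and leaves "signing" standalone; validating a pair from the same appliance, or a PED/NTLS partition against a Password/STC one, returns the corresponding error messages.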

After examining and verifying the data in the table, you must edit the table to specify a name, organization, and optional description. After providing the required information, you can import the partitions as services.

See Discovering and Importing Unmanaged Partitions for detailed procedures that describe how to import partitions and add them as services to CCC.

Creating New Services

To create a service:

>choose a template that defines the characteristics of the service you would like to create. New services are defined using templates, which specify the type, size, and capabilities of a service. See Creating and Managing Service Templates for detailed procedures that describe how to create, edit, and manage service templates.

>specify the device(s) you want to use to host the service.

>specify the organization whose users are able to deploy the service.

>optionally initialize the service with an option to activate, if the service is a PED-authenticated Per-Partition Security Officer (PPSO) service. See Initializing a Service and Activating a PED-Authenticated Service.

When you create a non-PPSO service, the resources required to provide the service are reserved in CCC, but the actual partition(s) are not created on the device(s) until the service is initialized. When you create a PPSO service on CCC, an uninitialized partition is also created on the specified device(s). Services can be initialized by the CCC Administrator, or by an Application Owner that is a member of the organization that owns the service.

In addition, you can create a service and indicate in the service template that the new service should use Secure Trusted Channel (STC) links for client connections. The STC status is "Pending" until an Application Owner deploys the service, which enables the STC policy on the partition(s) and establishes the STC link to the Application Owner's Thales Luna HSM client.

See Creating New Services for detailed procedures that describe how to create a new service.

Managing your services

After you have added or created a service, you can view or edit its attributes to do the following:

>change the service name, description, or organization

>initialize the crypto user role on a PPSO service

>activate a role on a PPSO PED-based service

>remove the service from CCC

>add a partition

>remove a partition

>delete the service if it is no longer required

>view the service status

See Managing Services for detailed procedures that describe how to view, edit, remove, or delete services.

Discovering and Importing Unmanaged Partitions

Devices you add to CCC may already contain partitions and HA groups. Alternatively, although it is not recommended, an Administrator may have created partitions or HA groups on a managed device using the command line tools after you added the devices to CCC. You can use the Import Partitions function to discover any unmanaged partitions, with the option of importing them into CCC as services. You can use the Import Partitions function at any time to discover unmanaged partitions on your managed devices. To ensure that all HA groups are discovered, all authorized devices are included in the search.

If you attempt to import a number of partitions exceeding the partitions available, the Import Partitions option is disabled. CCC requires that you reduce the number of partitions for import to a value equal to, or less than, the number of available partitions, then re-attempt import.

The Import Partitions function consists of three distinct phases:

1.Discovery

In this phase, CCC logs in to each authorized device to find any partitions that are not in the CCC database.

2.Verification and data entry

The discovered partitions are returned in a table, sorted by service type (standalone partitions or partition HA groups), which you must then edit to provide the information required to create services for the discovered partitions (service name, organization, and optional description). You can choose to import all of the discovered partitions, or you can delete any partitions from the table that you do not want to import at this time. To add a partition or HA group as a service in CCC, you must enter a service name and choose the organization that will own the service. You can also enter an optional description for the service.

NOTE   Any partitions that you delete from the table are removed from the current import only. You can import them later by running the Import Partitions function again.

Edits to the table are saved automatically and persist between login sessions. If you select Crypto Services > Import Partitions while you have a currently saved table, the discovery portion of the Import Partitions function is skipped, and the saved table is displayed. The Import Partitions page shows when the table was first created and last edited.

NOTE   Your data may not be preserved, depending on your browser settings. If you have configured your browser to discard history on exit, all data will be lost.

3.Service creation

Once you have verified the data in the table, supplied a service name and optional description, and chosen the organization that will own the service, click Finish Import to create services for the partitions and HA groups. Once complete, you are redirected to the Crypto Services page, where you can manage the partitions and partition HA groups in CCC.

NOTE   Importing partitions that have both the STC and PPSO policies into CCC allows you to view partition information, but functionality is reduced as CCC is not established as a secure endpoint for the existing STC connection. You can detach or delete the service, or change the service name, description, or organization.

To discover and import unmanaged partitions

1.Click on the Crypto Services tab, and select Import Partitions in the navigation frame:

if you do not have a currently saved partition import table, the Import Partitions splash page is displayed. Go to the next step.

otherwise, the currently saved partition import table is displayed. Go to step 3.

2.Click on the Get Started button to begin the discovery process. The Finding Partitions progress dialog is displayed.

The discovery process may take some time to complete, depending on the number of devices that must be queried. When the discovery is complete, a table listing all of the discovered partitions is displayed. A tutorial overlay is provided that explains how to use the table to verify the discovered partitions, and import them into CCC as services.

3.Although CCC attempts to identify the partitions by service type (standalone partition or partition HA group), it is strongly recommended that you examine the data in the table and verify its accuracy, especially for any HA groups that have been identified. For example, you may want to log in to each client that uses an HA group to verify that the HA group members match those listed in the table.

4.If you need to make any changes, you can do so as follows:

to move a partition to a different HA group, type the correct HA group name for the partition in the HA Group field.

to remove a partition from an HA group and make it a standalone service, delete the suggested HA group name from the HA Group field.

to add a partition identified as a standalone service to an HA group, type the name of the HA group you want to add it to in the HA Group field.

5.For each HA group you want to import, log in to one of the clients that use the HA group and use the vtl haAdmin show command to determine the actual HA Group Label for the HA group. Delete the default HA Group label (HA_<n>), and replace it with the actual HA Group Label.

6.After you have verified the HA groupings and deleted any partitions from the table that you do not want to import at this time, edit the table to provide the following information for each partition or HA group. The values for service name, description, and organization are automatically replicated to each partition in an HA group as you enter them:

>HA Group: Enter the HA Group Label string for the HA group, as determined using the vtl haAdmin show command.

>Service Name: Enter the name that will be used to identify the service in CCC. This is limited to 28 characters.

>Description: Enter a description for the service. This field is optional.

>Organization: Choose the organization that will own the service. If the organization does not exist, you must create it. See Account Management.

7.After you provide a service name, optional description, and organization for each partition or HA group, click Finish Imports to create a service for each partition or HA group.

The Services page is displayed, listing the newly added services. You can now manage the services as described in Managing Services.

Canceling an Import

If you want to restart the import process, click Cancel. The current table is deleted. Click on Crypto Services > Import Partitions to restart the discovery process and create a new table.

Creating and Managing Service Templates

When you create a service, you must specify a template for the service. Service templates specify the type, size, and capabilities of services created using the template. Service templates are reusable, allowing you to create templates for specific application types that can be used to quickly and easily create services for specific applications.

To add, copy, view, edit, or manage a service template, click on the Crypto Services tab, and select Service Templates in the navigation frame. All existing service templates are listed. You can sort the list of service templates by column, or use the search function to find a specific service template. Click on the Copy Template icon to copy and edit a service template. Click on the trash can icon in the Delete column to delete a service template (with confirmation).

When you click on a service template, its attributes are displayed at the bottom of the page. The attributes are arranged by tab, as follows:

General

Displays the template name and description. You can edit this information.

Capabilities

Displays the type, size, and capabilities of services created using the template. You can edit this information.

Creating Service Templates

You can create as many service templates as you like to define the different types of services you need to create.

To add a service template

1.Click on the Crypto Services tab, and select Service Templates in the navigation frame.

2.Click the Add Service Template button. The Create Service Template dialog is displayed.

3.Complete the wizard as follows. You can click Cancel at any time to exit the wizard without saving your changes:

General

Enter a name and optional description for the service template. You can enter any strings you like.

Set Capabilities

Specify the type, size, and capabilities of services to be created using this template, as follows:

>Service type: Choose HSM Partition to create a standalone service on a single device. Select HSM Partition HA Group to create an HA group using two or more devices.

>Partition size (bytes): Specify the size of the partition(s), in bytes, used to provide services created using this template.

>Per-Partition SO: Click this checkbox if you want the services created using this template to have their own security officer (SO). Per-Partition SO is supported on devices with firmware 6.22 or higher, and with the Per-Partition SO capability upgrade (CUF) installed.

NOTE   Per-partition SO is the mandatory setting for 7.x devices, and is enabled by default.

>Secure Trusted Channel: Click this checkbox if you want the services created using this template to connect to Application Owner clients using Secure Trusted Channel (STC) instead of the default NTLS connection. Secure Trusted Channel is supported on devices with software 6.2.1 or higher, firmware 6.24.2 or higher, and the STC HSM policy enabled. When you create a service with the capability in the template, the STC status is "pending" until an Application Owner deploys the service, which enables the STC partition policy, and establishes the STC link.

>Device Capabilities: Choose the following options to specify the capabilities of the device(s) used to host services created using this template.

Performance: Select Low or High performance.

Authentication: Select PED or Password.

Backup: Select Cloning or Key Export.

Summary

Displays a summary of the information you entered for the service template. If the information is not correct, click Go Back and update the information as required. Otherwise, click Finish to create the service template.
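The prerequisites listed in the Set Capabilities step (Per-Partition SO: firmware 6.22 or higher plus the CUF, and mandatory on 7.x devices; STC: software 6.2.1 or higher, firmware 6.24.2 or higher, and the STC HSM policy enabled; matching Performance, Authentication and Backup capabilities) can be checked against a device list before a service is created from a template. The following Python is an added example, not CCC's own code: the Device and Template records, their field names, and the sample version numbers are assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple


def version(s: str) -> Tuple[int, ...]:
    """'6.24.2' -> (6, 24, 2). Compare as tuples: as strings, '6.9' > '6.24'."""
    return tuple(int(x) for x in s.split("."))


@dataclass(frozen=True)
class Device:
    """Managed appliance with the properties the template prerequisites depend on (assumed record)."""
    name: str
    software: str        # appliance software version
    firmware: str        # HSM firmware version
    ppso_cuf: bool       # Per-Partition SO capability upgrade (CUF) installed
    stc_policy: bool     # STC HSM policy enabled
    auth: str            # "PED" or "Password"
    performance: str     # "Low" or "High"
    backup: str          # "Cloning" or "Key Export"


@dataclass(frozen=True)
class Template:
    """Service template capabilities (assumed record)."""
    name: str
    service_type: str    # "HSM Partition" or "HSM Partition HA Group"
    ppso: bool
    stc: bool
    auth: str
    performance: str
    backup: str


def check_device(t: Template, d: Device) -> List[str]:
    """Reasons why device d cannot host a service built from template t."""
    problems = []
    fw, sw = version(d.firmware), version(d.software)
    if fw[0] >= 7 and not t.ppso:
        problems.append("Per-Partition SO is mandatory on 7.x devices")
    if t.ppso and fw[0] < 7 and (fw < version("6.22") or not d.ppso_cuf):
        problems.append("Per-Partition SO needs firmware 6.22+ and the PPSO CUF")
    if t.stc and (sw < version("6.2.1") or fw < version("6.24.2") or not d.stc_policy):
        problems.append("STC needs software 6.2.1+, firmware 6.24.2+ and the STC HSM policy")
    for cap in ("auth", "performance", "backup"):
        if getattr(t, cap) != getattr(d, cap):
            problems.append(f"{cap}: template requires {getattr(t, cap)}, device has {getattr(d, cap)}")
    return problems


def eligible_devices(t: Template, devices: List[Device]) -> Tuple[List[Device], List[str]]:
    """Devices that can host t, plus an error if there are too few for the service type."""
    ok = [d for d in devices if not check_device(t, d)]
    need = 2 if t.service_type == "HSM Partition HA Group" else 1
    errors = [] if len(ok) >= need else [f"{t.service_type} needs {need} eligible device(s), found {len(ok)}"]
    return ok, errors


# Constructed sample devices and templates (version numbers are illustrative).
DEVICES = [
    Device("hsm-6old", "6.2.1", "6.9", True, True, "PED", "High", "Cloning"),
    Device("hsm-6", "6.2.1", "6.24.2", True, True, "PED", "High", "Cloning"),
    Device("hsm-7", "7.3.0", "7.0.3", False, True, "PED", "High", "Cloning"),
]
PPSO_STC_HA = Template("ppso-stc-ha", "HSM Partition HA Group", True, True, "PED", "High", "Cloning")
LEGACY = Template("legacy", "HSM Partition", False, False, "PED", "High", "Cloning")

if __name__ == "__main__":
    for t in (PPSO_STC_HA, LEGACY):
        ok, errors = eligible_devices(t, DEVICES)
        print(t.name, [d.name for d in ok], errors)
        for d in DEVICES:
            print("  ", d.name, check_device(t, d) or "ok")
```

Versions are compared as integer tuples; comparing them as strings would rank firmware 6.9 above 6.24 and wrongly pass the PPSO and STC checks on the oldest sample device.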

Copying and Editing an Existing Service Template

You can copy an existing template and edit it as required to create a new service template.

To copy and edit an existing service template

1.Click on the Crypto Services tab, and select Service Templates in the navigation frame.

2.Find the service template you want to copy. To help find a service template, you can sort the service list by column heading, or use the search function.

3. Click on the Copy Template icon. The Create Service Template wizard is displayed, with the fields pre-filled with the values from the copied service template.

4.Complete the wizard, as described in Creating Service Templates.

Viewing or Editing the Service Template Attributes

You can sort the service template list by column heading, or use the search function to find a service template. When you find the service template you want, click on the service template to view or edit its attributes.

To view or edit a service template's attributes

1.Click on the Crypto Services tab, and select Service Templates in the navigation frame.

2.After finding the service template you want, click on the service template to display the service template's attributes at the bottom of the page.

3.Use the following tabs to view or edit the service template attributes:

General

Contains the service template name and an optional description.

>Click Edit to edit the information. Click Save when done, or Cancel to discard the changes and exit edit mode.

Capabilities

Displays the type, size, and capabilities of services created using the template. Click Edit to edit the service template, as follows

>Service type: Choose HSM Partition to create a standalone service on a single device. Select HSM Partition HA Group to create an HA group using two or more devices.

>Partition size: Specify the size of the partition(s) used to provide services created using this template.

>Per-Partition SO: Click this checkbox if you want the services created using this template to have their own security officer (SO). Per-Partition SO is supported on devices with firmware 6.22 or higher, and with the Per-Partition SO capability upgrade (CUF) installed.

NOTE   Per-partition SO is the mandatory setting for 7.x devices, and is enabled by default.

>Secure Trusted Channel: Click this checkbox if you want the services created using this template to connect to CCC using Secure Trusted Channel (STC) instead of the default NTLS connection. Secure Trusted Channel is supported on devices with software 6.2.1 or higher, firmware 6.24.2 or higher, and the STC HSM policy enabled. The STC link is established in ccc_client when the service is deployed by an Application Owner.

>Device Capabilities: Choose the following options to specify the capabilities of the device(s) used to host services created using this template.

Performance: Select Low or High performance.

Authentication: Select PED or Password.

Backup: Select Cloning or Key Export.

Click Save when done, or Cancel to discard the changes and exit edit mode.

Deleting Service Templates

You can delete a service template at any time.

To delete a service template

1.Click on the Crypto Services tab, and select Service Templates in the navigation frame.

2.After finding the service template you want, click on the trash can icon in the Delete column. A confirmation dialog is displayed.

Creating New Services

To create a service, you must specify the service template for the service, the device(s) used to host the service, and the owner organization. After you add a service, you can view its capabilities and host device, but an Application Owner cannot deploy a service until it has been initialized. You can initialize a service when you create it, or you can leave it uninitialized. Uninitialized services can be initialized by the CCC Administrator, or by an Application Owner that is a member of the organization that owns the service.

To create a service

1.Click on the Crypto Services tab, and select Services in the navigation frame.

2.Click the Create Service button. The Create Service wizard is displayed.

3.Complete the wizard as follows. You can click Cancel at any time to exit the wizard without saving your changes:

General

Enter a name and optional description for the service. This information is used to identify the service in CCC. You can enter any strings you like.

After you add the service, you can change its name or description by editing the service attributes. See Service Management.

Choose Template

Choose a template from the list that defines the type of service you want to create. To help find a service template, you can sort the list by column heading, or use the search function.

NOTE   You can view service template details by hovering over the information (i) icon associated with the service template.

Add Devices

Select the device, or devices, used to provide the service. If the service is an HSM partition HA group, you must specify each device (minimum of 2) that will be used to provide the HSM partition HA group. To select a device, click on the device in the Available Devices window and click Add to move it to the Selected Devices window. You can use the search function to help find a device, if necessary. To deselect a device, click on the device in the Selected Devices window and click Remove to move it to the Available Devices window.

Assign Organization

Choose the organization that will own the service from the list. To help find an organization, you can sort the organization list by column heading, or use the search function.

After you add the service, you can change the organization that owns the service by editing the service attributes. See Service Management.

Summary

Displays a summary of the information you entered for the service. If the information is not correct, click Go Back and update the information as required. Otherwise, click Finish to create the service.

If successful, a success message is displayed and the service is added. You are prompted to initialize the service. See Initializing a Service.

Otherwise, an error is displayed, and you can click Go Back to update the device information, as required, to resolve the issue.

Initializing a Service

You must initialize a service before you can use it. To initialize a service, you must specify or create the following:

>the initial credentials for the roles that will own or use the service:

for services without PPSO enabled, you initialize the credentials for the partition owner (crypto officer) role.

for services with PPSO enabled, you initialize the credentials for the partition SO and crypto officer roles. You also have the option to initialize the crypto user role.

>the cloning domain for the service. You can only clone objects between HSMs that are in the same cloning domain. Cloning is used to perform operations such as backup/restore.

You can initialize a service when you create it, or you can leave it uninitialized until it is ready to be deployed. Uninitialized services can be initialized by the CCC Administrator, or by an Application Owner that is a member of the organization that owns the service.

Initializing a PED-authenticated Service

To initialize a PED-authenticated service, you need a remote PED and the orange PED key(s) encoded with the Remote PED Vector (RPV) for the Thales Luna Network HSM appliance(s) that provide the service. You also need to imprint or provide the role and domain PED keys for the service, as follows:

>for non-PPSO services, you initialize the credentials for the partition owner (crypto officer) and set the cloning domain for the service, by providing or imprinting the crypto officer (black) and domain (red) PED keys.

>for PPSO services, you initialize the credentials for the partition SO, crypto officer, and (optionally) crypto user roles, and set the cloning domain for the service, by providing or imprinting the partition SO (blue), crypto officer/crypto user (black/gray), and domain (red) PED keys.

Contact the CCC Administrator to get any keys you may require.

To use a remote PED with CCC, you need to install the Thales Luna HSM client, including the Remote PED Server option, on the computer you will use to access CCC, or on a separate computer you will use for the remote PED. After installing the Thales Luna HSM client, use LunaCM to configure the Remote PED Server so that you can connect to it from CCC. Refer to the Thales Luna HSM documentation for more information.

To initialize a PED-authenticated service

1.Click on the Crypto Services tab, and select Services in the navigation frame to display a list of all currently provisioned services. Any uninitialized services have an Initialize button in the Initialization State column. To help find a service, you can sort the service list by column heading, or use the search function.

2.Click on the Initialize Service link for the service you want to initialize. The Initialize Service wizard is displayed. Complete the wizard as follows:

Define Partition

Enter a label for the partition used to provide the service.

Initialize Roles

Enter the IP address of your remote PED server. The default port is auto-filled. If you are not using the default port, enter the Remote PED server port.

For PPSO services, enter the challenge password for the crypto officer and (optionally) crypto user roles. The challenge password is the password used to authenticate to the role after it is activated.

Click Next and respond to the prompts on-screen and on the PED.

For non-PPSO services, the PED generates and displays a 16-digit challenge password. Record this challenge password. It is necessary for service activation.

Activate Roles

To activate the roles you initialized, click the Activate Crypto Officer and (optionally) Activate Crypto User checkboxes. You cannot activate the crypto user without also activating the crypto officer.

You can activate the roles later for PPSO services, if desired, by editing the service attributes. For services which have both the PPSO and the STC feature enabled in the template, you can activate the roles any time until an application user deploys the service, which establishes the STC link and precludes further changes through CCC.

Click Finish to initialize the service. Observe the progress messages to verify success.

Initializing a Password-authenticated Service

To initialize a password-authenticated service, you need to enter passwords for the roles you wish to initialize, and specify the cloning domain for the service, as follows:

>for non-PPSO services, you enter an initial password for the crypto officer and set the cloning domain for the service.

>for PPSO services, you enter an initial password for the partition SO, crypto officer, and (optionally) crypto user roles, and set the cloning domain for the service.

To initialize a password-authenticated service

1.Click on the Crypto Services tab, and select Services in the navigation frame to display a list of all currently provisioned services. Any uninitialized services have an Initialize Service button in the Initialization State column. To help find a service, you can sort the service list by column heading, or use the search function.

2.Click the Initialize Service link for the service you want to initialize. The Initialize Service wizard is displayed. Complete the wizard as follows:

Define Partition

Enter a label and cloning domain for the partition used to provide the service.

Initialize Roles

Set the initial password for the Crypto Officer. For PPSO services, you also set the initial password for the Security Officer, and optionally for the Crypto User. Click Finish to initialize the service. Observe the progress messages to verify success.

NOTE   For a service which uses STC and PPSO, after the service is deployed you cannot initialize the Crypto User role through CCC.

Activating a PED-Authenticated Service

You can activate a role on a PED-authenticated service to allow the role to authenticate to the service using a challenge password only, without PED interaction. You can activate a service when you initialize it, or later, by selecting the service and navigating to the Partitions tab. See Service Management.

Limitations

>You can activate PPSO services only. Use LunaCM to activate a non-PPSO service.

>Services that have both PPSO and STC enabled cannot be activated after the service is deployed to an Application Owner. This is because after the STC link is established, the Partition SO can only access and modify the partition through the STC link with the Thales Luna HSM client, not through CCC.

Managing Services

After you have added or created a service, you can view or edit its attributes, remove it from CCC, or delete it if it is no longer required.

To manage your services, click on the Crypto Services tab, and select Services in the navigation frame. All existing services are listed. You can sort the service list by column, or use the search function to find a specific service:

> Click on the dropdown button in the Remove column to detach or delete the service (with confirmation).

> Click on the Initialize button in the Initialization State column to initialize a currently uninitialized service. See Initializing a Service.

>There is a Status column displaying an icon for each service. The status indicates whether the service is running properly or offline.

When you click on a service, its attributes are displayed at the bottom of the page, arranged by tabs.

Viewing or Editing Service Attributes

Click on a service to display its attributes at the bottom of the page. To help find a service, you can sort the service list by column heading, or use the search function.

To view or edit service attributes

1.Click on the Crypto Services tab, and select Services in the navigation frame to display a list of all added services.

2.After finding the service you want, click on the service to display its attributes.

3.Click on a tab to view, edit, or refresh the service attributes, as follows:

General

Displays the service name and description, the organization that owns the service, who created the service, and when it was created. You can edit the service name, description, organization, or HA group label.

Capabilities

Displays the service type, partition size, authentication type, and capabilities of the host device.

NOTE   The CCC administrator can view and edit the partition size of a service. For the steps, refer to Modifying partition size.

Partitions

Displays the name of the host device(s). If the service is initialized, the name(s), label(s), serial number(s), appliance version(s), and device firmware version(s) of the partition(s) that provide the service are also displayed. The Admin user can add and initialize partitions on any single or HA service. One or more partitions can be removed from an HA service.

For PPSO services, additional functions are available:

Click on Initialize Crypto User to set the initial credentials for the crypto user role.

Click on Activate Roles to activate a role so that it can use a challenge password to connect to a PED-authenticated service without PED interaction. You are prompted to enter the challenge password(s) for the role(s). This function applies to PED-based services only.

Keys

Displays the Label, Type, Handle, Fingerprint, Algorithm, and Bit Size of the keys present on partitions associated with a service. To view the key attributes, you must authenticate as the Crypto Officer by providing a Crypto Officer Password. For PED services, you must provide valid Remote PED Server IP Address and Port.

NOTE   In case of a PED service, if the CO role is activated, you are not required to provide Remote PED Server IP address and port details.

CCC establishes an NTLS session with the partitions to fetch the partition object information. You can use the Log Off Session button to terminate the NTLS session. A session that remains idle for 3 hours gets automatically terminated.

NOTE   To ensure that this feature works properly, use Luna HSM Client 7.1 or later on the CCC server.

NOTE   Do not use the CCC server itself to create an NTLS connection via LunaCM or LunaSH, as that can lead to errors while displaying key attributes. Use the CCC Client to create the NTLS connection instead.

NOTE   For non-PPSO PED HA services, activate the crypto officer manually. Before running key export, refer to Activating a non-PPSO PED-Authenticated HA Group.

NOTE   As part of the key attributes retrieval on HA service, CCC will sync objects created across all member partitions of that HA group.

NOTE   If you are unable to retrieve the keys for 6.x Non-PPSO partitions, refer to Administration Issues for a resolution.

Clients

Displays the status, host address, fingerprint, and last registration of the Thales Luna HSM client workstation(s) that the service is deployed on, if it is currently deployed.

NOTE   When an added partition is initialized, or an initialized partition is removed from a service, the status of the clients already associated with the service changes to the error status icon, indicating that these clients must be re-registered to pick up the changes to the service.

Modifying partition size

After creating a service, the CCC administrator can view and edit the size of the partitions in the service to match the required usage.

The partition size is restricted as follows:

>The minimum partition size is 1000 bytes.

>The maximum partition size is 99999999 bytes.

To modify partition size

1.Click Crypto Services tab, and select Services in the navigation frame to display a list of all added services.

2.Click a service. A list of attributes in the form of tabs displays.

3.Click Capabilities.

4.Click Edit button displayed under Capabilities tab.

5.Enter a new numeric value in the Partition size (bytes) text box.

NOTE   
1. Only numeric values are accepted in the Partition size (bytes) text box; alphanumeric values are rejected.

2. If the CCC administrator enters a value that cannot be accommodated by the available device memory, a modal window with an error message displays.

6.Click on Save. If the updated partition size is saved successfully, a modal window displays with a success message.

7.Click Close to close the modal window.

NOTE   
1. If CCC loses contact with a device due to a network issue while saving, the updates are rolled back and an error message notifies the CCC administrator to try again later.

2. If one or more devices are offline while saving the updated partition size, an error message notifies the CCC administrator to try again when all the devices are online.

3. If no space is available on the devices for the requested partition size, an error message displays.
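The three failure modes above amount to an all-or-nothing update across the HSMs that back a service: reject the request before touching any device if the value is invalid, a member is offline, or a member lacks memory, and if the link drops part-way through the writes, restore every member so the HA group does not end up with mismatched partition sizes. The following is an added illustrative model of that logic, not CCC's own code; Device and Service are hypothetical stand-ins for the per-appliance calls CCC makes over its HSM SO session, and the mid-update fault is a constructed one.

```python
"""All-or-nothing partition resize across the HSMs that back a service.

Added illustrative example, not CCC's own code. Device and Service are
hypothetical stand-ins for the per-appliance calls CCC makes; the limits and
error conditions are the ones the page states.
"""
from dataclasses import dataclass, field

MIN_PARTITION_BYTES = 1_000
MAX_PARTITION_BYTES = 99_999_999


class PartitionSizeError(Exception):
    """The update was rejected up front or has been rolled back."""


@dataclass
class Device:
    """Hypothetical model of one managed HSM and its partition for the service."""
    name: str
    free_bytes: int                      # device memory not allocated to any partition
    partition_bytes: int                 # current size of this service's partition
    online: bool = True
    drop_connection_after: bool = False  # constructed fault: lose the link mid-update

    def set_partition_size(self, new_size: int) -> None:
        if not self.online:
            raise ConnectionError(f"{self.name}: device offline")
        delta = new_size - self.partition_bytes
        if delta > self.free_bytes:
            raise PartitionSizeError(f"{self.name}: no space available on device")
        self.free_bytes -= delta
        self.partition_bytes = new_size
        if self.drop_connection_after:
            self.drop_connection_after = False  # the constructed fault fires once
            raise ConnectionError(f"{self.name}: connection lost after update")


@dataclass
class Service:
    name: str
    members: list[Device] = field(default_factory=list)


def validate_size(raw: str) -> int:
    """Reject non-numeric input and values outside the allowed range."""
    if not raw.isdigit():
        raise PartitionSizeError("partition size must be a numeric value")
    size = int(raw)
    if not MIN_PARTITION_BYTES <= size <= MAX_PARTITION_BYTES:
        raise PartitionSizeError(
            f"partition size must be between {MIN_PARTITION_BYTES} "
            f"and {MAX_PARTITION_BYTES} bytes")
    return size


def resize_service(service: Service, raw_size: str) -> int:
    """Apply a new partition size to every member, or to none of them.

    Pre-checks (offline devices, insufficient memory) fail before anything is
    written. A failure during the write loop triggers a compensating update
    that restores every member that was already changed.
    """
    size = validate_size(raw_size)

    offline = [d.name for d in service.members if not d.online]
    if offline:
        raise PartitionSizeError(
            f"devices offline ({', '.join(offline)}); retry when all devices are online")
    short = [d.name for d in service.members if size - d.partition_bytes > d.free_bytes]
    if short:
        raise PartitionSizeError(f"no space available on device(s): {', '.join(short)}")

    previous = {d.name: d.partition_bytes for d in service.members}
    try:
        for d in service.members:
            d.set_partition_size(size)
    except ConnectionError as exc:
        not_restored = []
        for d in service.members:
            if d.partition_bytes == previous[d.name]:
                continue  # never changed; nothing to restore
            try:
                d.set_partition_size(previous[d.name])
            except (ConnectionError, PartitionSizeError):
                not_restored.append(d.name)
        if not_restored:
            raise PartitionSizeError(
                f"update failed ({exc}) and rollback failed on "
                f"{', '.join(not_restored)}; HA members are now inconsistent") from exc
        raise PartitionSizeError(f"update rolled back ({exc}); try again later") from exc
    return size
```

The pre-checks are what keep a partial write from happening in the common cases; the compensating loop covers the case the page describes as a network issue during the save, and it reports explicitly when even the rollback could not reach a member, since an HA group whose partitions differ in size is the state an operator most needs to know about.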

Adding a Partition to a Service

As a CCC administrator, you can add a partition either to provide failover by converting a single-partition service to an HA service, or to increase redundancy by adding more members to an existing HA group.

To add a partition to a service

1.Click Crypto Services tab, and select Services in the navigation frame to display a list of all added services.

2.Click a service. A list of attributes in the form of tabs displays.

3.Click Partitions.

4.Click Add Partitions. The Add Partitions modal window displays.

5.Click Add to add the devices displayed under Available Devices or click Close to close the Add Partitions modal window.

NOTE   Devices that are already associated with the service are not listed under Available Devices.

6.Click Next. The confirmation modal window displays.

7.Click Add Partitions to add the partitions to the service.

Once the CCC administrator clicks Add Partitions, a modal window with success message displays.

8.Click Initialize now to initialize the added partitions or No, close to close the modal window.

NOTE   The newly added uninitialized partitions are displayed in a separate grid, headed "Uninitialized Partitions", below the initialized partitions, with an "Initialize Partitions" option on the right side.

Initializing an added partition

You must initialize an added partition before you begin to use this partition. You can initialize an added partition as a CCC administrator or an application owner.

To initialize an added partition

1.Click Initialize now link displayed on success modal window while adding a new partition.

2.The Initialize New Partitions modal window displays a caution and the following three tabs:

Important

Define Partition

Initialize Role

NOTE   The Important tab displays a caution: initialize the new partitions with the same cloning domain and role credentials as the existing partitions, otherwise the existing partitions may be zeroized.

3.Click Next. The Define Partition tab displays, with the Partition Label field disabled.

4. Enter the Cloning Domain and confirm it.

5.Click Next. The Initialize Roles tab displays.

6.Enter the Crypto Officer Password and confirm it.

7.Select Initialize Crypto User checkbox to initialize Crypto User credentials.

Applicable to PPSO services (Password and PED authentication):

Initialize CU | Old partition       | Behavior                              | Result
Yes           | Already initialized | No change on old partition            | New: Initialized, Old: Initialized
Yes           | Not initialized     | Old partition will also be initialized | New: Initialized, Old: Initialized
No            | Already initialized | No change on old partition            | New: Uninitialized, Old: Initialized
No            | Not initialized     | No change on old partition            | New: Uninitialized, Old: Uninitialized

Applicable only to PPSO PED services:

Activate CU | Old partition     | Behavior                            | Result
Yes         | Already activated | No change on old partition          | New: Activated, Old: Activated
Yes         | Not activated     | Old partition will also be activated | New: Activated, Old: Activated
No          | Already activated | No change on old partition          | New: Not activated, Old: Activated
No          | Not activated     | No change on old partition          | New: Not activated, Old: Not activated

8.Click Initialize New Partitions. The Partitions successfully initialized modal displays.

9.Click Close to close the modal.

NOTE   
1. When an added partition is initialized, or an initialized partition is removed from a service, the status of the clients associated with the service changes to the error status icon, indicating that these clients must be re-registered to pick up the changes to the service.

2. After a partition is added and initialized, refer to To deploy a service to repair the clients so that they are authorized for the added partitions.

NOTE   The CCC Administrator can also initialize a partition by clicking "Initialize Partitions" option under Firmware column of Uninitialized Partitions section and follow steps 2-9 to initialize an added partition.

To Initialize New Partitions from the list of all provisioned services

1.Click on the Crypto Services tab, and select Services in the navigation frame to display a list of all currently provisioned services.

NOTE   Any provisioned service that has newly added partitions still in the uninitialized state shows an Initialize New Partitions link in the Initialization State column.

2.Click Initialize New Partitions link in the Initialization State column.

NOTE   The CCC Administrator can follow steps 2-9 of To initialize an added partition to initialize an added partition.

Removing a Partition from HA Group

As a CCC administrator, you can remove a partition from an HA group to free memory on the device or to reuse the partition elsewhere.

NOTE   Clone any required key material off the partition before removing it; once removed, its objects are no longer reachable through the service.

To remove a partition from HA group

1.Click Crypto Services tab, and select Services in the navigation frame to display a list of all added services.

2.Click a service. A list of attributes in the form of tabs displays.

3.Click Partitions.

4.Click the dropdown icon displayed in rightmost column and select Remove Partition. A confirmation dialog displays.

5.Click Yes remove partition in the dialog to remove the partition from an HA group or click No, cancel to close the dialog.

CAUTION!   Once a partition is removed, the action cannot be undone.

NOTE   Partition removal applies only to HA services; the CCC administrator cannot remove the partition of a single-HSM service. If you try to remove the last partition from an HA group, an error message displays.

Detaching or Deleting Services

You can detach a service if you no longer wish to manage it using CCC, or delete a service if it is no longer required:

>Detaching a service only removes it from CCC. It does not affect the associated partition(s) used to provide the service, or the objects they contain.

> Deleting a service removes it from CCC and deletes the partition(s) used to provide the service and any objects they contain. Services are normally deleted by the Application Owner.

To detach a service

1.Click on the Crypto Services tab, and select Services in the navigation frame.

2.After finding the service you want, click on the dropdown icon in the Remove column and select Detach service. A confirmation dialog is displayed.

To delete a service

**WARNING**   Deleting a service deletes the partition(s) used to provide the service and all objects in the partition(s).

1.Click on the Crypto Services tab, and select Services in the navigation frame.

2.After finding the service you want, click on the dropdown icon in the Remove column and select Delete service. A confirmation dialog is displayed.