High-Level Architecture
Central to CCC is the CCC server. The CCC server is a Linux workstation where the CCC web application is installed. The CCC web application includes an application container and service, which provides the administrative and application owner interfaces for managing and deploying HSM resources. In addition to the web application, CCC also requires the following components:
-
A Thales Luna Network HSM to serve as the root of trust, to authenticate communications between the CCC and managed HSM devices.
-
A PostgreSQL or Oracle database. The database can be installed either on the same server or on a different server used for hosting the CCC web application.
The following figure provides a high-level architectural view of CCC.
Server and Client Components
CCC is installed on a Linux workstation running CentOS or Red Hat Enterprise Linux. The Customer Release Notes list specify supported versions of these operating systems. CCC also includes a Java client, which is used to deploy a service created in CCC on a crypto application server.
| Terms | References |
|---|---|
| Devices | Devices are referred as Luna Network HSMs. |
| Services | Services are referred as one or more partitions in Luna Network HSMs. |
| Clients | Clients are referred as Application owners who are responsible for deploying the services. |
Web Server
The CCC web server consists of a Java-based web application. It uses the Java JDK and requires the Thales Luna Network HSM client software to communicate with the root-of-trust HSM.
Databases
The data managed by CCC is stored in a PostgreSQL or Oracle database. You can install the database on the CCC server, or on an external server.
Root-of-Trust HSM
All communications between CCC and the HSMs on any managed devices are authenticated using a Thales Luna Network HSM. You can use a password-authenticated or PED-authenticated Thales Luna Network HSM partition as the root of trust. You can use a FIPS-enabled HSM if FIPS compliance is required, or a non-FIPS-enabled HSM if you do not require FIPS compliance.
If the root-of-trust HSM is PED-authenticated, it must be activated (to allow password login) to work with CCC. You can activate (enable) or deactivate (disable) the root-of-trust HSM as required to control whether or not CCC has access to the HSMs on the managed devices to create and deploy services.
Activation of a PED-authenticated HSM to allow password authentication is not the same as activation of CCC. Activation of CCC enables the root-of-trust HSM, which allows CCC to create and deploy services.
Crypto Command Center Client
The Crypto Command Center client is run on a crypto application server to set up the NTLS or STC links from the application server's Thales Luna Network HSM client to the devices used to host the service. STC links are available for devices with a minimum software version of 6.2.1 and a minimum firmware version of 6.24.2. The Crypto Command Center client is available for download from CCC.
Users
CCC supports two distinct user roles: Administrators, and Application Owners.
Administrators
Administrators are responsible for creating organizations, adding user accounts, adding devices, and creating services on the managed devices. Administrators can also generate reports for the managed devices and services.
Application Owners
Application owners are responsible for deploying the services created in CCC for their organization. Application Owners own the services and are free to deploy them as they see fit. When the services are no longer required, the Application Owner can release the service, making the resources used to provide the service available to the Administrator to create new services.
The following table compares the capabilities of the CCC Admin and CCC Application Owner users:
| Feature | CCC Admin | CCC Application Owner |
|---|---|---|
| Service Creation | Yes | No |
| Service Initialization | Yes | Yes |
| Service Deployment | Yes | Yes |
| Key Material Visibility | Yes | Yes |
| Reporting | Yes | No |
| Service Monitoring | Yes | Yes |
| Device Monitoring | Yes | No |
| Alerting and Notifications | Yes | No |
| Licensing | Yes | No |
| Support Catalog | Yes | No |
| Software Center | Yes | Yes |
| Directory Support | Yes | No |
| Device Log Export | Yes | No |
| Account Management | Yes | No |
| Migrate Service | Yes | No |
Managed Devices
You can use CCC to manage Thales Luna Network HSM devices. CCC is able to manage any Thales Luna Network HSM device that is available over the network, including those located in the cloud. In order to manage a device, CCC must be able to log in to the device as the admin user. The admin credentials required to log in to the device are encrypted using an encryption key stored on the root-of-trust HSM, and stored in CCC.
STC is not available with Thales Luna Network HSM 7 (Firmware 7.7.0 and above).
CCC does not provide STC support with Thales Luna Network HSM 5/6 and Thales Luna Network HSM 7 (Firmware 7.4.0 and below).
Device Requirements
CCC can manage PED-authenticated and password-authenticated Thales Luna Network HSM devices. For CCC to manage a Thales Luna Network HSM device, the device must meet the minimum requirements.
