Authentication Model
The user, device, and service management functionality provided by CCC requires it to store the following information:
- The user passwords for the CCC users. This information is used to control access to CCC. These passwords are hashed and stored in the database, and are not extracted from that location.
  CCC stores passwords for local users only. CCC does not store passwords for the users imported from a Directory.
- The Admin password for the managed devices. This information is used to allow CCC to log in to a managed device using REST API. The Admin password is encrypted using an encryption key stored in the root-of-trust HSM, before being stored in the database. When it is required to log in to a device, the password is extracted from the database and decrypted using the encryption key stored in the root-of-trust HSM.
In addition, all communications between CCC and the device HSMs are authenticated using a key pair stored on the root-of-trust HSM. The key pair is created when you first activate CCC. The public key is copied to the device HSM when you authorize a device. The private key is used to sign messages sent to the HSM. The public key is used to verify the messages received by the HSM. The authentication model is illustrated below:
Password Management
CCC manages the following three types of passwords:
User passwords | User passwords (along with the user name) provide access to CCC, either as an Administrator or as an Application Owner. These passwords are used only by CCC, and do not need to be extracted from the database to be passed to another application. Because they are not extracted, these passwords are simply hashed and stored in the database to be compared with the password entered by the user. CCC stores passwords for local users only. CCC does not store passwords for the users imported from a Directory. |
Device passwords | Each managed device uses two passwords. When you add a device, you supply the device administrator password, which is used by CCC to log in to the Thales Luna Network HSM appliance. The device administrator password is encrypted (using a key stored in the root-of-trust HSM) and stored in the database. When you authorize a device, you supply the HSM SO (Admin) password, which is used to authorize CCC to log in to the device as the HSM SO, using the root-of-trust HSM credentials. The HSM SO password is not stored in the database. |
Root of trust partition password | While performing CCC activation, if you check the Remember credentials checkbox, the label and password of the root of trust partition are cached in the JVM context. The password is cached only after it has been encrypted with the AES-GCM algorithm; the value entered by the user is not held in the clear. When the user deactivates a root of trust partition that was activated with the Remember credentials checkbox checked, the label and password of the root of trust partition are unbound from the JVM context. When the CCC service shuts down, the cached root of trust label and password are erased. |
Modes of Operation
CCC provides the following two modes of operation:
Deactivated | In this mode, root-of-trust authentication is disabled, and CCC operates in read-only mode. CCC Administrator users cannot view users, organizations, devices or services. CCC Application Owner users can view the services created for their organization and download the CCC Client, but they cannot use the CCC Client to deploy the services. |
Activated | In this mode, root-of-trust authentication is enabled, and all of the functions provided by CCC and the CCC Client are available. |
You can activate and deactivate CCC as required. For enhanced security, you can choose to activate CCC only during specified HSM maintenance windows.
Root-of-Trust Authentication
All communications between CCC and the device HSMs are secured by the root-of-trust HSM. When you first activate CCC, a public/private key pair is generated on the root-of-trust HSM. When you authorize a device, the public key is copied from the root-of-trust HSM to the device HSM. This enables CCC to log in to the device as the HSM SO, using the root-of-trust HSM credentials. Thereafter, any message sent from CCC to the device HSM is authenticated by signing the message with the private key on the root-of-trust HSM, and then verifying the message with the public key when it is received by the device HSM.
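The sequence described above and in the Authentication Model section (key pair generated at first activation, public key copied to the device on authorization, every subsequent message signed with the private key and verified by the device) is shown end to end in the following added example. This is illustration code written for this page, not CCC's or the Luna HSM's implementation; it assumes Ed25519 as the signature scheme and keeps the private key in process memory so that it runs offline, whereas in the described model the private key never leaves the root-of-trust HSM. Names and messages are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// RootOfTrustSigner holds the key pair generated when CCC is first activated.
// Keeping the private key in memory is an assumption for the offline example;
// in the real model it never leaves the root-of-trust HSM.
type RootOfTrustSigner struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

// Activate models first activation: the key pair is generated on the root of trust.
func Activate() (*RootOfTrustSigner, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &RootOfTrustSigner{priv: priv, pub: pub}, nil
}

// DeviceHSM models a managed device HSM. AuthorizedKey stays empty until the
// device is authorized, i.e. until the public key has been copied to it.
type DeviceHSM struct {
	Name          string
	AuthorizedKey ed25519.PublicKey
}

// Authorize copies only the public key to the device; the private key is not shared.
func (r *RootOfTrustSigner) Authorize(dev *DeviceHSM) {
	dev.AuthorizedKey = append(ed25519.PublicKey(nil), r.pub...)
}

// SignedMessage is one command sent from CCC to a device HSM.
type SignedMessage struct {
	Payload   []byte
	Signature []byte
}

// Sign produces the signature on the root of trust.
func (r *RootOfTrustSigner) Sign(payload []byte) SignedMessage {
	return SignedMessage{Payload: payload, Signature: ed25519.Sign(r.priv, payload)}
}

// Receive is the device side: a message is acted on only if it verifies under
// the authorized public key. Unauthorized devices, altered payloads and
// messages signed by some other key are all rejected before any command runs.
func (d *DeviceHSM) Receive(m SignedMessage) error {
	if len(d.AuthorizedKey) != ed25519.PublicKeySize {
		return fmt.Errorf("%s: device not authorized, no root-of-trust public key", d.Name)
	}
	if !ed25519.Verify(d.AuthorizedKey, m.Payload, m.Signature) {
		return errors.New(d.Name + ": signature verification failed")
	}
	return nil
}

func main() {
	rot, err := Activate()
	if err != nil {
		panic(err)
	}
	dev := &DeviceHSM{Name: "hsm-01"}
	msg := rot.Sign([]byte("login as HSM SO"))
	fmt.Println("before authorize:", dev.Receive(msg))
	rot.Authorize(dev)
	fmt.Println("after authorize:", dev.Receive(msg))
}
```

Two properties of the model fall out of the code: a device that has not been authorized holds no public key and therefore cannot be driven by CCC at all, and a message whose payload is changed in transit, or that was signed by a key other than the one copied during authorization, fails verification on the device rather than being executed.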