Release Notes
The release notes for Crypto Command Center (CCC) 3.8 provide details about new features and enhancements, advisory notes, compatibility information, upgrade instructions, and resolved and known issues.
New Features and Enhancements
CCC 3.8 includes a range of new capabilities, updates, and bug fixes, as described below.
Migrate Services
You can use the Migrate Services feature to transfer objects from Luna HSM 6.x devices to 7.x devices.
Support for Luna HSM 7.7.0 and 7.7.1 Devices
Support for Luna HSM 7.7.0 and 7.7.1 devices has been introduced in CCC 3.8.
Oracle 19C Support
You can now configure Oracle 19C with CCC. You can also configure SSL and TDE.
Advisory Notes
This section highlights important issues you should be aware of before deploying this release.
Server Monitoring
We recommend monitoring your CCC server with an external server monitoring system. CCC cannot notify users when a CCC instance is deactivated by a server outage or disconnection, so external monitoring is the only way to detect such an event promptly.
Thales Luna Network HSM 7.1 Monitoring HSM CPU Usage
The Thales Luna Network HSM 7.1 device firmware reports the HSM CPU usage value incorrectly: it always populates the HSM CPU usage monitoring histogram with 99.9%. CCC therefore cannot accurately evaluate the performance of these devices from this metric.
Support for 5.x Devices
CCC 3.8 does not support 5.x devices. If you are managing primarily 5.x devices, you may wish to defer this software upgrade. If you are managing a combination of 5.x and 6.x devices, upgrading to CCC 3.8 will require upgrading your 5.x devices first.
Thales Luna HSM 7.1 and Newer Device REST API
On Thales Luna Network HSM 7.1 and newer devices, the REST API package comes pre-installed on the device. The user is still responsible for configuring the REST API on the device. It is recommended to use the latest REST API versions for better stability, as listed below.
-
7.1.0 - 7.1.0-380
-
7.2.0 - 7.2.0-221
-
7.3.0 - 7.3.0-166
-
7.4.0 - 7.4.0-228
If STC is enabled, the webserver (REST API) of some Luna devices may need to be restarted.
ccc_client PED-Authenticated HSM Partition HA Group Service
If the user enters an incorrect challenge password when deploying a PED-authenticated HSM partition HA group service with ccc_client, the service will display as deployed but will not be operational. To deploy the service, relaunch ccc_client, select the service, and revoke access to that service. Then, deploy the service, as described in the CCC User Guide.
Database Security
CCC supports tablespace encryption enabled through transparent data encryption (TDE) on an Oracle database. CCC does not currently support full disk encryption for a PostgreSQL database. As a result, the integrity and confidentiality of the database server are the responsibility of the user. We recommend placing your database server in a network segment that is protected by firewalls and restricting network access to it. Customers are responsible for ensuring compliance with their organization's security policies.
Freemium License
The CCC Freemium virtual image is not available with CCC 3.8. However, the Freemium license file is still supported with CCC 3.8 premium build. The Freemium license is available as part of the CCC software package.
The CCC Administrator user can now use the Update License button to replace the Freemium license file with the premium license when the product evaluation is completed.
Mixed High Availability Device Partition Groups
7.x devices do not support mixed high availability (HA) device partition groups. You cannot create an HA partition group consisting of both 6.x and 7.x devices. HA partition groups can only consist of 6.x or 7.x device partitions.
Oracle Java JDK 8 Requirements
Oracle Java JDK 8 releases earlier than 8u161 ship with a restricted cryptographic policy and do not include an unlimited-strength security policy file. If you are using such a release, you must download and install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8 from oracle.com. The download contains three files: a README and two jar files. To install the JCE Unlimited Strength Jurisdiction Policy, follow the README.TXT file provided in the zip package.
Java 1.8.0-144 JDK Memory Leak
The Java 1.8.0-144 JDK is not supported by CCC because it has a known memory leak. Upgrade to the latest Java 1.8.0 release. For more information about the Java 1.8.0-144 JDK memory leak, see Java JDK issue 8164293.
Limitations of Luna Appliance Software 7.3.3 and 7.3.4
If you are using a Luna Network HSM device having Luna appliance software version 7.3.3 or 7.3.4, you will not be able to use certain features of CCC.
STC Support Not Available
CCC no longer supports STC with Luna Network HSM. The option to create a partition using STC is not available with Luna Network HSM 7 (firmware 7.7.0 and above).
Compatibility Information
For information about the supported hardware, software, and managed devices, consult the CCC User Guide.
Feature Matrix for CCC 3.8
This section outlines the minimum requirements to support major features and functionalities of CCC.
CCC Feature | Requires Monitoring License | Minimum SA Version | Minimum SA Firmware | Lunaclient |
---|---|---|---|---|
Service Provisioning | No | 6.x | 6.10.9 | 7.x |
Security Officer Per Partition (PPSO) | No | 6.x | 6.10.9 | 7.x |
Device & Service Reports | No | 6.x | | 7.x |
Import Services | No | 6.x | | 7.x |
Device Monitoring, Dashboard & Notifications | Yes | 6.x | 6.10.9 | 7.x |
Device Monitoring (Full) | Yes | 6.x | 6.20.0 | 7.x |
Service Monitoring | Yes | 7.3 | 7.3.0 | 7.x |
Device Logs | Yes | 6.x | | 7.x |
Key Material Visibility | No | 6.x | 6.10.9 | 7.1 |
External Directory Server over LDAP | No | NA | NA | |
Apply SW Package | No | 7.3 | NA | 7.x |
Update Firmware | No | 7.3 | NA | 7.x |
Migrate Service | No | 6.2.2 | 6.24.3 | 7.2 and above |
Upgrade Instructions
You can upgrade to CCC 3.8 from the following CCC versions:
-
CCC 3.7.1
-
CCC 3.7
-
CCC 3.6.2
-
CCC 3.6.1
-
CCC 3.6
You must perform some configuration after upgrade to ensure access for existing managed devices and application owners.
Backing up Existing CCC Version
The steps available here are for a PostgreSQL database. To back up an Oracle database, refer to the Oracle documentation which is available at the official Oracle website.
Take a full backup of all CCC files before you begin. Enter the following commands to back up the existing Thales Crypto Command Center database:
su - postgres
pg_dump -f CCC_old_db_backup lunadirectordb
The database is backed up to the following file: /var/lib/pgsql/CCC_old_db_backup
Upgrading CCC from the Existing Version
-
Go to the CCC installation directory: cd /usr/safenet/ccc
-
Launch the uninstall.sh script and respond to the prompts. Answer y to the first prompt, n to the firewall prompt (its default is y, so answer it explicitly), and n to the database tables prompt, so that the firewall port stays open and the database tables are retained.
sh uninstall.sh
Do you really want to uninstall Crypto Command Center Server? [n]
Do you want to close the port used by CCC in the firewall? [y]
Do you want to drop database tables? [n]
Do you want to remove all files in the support catalogue? [n]
If you answer y to the last prompt, all files in the support catalogue are deleted.
-
Install and configure CCC 3.8, using the steps mentioned in the CCC User Guide.
-
Upload a license to CCC 3.8:
a. The License Upload Modal appears on your screen.
b. Click the Upload License button. The Upload License dialog displays.
c. Click the Upload button and select the new license from your filesystem.
d. Click the Continue or Update button.
-
Distribute CCC clients:
a. From the Administration page, navigate to the Software Center to download an updated CCC client.
b. Install this client on any application servers that access CCC.
Managing Device Upgrade from 5.x to 6.x
You may wish to upgrade your managed devices from version 5.x to 6.x or higher to obtain the benefits of 6.x features such as PPSO. If you choose to upgrade your managed devices to 6.x, there is some additional configuration necessary to integrate with CCC 3.8.
Upgrading to 6.x may result in the loss of configured service templates, users, HA groups, and partitions on the HSM.
To upgrade managed devices from 5.x to 6.x:
-
Inform any application users connecting to the devices that their services will be unavailable during the upgrade. Perform the upgrade during a scheduled maintenance window where possible.
-
Upgrade the Thales Luna Network HSM software as detailed in Thales Luna Network HSM documentation.
-
Set up REST API.
a. As an appliance user with the Admin or Operator role, obtain and transfer the REST API secure package to the device via SCP/PSCP. Log in to the HSM using Security Officer credentials, and install the package. See the Thales Luna Network HSM REST API documentation for details.
b. Bind the REST API web service to a network interface on the appliance. Valid values are all, eth0, eth1, or bond0; for example: lunash:>webserver bind -netdevice eth0
c. Enable the web service: lunash:>webserver enable
d. Generate a REST API service certificate and restart the service. We recommend an RSA certificate type: lunash:>webserver certificate generate -keytype rsa -restart
-
In CCC, navigate to the Devices list and select the recently upgraded device.
-
Click the Configuration tab and click Edit.
-
In the Appliance Version section, select 6.x. The LunaSH Admin Credentials section changes to REST API Credentials, and Host Key changes to Certificate.
-
Adjust the Host Address and Port Number as required. Save your changes.
-
Under the Certificate section, click Verify to view the device certificate.
-
Review the certificate, check the box indicating that you have reviewed and trust the certificate, and then click Accept.
-
Update the version of the Thales Luna HSM Client on any crypto application servers that access the device services. The device is now ready to process incoming cryptographic requests from application users.
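The Accept step above is a trust-on-first-use decision: once accepted, the REST API certificate is what CCC uses to identify the appliance, and an attacker who can interpose on the path to the device would present their own certificate at exactly this moment. The script below is an added example, not Thales tooling: it fetches the certificate the device actually presents with openssl s_client, prints its SHA-256 fingerprint, and compares it with a reference fingerprint obtained out of band (for example, read from the appliance console by the administrator who ran webserver certificate generate). Compare that same fingerprint with what CCC displays before ticking the box. The REST API port 8443 and the "check" argument guard are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Thales tooling): pin-check the Luna REST API certificate
# before accepting it in CCC. Port 8443 is an assumption; use the port the
# appliance's webserver is actually configured on.

# Fetch the leaf certificate presented on host:port and write it as PEM.
fetch_rest_api_cert() {
    host="$1"; port="${2:-8443}"; out="$3"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$out" 2>/dev/null || return 1
    [ -s "$out" ]
}

# SHA-256 fingerprint of a PEM certificate, as colon-separated upper-case hex.
pem_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Normalise a fingerprint copied from a console: drop colons and spaces, upper-case it.
normalise_fp() {
    printf '%s' "$1" | tr -d ': ' | tr '[:lower:]' '[:upper:]'
}

# Return 0 only if both fingerprints are non-empty and equal after normalisation.
fingerprint_matches() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$(normalise_fp "$1")" = "$(normalise_fp "$2")" ]
}

# Usage: check_device_cert <host> <expected-sha256-fingerprint> [port]
# Prints subject and expiry for review, then fails loudly on a mismatch.
check_device_cert() {
    host="$1"; expected="$2"; port="${3:-8443}"
    tmp=$(mktemp) || return 1
    if ! fetch_rest_api_cert "$host" "$port" "$tmp"; then
        echo "could not fetch certificate from $host:$port" >&2
        rm -f "$tmp"; return 1
    fi
    actual=$(pem_fingerprint "$tmp")
    openssl x509 -in "$tmp" -noout -subject -enddate >&2
    rm -f "$tmp"
    if fingerprint_matches "$expected" "$actual"; then
        echo "fingerprint matches: $actual"
    else
        echo "MISMATCH: device presented $actual, expected $expected" >&2
        return 1
    fi
}

# Only contact the device when invoked as: sh check_luna_cert.sh check <host> <fp> [port]
if [ "${1:-}" = "check" ]; then
    shift
    check_device_cert "$@"
fi
```

Run it from the CCC server itself, so the certificate is fetched over the same network path CCC will use; a match from an administrator workstation proves nothing about what CCC sees.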
Resolved and Known Issues
This section lists the resolved and known issues in the product at the time of release. Workarounds are provided where available. The following table defines the severity of the issues that are listed.
Priority | Classification | Definition |
---|---|---|
C | Critical | No reasonable workaround exists. |
H | High | Reasonable workaround exists. |
M | Medium | Medium level priority problems. |
L | Low | Lowest level priority problems. |
Resolved Issues
Issue | Severity | Synopsis |
---|---|---|
CCC-12638 | M | Sometimes, due to network latency, ccc_client.jar fails to authorize services on Windows machines. |
CCC-13742 | M | Key export fails when non-identical name and label are used by an HA service that is authorized through CCC client. |
Known Issues
Issue | Severity | Synopsis |
---|---|---|
CCC-8303 | M | Problem: If you login with a newly created user, and stay on the "change password" screen for five minutes with no activity, and then attempt a password change, you are redirected to a blank page. Workaround: This behavior indicates a timeout. You can reattempt login by clicking the back button or by re-entering the Thales Crypto Command Center address into the URL bar in the browser. |
CCC-8319 | M | Problem: If you add a 6.x device, and then use LunaSH to alter the admin password and the REST API certificate, you cannot update either the admin password or the REST API certificate on Thales Crypto Command Center. If you add a 5.x device, and then use LunaSH to alter the admin password and the SSH host key, you cannot update either the admin password or the SSH host key on Thales Crypto Command Center. Workaround: Update Thales Crypto Command Center immediately after updating the admin password, SSH host key, or REST API certificate on the appliance. Do not perform any other configuration until Thales Crypto Command Center is updated. If you accidentally change both the device password and the device identity (SSH host key or REST API certificate) without updating Thales Crypto Command Center, use LunaSH to change the admin password back to the previous value. In Thales Crypto Command Center, verify the SSH key or REST API certificate. Then return to the device and change the admin password to the new desired password. Update the admin password in Thales Crypto Command Center. |
CCC-8678 | L | Problem: It is possible to create a service whose partition size is too small to store an STC client identity. If you attempt to authorize STC access to such a service through ccc_client, the operation fails. Each STC client registration uses 2332 bytes of storage on the partition. Workaround: If you intend to use STC with a new service, set the partition size to at least 5000 bytes to accommodate an STC client registration and still leave space for keys used in cryptographic operation. Consider partition storage needs when creating new service templates. |
CCC-8819 | M | Problem: If you create and deploy a service, change its organization, and then attempt to revoke access to the service, the full deregistration might not complete. For example, the revoke might not complete, the client entry might still be displayed in the service details tab, or the client might still be registered on the managed device partition(s). Workaround: If you attempted a revocation which did not complete, detach the service, re-import it, complete the normal application owner setup, and then revoke again. If you want to change a service's organization, first revoke client access, then change the organization, then deploy the service again. This ensures that future attempts to revoke access to the service will succeed. |
CCC-9208 | M | Problem: Monitoring data does not update automatically in the General and Capabilities tabs on the Device page. Monitoring information is retrieved and stored by the device, but is not generated automatically in the Thales Crypto Command Center graphic user interface on the General tab and the Capabilities tab. Workaround: Click Refresh in the Capabilities tab to generate up-to-date monitoring data. |
CCC-10174 | L | Problem: When sorting a Service Report, at times the Sort drop down menu loses its interface layer priority, appearing behind the entries in the Services List. Workaround: Minimize and expand the row where the issue is occurring. |
CCC-11976 | M | Problem: An STC partition cannot be created through CCC. Workaround: Use LunaCM if an STC partition is required. |
CCC-12639 | M | Problem: If the ccc_client.jar is run without trusting the server certificate, it throws an exception when Option 4 (exit) is directly selected after the run. Workaround: Always trust the server certificate when the ccc_client.jar is run. |
CCC-13073 | L | Problem: The status of an imported user does not change in CCC even when its state is changed in the external directory server. Workaround: Manually delete the user and then import it again. |
CCC-13259 | M | Problem: If the NFS server goes down in a CCC High Availability setup, NFS clients sometimes become unresponsive. Workaround: Re-run the enableNFSSharing.sh script on the client side to re-establish the NFS connection. |
CCC-13260 | M | Problem: When a new NFS client is added to an existing High Availability CCC setup, the permissions on the shared folders of existing NFS clients sometimes change unexpectedly. Workaround: Restore ownership of the shared folders /usr/safenet/ccc/packages and /usr/safenet/ccc/lunalogs to lunadirector. |
CCC-13948 | M | Problem: While migrating a large number of keys, the status bar displays a "null" message if object synchronization takes a long time. Workaround: No action is needed. The message appears when a large number of keys are being migrated, and the migration completes despite it. |
CCC-13980 | M | Problem: The Migrate Service button appears enabled for a moment when the partition limit is reached. Workaround: Even if you are able to click this button, the Migrate Service operation cannot be performed after the partition limit is reached. |
CCC-14306 | M | Problem: Unable to upgrade a device to firmware version 7.7.0 or 7.7.1 from CCC. Workaround: Use LunaSH to upgrade your device to firmware version 7.7.0 or 7.7.1. For details, refer to the Luna HSM documentation. |
CCC-14336 | M | Problem: The Support Catalog does not work on a Luna Network HSM with appliance software 7.4 and above. Workaround: Upgrade the appliance software manually through LunaSH. |
Supported Versions of CCC
The list of supported CCC versions can be found at Thales Customer Support Portal. As a user, you are advised to upgrade to the latest CCC version.
Contacting Thales Customer Support
If you encounter a problem while installing, registering, or operating this product, refer to the documentation before contacting support. If you cannot resolve the issue, contact your supplier or Thales Customer Support. Thales Customer Support operates 24 hours a day, 7 days a week. Your level of access to this service is governed by the support plan arrangements made between Thales and your organization. Please consult this support plan for further information about your entitlements, including the hours when telephone support is available to you.
Customer Support Portal
The customer support portal, at https://supportportal.thalesgroup.com, is where you can find solutions for most common problems. The Customer Support Portal is a comprehensive, fully searchable database of support resources, including software and firmware downloads, release notes listing known problems and workarounds, a knowledge base, FAQs, product documentation, technical notes, and more. You can also use the portal to create and manage support cases.
You require an account to access the Customer Support Portal. To create a new account, go to the portal and click on the REGISTER link.
Telephone Support
If you have an urgent problem, or cannot access the Customer Support Portal, you can contact Thales Customer Support by telephone at +1 410-931-7520. Additional local telephone support numbers are listed on the support portal.
Email Support
You can also contact technical support by email at technical.support@thalesgroup.com.