Device Management
This section describes how to perform device management tasks. To add, view, edit, or manage a device, click on the Devices tab from the menu bar at the top and then click on the Devices button from the navigation panel on the left. You can sort the device list by column, or use the search function to find a specific device. When you click on a device, its attributes are displayed towards the bottom of the page:
| Parameter | Description |
|---|---|
| General | Displays the appliance version, device address and port. You can update this information as required to re-establish a connection to the device if its software version, address or credentials are changed outside of CCC. |
| Connection | Displays the appliance version, device address and port. You can update this information as required to re-establish a connection to the device if its software version, address or credentials are changed outside of CCC. CCC connects to devices using the REST API on port 8443 (default). You must install and configure the REST API on 6.x and 7.0 devices. On 7.1 software the REST API is installed with the software but still requires configuration. |
| Device Pool | Displays the device pool that the device belongs to, if any. You can add the device to a device pool, or change its existing device pool. A device can belong to only one device pool. |
| Authorization | Displays the authorization status of the device. You must add a device before you can authorize it. When you authorize a device, you provide the HSM SO credentials for the device; CCC uses them to log in to the device as the HSM SO and provision services on it. You must reauthorize the device whenever its HSM SO credentials are changed. To change the HSM SO credentials of a device that is added to a CCC instance, you must follow these steps: for managing 7.7.0 and 7.7.1 Luna HSM devices with CCC, the Root of Trust (ROT) HSM must be running firmware 7.7.0 or above, and while activating the CCC ROT you must select the checkbox "This device is running firmware 7.7 and above". If you are updating the HSM SO credentials of multiple devices, perform these steps separately for each device. You can use an FM-enabled ROT to manage only FM-enabled Luna SA devices. |
| Capabilities | Displays the device capabilities. You can query the device to refresh the capabilities stored in the device attributes if they have changed since the device was added to CCC, for example after a capability update file (CUF) has been applied. Thales Luna Network HSM 7.x devices require PPSO partitions; PPSO is enabled by default on these devices. |
| Services | Displays the services provisioned on the device. |
| Rebooting | Enables you to reboot the device if required. |
Adding Devices
To add a device:
- Click on the Devices tab, and select Devices in the navigation frame.
- Click the Add Device button. The Add Device wizard is displayed.
- Complete the wizard as follows. You can click Cancel at any time to exit the wizard without saving your changes:

| Wizard page | Description |
|---|---|
| General | Enter a name and optional description for the device. This information is used to identify the device in CCC. You can enter any strings you like. |
| Set Connection | CCC connects to devices using the REST API on port 8443 (default). You must install and configure the REST API on 6.x and 7.0 devices. The REST API is bundled with 7.1 and later software and requires only configuration. If you add a device using a hostname, CCC does not check whether the same device has already been added using its IP address. As a result, you can add the same device twice: once using its hostname, and once using its IP address. To avoid this, we recommend that you consistently use either hostnames or IP addresses when adding devices. |
| Verify Connection | Review the device certificate and check the "I have reviewed and trust this host key" or "I have reviewed and trust this certificate" checkbox to accept it. If the host key or certificate is not as expected, investigate and correct the problem before accepting. |
| Select Device Pool | Select a device pool for the device, if desired. |
| Summary | Displays a summary of the information you entered for the device. If the information is not correct, click Go Back and update it as required. Otherwise, click Finish to add the device. If successful, a success message is displayed, the device is added, and you are prompted to authorize it. Otherwise, an error is displayed, and you can click Go Back to update the device information and resolve the issue. If you want to authorize the device now, click Authorize now. You are prompted for the HSM SO password or remote PED address, as relevant. |
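The Set Connection page above warns that CCC does not detect a device registered once by hostname and once by IP address. The following is an added example, not part of the CCC product or its documentation: it takes an exported list of Host Address values, resolves hostnames to addresses, and reports entries that reach the same ip:port, plus entries whose hostname no longer resolves. The device names, hostnames, addresses and the offline name table are all constructed for the example.

```python
import ipaddress
import socket
from collections import defaultdict
from typing import Callable, Dict, List, Optional

# Constructed sample of Host Address values from a CCC device list (hypothetical
# names, RFC 5737 documentation addresses), plus a fixed name table so the check
# runs offline. Pass socket.gethostbyname as the resolver to use real DNS.
SAMPLE_DEVICES = [
    {"name": "hsm-east-1", "host": "hsm-east-1.example.internal", "port": 8443},
    {"name": "hsm-east-1-by-ip", "host": "192.0.2.10", "port": 8443},
    {"name": "hsm-west-1", "host": "hsm-west-1.example.internal", "port": 8443},
    {"name": "hsm-retired", "host": "retired-hsm.example.internal", "port": 8443},
]
SAMPLE_DNS = {
    "hsm-east-1.example.internal": "192.0.2.10",
    "hsm-west-1.example.internal": "192.0.2.11",
}

def table_resolver(table: Dict[str, str]) -> Callable[[str], str]:
    """Resolver that answers only from a fixed table (offline stand-in for DNS)."""
    def resolve(host: str) -> str:
        if host not in table:
            raise socket.gaierror(f"{host}: name not known")
        return table[host]
    return resolve

def canonical_address(host: str, resolve: Callable[[str], str]) -> Optional[str]:
    """IP address a Host Address reaches, or None if it is not an IP and does not resolve."""
    try:
        return str(ipaddress.ip_address(host))  # already an IP literal: use as-is
    except ValueError:
        pass
    try:
        return resolve(host)
    except OSError:  # socket.gaierror is an OSError
        return None

def find_duplicate_devices(devices, resolve=socket.gethostbyname) -> Dict[str, List[str]]:
    """Group device names by the ip:port they actually reach; keep groups with >1 device."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for dev in devices:
        ip = canonical_address(dev["host"], resolve)
        if ip is not None:
            groups[f"{ip}:{dev['port']}"].append(dev["name"])
    return {key: names for key, names in groups.items() if len(names) > 1}

def unresolvable_devices(devices, resolve=socket.gethostbyname) -> List[str]:
    """Devices whose Host Address no longer resolves: likely connection-loss candidates."""
    return [d["name"] for d in devices if canonical_address(d["host"], resolve) is None]
```

Run it against a real export with `find_duplicate_devices(devices)` so the default resolver queries DNS; a reported group means the same appliance is registered twice and one entry should be removed.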
After you add a device, you can view its capabilities, but you cannot create services on the device until it has been authorized. To authorize a device, you must supply the HSM SO credentials for the device. You can authorize a device when you add it, or you can authorize it at a later time.
The CCC administrator can add a Luna HSM 7.7.0, Luna HSM 7.7.1 or Luna HSM 7.4 device with FM capability enabled or disabled. If the FM capability is enabled on a device, no services can be created on it, but device monitoring is supported.
The CCC administrator can add a Luna HSM 7.7.0 (non-FM) device, a Luna HSM 7.7.1 (non-FM) device, or a Luna HSM 7.4 device with FM capability enabled or disabled. If the FM capability is enabled on a device, no services can be created on it, but device monitoring is supported.
Luna SA 5.x devices cannot be added to CCC.
Displaying FM Status of a Device
To display whether a device is FM enabled or disabled, click Devices in the main navigation and select the device in the Devices list.
To display FM status:
- Click on the Devices tab, and select Devices in the navigation frame.
- Click on a device from the list of devices.
- Select the Capabilities tab. The "Functional Module (FM)" field shows one of three values:
  - Enabled
  - Disabled
  - Not Supported
- The "Not Supported" value appears only for devices that are not FM capable, that is, devices prior to Luna SA 7.4, on which the Functional Module (FM) is not supported.
Managing Device Upgrade
To upgrade managed devices:
- Inform any application users connecting to the devices that their services will be unavailable during the upgrade. Consider performing the upgrade during a scheduled maintenance window.
- Upgrade the Luna Network HSM software as detailed in the Luna HSM documentation.
- Set up the REST API:
  a. As an appliance user with the Admin or Operator role, obtain the REST API secure package and transfer it to the device via SCP/PSCP. Log in to the HSM using Security Officer credentials and install the package. See the Thales Luna Network HSM REST API documentation for details.
  b. Bind the REST API web service to a network interface on the HSM. Valid values for the interface are all, eth0, eth1, or bond0:

```
lunash:>webserver bind -netdevice <interface>
```

  c. Enable the web service:

```
lunash:>webserver enable
```

  d. Generate a REST API service certificate and restart the service. We recommend an RSA certificate type:

```
lunash:>webserver certificate generate -keytype rsa -restart
```

- In CCC, navigate to the Devices list and select the recently upgraded device.
- Click the Configuration tab and click Edit.
- In the Appliance Version section, select the appropriate version. The LunaSH Admin Credentials section changes to REST API Credentials, and Host Key changes to Certificate.
- Adjust the Host Address and Port Number as required. Save your changes.
- Under the Certificate section, click Verify to view the device certificate.
- Review the certificate, check the box indicating that you have reviewed and trust the certificate, and then click Accept.
- Update the version of the Thales Luna HSM Client on any crypto application servers that access the devices' services. The device is now ready to process incoming cryptographic requests from application users.
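Both the Verify Connection wizard page and the certificate review step of the upgrade procedure ask you to confirm that the certificate on port 8443 is the one the appliance actually generated before trusting it. The following is an added example, not CCC or Luna code: it fetches the leaf certificate the REST API web service presents and compares its SHA-256 fingerprint against a reference value obtained out of band (for instance from the appliance administrator who ran the generate command). The digest algorithm, the helper names and the sample bytes are assumptions for the example.

```python
import hashlib
import hmac
import socket
import ssl

REST_API_PORT = 8443  # CCC's default REST API port

def sha256_fingerprint(der_cert: bytes) -> str:
    """Colon-separated, upper-case SHA-256 fingerprint of a DER-encoded certificate."""
    hexdigest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def normalize_fingerprint(fp: str) -> str:
    """Strip separators and case so 'AB:CD', 'ab cd' and 'abcd' compare equal."""
    return "".join(ch for ch in fp.upper() if ch in "0123456789ABCDEF")

def fingerprint_matches(der_cert: bytes, expected: str) -> bool:
    """True only when the certificate's fingerprint equals the out-of-band reference."""
    actual = normalize_fingerprint(sha256_fingerprint(der_cert))
    return hmac.compare_digest(actual, normalize_fingerprint(expected))

def fetch_rest_api_certificate(host: str, port: int = REST_API_PORT) -> bytes:
    """Retrieve the leaf certificate the device's REST API web service presents.

    Chain validation is off here on purpose: the appliance-generated certificate has
    no CA behind it, so trust is decided by fingerprint_matches instead. No request is
    sent on this session; it is closed right after the handshake.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def verify_device(host: str, expected_fingerprint: str, port: int = REST_API_PORT) -> bool:
    """Live check: fetch the certificate on port 8443 and compare it with the reference."""
    return fingerprint_matches(fetch_rest_api_certificate(host, port), expected_fingerprint)

# Constructed stand-in for DER bytes, used only for the offline self-check; a real run
# passes the bytes returned by fetch_rest_api_certificate.
SAMPLE_DER = b"constructed stand-in, not a real certificate"
SAMPLE_REFERENCE = sha256_fingerprint(SAMPLE_DER)  # what the appliance admin would supply
```

If `verify_device` returns False, do not tick the trust checkbox; treat it as the "not as expected" case the procedure tells you to investigate.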
Deleting Devices
You can delete a device from CCC only if it is not currently providing any services. To delete a device:
- Click on the Devices tab, and select Devices in the navigation frame.
- After finding the device you want, click on the trash can icon in the Delete column. A confirmation dialog is displayed.
Device Pools
You can place your devices into device pools, if desired, to help manage your devices. Placing a device into a device pool has no effect on which users or organizations can use the device. You can add a device to one device pool only.
To add, view, edit, or manage a device pool, click on the Devices tab, and select Device Pools in the navigation frame. All existing device pools are listed. You can sort the list of device pools by column, or use the search function to find a specific device pool. Click on the trash can icon button in the Delete column to delete the device pool (with confirmation).
When you click on a device pool, its attributes are displayed at the bottom of the page. The device pool attributes are arranged by tab, as follows:

| Tab | Description |
|---|---|
| General | Displays the device pool name and description. You can edit this information. |
| Devices | Displays the devices in the device pool. |
Adding Device Pools
You can create as many device pools as you like, and a device pool can contain an unlimited number of devices. To add a device pool:
- Click on the Devices tab, and select Device Pools in the navigation frame.
- Click the Add Device Pool button. The Create Device Pool dialog is displayed.
- Complete the wizard as follows. You can click Cancel at any time to exit the wizard without saving your changes:

| Wizard page | Description |
|---|---|
| General | Enter a name and optional description for the device pool. You can enter any strings you like. |
| Add Devices | You can add devices to the device pool if desired. All devices that are not currently members of a device pool are listed in the Available Devices list. You can sort this list by column, or use the search function to find a specific device. To add a device to the device pool, select it in the Available Devices list and click Add. To remove a device from the device pool, select it in the Selected Devices list and click Remove. |
| Summary | Displays a summary of the information you entered for the device pool. If the information is not correct, click Go Back and update it as required. Otherwise, click Create to create the device pool. |
Viewing or Editing Device Pool Attributes
You can sort the device pool list by column heading, or use the search function to find a device pool. To view or edit the attributes of a device pool:
- Click on the Devices tab, and select Device Pools in the navigation frame.
- After finding the device pool you want, click on it to display its attributes at the bottom of the page.
- Use the following tabs to view or edit the device pool attributes:

| Tab | Description |
|---|---|
| General | Contains the device pool name and an optional description. Click Edit to change the information. Click Save when done, or Cancel to discard the changes and exit edit mode. |
| Devices | Lists the devices in the device pool. Click the Jump to icon to view detailed information for a device. Click Edit to update the device pool: all devices that are not currently members of a device pool are listed in the Available Devices list, and the devices in this device pool are listed in the Selected Devices list. You can sort either list by column, or use the search function to find a specific device. To add a device to the device pool, select it in the Available Devices list and click Add>>. To remove a device from the device pool, select it in the Selected Devices list and click << Remove. Click Save when you are done, or click Cancel to discard the changes; either action exits edit mode. |
Deleting Device Pools
You can delete a device pool at any time. If the device pool contains devices, they are no longer associated with the device pool and become Available Devices. To delete a device pool:
- Click on the Devices tab, and select Device Pools in the navigation frame.
- After finding the device pool you want, click on the trash can icon in the Delete column. A confirmation dialog is displayed.
Troubleshooting Device Connection
CCC can lose its connection to a device for multiple reasons. The Device Status column in the Devices List signifies the severity of the issue.
Device connection lost but device visible
If CCC has lost its connection to a device, but the device is still visible in the Devices List, the HSM's configuration has been altered and you must verify the credentials and certificate shared between the device and CCC.
To reconnect a device visible in the CCC Devices List:
- Click on the Devices tab, and select Devices in the navigation frame.
- Select the malfunctioning device to display its attributes.
- Verify that the administrator credentials associated with the device are correct.
- Click Verify to confirm that the device certificate matches the certificate stored by CCC. If the device is not Authorized, click Authorize Device. You will be prompted for the HSM SO password.
Device Connection lost and device not visible in CCC
If the device is no longer visible in the CCC Devices List, the device has been deleted. If you would like to use this device, you must add the device to CCC.
Absence of a device that was not deleted from CCC may signify corruption in the CCC database. In this event, we recommend following the best practices for ensuring and maintaining database integrity as defined by your Organization's security infrastructure.
General Device Troubleshooting Tips
If you continue to experience problems with the HSM device, we recommend connecting to the device over a secure channel, such as the PuTTY SSH client (putty.exe), and verifying the following before attempting to restore the device connection:
- Ensure that the date and time are set correctly.
- Ensure that NTLS is bound to the correct Ethernet port.
- Ensure that the REST API is installed and configured on the device.
- Ensure that the web server on the device is configured and running.
- Ensure that the client is registered with the correct IP address or hostname.
- Ensure that the client has been given access to the correct partition.
- Check the syslog output for any information on errors.