Server Administration
CCC Administrator users can activate and deactivate the CCC root-of-trust HSM. When the root of trust is disabled, CCC operates in view-only mode. The CCC Administrator is responsible for managing licenses that are required to activate access to the CCC. Acquiring a license allows you to upgrade from a trial version to a full version, renew your license subscription, set the maximum provisioned partitions limit, or access the monitoring feature on HSM devices. The server Administrator can also start or stop the CCC service, outside of CCC, to enable or disable the CCC server. Regular backups are essential to allow you to successfully recover from a disaster. To help troubleshoot operational issues you may encounter, such as failure to connect to devices, or provision services, you can view the logs.
Logging Into the Server
Only users with the admin role can log in to the CCC as an Administrator. By default, the admin role has one user, the admin user. An active license is required for access, so if a license is absent, you are prompted to upload one during CCC activation. To log in to the server as an Administrator:
- Launch CCC using a supported browser (CCC supports Microsoft Edge, Google Chrome, and Mozilla Firefox). The URL you use depends on whether the server is identified by IP address or hostname:
  - https://host_ip:8181
  - https://hostname:8181
- Log in to CCC as an admin user. If this is the first time you are logging in to the server, use the following credentials: User Name: admin, Password: PASSWORD.
- Change the password, if you are prompted.
- Upload the license file from your local filesystem, if you are prompted. The license summary is displayed, indicating the license type affiliated with your CCC.
Root of Trust Activation and Deactivation
You can activate and deactivate the CCC server as required, to limit its ability to log in to the managed devices. For example, you may want to limit periods of activation to specific maintenance windows, to reduce the risk of unauthorized activity in CCC.
Managing Luna HSM having firmware 7.7.0 and above
To manage a Luna HSM having firmware 7.7.0 or above:
- Universal Client 10.3 must be installed on the CCC server, together with the JCProv patch for Universal Client 10.3 that adds JCPROV compatibility with HA Login V2. The KB ID for the patch is KB0024452 and it can be downloaded from https://supportportal.thalesgroup.com/.
- On the CCC server, copy jcprov.jar and libjcprov.so from the patch to /usr/safenet/lunaclient/jcprov/lib.
  You can obtain jcprov.jar from the following location in the patch: \630-000495-001_SW_Patch_haloginv2_ecies_ext_params_UC_Clnt_10.3.0_RevB\jcprov.jar.
  You can obtain libjcprov.so from the following location in the patch: \630-000495-001_SW_Patch_haloginv2_ecies_ext_params_UC_Clnt_10.3.0_RevB\linux\64\libjcprov.so.
- After applying the latest 10.3 JCProv HA Login 2.0 patch, restart the CCC service with the systemctl restart ccc command if the service is already configured.
Activating the Root of Trust
You need to activate the root of trust on first login to CCC, and to re-activate CCC any time it has been deactivated. You may also need to re-activate the root of trust if its address or credentials are changed.
You must be able to see the root-of-trust HSM as a slot in your Luna client before you can activate it.
To activate the root of trust:
- Click the Administration tab and select Activation in the navigation frame to display the CCC Activation page.
- Select the checkbox stating that this device is running firmware 7.7 and above if you are using Luna HSM 7.7.0 or Luna HSM 7.7.1 with firmware 7.7.0 or 7.7.1.
- Enter the Partition label and Password.
- Check the Remember credentials checkbox if you want CCC to cache your root of trust credentials, and then click the Activate button.
  If you do not want CCC to cache your root of trust credentials, leave the Remember credentials checkbox unchecked. When the CCC service is restarted, the cached root of trust label and password are erased automatically.
Activating a New Root of Trust
To activate a new root of trust, you need to re-authorize all the devices managed in the CCC. To activate a new root of trust:
- Restart the CCC server.
- Select the checkbox stating that This device is running firmware 7.7 and above if you are using Luna HSM 7.7.0 or Luna HSM 7.7.1 with firmware 7.7.0 or 7.7.1.
- Enter the Partition label and password.
- Check the Remember credentials checkbox if you want CCC to cache your root of trust credentials, and then click the Activate button.
- Click the Devices tab and select the device.
- Open the Connections tab and then click the Update Credentials button.
- Open the Authorization tab and then click the Re-Authorize button.
Deactivating the Root of Trust
You can deactivate the root of trust to prevent CCC from logging in to the managed devices, or to prevent Application Owners from using the CCC Client (ccc_client) to deploy services. To deactivate the root of trust:
- Click the Administration tab, and select Activation in the navigation frame to display the CCC Activation page.
- Click Deactivate.
Root of Trust Self Activation
CCC can cache your root of trust partition label and password at the time of activation and use them later for reactivation in case of a network disruption. To enable ROT Self Activation:
- Click the Administration tab, and select Activation from the navigation pane to display the CCC Activation page.
- Select the checkbox stating that This device is running firmware 7.7 and above if you are using Luna HSM 7.7.0 or Luna HSM 7.7.1 with firmware version 7.7.0 or 7.7.1.
- Enter the partition label and password.
- Check the Remember credentials checkbox and then click the Activate button.
  If you do not want CCC to cache your root of trust credentials, leave the Remember credentials checkbox unchecked.
Managing Licenses
Access to CCC functionality is regulated by licenses. An active license is required to access the CCC graphical user interface. CCC must be activated to upload a license file. A single license can apply to multiple CCC instances in a high availability configuration.
Once the license expires, you are given a grace period during which you still have access to full CCC functionality. This grace period is to allow some time to order and obtain a new license file. Once the period ends, Administrators cannot import more partitions, create new services, or activate new services, and Application Owners cannot deploy existing services.
Upgrading the license allows you to upgrade from a trial version to a full version, renew your license subscription, or increase the maximum provisioned partitions limit. CCC users have access to the following license types:
License Type | Description |
---|---|
Freemium | A Freemium license is included in the CCC software package and can be applied to the product once installed. The Freemium license provides access to 20 device partitions and can also enable the device monitoring feature. The Freemium license is deployed in a test environment and should not be used in a production environment. |
Premium - Trial | The Premium - Trial license is a 90-day trial license distributed for assessment purposes. The number of device partitions that can be provisioned by the Premium - Trial license is specified in the license file, as per the license agreement. The Premium - Trial license can be deployed in a test or production environment. It can also enable the device monitoring feature. |
Premium - Subscription | The Premium - Subscription license is an annual subscription-based license. The number of device partitions that can be provisioned by the Premium - Subscription license is specified in the license file, as per the license agreement. The Premium - Subscription license is deployed in a production environment. It can also enable the device monitoring feature. |
Premium - Perpetual | The Premium - Perpetual license is a one-time purchase license. The number of device partitions that can be provisioned by the Premium - Perpetual license is specified in the license file, as per the license agreement. The Premium - Perpetual license is for deployment in a production environment. It can also enable the device monitoring feature. |
The CCC license files are set in the UTC time zone. As a result, the expiry dates on the individual license files may not coincide with your local time zone.
For more information about license types and acquiring your CCC License, contact your Thales sales representative.
Viewing license information
To view license information, click the Administration tab and select Licenses in the navigation frame. The following information will appear on your screen:
Field | Description |
---|---|
License Type | The service level (Freemium or Premium) and duration of your license. |
Features | Lists the features made available by the uploaded license. These features can include monitoring and provisioning. |
Maximum Provisioned Partitions | The number of Thales Luna HSM partitions which you may manage through CCC. The Freemium License allows access to 20 fixed partitions. The entitlements of the Premium License define the quantity of available partitions. |
Partitions Used | The number of Thales Luna HSM partitions which are currently managed through CCC. |
License Activation Date | The date when the license was activated in the Sentinel EMS portal. |
License Expiration Date | The date when the license will expire. This date can be calculated relative to the activation date, as with a trial license, or can be fixed based on your license term. This field is displayed while CCC is still within its licensed period of operation. If the user has purchased a perpetual license this information is not displayed. |
License Grace Period Ends | Displayed only if you exceed the license limits, either by using an expired license or by managing more partitions than allowed. Shows the date when the grace period for the CCC license will expire and functionality will be reduced. Once the period ends, Administrators cannot import more partitions or create or activate new services, and Application Owners cannot deploy existing services. |
Uploading a License
To upload a license:
- Click the Administration tab and select Licenses in the navigation frame.
- Obtain the new license and place it in the local filesystem.
  Access the Thales Customer Support Portal for more information about obtaining a license.
- Click the Upload License button. The Upload License dialog is displayed.
- Click the Upload button and select the new license file from your filesystem.
  The license type and entitlements are displayed in the Upload License dialog.
- Click the Continue or Update button.
Updating a License
To update a license:
- Click the Administration tab, and select Licenses in the navigation frame.
- Obtain the new license and place it in the local filesystem.
  Access the Thales Customer Support Portal for more information about obtaining a license.
- Click the Update License button. The Update License dialog is displayed.
- Click the Update... button and select the new license file from your filesystem.
  The license type and entitlements are displayed in the Update License dialog.
- Click the Update button.
The Update License button is now also enabled while a Freemium license is in use, so a CCC user can replace a Freemium license with a Premium license through this button as required.
Managing CCC Service
The CCC web server runs as a service. The service must be running for the server to be available. You can use the following set of commands to manage the CCC service:
Command | Description |
---|---|
systemctl start ccc | Start the CCC service. The service must be running to use CCC. |
systemctl stop ccc | Stop the CCC service. If you stop the service, CCC will not be available for use. |
systemctl restart ccc | Restart the CCC service. This command stops and restarts the service. |
systemctl status ccc | Display the current status of the CCC service. |
To start, stop, restart, or display the status of the CCC service:
- Log in as the root user to the Linux server used to host the CCC server.
- Enter a command from the list above, as desired.
Backup and Restore
Database and root-of-trust HSM backups are essential to allow you to successfully recover from a disaster.
Regular database backups are required. Refer to PostgreSQL documentation or Oracle Database Backup and Recovery User Guide for database backup and restore procedures.
Ensure that you back up the root-of-trust HSM after you first activate CCC. Refer to the Thales Luna HSM documentation for more information.
External Directory Support over LDAP
The key highlights of the External Directory Server Support over LDAP feature are as follows:
- As a CCC administrator, you can add any number of directories to the CCC server and then import, provision, and manage users from those directories.
- At the time of user creation, CCC imports various details associated with the user into the database, such as the First Name, Last Name, User Name, and Email Address.
- The imported user can be assigned either the administrator role or the application owner role.
- When a directory user tries to log in to the CCC application, the user authentication request is forwarded to the external directory associated with the user. After receiving a confirmation, CCC performs user authorization to identify whether the user is an administrator or application owner.
- CCC provides a flexible directory sync service: you can either manually sync the configured directory for any changes or define a scheduled sync to manage the changes.
- CCC never stores password details for directory users, and supports adding an external directory over both secured and unsecured communication channels.
- CCC can work with directory services over LDAP provided by any vendor, including Microsoft Active Directory, Microsoft Azure Directory, and Red Hat Directory Service.
- If a user leaves the organization and the user details are deleted from the directory server, the CCC server syncs the details at the scheduled sync and updates its records.
- As a CCC administrator, you can also perform a manual sync on that directory server. After the sync, if that user tries to log in to the CCC server, CCC server authentication will fail.
Adding Directories
To add a directory:
- Log on to CCC as an Administrator.
- Click the Administration button from the menu bar at the top, followed by the Directories tab from the left-side navigation pane.
- Create a new directory, taking into consideration whether you are using LDAP or LDAPs. If you are using LDAP, click the Add Directory button and fill out the required information in the displayed form. If you are using LDAPs, first complete the steps explained under the Additional Steps for LDAPs Users section below and then click the Add Directory button to provide the necessary details.
Field | Explanation |
---|---|
Directory Display Name | Enter a name for the directory that you want to configure. |
Vendor | Select an LDAP vendor. |
LDAP over SSL | Check this option if you want to create a secure connection with the LDAP directory. Ensure that you've completed the steps explained under the Additional Steps for LDAPs Users section before checking the checkbox. |
Connection URL | Provide a connection URL to your LDAP server in the form protocol://hostname_or_ip:port, where the protocol is ldap or ldaps (for example, ldaps://hostname:port). |
Username LDAP Attribute | Provide the name of LDAP attribute that is mapped as the CCC user name. |
RDN LDAP Attribute | Provide the name of LDAP attribute that is used as Relative Distinguished Name (RDN). |
UUID LDAP Attribute | Provide the name of LDAP attribute that is used as Unique Object Identifier (UUID). |
User First Name LDAP Attribute | Provide the name of the mapped first name attribute on the LDAP object. |
User Last Name LDAP Attribute | Provide the name of the mapped last name attribute on the LDAP object. |
User Email LDAP Attribute | Provide the name of the mapped email address attribute on the LDAP object. |
User Object Classes | Provide all values of LDAP objectClass attribute for users in LDAP separated by comma. |
Users DN | Provide full Distinguished Name (DN) of LDAP tree where your users are. |
Authentication Type | Select the LDAP Authentication Type. You can choose from None (anonymous LDAP authentication) or Simple (bind credential + bind password authentication) mechanisms. |
Bind DN | Provide DN of LDAP admin that will be used by CCC to access LDAP server. |
Bind Credential | Provide password of LDAP admin. |
Custom User LDAP Filter (Optional) | You have the option to provide an additional filter that you can use to filter searched users. Ensure that it begins with ( and ends with ). |
Search Scope | You can use search scope options to select the level of search scope. Level One searches for users in DNs specified by user DNs. Subtree searches for users in the entire Subtree. |
Enable Users Sync | You can enable Users Sync to perform synchronization of LDAP users to CCC at specified intervals. The minimum sync time is 10 minutes. |
Additional Steps for LDAPs Users
Follow the steps below to create a new directory using LDAPs:
- Ensure that you have imported an SSL certificate into the CCC server truststore before checking the LDAP over SSL checkbox. To import an SSL certificate into the truststore, run the command:
  keytool -import -alias unique_alias -file full_path_of_cert_file -storetype JKS -keystore /usr/safenet/ccc/server/standalone/configuration/cacerts.jks -storepass password
  You need to restart the CCC server after importing the SSL certificate.
  To list all the SSL certificates you've imported, run the following command:
  keytool -list -storetype JKS -keystore /usr/safenet/ccc/server/standalone/configuration/cacerts.jks
- Modify the hosts file to ensure that your LDAP client can connect to the LDAP server using the correct hostname. Use the command vi /etc/hosts to open the hosts file in the vi text editor.
- Make the following entry in the hosts file to map the LDAP server's hostname or domain name to its IP address:
  IP_address_of_LDAPs_server hostname_or_DNS_name_of_LDAPs_server
  Example:
  127.0.0.1 WIN-7BNUL.thales.com
Managing Directories
To manage a directory:
- Log on to CCC as an Administrator.
- Click the Administration button from the menu bar at the top, followed by the Directories tab from the left-side navigation pane.
- Use the page that appears to view and manage directories that are already configured in your CCC application:
  - Status: Use the Status column to validate the status of any directory. A green tick icon before the name of a directory indicates that it is Active; an orange error icon before the name of the directory indicates that it is Inactive.
  - Name: The Name column lists the names of all the directories associated with the CCC application.
  - Connection URL: Validate the connection information of each directory through the Connection URL column.
  - Next Sync: If you have used the Enable Users Sync option to automate syncing for a particular directory, the time of the next sync appears here.
  - Sync Users: Use the blue sync icon to sync one or more directories whenever required.
  - Last Sync Status: This column displays the details of the last sync, including its time, status, number of users synced, number of users removed, and users that could not be synced.
  - Actions: Use the Actions column to edit the specifications of a directory or to delete a directory. If you are deleting a directory that you had configured over SSL, it is recommended that you also delete its corresponding SSL certificate from the CCC truststore using the command:
    keytool -delete -alias certificate_alias -keystore /usr/safenet/ccc/server/standalone/configuration/cacerts.jks -storepass password
    You need to restart the CCC service after deleting the SSL certificate.
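The following script is an added example, not part of the CCC documentation or any Thales tooling. It automates the LDAPs preparation steps (certificate import into the CCC truststore, verification that the alias is listed, the hosts-file mapping, and the service restart) and the certificate cleanup described under Managing Directories. It assumes keytool is on the PATH, the truststore path shown in this documentation, a placeholder store password supplied through CCC_STOREPASS, and that it runs as root on the CCC server.

```shell
#!/bin/sh
# Added example (not Thales code): prepare a CCC server for an LDAPS directory
# and remove the certificate alias again when the directory is deleted.
# Assumes keytool on PATH, root privileges, and the truststore path from the docs.
set -eu

CCC_TRUSTSTORE="${CCC_TRUSTSTORE:-/usr/safenet/ccc/server/standalone/configuration/cacerts.jks}"
CCC_STOREPASS="${CCC_STOREPASS:-changeit}"   # placeholder: set to the real truststore password

# Return 0 if the alias already exists in the CCC truststore, non-zero otherwise.
truststore_has_alias() {
    keytool -list -storetype JKS -keystore "$CCC_TRUSTSTORE" -storepass "$CCC_STOREPASS" \
        -alias "$1" >/dev/null 2>&1
}

# Import the directory server's CA certificate under an alias (idempotent),
# then confirm the alias is really listed so a silent failure cannot slip through.
import_ca_cert() {
    cert_alias="$1"; cert_file="$2"
    [ -r "$cert_file" ] || { echo "cannot read certificate file: $cert_file" >&2; return 1; }
    if truststore_has_alias "$cert_alias"; then
        echo "alias '$cert_alias' already in truststore, skipping import"
        return 0
    fi
    keytool -import -noprompt -alias "$cert_alias" -file "$cert_file" \
        -storetype JKS -keystore "$CCC_TRUSTSTORE" -storepass "$CCC_STOREPASS"
    truststore_has_alias "$cert_alias"
}

# Cleanup step after deleting an LDAPS directory from CCC: remove its alias.
remove_ca_cert() {
    truststore_has_alias "$1" || { echo "alias '$1' not in truststore" >&2; return 1; }
    keytool -delete -alias "$1" -storetype JKS -keystore "$CCC_TRUSTSTORE" -storepass "$CCC_STOREPASS"
}

# Map the LDAPS hostname to its IP in the hosts file (default /etc/hosts) exactly once.
# Prints "added" or "present"; fails if the hostname is already mapped to another IP.
ensure_hosts_entry() {
    ip="$1"; host="$2"; hosts_file="${3:-/etc/hosts}"
    existing=$(awk -v h="$host" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }' "$hosts_file")
    if [ -z "$existing" ]; then
        printf '%s %s\n' "$ip" "$host" >> "$hosts_file"
        echo added
    elif [ "$existing" = "$ip" ]; then
        echo present
    else
        echo "$host is already mapped to $existing, not $ip" >&2
        return 1
    fi
}

# Usage: ccc_ldaps_prep.sh <alias> <ca-cert.pem> <ldaps-ip> <ldaps-hostname>
if [ "$#" -eq 4 ]; then
    import_ca_cert "$1" "$2"
    ensure_hosts_entry "$3" "$4"
    systemctl restart ccc   # CCC reads the truststore only at start-up
fi
```

Run remove_ca_cert with the same alias after deleting the directory in the CCC UI, and restart the ccc service afterwards.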