Deploying a Service
After you have initialized a service using CCC, you need to run the CCC client (ccc_client.jar) from your crypto application server to register your client with the HSM that hosts the service before you can begin to use the service. When you run ccc_client.jar, it automatically creates an NTLS or STC connection between your crypto application server and the device(s) associated with the service. The connection is NTLS unless the service configuration indicates that STC should be enabled on the device partition(s). You can view the STC status for a service in the capabilities tab.
The only information you require is the CCC hostname, IP address, or fully qualified domain name, your CCC username, and, for services that use both STC and Per-Partition Security Officer (PPSO), the partition officer credentials. The fully qualified domain name is preferred, as that value is recommended for the common name of the server certificate to prevent IP address conflicts in high availability configurations. If you wish to specify an IP address or hostname, contact your CCC Administrator to regenerate the certificate using the IP address in the subjectAltName field.
If you have multiple deployed and initialized services awaiting registration, ccc_client.jar presents a list of the available services, from which you can select the service you want to register.
Using CCC Client to Deploy an NTLS Service
After you download and install the CCC Client to your crypto application server, you can use it to deploy services on the workstation.
Note
The option to support the "Repair Client" feature for PPSO-STC partially initialized services is not available.
To deploy an NTLS service:
-
Use sudo (Linux) or launch an Administrator command prompt (Windows) on the crypto application server that will use the service.
-
Go to the directory where ccc_client.jar is installed:
Linux
cd /usr/safenet/lunaclient/bin
Windows
C:\Program Files\SafeNet\LunaClient\
-
Run ccc_client.jar:
java -jar ccc_client.jar -user [-password ] [-otp ] -host [-port ]
If you specify a password as part of the command, enclose it in single quotation marks (in Linux, as in the example), or double quotation marks (in Windows). If you do not specify a password, you are prompted for one, in which case do not use quotation marks.
If your account has one-time password (OTP) configured, you must either include the -otp parameter, or respond when prompted for the one-time password code. Consult your two-factor application on your mobile device for a current OTP code. Enter the six digit code with no spaces.
The -port parameter is optional. If not specified, the default port 8181 is used, as reflected in the example below:
java -jar ccc_client.jar -user myname@myorg -password 'mypassword' -host cccserver
-
You are prompted to accept the CCC server certificate. This message is not displayed if you previously imported the certificate on this client:
Connecting ...
Server certificate is not trusted.
Select one of the following options to proceed:
1: Show the certificate details
2: Trust the certificate this time only
3: Trust the certificate and permanently import it to the trusted keystore at: C:\Program Files\Java\jre8\lib\security\cacerts
4: Exit
Enter an option(1-4):
Enter 1 to display the certificate.
Enter 2 to trust the certificate for this deployment only.
Enter 3 to permanently trust the certificate.
Enter 4 to exit the client without deploying the service.
-
A client certificate for NTLS connections to service partitions is created, if the certificate is not present. You are prompted for an IP or hostname to register with partitions.
Creating certificate...
Please choose the IP address or hostname you want to register with HSMs
1) 1.1.1.1
2) 192.168.1.1
3) Manually enter a different IP or hostname
Option: 1
-
If you choose to permanently trust the certificate, you are prompted to enter the trusted keystore password:
Enter the trusted keystore password:
Enter the trusted keystore password for the Java JDK installed on the Thales Luna HSM client workstation. The default password is changeit.
-
A list of the services created for your organization that are available to be deployed is displayed. Select the service you want to authorize your client to use.
Logging in ...
Querying current services...
Please select the service you want to configure:
1) Service_with_a_smile - No description
2) Now_thats_service - Password partition
3) Self_service - PED HA group
4) Exit
-
You are prompted to authorize, revoke, or repair access. Select option 1 to authorize access.
Please select the action you want to execute:
1) Authorize Access
2) Repair Access
3) Revoke Access
4) Exit
Option: 1
Note
When a partition is added to or removed from an existing service, the CCC application owner can use the "Repair Access" option to create an NTLS link with the new service partition added to the client's HA group.
-
If you are authorizing a PED-authenticated HSM Partition HA Group service, go to the next step. Otherwise, the following message is displayed when the procedure completes:
Would you like to authorize access to service 'Service_with_a_smile'? (Y/N): y
Access to service 'Service_with_a_smile' was successfully granted.
Done
-
For PED-authenticated HSM Partition HA Group services, the service cannot be authorized until each partition in the HA group has been assigned the same challenge password and has been activated. If the HA group has the Per-Partition Security Officer (PPSO) feature enabled, you can activate through the CCC user interface. If PPSO is not enabled, continue in this section. This task can be performed by the Administrator when creating the service, or by the Application Owner when deploying the service. When you attempt to authorize the service, the following message is displayed:
Would you like to authorize access to service 'Self_service'? (Y/N): y
Configuring HSM Partition HA group...
List of group members:
label: partition-00 (serial number: 111111111110)
label: partition-01 (serial number: 111111111111)
Have you manually changed the challenges for the 'HAGROUP' group members? (Y/N):
-
If you are sure that each partition in the HA group has been assigned the same challenge password, enter y. You are prompted to enter the challenge password:
Enter the group challenge for group HAGROUP:
-
Enter the challenge password. If successful, the following message is displayed:
Access to service 'Self_service' was successfully granted.
If not successful, an error indicating that the challenge passwords do not match is displayed. In this case, re-run ccc_client.jar, answer n to the challenge passwords prompt, and complete this procedure for the case when you have not manually changed the challenges for the HA group members.
Note
This error is displayed if either the passwords do not match, or if the partitions are not activated.
If you have not assigned the same challenge password to each partition in the HA group, enter n. The following prompt is displayed.
Process paused. If you wish to align the CO challenges and activate the CO roles now, open a new console and run LunaCM to perform these operations. Once you have done so, select “Continue” below to proceed with this HA Group configuration.
1. Continue
2. Exit
-
Set the challenge password for each listed member.
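Both deployment procedures above ask you to trust the CCC server certificate, and option 3 imports it permanently into the Java cacerts keystore. The following added example (not part of the CCC documentation or the ccc_client tool) shows how an application owner can check, before choosing option 3, that the fingerprint shown by option 1 matches the value obtained out of band from the CCC Administrator, and whether that certificate is already present in the keystore listed by keytool. The PEM block, the expected fingerprint and the keytool output are constructed sample values; the helper names are the example's own.

```python
# Added example: verify the CCC server certificate before permanently
# importing it into the Java trusted keystore (option 3 in ccc_client.jar).
import base64
import hashlib
import re


def fingerprint_from_pem(pem: str, algo: str = "sha256") -> str:
    """Colon-separated uppercase hex digest of the DER certificate in a PEM
    block, the same form keytool prints as 'Certificate fingerprint'."""
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                     pem, re.S)
    if not body:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(body.group(1).split()))
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_keytool_list(output: str) -> dict:
    """Map alias -> fingerprint from `keytool -list -keystore <cacerts>` output:
    an alias line ending in 'trustedCertEntry,' followed by a fingerprint line."""
    entries, alias = {}, None
    for line in output.splitlines():
        if "trustedCertEntry" in line:
            alias = line.split(",")[0].strip()
        m = re.match(r"\s*Certificate fingerprint \([^)]+\):\s*([0-9A-F:]+)", line)
        if m and alias:
            entries[alias] = m.group(1)
            alias = None
    return entries


def check_before_import(pem: str, expected_fp: str, keytool_output: str) -> str:
    """'mismatch'        -> choose 4 (Exit) and contact the CCC Administrator
       'already_trusted' -> the cert is in the listed keystore; the prompt
                            should not appear, so check which cacerts is in use
       'ok_to_import'    -> fingerprint matches the out-of-band value"""
    actual = fingerprint_from_pem(pem)
    if actual != expected_fp.upper().replace(" ", ""):
        return "mismatch"
    if actual in parse_keytool_list(keytool_output).values():
        return "already_trusted"
    return "ok_to_import"


# Constructed sample input: the PEM body is base64 of the bytes b"abc", not a
# real certificate, so the expected value is the well-known SHA-256 of "abc".
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
EXPECTED_FP = ("BA:78:16:BF:8F:01:CF:EA:41:41:40:DE:5D:AE:22:23:"
               "B0:03:61:A3:96:17:7A:9C:B4:10:FF:61:F2:00:15:AD")
OTHER_FP = ":".join(["00"] * 32)  # constructed placeholder fingerprint
SAMPLE_KEYTOOL = ("Keystore type: PKCS12\nYour keystore contains 1 entry\n\n"
                  "othercert, Jan 1, 2024, trustedCertEntry,\n"
                  f"Certificate fingerprint (SHA-256): {OTHER_FP}\n")

if __name__ == "__main__":
    print(check_before_import(SAMPLE_PEM, EXPECTED_FP, SAMPLE_KEYTOOL))
```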
Using CCC Client to Deploy an STC Service
STC services are deployed slightly differently than NTLS services because of the need to exchange client identity and partition identity public keys. If the service was imported into CCC, and had both the STC and Per-Partition Security Officer policies enabled before import, you cannot deploy the service. This is because the Partition SO can only access and modify the partition through the existing STC client that was established before import.
To deploy an STC service:
-
Use sudo (Linux) or launch an Administrator command prompt (Windows) on the crypto application server that will use the service.
Note
If you are using a hard token, initialize it in a Windows computer as described in Thales Luna HSM documentation.
-
Go to the directory where ccc_client.jar is installed:
Linux
cd /usr/safenet/lunaclient/bin
Windows
C:\Program Files\SafeNet\LunaClient\
-
Run ccc_client.jar:
java -jar ccc_client.jar -user [-password ] [-otp ] -host [-port ]
If you specify a password as part of the command, enclose it in single quotation marks (for Linux, as in the example) or double quotation marks (for Windows). If you do not specify a password, you are prompted for one, in which case do not use quotation marks.
If your account has one-time password (OTP) configured, you must either include the -otp parameter, or respond when prompted for the one-time password code. Consult your two-factor application on your mobile device for a current OTP code. Enter the six digit code with no spaces.
The -port parameter is optional. If not specified, the default port 8181 is used.
For example:
java -jar ccc_client.jar -user myname@myorg -password 'mypassword' -host cccserver
-
You are prompted to accept the CCC server certificate. This message is not displayed if you previously imported the certificate on this client:
Connecting ...
Server certificate is not trusted.
Select one of the following options to proceed:
1: Show the certificate details
2: Trust the certificate this time only
3: Trust the certificate and permanently import it to the trusted keystore at:
C:\Program Files\Java\jre8\lib\security\cacerts
4: Exit
Enter an option(1-4):
Enter 1 to display the certificate.
Enter 2 to trust the certificate for this deployment only.
Enter 3 to permanently trust the certificate.
Enter 4 to exit the client without deploying the service.
-
A client certificate for NTLS connections to service partitions is created, if the certificate is not present. You are prompted for an IP or hostname to register with partitions.
Creating certificate...
Please choose the IP address or hostname you want to register with HSMs
1) 1.1.1.1
2) 192.168.1.1
3) Manually enter a different IP or hostname
Option: 1
-
If you choose to permanently trust the certificate, you are prompted to enter the trusted keystore password.
Enter the trusted keystore password:
Enter the trusted keystore password for the Java JDK installed on the Thales Luna HSM client workstation. The default password is changeit.
-
A list of the services created for your organization that are available to be deployed is displayed. Select the service you want to authorize your client to use.
Logging in ...
Querying current services...
Please select the service you want to configure:
1) Service_with_a_smile - No description
2) Now_thats_service - Password partition
3) Self_service - PED HA group
4) Exit
-
You are prompted to authorize access. Select option 1 to authorize access.
Please select the action you want to execute:
1) Authorize STC Access
2) Exit
Option: 1
Note
If your service uses STC and Per-Partition SO together, CCC cannot revoke STC access and the option is not available. This prevents the risk of leaving the partition(s) with no client connections, which would make partition access unrecoverable. See "Re-Deploying or Deleting a Service" for more details.
-
If no STC client ID is found on the application server, you are prompted to create one. Enter y, then enter the Client Name you want registered on the partition(s).
STC Client ID not found. Do you want to create one? (Y/N): y
Enter the STC Client Name: CCC_Application_1
-
If the device has the PPSO feature enabled, you are prompted for the Partition SO credentials to create the connection.
Configuring STC connection...
For password authenticated devices, you are prompted for the PSO password.
Enter PSO Password:
For PED authenticated devices, you are prompted for the Remote PED IP and port. The remote PED prompts you for the orange Remote PED key, and the blue Partition Security Officer key.
Enter Remote PED IP Address:
Enter Remote PED Port:
-
The STC client ID label is displayed. This could be an STC client ID created in step 10, or outside of ccc_client. You are given the option to change the client label registered on the partition(s).
STC Client will be registered with the client label 'ExistingName' on service 'Service_with_a_smile'.
Do you wish to change the registered STC Client Label? (Y/N): n
If you are authorizing a PED-authenticated HSM Partition HA Group service, go to the next step. Otherwise, the procedure is complete.
-
For PED-authenticated HSM Partition HA Group services, the service cannot be authorized until each partition in the HA group has been assigned the same challenge password and has been activated. If the HA group has the Per-Partition Security Officer (PPSO) feature enabled, you can activate through the CCC user interface. If PPSO is not enabled, continue in this section. When you attempt to authorize the service, the following message is displayed:
Would you like to authorize access to service 'Self_service'? (Y/N): y
Configuring HSM Partition HA group...
List of group members:
label: partition-00 (serial number: 111111111110)
label: partition-01 (serial number: 111111111111)
Have you manually changed the challenges for the 'HAGROUP' group members? (Y/N):
If you are sure that each partition in the HA group has been assigned the same challenge password, enter y. You are prompted to enter the challenge password:
Enter the group challenge for group HAGROUP:
Enter the challenge password. If successful, the following message is displayed:
Access to service 'Self_service' was successfully granted.
If not successful, an error indicating that the challenge passwords do not match is displayed. In this case, re-run ccc_client.jar, answer n to the challenge passwords prompt, and complete this procedure for the case when you have not manually changed the challenges for the HA group members.
Note
This error is displayed if either the passwords do not match, or if the partitions are not activated.
If you have not assigned the same challenge password to each partition in the HA group, enter n. The following prompt is displayed.
Process paused. If you wish to align the CO challenges and activate the CO roles now, open a new console and run LunaCM to perform these operations. Once you have done so, select “Continue” below to proceed with this HA Group configuration.
1. Continue
2. Exit
-
Set the challenge password for each listed member.
Activating a Non-PPSO PED-Authenticated HA Group
To successfully authorize access to a PED-authenticated HSM Partition HA Group, each partition in the HA group must use the same challenge password, and be activated. If the HA group does not have PPSO enabled, perform the following procedure to activate:
-
Ensure that you have the 16-digit challenge password generated by the PED when the service was initialized, as well as the partition owner/crypto officer (black) PED key.
Note
If the user enters an incorrect challenge password when deploying a PED-authenticated HSM partition HA group service with ccc_client, the service will display as deployed but will not be operational. To deploy the service, re-launch ccc_client, select the service, and revoke access to that service.
-
Run the ccc_client.jar command and proceed until you see the prompt for entering the group challenge. At this point, each member of the HSM Partition HA Group service is available as a slot in LunaCM.
-
Start a Thales Luna HSM client session by opening a command prompt or terminal window and then launching LunaCM:
Windows
C:\Program Files\SafeNet\LunaClient\bin\lunacm
Linux/AIX
/usr/safenet/lunaclient/data/bin/lunacm
Solaris/HP-UX
/opt/safenet/lunaclient/data/bin/lunacm
-
Browse through the list of available slots and note the firmware versions. If the partitions have firmware version 6.22 or higher (which was released alongside software version 6.0), role commands are required in LunaCM for the rest of this procedure. If the partitions have firmware below 6.22, partition commands are required in LunaCM.
lunacm:> slot list
-
Set the current slot to a slot containing one of the HSM Partition HA Group members:
lunacm:> slot set -slot
-
Connect the PED to your remote PED server:
lunacm:> ped connect -ip
-
If you are using devices that have firmware version 6.22 or above, skip to the next step. If your devices have firmware version below version 6.22, perform the following activities:
i. Log in to the partition. You are prompted to attend to the PED to provide the orange (remote PED) and black (Partition Owner/Crypto Officer) PED keys:
lunacm:> partition login
ii. Set the challenge password for the partition:
lunacm:> partition changepw -p
For example:
lunacm:> partition changepw -p
Option -oldpw was not supplied. It is required.
Enter the old challenge: *****
The old challenge password is displayed on the PED.
Option -newpw was not supplied. It is required.
Enter the new challenge: *****
Re-enter the new password: *****
User is not activated, please attend to the PED.
Command Result : No Error
iii. Log out of the partition:
lunacm:> partition logout
iv. Log in to the partition. You are prompted to attend to the PED:
lunacm:> partition login
v. Activate the partition:
lunacm:> partition activate
For example:
lunacm:> partition activate
Option -password was not supplied. It is required.
Enter the password: ****
User is not activated, please attend to the PED.
Command Result : No Error
Repeat these steps for every partition in the HSM Partition HA Group.
-
If you are using devices that have firmware version 6.22 or above:
i. Activate the Crypto Officer role by logging in. The PED prompts you for the black PED key.
lunacm:> role login -name Crypto Officer
ii. Change the role's challenge password.
lunacm:> role changePW -name Crypto Officer -old -new
iii. If you expect the Crypto User to be using the service regularly, log that role in and change its challenge password. You are prompted for the Crypto User PED key.
lunacm:> role login -name Crypto User
lunacm:> role changePW -name Crypto User -old oldpassword -new newpassword
iv. Once you've entered the Crypto User PED key, log out from the role. Repeat these steps for every partition in the HSM HA Group.
lunacm:> role logout
-
Disconnect the remote PED:
lunacm:> ped disconnect
-
Return to the ccc_client.jar session and enter the group challenge to continue and complete the service deployment.
Accessing the Service
After you authorize your client to access a service, you can use the service to run client applications, such as ckdemo, multitoken, or your own custom applications.
If the service is provided by a PED-authenticated, FIPS Level 3 device, you must log into the device using a PED and a black PED key before you can begin using the service. You will need to present the black PED key each time you use the service to run a client application, unless you activate the partition that provides the service. Partition activation eliminates the need to present the black PED key each time you use the service, by allowing you to log in to the activated partition using a password. You can use the LunaCM utility to activate a partition only if the activation policy for the partition is set to on. Refer to Thales Luna HSM Documentation for details.
Note
You cannot use CCC to log in, change partition policies, or activate partitions on devices that do not have the REST API enabled. You can perform these tasks through Thales Luna HSM Client utilities.