Service Management
A cryptographic service is a standalone partition on a Thales Luna Network HSM, or an HA group consisting of multiple partitions, each configured on a different Thales Luna Network HSM. Services are assigned to, and owned by, a specific organization. Only members of the organization that owns the service are able to deploy and use the service for their cryptographic applications.
You can use CCC to import, create, and manage cryptographic services. To manage services on a device, the device must be authorized to allow CCC to log in as the HSM SO. After you add and authorize a device, you can discover and import any partitions that are already provisioned on the device, or create new services on the device. Once you import or create a service, you can manage it with CCC.
Discovering and Importing Unmanaged Partitions
Devices you add to CCC may already contain partitions and HA groups. Alternatively, although it is not recommended, an Administrator may have created partitions or HA groups on a managed device using the command line tools after you added the devices to CCC. To discover and import unmanaged partitions:
1. Click the Crypto Services tab, and select Import Partitions in the navigation frame. If you do not have a currently saved partition import table, the Import Partitions splash page appears; continue to step 2. Otherwise, the currently saved partition import table is displayed; go to step 3. The Import Partitions page shows when the table was first created and last edited. Your data may not be preserved, depending on your browser settings: if you have configured your browser to discard history on exit, all data will be lost.

   If the number of partitions specified for import exceeds the partitions available, the Import Partitions option is disabled. Reduce the number of partitions for import to a value equal to or less than the number of available partitions, and then re-attempt the import.

   Importing partitions that have both the STC and PPSO policies into CCC allows you to view partition information, but functionality is reduced because CCC is not established as a secure endpoint for the existing STC connection. You can detach or delete the service, or change the service name, description, and organization.

2. Click the Get Started button to begin the discovery process. The Finding Partitions progress dialog is displayed. The discovery process may take some time to complete, depending on the number of devices that must be queried. When the discovery is complete, a table listing all of the discovered partitions is displayed. Edits to the table are saved automatically and persist between login sessions.

3. The discovered partitions are returned in a table, sorted by service type (standalone partitions or partition HA groups). Edit the table to provide the information required to create services for the discovered partitions (service name, organization, and optional description). You can import all of the discovered partitions, or delete from the table any partitions that you do not want to import at this time. To add a partition or HA group as a service in CCC, you must enter a service name and choose the organization that will own the service. You can also enter an optional description for the service.

   Although CCC attempts to identify the partitions by service type (standalone partition or partition HA group), it is strongly recommended that you examine the data in the table and verify its accuracy, especially for any HA groups that have been identified. For example, you may want to log in to each client that uses an HA group to verify that the HA group members match those listed in the table.

4. If you need to make any changes, you can do so as follows:

   - To move a partition to a different HA group, type the correct HA group name for the partition in the HA Group field.
   - To remove a partition from an HA group and make it a standalone service, delete the suggested HA group name from the HA Group field.
   - To add a partition identified as a standalone service to an HA group, type the name of the HA group you want to add it to in the HA Group field.

   Any partitions that you delete from the table are removed from the current import only. You can import them later by running the Import Partitions function again.

5. For each HA group you want to import, log in to one of the clients that use the HA group and run the vtl haAdmin show command to determine the actual HA Group Label for the HA group. Delete the default HA Group label (HA_n) and replace it with the actual HA Group Label.

6. After you have verified the HA groupings and deleted any partitions from the table that you do not want to import at this time, edit the table to provide the following information for each partition or HA group. After you provide a service name, optional description, and organization for each partition or HA group, click Finish Imports to create a service for each partition or HA group.

   HA Group: Enter the HA Group Label string for the HA group, as determined using the vtl haAdmin show command.
   Service Name: Enter the name that will be used to identify the service in CCC. This is limited to 28 characters.
   Description: Enter a description for the service. This field is optional.
   Organization: Choose the organization that will own the service. If the organization does not exist, you must create it.
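As an added illustration (not CCC's own code), the following Python models the checks an edited import table has to pass at Finish Imports: rows sharing an HA Group Label become one HA service, blank labels become standalone services, the service name is limited to 28 characters, the organization must already exist, a default HA_n label must have been replaced, and the row count must not exceed the available partitions. The row fields, the sample partitions, and the rules that an HA group needs two or more members on different devices are assumptions drawn from the descriptions above.

```python
import re
from dataclasses import dataclass

# Limits and rules stated in the CCC documentation above.
MAX_SERVICE_NAME_LEN = 28
DEFAULT_HA_LABEL = re.compile(r"^HA_\d+$")  # placeholder label CCC assigns (HA_n)


@dataclass
class DiscoveredPartition:
    """One row of the partition import table (fields a CCC user edits)."""
    device: str            # appliance hostname
    label: str             # partition label on the HSM
    serial: str            # partition serial number
    ha_group: str = ""     # HA Group field; empty means standalone service
    service_name: str = ""
    organization: str = ""
    description: str = ""


@dataclass
class Service:
    name: str
    organization: str
    description: str
    members: list          # (device, label, serial) tuples
    ha_group: str = ""     # empty for a standalone service

    @property
    def service_type(self) -> str:
        return "HSM Partition HA Group" if self.ha_group else "HSM Partition"


class ImportTableError(ValueError):
    """The edited table would not pass the checks described on this page."""


def _check_service_fields(name, org, known_orgs, where):
    if not name:
        raise ImportTableError(f"{where}: a service name is required")
    if len(name) > MAX_SERVICE_NAME_LEN:
        raise ImportTableError(f"{where}: service name exceeds {MAX_SERVICE_NAME_LEN} characters")
    if org not in known_orgs:
        raise ImportTableError(f"{where}: organization {org!r} does not exist; create it first")


def build_services(rows, known_orgs, available_partitions):
    """Turn the edited table (rows you deleted are simply absent) into the services
    Finish Imports would create; known_orgs are the organizations that exist in CCC."""
    if len(rows) > available_partitions:
        raise ImportTableError(f"{len(rows)} partitions selected but only "
                               f"{available_partitions} available; remove some and retry")
    services, groups = [], {}  # groups: HA Group Label -> member rows
    for row in rows:
        if row.ha_group:  # typing a label into the HA Group field puts the row in that group
            groups.setdefault(row.ha_group, []).append(row)
            continue
        _check_service_fields(row.service_name, row.organization, known_orgs,
                              f"partition {row.label}")
        services.append(Service(row.service_name, row.organization, row.description,
                                [(row.device, row.label, row.serial)]))
    for ha_label, members in groups.items():
        where = f"HA group {ha_label}"
        if DEFAULT_HA_LABEL.match(ha_label):
            raise ImportTableError(f"{where}: still has the default label; replace it with "
                                   "the label shown by 'vtl haAdmin show'")
        if len(members) < 2:
            raise ImportTableError(f"{where}: an HA group needs two or more partitions")
        if len({m.device for m in members}) != len(members):
            raise ImportTableError(f"{where}: each member must be on a different device")
        names = {m.service_name for m in members if m.service_name}
        orgs = {m.organization for m in members if m.organization}
        if len(names) > 1 or len(orgs) > 1:
            raise ImportTableError(f"{where}: members disagree on service name or organization")
        name, org = (names.pop() if names else ""), (orgs.pop() if orgs else "")
        _check_service_fields(name, org, known_orgs, where)
        desc = next((m.description for m in members if m.description), "")
        services.append(Service(name, org, desc,
                                [(m.device, m.label, m.serial) for m in members], ha_label))
    # Standalone partitions first, then HA groups, matching the table's sort order.
    return sorted(services, key=lambda s: (s.ha_group != "", s.name))


def import_error(rows, known_orgs, available_partitions):
    """Return the first problem Finish Imports would report, or '' if the table is valid."""
    try:
        build_services(rows, known_orgs, available_partitions)
    except ImportTableError as exc:
        return str(exc)
    return ""


def sample_import_table():
    """Constructed sample: three partitions on two appliances, as discovery might list them."""
    return [
        DiscoveredPartition("hsm-a", "payments_a", "1001", "HA_1", "payments-ha", "Payments"),
        DiscoveredPartition("hsm-b", "payments_b", "2001", "HA_1", "payments-ha", "Payments"),
        DiscoveredPartition("hsm-a", "codesign", "1002", "", "code-signing", "DevOps"),
    ]
```

Editing a row's ha_group field plays the part of typing into or clearing the HA Group column; the sample table is rejected until the default HA_1 label is replaced.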
Canceling Partition Import
If you want to restart the import process, click Cancel. The current table is deleted. Click Crypto Services > Import Partitions to restart the discovery process and create a new table.
Creating and Managing Service Templates
When you create a service, you must specify a template for the service. Service templates specify the type, size, and capabilities of services created using the template. Service templates are reusable, allowing you to create templates for specific application types that can be used to quickly and easily create services for specific applications.
To add, copy, view, edit, or manage a service template, click the Crypto Services tab and select Service Templates in the navigation frame. All existing service templates are listed. You can sort the list of service templates by column, or use the search function to find a specific service template. Click the Copy Template icon to copy and edit a service template. Click the trash can icon in the Delete column to delete a service template (with confirmation).
To add a service template:

1. Click the Crypto Services tab, and select Service Templates in the navigation frame.

2. Click the Add Service Template button. The Create Service Template dialog appears.

3. Use the General option to enter a name and optional description for the service template. You can enter any strings you like.

4. Use the Set Capabilities option to specify the capabilities of services to be created, as follows:

   Service Type: Select HSM Partition to create a standalone service on a single device, or select HSM Partition HA Group to create an HA group using two or more devices.
   Device Capabilities: Specify the capabilities of the devices. If you select Performance, choose from Standard, Enterprise or Maximum performance. If you select Authentication, select PED or Password.
   Partition Settings:
   - Partition size (bytes): Use this parameter to specify the size of the partitions used to provide services.
   - Per-Partition SO: Select this checkbox if you want the services created using this template to have their own security officer (SO). Per-Partition SO is supported on devices with firmware 6.22 or higher and with the Per-Partition SO capability upgrade (CUF) installed. Per-Partition SO is mandatory for 7.x devices and is enabled by default.
   - Scalable Key Storage: If you have selected Thales Luna Network HSM 7 (Firmware 7.7.0 and above) from the list of HSM models, select the Scalable Key Storage (SKS) checkbox to create a service with a V1 type partition. If you leave the checkbox unchecked, a V0 type partition is created.
   - Secure Trusted Channel: Select this checkbox if you want the services created using this template to connect to Application Owner clients using Secure Trusted Channel (STC) instead of the default NTLS connection. Secure Trusted Channel is supported on devices with software 6.2.1 or higher, firmware 6.24.2 or higher, and the STC HSM policy enabled. When you create a service with this capability in the template, the STC status is "pending" until an Application Owner deploys the service, which enables the STC partition policy and establishes the STC link. CCC no longer provides support for STC with Luna Network HSM. The option to create a partition using STC is not available with Luna Network HSM 7 (Firmware 7.7.0 and above).

5. Use the Summary option to view a summary of the information you entered for the service template. If the information is not correct, click Go Back and update the information as required. Otherwise, click Finish to create the service template.
Copying and Editing an Existing Service Template
You can copy an existing template and edit it as required to create a new service template. To copy and edit an existing service template:
1. Click on the Crypto Services tab, and select Service Templates in the navigation frame.

2. Find the service template you want to copy. To help find a service template, you can sort the service list by column heading, or use the search function.

3. Click on the Copy Template icon. The Create Service Template wizard is displayed, with the fields pre-filled with the values from the copied service template.

4. Complete the wizard, as described in Creating and Managing Service Templates.
Viewing or Editing the Service Template Attributes
You can sort the service template list by column heading, or use the search function to find a service template. To view or edit a service template's attributes:

1. Click on the Crypto Services tab, and select Service Templates in the navigation frame.

2. After finding the service template you want, click on the service template to view its attributes at the bottom of the page.

3. Use the following tabs to view or edit the service template attributes:

   General: Contains the service template name and an optional description. Click Edit to edit the information. Click Save when done, or click Cancel to discard the changes and exit edit mode.
   Capabilities: Displays the type, size, and capabilities of services created using the template. Click Edit to edit the service template. Click Save when done, or click Cancel to discard the changes and exit edit mode.
Deleting Service Templates
You can delete a service template at any time. To delete a service template:
1. Click on the Crypto Services tab, and select Service Templates in the navigation frame.

2. After finding the service template you want, click on the trash can icon in the Delete column. A confirmation dialog is displayed.
Creating New Services
To create a service, you must specify the service template for the service, the device(s) used to host the service, and the owner organization. After you add a service, you can view its capabilities and host device, but an Application Owner cannot deploy a service until it has been initialized. You can initialize a service when you create it, or you can leave it uninitialized. Uninitialized services can be initialized by the CCC Administrator, or by an Application Owner that is a member of the organization that owns the service.

To create a service:

1. Click on the Crypto Services tab, and select Services in the navigation frame.

2. Click the Create Service button. The Create Service wizard is displayed.

3. Complete the wizard as follows. You can click Cancel at any time to exit the wizard without saving your changes:

   General: Enter a name and optional description for the service. This information is used to identify the service in CCC. You can enter any strings you like. After you add the service, you can change its name or description by editing the service attributes.
   Choose Template: Choose a template from the list that defines the type of service you want to create. To help find a service template, you can sort the list by column heading, or use the search function. You can view service template details by hovering over the information icon associated with the service template.
   Add Devices: Select the device, or devices, used to provide the service. If the service is an HSM partition HA group, you must specify each device (minimum of 2) that will be used to provide the HSM partition HA group. To select a device, click on the device in the Available Devices window and click Add to move it to the Selected Devices window. You can use the search function to help find a device, if necessary. To deselect a device, click on the device in the Selected Devices window and click Remove to move it to the Available Devices window.
   Assign Organization: Choose the organization that will own the service from the list. To help find an organization, you can sort the organization list by column heading, or use the search function. After you add the service, you can change the organization that owns the service by editing the service attributes.
   Summary: Displays a summary of the information you entered for the service. If the information is not correct, click Go Back and update the information as required. Otherwise, click Finish to create the service. If successful, a success message is displayed, the service is added, and you are prompted to initialize the service. Otherwise, an error is displayed, and you can click Go Back to update the device information, as required, to resolve the issue.
Initializing a Service
You must initialize a service before you can use it. To initialize a service:
- Specify or create initial credentials for the roles that will own or use the service. For services without PPSO enabled, initialize the credentials for the partition owner (crypto officer) role. For services with PPSO enabled, initialize the credentials for the partition SO and crypto officer roles. You also have the option to initialize the crypto user role.
- Specify or create a cloning domain for the service. You can only clone objects between HSMs that are in the same cloning domain. Cloning is used to perform operations such as backup/restore.
You can initialize a service when you create it, or you can leave it uninitialized until it is ready to be deployed. Uninitialized services can be initialized by the CCC Administrator, or by an Application Owner that is a member of the organization that owns the service.
If you are upgrading from an older version of CCC to CCC 3.9 and you want to create an HA service using an existing partition, you need to manually reset the password to ensure that the new password is of 8 or more characters.
Initializing a PED-authenticated Service
To initialize a PED-authenticated service, you need a remote PED and the orange PED key(s) encoded with the Remote PED Vector (RPV) for the Thales Luna Network HSM appliance(s) that provide the service. You also need to imprint or provide the role and domain PED keys for the service, as follows:

- For non-PPSO services, you initialize the credentials for the partition owner (crypto officer) and set the cloning domain for the service by providing or imprinting the crypto officer (black) and domain (red) PED keys.
- For PPSO services, you initialize the credentials for the partition SO, crypto officer, and (optionally) crypto user roles, and set the cloning domain for the service, by providing or imprinting the partition SO (blue), crypto officer/crypto user (black/gray), and domain (red) PED keys.

Contact the CCC Administrator to get any keys you may require. To use a remote PED with CCC, you need to install the Thales Luna HSM client, including the Remote PED Server option, on the computer you will use to access CCC, or on a separate computer you will use for the remote PED. After installing the Thales Luna HSM client, use LunaCM to configure the Remote PED Server so that you can connect to it from CCC. Refer to the Thales Luna HSM documentation for more information.

To initialize a PED-authenticated service:

1. Click on the Crypto Services tab, and select Services in the navigation frame to display a list of all currently provisioned services. Any uninitialized service has an Initialize button in the Initialization State column. To help find a service, you can sort the service list by column heading, or use the search function.

2. Click on the Initialize Service link for the service you want to initialize. The Initialize Service wizard is displayed. Complete the wizard as follows:

   Define Partition: Enter a label for the partition used to provide the service.
   Initialize Roles: Enter the IP address of your remote PED server. The default port is auto-filled; if you are not using the default port, enter the Remote PED server port. For PPSO services, enter the challenge password for the crypto officer and (optionally) crypto user roles. The challenge password is the password used to authenticate to the role after it is activated. Click Next and respond to the prompts on-screen and on the PED. For non-PPSO services, the PED generates and displays a 16-digit challenge password. Record this challenge password; it is necessary for service activation.
   Activate Roles: To activate the roles you initialized, select the Activate Crypto Officer and (optionally) Activate Crypto User checkboxes. You cannot activate the crypto user without also activating the crypto officer. For PPSO services, you can activate the roles later, if desired, by editing the service attributes. For services that have both the PPSO and STC features enabled in the template, you can activate the roles at any time until an application user deploys the service, which establishes the STC link and precludes further changes through CCC. Click Finish to initialize the service. Observe the progress messages to verify success.
Initializing a Password-Authenticated Service
To initialize a password-authenticated service, you need to enter passwords for the roles you wish to initialize, and specify the cloning domain for the service, as follows:

- For non-PPSO services, you enter an initial password for the crypto officer and set the cloning domain for the service.
- For PPSO services, you enter an initial password for the partition SO, crypto officer, and (optionally) crypto user roles, and set the cloning domain for the service.

To initialize a password-authenticated service:

1. Click on the Crypto Services tab, and select Services in the navigation frame to display a list of all currently provisioned services. Any uninitialized service has an Initialize Service button in the Initialization State column. To help find a service, you can sort the service list by column heading, or use the search function.

2. Click the Initialize Service link for the service you want to initialize. The Initialize Service wizard is displayed. Complete the wizard as follows:

   Define Partition: Enter a label for the partition used to provide the service.
   Initialize Roles: Set the initial password for the Crypto Officer. For PPSO services, you also set the initial password for the Security Officer, and optionally for the Crypto User. Click Finish to initialize the service. Observe the progress messages to verify success. For a service that uses STC and PPSO, you cannot initialize the Crypto User role through CCC after the service is deployed.
If you are upgrading from an older version of CCC to CCC 3.9 and you want to create an HA service using an existing partition, you need to manually reset the password to ensure that the new password is of 8 or more characters.
Activating a PED-Authenticated Service
You can activate a role on a PED-authenticated service to allow the role to authenticate to the service using a challenge password only, without PED interaction. You can activate a service when you initialize it, or later, by selecting the service and navigating to the Partitions tab.
You can activate PPSO services only. Use LunaCM to activate a non-PPSO service. Services that have both PPSO and STC enabled cannot be activated after the service is deployed to an Application Owner. This is because after the STC link is established, the Partition SO can only access and modify the partition through the STC link with the Thales Luna HSM client, not through CCC.
Managing Services
After you have added or created a service, you can view or edit its attributes, remove it from CCC, or delete it if it is no longer required. To manage your services, click on the Crypto Services tab, and select Services in the navigation frame. All existing services are listed. You can sort the service list by column, or use the search function to find a specific service:
- Click the dropdown button in the Remove column to detach or delete the service (with confirmation).
- Click the Initialize button in the Initialization State column to initialize a currently uninitialized service.
- The Status column displays an icon for each service. A green icon indicates that all the associated devices are up and running.
When you click on a service, its attributes are displayed at the bottom of the page, arranged by tabs.
Viewing or Editing Service Attributes
Click on a service to display its attributes at the bottom of the page. To help find a service, you can sort the service list by column heading, or use the search function. To view or edit service attributes:

1. Click on the Crypto Services tab, and select Services in the navigation frame to display a list of all added services.

2. After finding the service you want, click on the service to display its attributes.

3. Click on a tab to view, edit, or refresh the service attributes, as follows:

   General: Displays the service name and description, the organization that owns the service, who created the service, and when it was created. You can edit the service name, description, organization, or HA group label.
   Capabilities: Displays the service type, partition size, authentication type, and capabilities of the host device. The CCC administrator can view and edit the partition size in a service.
   Partitions: Displays the names of the host devices. If the service is initialized, the names, labels, serial numbers, appliance versions, and device firmware versions of the partitions that provide the service are also displayed. The Admin user can add and initialize partitions in any single or HA service. One or more partitions can be removed from an HA service. For PPSO services, additional functions are available. Click Initialize Crypto User to set the initial credentials for the crypto user role. Click Activate Roles to activate a role so that it can use a challenge password to connect to a PED-authenticated service without PED interaction. You are prompted to enter the challenge passwords for the roles. This function applies only to PED-based services.
   Keys: Displays the Label, Type, Handle, Fingerprint, Algorithm, and Bit Size of the keys present on partitions associated with a service. To view the key attributes, you must authenticate as the Crypto Officer by providing the Crypto Officer password. For PED services, you must provide a valid Remote PED Server IP address and port.

   To view the attributes of a key on a partition, you need to disable the ipcheck property of NTLS on the HSM appliance (this turns off NTLS client source IP validation) with the following LunaSH command:

   ntls ipcheck disable

   - For a PED service, if the CO role is activated, you are not required to provide the Remote PED Server IP address and port. CCC establishes an NTLS session with the partitions to fetch the partition object information. You can use the Log Off Session button to terminate the NTLS session. A session that remains idle for 3 hours is terminated automatically.
   - To ensure that this feature works properly, it is recommended that you use Lunaclient 7.1 or above on the CCC server.
   - It is recommended that you do not use the CCC server to create an NTLS connection via LunaCM or LunaSH, as that can lead to errors while displaying key attributes. Instead, use the CCC Client to create an NTLS connection.
   - For non-PPSO PED HA services, activate the crypto officer manually.
   - As part of key attribute retrieval on an HA service, CCC syncs the objects created across all member partitions of that HA group.
   - Do not import the CCC ROT partition as a service and view its keys. Doing so can potentially break the NTLS connection between the ROT partition and the CCC server.

   Clients: Displays the status, host address, fingerprint, and last registration of the Thales Luna HSM client workstation(s) that the service is deployed on, if it is currently deployed. When an added partition is initialized or an initialized partition is removed from a service, the status of clients already associated with the service changes to the error status icon, indicating that these clients must be re-registered to sync with the changes to the service.
Modifying partition size
After creating a service, the CCC administrator can view and edit the size of the partitions in a service to match their required usage. The partition size is restricted as follows:

- The minimum partition size is 1000 bytes.
- The maximum partition size is 99999999 bytes.

To modify the partition size:

1. Click the Crypto Services tab, and select Services in the navigation frame to display a list of all added services.

2. Click a service. A list of attributes in the form of tabs appears on the screen.

3. Click Capabilities.

4. Click the Edit button displayed under the Capabilities tab.

5. Enter a new numeric value in the Partition size (bytes) text box.

   The CCC administrator cannot enter an alphanumeric value in the Partition size (bytes) text box. If the CCC administrator enters a partition size that is not allowed given the available device memory, a modal window with an error message appears on the screen.

6. Click Save. If the updated partition size is saved successfully, a modal window displays a success message.

7. Click Close to close the modal window.

If CCC stops functioning because of a network issue during the update, the updates are rolled back and an error message notifies the CCC administrator to try again later.

If one or more devices are offline while the updated partition size is being saved, an error message notifies the CCC administrator to try again when all the devices are online.

If no space is available on the devices while modifying the partition size, an error message displays.
Adding a Partition to a Service
As a CCC administrator, you can add a partition to a service either to add failover support by converting a single-partition service to an HA service, or to increase redundancy by adding more members to the HA group. To add a partition to a service:

1. Click the Crypto Services tab, and select Services in the navigation frame to display a list of all added services.

2. Click a service. A list of attributes in the form of tabs appears on your screen.

3. Click Partitions.

4. Click Add Partitions. The Add Partitions modal window appears on your screen.

5. Click Add to add the devices displayed under Available Devices, or click Close to close the Add Partitions modal window.

   Devices that are already associated with the service do not appear in the Available Devices list.

6. Click Next. The confirmation modal window displays.

7. Click Add Partitions to add the partitions to the service. Once the CCC administrator clicks Add Partitions, a modal window with a success message appears on the screen.

8. Click Initialize now to initialize the added partitions, or No, close to close the modal window.

The newly added, uninitialized partitions are displayed in a separate grid with the header Uninitialized Partitions, below the initialized partitions, with an Initialize Partitions option on the right.
Initializing an added partition
You must initialize an added partition before you begin to use this partition. You can initialize an added partition as a CCC administrator or an application owner. To initialize an added partition:
1. Click the Initialize now link that appears in the success modal window when you add a new partition.

2. The Initialize New Partitions modal window appears with the following three tabs:

   - Important
   - Define Partition
   - Initialize Role

   The Important tab displays a caution to initialize the new partitions with the same cloning domain and role credentials as the existing partitions, to prevent zeroizing the existing partitions.

3. Click Next. The Define Partition tab displays with a disabled Partition Label.

4. Enter the Cloning Domain and confirm it.

5. Click Next. The Initialize Roles tab appears on the screen.

6. Enter the Crypto Officer Password and confirm it.

7. Select the Initialize Crypto User checkbox to initialize the Crypto User credentials.

8. Click Initialize New Partitions. The Partitions successfully initialized modal appears on the screen.

9. Click Close to close the modal.

Use the following settings for PPSO password and PED services:

CU Status | New Partition | Old Partition | Behavior | Initialization Status
Initialize CU | Yes | Already initialized | No change on old partition | New: Initialized; Old: Initialized
Initialize CU | Yes | Not initialized | Old partition will also be initialized | New: Initialized; Old: Initialized
Initialize CU | No | Already initialized | No change on old partition | New: Uninitialized; Old: Initialized
Initialize CU | No | Not initialized | No change on old partition | New: Uninitialized; Old: Uninitialized

For PPSO PED services, use the following settings:

CU Status | New Partition | Old Partition | Behavior | Initialization Status
Activate CU | Yes | Already activated | No change on old partition | New: Activated; Old: Activated
Activate CU | Yes | Not activated | Old partition will also be activated | New: Activated; Old: Activated
Activate CU | No | Already activated | No change on old partition | New: Not activated; Old: Activated
Activate CU | No | Not activated | No change on old partition | New: Not activated; Old: Not activated

When an added partition is initialized or an initialized partition is removed from a service, the status of clients associated with the service changes to the error status icon, indicating that these clients must be re-registered to sync with the changes to the service.

The CCC Administrator can also initialize a partition by clicking the "Initialize Partitions" option under the Firmware column of the Uninitialized Partitions section and following steps 2-9 above.
If you are upgrading from an older version of CCC to CCC 3.9 and you want to create an HA service using an existing partition, you need to manually reset the password to ensure that the new password is of 8 or more characters.
Initializing New Partitions
To Initialize New Partitions from the list of all provisioned services:
1. Click on the Crypto Services tab, and select Services in the navigation frame to display a list of all currently provisioned services.

2. Click the Initialize New Partitions link in the Initialization State column.

Any provisioned service that has new partitions in the uninitialized state has an Initialize New Partitions link in the Initialization State column.
Removing a Partition from HA Group
As a CCC administrator, you can remove a partition from an HA group to save the memory on the device or to re-use the partitions. It is important for CCC administrator to clone any required key material before deleting the partition. To remove a partition from HA group
-
Click Crypto Services tab, and select Services in the navigation frame to display a list of all added services.
-
Click a service. A list of attributes in the form of tabs displays.
-
Click Partitions.
-
Click the dropdown icon displayed in the rightmost column and select Remove Partition. A confirmation dialog displays.
-
Click Yes, remove partition in the dialog to remove the partition from the HA group, or click No, cancel to close the dialog.
Once a partition is removed, the action cannot be undone.
Partition removal is applicable only to HA services. If the user tries to remove the last partition from an HA group, an error message displays.
The CCC administrator cannot perform the partition removal operation on a single-HSM service.
Detaching or Deleting Services
You can detach a service if you no longer wish to manage it using CCC, or delete a service if it is no longer required. Detaching a service only removes it from CCC. It does not affect the associated partition(s) used to provide the service, or the objects they contain. Deleting a service removes it from CCC and deletes the partition(s) used to provide the service and any objects they contain. Services are normally deleted by the Application Owner.
To detach a service:
-
Click on the Crypto Services tab, and select Services in the navigation frame.
-
After finding the service you want, click the dropdown icon in the Remove column and select Detach service. A confirmation dialog appears on the screen.
To delete a service:
-
Click on the Crypto Services tab, and select Services in the navigation frame.
-
After finding the service you want, click the dropdown icon in the Remove column and select Delete service. A confirmation dialog appears on the screen.
Deleting a service deletes the partition(s) used to provide the service and all objects in the partition(s).
Migrate Service
CCC enables you to migrate objects from an existing service to a new service (a video demonstrating the service migration capabilities of CCC accompanies this section).
Refer to the following sections for details regarding the devices that are supported for migration, steps involved in the migration process, and troubleshooting:
Migrate Service - Supported Devices
CCC supports the following devices for service migration:
Source Device | Destination Device |
---|---|
6.x non-PPSO PED | 6.x PPSO PED; 7.x PED |
6.x PPSO PED | 6.x PPSO PED; 7.x PED |
7.x PED | 6.x PPSO PED; 7.x PED |
6.x non-PPSO Password (only if the source service/partition was originally created and its roles initialized through LUSH) | 7.x Password (for SAs below 7.7, apply the REST patch that fixed the domain issue) |
6.x PPSO Password (only if the source service/partition was originally created and its roles initialized through LUSH) | 7.x Password (for SAs below 7.7, apply the REST patch that fixed the domain issue) |
7.x Password (for SAs below 7.7, apply the REST patch that fixed the domain issue) | 7.x Password (for SAs below 7.7, apply the REST patch that fixed the domain issue) |
Migration is not possible when the source firmware is 7.7.x and target firmware is 7.4 or below.
Migration is not possible when source firmware is FM-ready/no-FM and target firmware is FM-disabled/FM-enabled.
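A migration blocks all other CCC functions while it runs, so it is worth validating the source/destination pair before starting. The following Python pre-flight check is an added example, not CCC code: it encodes the supported-device table above together with the two firmware constraints (7.7.x source to a 7.4-or-lower target; FM-ready/no-FM source to an FM-disabled/FM-enabled target) and reports blocking problems separately from advisory notes such as the REST patch and LUSH requirements. The Device fields, the dotted firmware version format and the sample devices are assumptions constructed for the example.

```python
"""Pre-flight compatibility check for CCC service migration (added example).

Encodes the source/destination matrix and firmware constraints from the
CCC documentation. The Device fields and firmware string format are
assumptions; CCC itself exposes no such API here.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Device:
    family: str     # SA release family: "6.x" or "7.x"
    auth: str       # "PED" or "Password"
    ppso: bool      # PPSO policy enabled on the partition
    firmware: str   # HSM firmware, e.g. "7.7.1" (assumed dotted format)
    fm_state: str   # "FM-ready", "no-FM", "FM-disabled" or "FM-enabled"


def parse_firmware(version: str) -> tuple[int, ...]:
    """Turn '7.7.1' into (7, 7, 1) so releases compare numerically."""
    version = version.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"unrecognised firmware version: {version!r}")
    return tuple(int(part) for part in version.split("."))


def check_migration(src: Device, dst: Device) -> tuple[bool, list[str]]:
    """Return (supported, notes).

    Entries starting with 'BLOCK:' make the migration unsupported;
    entries starting with 'NOTE:' are prerequisites or advice.
    """
    notes: list[str] = []

    # The matrix never crosses authentication types: PED sources go to PED
    # destinations and Password sources to Password destinations.
    if src.auth != dst.auth:
        notes.append(f"BLOCK: {src.auth} source cannot migrate to {dst.auth} destination")

    if dst.auth == "PED":
        # Destination column for every PED source row: 6.x PPSO PED or 7.x PED.
        if not (dst.family == "7.x" or (dst.family == "6.x" and dst.ppso)):
            notes.append("BLOCK: PED destination must be 6.x PPSO or 7.x")
    elif dst.auth == "Password":
        # Destination column for every Password source row: 7.x Password only.
        if dst.family != "7.x":
            notes.append("BLOCK: Password destination must be 7.x")
        elif parse_firmware(dst.firmware)[:2] < (7, 7):
            notes.append("NOTE: destination SA below 7.7 needs the REST patch for the domain issue")
        if src.family == "6.x":
            notes.append("NOTE: 6.x Password source must have been created, with roles initialized, through LUSH")
    else:
        notes.append(f"BLOCK: unknown authentication type {dst.auth!r}")

    # Firmware constraint: a 7.7.x source cannot migrate to a 7.4-or-lower target.
    sfw, dfw = parse_firmware(src.firmware), parse_firmware(dst.firmware)
    if sfw[:2] == (7, 7) and dfw[:2] <= (7, 4):
        notes.append("BLOCK: source firmware 7.7.x cannot migrate to target firmware 7.4 or below")

    # Functionality Module constraint.
    if src.fm_state in ("FM-ready", "no-FM") and dst.fm_state in ("FM-disabled", "FM-enabled"):
        notes.append(f"BLOCK: source {src.fm_state} cannot migrate to target {dst.fm_state}")

    # Sizing advice from the migration steps: 7.x stores objects less compactly than 6.x.
    if src.family == "6.x" and dst.family == "7.x":
        notes.append("NOTE: size the destination partition generously; 7.x consumes more space per object")

    supported = not any(n.startswith("BLOCK:") for n in notes)
    return supported, notes


if __name__ == "__main__":
    # Constructed sample pair: 6.x non-PPSO PED source to a 7.x PED target.
    source = Device("6.x", "PED", False, "6.24.3", "no-FM")
    target = Device("7.x", "PED", True, "7.3.0", "no-FM")
    ok, reasons = check_migration(source, target)
    print("supported" if ok else "unsupported")
    for reason in reasons:
        print(" ", reason)
```

Run it once per planned source/target pair; anything tagged BLOCK means the Migrate Service wizard will not be able to complete for that pair, while NOTE entries are the prerequisites to satisfy before clicking Migrate Service.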
Migrate Service - Steps Involved
The steps involved in migrating services are as follows:
To migrate a service, you need to disable the ipcheck property of NTLS on the HSM:
ntls ipcheck disable
The service migration process may take some time, depending on the number of objects and the number of devices. You will not be able to perform other CCC functions until the process completes.
For non-PPSO PED service migration, ensure that the source partition is activated and the default challenge is not set.
The Migrate Service feature supports migration from one device to one or more target devices. Even if the selected source service is an HA service, migration is done only from its first partition, which is displayed in the migration progress messages.
If sufficient partition licenses are not available, the Migrate Service button is disabled.
It is recommended that you back up the source partitions whose data you are migrating.
If you are upgrading from an older version of CCC to CCC 3.9 and you want to create an HA service using an existing partition, you need to manually reset the password to ensure that the new password is 8 or more characters long.
-
Add the following devices to CCC:
-
The source device that needs to be migrated
-
All the target devices on which the migration is to be done
-
Ensure that the service that needs to be migrated is already present in CCC, or create a service from the partition that needs to be migrated.
The service will not be listed for selection unless the source HSM has cloning capability and is initialized.
-
Click Crypto Services - Migrate Service from the CCC landing page.
-
Click the Migrate Service button and perform the following tasks in the Migrate Service window:
a. Select Service: Select the service that you want to migrate and click Next. If the selected service is an HA service, its first partition is considered the primary partition.
b. New Service: Enter information related to the new service, including HSM model, service name, partition size, organization name, and description (optional). Click Next when you are done. Choose the partition size carefully, since the destination SA consumes more space when migrating objects from 6.x to 7.x.
c. Select Devices: Select the devices that you want to use for the new service and click Next.
d. Define Partition: Enter the partition label and cloning domain (only for password-authenticated devices). Click Next when you are done. You must initialize the new service partitions using a cloning domain and role credentials identical to those of the service that you have selected for migration.
e. Initialize Roles: Initialize the crypto officer credentials by providing the necessary inputs. For password-authenticated devices, provide the security officer challenge and crypto officer challenge. For PED-authenticated devices, provide the Remote PED server IP address, Remote PED server port, and crypto officer challenge.
f. Summary: Validate the details related to the parent service and child service, and then click the Migrate Service tab. Wait for the service migration process to complete. Note that the process may take some time, depending on the number of objects and the number of devices. You will see a success message after the objects have been migrated.
Migrate Service - Troubleshooting
Error Message | Solution |
---|---|
We ran into an error while creating a new service for these devices. | Use the import partition functionality to manually import partitions into CCC, either as multiple single partition services or as an HA group of multiple partitions. |
We ran into an error while migrating the key material to the following device(s): | To add devices on which migration has failed, use the add partition functionality for the newly created service. Next, run ccc_client to authorize the service. While authorizing the service, CCC also runs synchronization between all partitions of the service. |