Troubleshooting
This section offers you solutions, workarounds, and explanations for issues related to CCC.
While running the CCC container in the SELinux enforcing mode, I’m encountering an error.
This occurs because your data is being backed up outside the container in the pgdata directory to maintain persistence. To resolve this problem, implement the following modifications:
Running CCC with SELinux in enforcing mode
I am unable to access the data within the ccc-certs, pgdata, and ccc directories as a non-container user.
The ccc-certs directory includes CCC licenses and certificates that must be uploaded within the CCC application. The pgdata directory contains CCC data, while the ccc directory records the logs generated by the CCC application. At first, all these folders are accessible to the user who intends to launch the CCC container. However, after the CCC container is initialized, the ownership of these directories is transferred to the user within the container. Consequently, non-container users will not be able to access the data stored in these directories. To gain access to the data in these directories, execute the following commands:
Podman
podman exec -it ccc bash
sudo chmod -R 777 /usr/safenet/ccc/server/standalone/log
sudo chmod -R 777 /usr/safenet/ccc/packages
sudo chmod -R 777 /usr/safenet/ccc/lunalogs
sudo chmod -R 777 /usr/safenet/ccc/user-certs
sudo chmod -R 777 /var/lib/postgresql
Kubernetes
kubectl exec -it <pod_name> -- bash
sudo chmod -R 777 /usr/safenet/ccc/server/standalone/log
sudo chmod -R 777 /usr/safenet/ccc/packages
sudo chmod -R 777 /usr/safenet/ccc/lunalogs
sudo chmod -R 777 /usr/safenet/ccc/user-certs
sudo chmod -R 777 /var/lib/postgresql
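The commands above leave the certificate, log and database directories writable by every local user. When access is only needed temporarily, the following added example (not part of the vendor procedure) records the existing modes first and puts them back afterwards. The function names and the /root/ccc-modes.tsv path are assumptions; it expects GNU find and is run as root inside the container.

```shell
#!/bin/sh
# Added example, not vendor code. Usage inside the container, with paths from this page:
#   save_modes /usr/safenet/ccc/user-certs /var/lib/postgresql > /root/ccc-modes.tsv
#   ... run the chmod -R 777 commands and copy out what you need ...
#   world_writable /usr/safenet/ccc/user-certs /var/lib/postgresql   # what is exposed now
#   restore_modes /root/ccc-modes.tsv

# Record "mode<TAB>path" for every entry under the given directories.
# Symlinks are skipped because chmod would follow them to their targets.
# Paths containing a newline are not supported.
save_modes() {
    find "$@" ! -type l -printf '%m\t%p\n'
}

# Reapply the modes recorded by save_modes (list file in $1).
# Entries that no longer exist are ignored.
restore_modes() {
    local list="$1" mode path
    while IFS="$(printf '\t')" read -r mode path; do
        if [ -e "$path" ]; then
            chmod "$mode" "$path"
        fi
    done < "$list"
}

# Print every entry that any local user can currently modify.
world_writable() {
    find "$@" ! -type l -perm -0002
}
```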
I'm unable to initialize the CCC container using data from the old CCC container database.
To ensure persistence, the CCC database is stored on the host machine. To initialize the CCC container using data from the old CCC container, you need to make the following changes:
Podman
In case of Podman, the /var/lib/postgresql directory of the CCC container is mapped to <ccc_distribution_folder>/podman/pgdata on the host machine. However, this mapping can be modified in the podman-compose.yml file. When the CCC container is initialized using the command "podman-compose up", it reads the volume mappings specified in the podman-compose.yml file and begins persisting data accordingly. If you want to relocate the ccc_distribution package and initialize it again, you must also move the pgdata folder to the new path <ccc_distribution_folder>/podman/pgdata to access the old data generated by CCC.
Kubernetes
In case of Kubernetes, the /var/lib/postgresql directory of the CCC container is mapped to /home/ccc/pgdata on the host machine. You can modify this setting in the postgres-data.yaml file, as required.
I cannot access CCC on Mozilla Firefox even after clicking the Accept the risk and continue button.
This issue is specific to Mozilla Firefox. You can either access CCC on Google Chrome or Microsoft Edge, or follow these steps to access CCC on Mozilla Firefox:
Click the Options tab from the menu on the right.
Click the Privacy and Security option from the navigation pane on the left and then scroll down to the Certificates section.
Click the View Certificates button and then click the Servers tab from the Security Manager window that appears on the screen.
Click the Add Exception button at the bottom.
Enter the CCC path in the Add Security Exception window that appears on the screen.
Click the Get Certificate button and then click the Confirm Security Exception button after the certificate gets generated. You should now be able to access CCC on Mozilla Firefox.
I’m encountering the following error message while running the sh install.sh -check command: "This script must be executed by root privilege".
To overcome this issue, you need to log in as the root user.
I’m encountering the following error during CCC installation: "Perl command not installed".
To resolve this issue, you need to install Perl using the following command: yum install perl
I’m encountering the following error during CCC installation: "[Error] openssl command not installed".
To resolve this issue, you need to install OpenSSL using the following command: yum install openssl
I’m encountering an error while configuring CCC.
Run the sh config.sh -debug command to see a detailed error log on your screen. Based on the error that is displayed in the error log, you can make the necessary changes and then run the sh config.sh command again. In case you are not able to resolve the issue using the error log, take a screenshot of the error log and contact Thales Customer Support.
I’m encountering the following error when I run the sh config.sh -check command: "This script must be executed by root privilege".
To resolve this issue, you need to log in as the root user.
I’m encountering the following error during the CCC configuration: "[Error] User lunadirector does not exist".
To resolve this error, you need to re-install CCC.
I’m encountering the following error during CCC configuration: "[Error] ipcalc command not installed".
To resolve this error, you need to install ipcalc using the following command: yum install initscripts
I’m encountering the following error during CCC configuration: "[Error] JCPROV_HOME is not defined".
To resolve this error, you need to check whether lunaclient has been installed properly.
I’m encountering the following error during CCC configuration: "[Error] JCPROV libraries not found. Please make sure you have LunaClient with JCProv installed on this machine".
To resolve this error, you need to check whether lunaclient has been installed properly.
I’m encountering the following database connection error at the time of configuration: “Server chose TLSv1, but that protocol version is not enabled or supported by the client” or “Server chose TLSv1.1, but that protocol version is not enabled or supported by the client”.
If you are using the RHEL 8 operating system, you may get this error at the time of CCC configuration. This is because RHEL 8 has deprecated TLSv1.0 and TLSv1.1. To overcome this issue, either upgrade the database TLS version to TLSv1.2 or above, or change the system-wide crypto policy on the CCC server by running the update-crypto-policies --set LEGACY command.
After re-configuring CCC, the server starts successfully but the CCC URL lands on a blank page.
This can be a result of configuration mismatch between the CCC and database. During CCC configuration, if you enter “no” in response to the message “The CCC database is already configured. Do you want to change the database configuration?”, ensure that the current configuration properties of the database are aligned with the previous settings. If there is any change in database configuration, enter “yes” in response to the above-stated message and then re-configure CCC with new database settings.
I’m encountering an error while uninstalling CCC.
Run the sh uninstall.sh -debug command to see a detailed error log on your screen. Based on the error that is displayed in the error log, you can make the necessary changes and then run the sh uninstall.sh command again. In case you are not able to resolve the issue using the error log, take a screenshot of the error log and contact Thales Customer Support.
I'm encountering the following message while activating CCC root of trust: "System already activated".
To resolve this issue, you need to:
Activate the ROT again by entering the partition label and password.
Select the "This device is running firmware 7.7 and above" checkbox if you are using Luna HSM 7.7.0 or Luna HSM 7.7.1 with firmware 7.7.0 or 7.7.1.
Check the Remember credentials checkbox if you want CCC to cache your root of trust credentials.
Click the Activate button.
I'm encountering the following error in the Keys section when I type in the Crypto Officer password and press Enter: "An error has occurred in creating NTLS connection".
You may be encountering this issue because the Luna Client installed on your system is old. To overcome this issue, you can try using Luna Client 7.1 and above. To obtain the latest version of Luna Client, contact Thales Customer Support.
Why am I seeing an error under the Device Status column of the Monitoring and Reports tab after changing the CCC root of trust?
You are seeing this error because you haven't reconfigured the devices after changing the CCC root of trust (ROT). To reconfigure the devices:
Log in to CCC and navigate to Devices.
Select the device that is displaying the error under the Device Status column.
Click the Connection tab.
Press the Update Credentials button.
In the Update Rest API Credentials window that appears, enter your username and password and then press the Update button. A pop-up message will appear on your screen, indicating that the credentials have been successfully changed.
Click the Authorization tab and then press the Re-authorize Device button.
In the Authorize SO Login window that appears, enter the HSM SO password to grant CCC the right to log in to the device, and then press the Authorize button.
In a short while, the Device Status icon will turn green and you'll be able to perform the device monitoring tasks. If another device shows the same error, repeat the above procedure for that device.
I'm encountering a yellow icon during the LDAP/LDAPs authentication process. Additionally, in the console.log file, I found the following error details:
Exception: KC-SERVICES0055: Error when authenticating to LDAP: LDAP response read timed out, timeout used: 60 ms.: javax.naming.NamingException: LDAP response read timed out, timeout used: 60 ms.
You are experiencing this issue due to a problem with the LDAP authentication process. To resolve the problem and prevent further LDAP authentication errors, please follow these steps:
Go to the machine where the CCC container is running.
Access the container by running the command "podman exec -it ccc bash".
Navigate to the directory /usr/safenet/ccc/server/bin.
Edit the standalone.conf file using the command "vi standalone.conf".
Append the following line and save the file: JAVA_OPTS="$JAVA_OPTS -Dcom.safenetinc.lunadirector.auth.ldapconnection.timeout=30000".
Navigate to the directory /usr/safenet/ccc/scripts.
Stop the server by executing "sh server.sh STOP".
Start the server again by executing "sh server.sh START".
End the container session by running the command “exit”.
Access the GUI of CCC and log in.
Activate the ROT (if required).
Add the directory again.
What steps should I take to resolve a root-of-trust issue that has arisen after changing the HSM Admin password for the device used in CCC root-of-trust creation?
To overcome this issue, you need to execute one of the following procedures, depending on the method you’ve used for CCC installation:
If you’ve installed CCC using Podman
Remove the stored secrets using this command:
podman secret rm ccc_password
Update the secret file in the Podman directory with the correct password.
Load the updated secret file:
podman secret create ccc_password secretfile
Restart the container by running the following commands in the Podman directory:
podman-compose down
podman-compose up
If you’ve installed CCC using Kubernetes
Delete the stored secrets using this command:
kubectl delete secrets ccc-password
Update the secret with the correct password using this command:
kubectl create secret generic ccc-password \
--from-literal=CCC_TRUSTSTORE_PASSWORD='password' \
--from-literal=CCC_KEYSTORE_PASSWORD='password' \
--from-literal=CCC_CREDENTIALSTORE_PASSWORD='password' \
--from-literal=HSM_PASSWORD1='password' \
--from-literal=CRYPTO_OFFICER_PASSWORD='password' \
--from-literal=HSM_PASSWORD2='password' \
--from-literal=CCC_ADMIN_PASSWORD='password' \
--from-literal=CA_CERTIFICATE_PASSWORD='password' \
--from-literal=CCC_DB_PASSWORD='password'
Restart the container by running the following commands in the Kubernetes directory:
kubectl delete -f deployment.yaml
kubectl delete -f config-map.yaml
sh launch.sh
If you’ve installed CCC using Helm
Delete the stored secrets with this command:
kubectl delete secrets ccc-password
Update the secret with the correct password using this command:
kubectl create secret generic ccc-password \
--from-literal=CCC_TRUSTSTORE_PASSWORD='password' \
--from-literal=CCC_KEYSTORE_PASSWORD='password' \
--from-literal=CCC_CREDENTIALSTORE_PASSWORD='password' \
--from-literal=HSM_PASSWORD1='password' \
--from-literal=CRYPTO_OFFICER_PASSWORD='password' \
--from-literal=HSM_PASSWORD2='password' \
--from-literal=CCC_ADMIN_PASSWORD='password' \
--from-literal=CA_CERTIFICATE_PASSWORD='password' \
--from-literal=CCC_DB_PASSWORD='password'
Restart the container by running the following commands in the Helm directory:
helm uninstall ccc
helm install ccc .
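The Kubernetes and Helm procedures above pass each password as a --from-literal argument, which leaves it in shell history and in the process list. The following added example (not part of the vendor procedure) keeps the same nine keys in a file readable only by its owner, checks that file, and recreates the secret with kubectl's --from-env-file option. The function names and the ccc-secret.env file name are assumptions; the file holds one KEY=value line per key, with the value written without surrounding quotes.

```shell
#!/bin/sh
# Added example, not vendor code. Key names are the ones used on this page.
CCC_SECRET_KEYS="CCC_TRUSTSTORE_PASSWORD CCC_KEYSTORE_PASSWORD CCC_CREDENTIALSTORE_PASSWORD HSM_PASSWORD1 CRYPTO_OFFICER_PASSWORD HSM_PASSWORD2 CCC_ADMIN_PASSWORD CA_CERTIFICATE_PASSWORD CCC_DB_PASSWORD"

# Print one problem per line for the env file in $1; print nothing if it is usable.
check_secret_env_file() {
    local file="$1" key value mode
    mode=$(stat -c '%a' "$file") || { echo "cannot stat $file"; return 0; }
    case $mode in
        600|400) ;;
        *) echo "mode $mode: file is accessible to other users (want 600)" ;;
    esac
    for key in $CCC_SECRET_KEYS; do
        if ! grep -q "^${key}=" "$file"; then
            echo "$key: missing"
            continue
        fi
        # Use the first matching line; keep any '=' inside the value.
        value=$(grep -m1 "^${key}=" "$file" | cut -d= -f2-)
        case $value in
            '')       echo "$key: empty" ;;
            password) echo "$key: still the placeholder value" ;;
        esac
    done
}

# Delete and recreate the ccc-password secret from the checked file.
recreate_ccc_secret() {
    local file="$1" problems
    problems=$(check_secret_env_file "$file")
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems" >&2
        return 1
    fi
    kubectl delete secret ccc-password --ignore-not-found &&
        kubectl create secret generic ccc-password --from-env-file="$file"
}
```

Call recreate_ccc_secret ccc-secret.env in place of the delete and create commands, then continue with the restart step for your installation method.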
How should I address a root-of-trust issue that arises after updating the Crypto Officer password for the HSM partition I used to establish CCC root-of-trust?
To resolve this issue, kindly follow the steps designed to address a similar issue: What steps should I take to resolve a root-of-trust issue that has arisen after changing the HSM Admin password for the device used in CCC root-of-trust creation?
How should I proceed when facing a root-of-trust issue on CCC following a change in the certificate of the HSM device used for CCC root-of-trust creation?
To address this problem, perform a container restart by executing the appropriate command based on the CCC installation method you've employed:
If you’ve installed CCC using Podman
podman-compose down
podman-compose up -d
If you’ve installed CCC using Kubernetes
kubectl delete -f deployment.yaml && kubectl delete -f config-map.yaml && sh launch.sh
If you’ve installed CCC using Helm
helm uninstall ccc && helm install ccc .
As a Kubernetes non-root user, how do I modify the volume path at the time of CCC installation?
The steps to modify the volume path are as below:
Find the relevant YAML file (for example, deployment.yaml, lunalogs-volume.yaml, packages-volume.yaml, postgres-data.yaml, serverlogs-volume.yaml) in the Kubernetes folder.
Open the respective YAML file for editing.
Locate the path field under the hostPath section.
Update the path value with the desired volume path.
Save the changes made to the YAML file.
Apply the changes.
sh launch.sh