Viewing and Initializing Services
After logging in to CCC, you'll see a list of the services that are available to be deployed. This list includes the service name and its initialization state. Services may have already been initialized by the CCC Administrator, or they may be awaiting initialization. A service must be initialized before it can be deployed.
Viewing Service Attributes
-
Click Services in the navigation frame to display a list of all added services.
-
After finding the service you want to view, click on the service to display its attributes. You can sort the service list by column heading, or use the search function.
-
Click on a tab to view the service attributes:
General Displays the service name, description, and organization. Click Edit to change the name or description. This information is used to identify the device in CCC.
Capabilities Displays the service type, partition size, authentication type, and the capabilities of the host device. Partitions Displays the name(s) and serial number(s) of the partition(s) that provide the service, if the service is initialized. Keys Displays the Label, Type, Handle, Fingerprint, Algorithm, and Bit Size of the keys present on partitions associated with a service.. Clients Displays the host name of the Thales Luna HSM client workstation that the service is deployed on, if it is deployed.
Initializing a Service
You must initialize a service before you can register it with your application server and begin using it with your applications. Initializing a service initializes the partition(s) used to provide the service on the host devices. CCC Admin users can initialize a service when they create it, or they can leave it uninitialized until it is ready to be deployed. Uninitialized services can be initialized by the CCC Administrator, or by an Application Owner that is a member of the organization that owns the service. To initialize a service, you must specify or create the following details:
-
The initial credentials for the roles that will own or use the service. For services without PPSO enabled, you initialize the credentials for the partition owner (crypto officer) role. For services with PPSO enabled, you initialize the credentials for the partition SO and crypto officer roles. You also have the option to initialize the crypto user role.
-
The cloning domain for the service. You can only clone objects between HSMs that are in the same cloning domain. Cloning is used to perform operations such as backup/restore.
To initialize a password-authenticated service
To initialize a password-authenticated service:
-
Click on Services in the navigation frame to display a list of the services created for your organization that are available to be deployed. Any uninitialized services have an Initialize link in the Initialization State column. To help find a service, you can sort the service list by column heading, or use the search function.
-
After finding the service you want, click on the Initialize link in the Initialization State column. The Initialize Service wizard is displayed.
-
Complete the wizard as follows and then click the Finish button to initialize the service:
Define Partition Enter a label and cloning domain for the partition used to provide the service.
Initialize Roles Set the initial password for the crypto officer. For PPSO services, you also set the initial password for the partition security officer, and optionally for the crypto user. Click Finish to initialize the service. Observe the progress messages to verify success. For a service which used STC and PPSO, after the service is deployed you cannot initialize the Crypto User role through CCC.
To initialize a PED-authenticated service
You require a remote PED to initialize a PED-based service. To use a remote PED with CCC:
-
Install the Thales Luna HSM client, including the remote PED server option, on the computer that you will use to access CCC, or on a separate computer you will use for the remote PED.
-
Configure the Remote PED Server on the computer you will use for the remote PED. Refer to Thales Luna HSM Documentation for more information.
-
Get an orange PED key encoded with the Remote PED Vector (RPV) for the Thales Luna Network HSM appliance that provides the service. Contact your CCC Administrator to get the key.
-
Click Crypto Services in the navigation frame to display a list of the services created for your organization that are available to be deployed. Any uninitialized services have an Initialize link in the Initialization State column. To help find a service, you can sort the service list by column heading, or use the search function.
-
After finding the service you want, click the Initialize link in the Initialization State column. The Initialize Service dialog box will appear on the screen:
Define Partition Enter a label for the partition used to provide the service.
Initialize Roles 1. Enter the IP address of your remote PED server. The default port is auto-filled. If you are not using the default port, enter the Remote PED server port. For PPSO services, enter the challenge password for the crypto officer and (optionally) crypto user roles. The challenge password is the password used to authenticate to the role after it is activated.
2. Click Next and respond to the prompts on-screen and on the PED. For non-PPSO services, the PED generates and displays a 16-digit challenge password. Record this challenge password. It is necessary for service activation.
Activate Roles 1. To activate the roles you initialized, click the Activate Crypto Officer and (optionally) Activate Crypto User checkboxes. You cannot activate the Crypto User without also activating the Crypto Officer. You can activate the roles later, if desired, by editing the service attributes. For services which have the both the Per-Partition Security Officer and the Secure Trusted Channel feature enabled in the template, you can activate the roles any time until an application user deploys the service, which establishes the STC link and precludes further changes through CCC. Otherwise you can activate the roles at any time.
2. Click Finish to initialize the service. Observe the progress messages to verify success.