Installing Crypto Command Center
The installation procedure explained on this page is intended for system administrators and other qualified professionals who are responsible for installing and configuring Thales Crypto Command Center for their organization.
Before You Begin
Before you begin Crypto Command Center (CCC) installation, review the minimum hardware and software requirements that are listed here.
Install CCC
You can install CCC using either Podman or Kubernetes.
Install CCC using Podman
The steps involved in installing CCC using Podman are as follows:
Install Podman using the procedure explained here.
Install podman-compose using the procedure explained here.
Set up and initialize a Luna HSM partition. This partition will be used to create a CCC root of trust (ROT). You'll be required to provide the partition-related details while modifying the environment file in a later step.
In case you want to use an HA ROT, you need to set up and initialize two partitions that have the same domain. You'll be required to provide the details related to these partitions while modifying the environment file in a later step.
Download and extract the CCC package.
Extract the CCC package inside the home directory of the user who is going to initialize the CCC container. For example, if the username is podmanuser, then the CCC package needs to be placed in the /home/podmanuser directory.
Copy the CCC license file and paste it inside the ccc-certs directory under the CCC package.
You have the option to upload the license file later, after logging in to CCC. You can do so by accessing the Administration tab from the menu bar at the top, followed by selecting the Licenses option from the navigation pane on the left, and then clicking the Upload button.
If you are using a CA-signed certificate:
a. Create a PKCS#12 certificate with an alias named s1as. For example, the following command creates a PKCS#12 file called certificate.p12 by combining the signed certificate (saved in the file signed_Certificate.cer) and the private key (saved in the file certificate.key):
openssl pkcs12 -export -in signed_Certificate.cer -inkey certificate.key -out certificate.p12 -name s1as -CAfile <CAs_Cert.cer> -caname root
b. Copy the certificate and paste it inside the ccc-certs directory under the CCC package.
c. Provide the following CA-signed certificate related details while updating the environment file in a later step:
- CA_CERTIFICATE
- CA_CERTIFICATE_FILE_NAME (Ensure that the CA_CERTIFICATE_FILE_NAME provided does not include the extension of the certificate file. For example, if the CA-signed certificate is created with the name 'caSigned.p12', then only provide 'caSigned' in this field. Including the file extension may cause issues with the certificate validation process.)
- CA_CERTIFICATE_PASSWORD
Go to the CCC package and load the Podman image.
podman load -i ccc-4.0.0.tar
Go to the podman directory inside the CCC package and make changes to the environment file.
vi ccc_config.env
If you want to use an external database, you need to provide the required details while modifying the environment file.
If you want to use an HA ROT, you need to follow the cloning protocol and ensure that:
(i) ROT_HA_ENABLE is set to Y
(ii) IP address for the second device is specified under HSM_IP2
(iii) Password for the second device is specified under HSM_PASSWORD2
(iv) Both the partitions have the same PARTITION_LABEL
(v) Both the partitions have the same CRYPTO_OFFICER_PASSWORD
(vi) Both the partitions have the same domain
(vii) Partition on the second device is specified under PARTITION_NAME2
(viii) REMEMBER_CREDENTIAL is set to Y
Ensure that you've specified the name of the CCC license file under CCC_LICENSE_FILE_NAME.
If you have mapped HSM_IP1 or HSM_IP2 with the hostname/DNS, then you need to update the hostAliases section in the podman-compose.yml file, as indicated below:
extra_hosts:
- "Hostname/DNS of HSM1:IP address of HSM1"
- "Hostname/DNS of HSM2:IP address of HSM2"
If you are an LDAPS user, follow these steps to configure LDAPS for CCC:
Additional Steps for LDAPS Users.
Build a CCC container.
podman-compose up -d
If you want to run the CCC container in an environment with SELinux in enforcing mode, follow these instructions:
Running CCC with SELinux in enforcing mode
Run the following command to check the logs of CCC container, if needed.
podman logs -f ccc
Launch CCC on any of the nodes using one of the following URLs, depending on whether the machine is identified by an IP address or hostname:
Log on to CCC as an admin user. If you are logging in for the first time, use the following credentials:
-
Username: admin
-
Password: PASSWORD
Change the password. You can now start exploring various functions and features of CCC.
If the Administrator requires that you use two-factor authentication, you are prompted to configure a one-time password (OTP). Using a two-factor authentication application on a mobile device, scan the displayed QR code or manually type in the displayed secret key, excluding spaces. Add your account. A 6-digit OTP code is generated. Enter this code in the login page, excluding spaces. You are prompted to change the password in case you are a local user.
If the CCC Administrator edits the credentials of a user that has two-factor authentication enabled, the user needs to re-enroll in the two-factor authentication process.
The clock for your two-factor authentication application must be synchronized within 2 seconds of the clock for CCC. Otherwise the OTP code will be rejected due to a validation error.
Install CCC using Kubernetes
The steps involved in installing CCC using Kubernetes are as follows:
Log on to both the Linux machines that you intend to use for CCC installation.
There should be full network connectivity between these machines. During installation, you will be using one of the machines as the Master node and the other one as the Worker node. Depending on your requirements, you can have more than one Master node and Worker node.
Set up Kubernetes Cluster on the Master node as well as the Worker node, using the steps explained here. Kubernetes enables you to install CCC and all its dependencies in a cluster of containers that run on virtualized host OS.
Set up and initialize a Luna HSM partition. This partition will be used to create a CCC root of trust (ROT). You'll be required to provide the partition-related details while modifying the configuration settings in a later step.
In case you want to use an HA ROT, you need to set up and initialize two partitions that have the same domain. You'll be required to provide the details related to these partitions while modifying the configuration settings in a later step.
Download and extract the CCC package on the Master node as well as the Worker node.
Extract the Crypto Command Center package inside your home directory.
Create a directory named ccc-certs:
mkdir -p /home/ccc/ccc-certs
Copy the CCC license file and paste it inside the ccc-certs directory under the CCC package.
You have the option to upload the license file later, after logging in to CCC. You can do so by accessing the Administration tab from the menu bar at the top, followed by selecting the Licenses option from the navigation pane on the left, and then clicking the Upload button.
If you are using a CA-signed certificate:
a. Create a PKCS#12 certificate with an alias named s1as. For example, the following command creates a PKCS#12 file called certificate.p12 by combining the signed certificate (saved in the file signed_Certificate.cer) and the private key (saved in the file certificate.key):
openssl pkcs12 -export -in signed_Certificate.cer -inkey certificate.key -out certificate.p12 -name s1as -CAfile <CAs_Cert.cer> -caname root
b. Copy the certificate and paste it inside the ccc-certs directory under the CCC package.
c. Provide the following CA-signed certificate related details while updating the environment file in a later step:
- CA_CERTIFICATE
- CA_CERTIFICATE_FILE_NAME (Ensure that the CA_CERTIFICATE_FILE_NAME provided does not include the extension of the certificate file. For example, if the CA-signed certificate is created with the name 'caSigned.p12', then only provide 'caSigned' in this field. Including the file extension may cause issues with the certificate validation process.)
- CA_CERTIFICATE_PASSWORD
Go to the Crypto Command Center package on the Worker node and import the CCC images:
ctr -n=k8s.io images import ccc-4.0.0.tar
Run the following command on the Worker node to list all the images:
crictl images
Go the the ccc directory in the Master node and open the kubernetes sub-directory.
Create secrets by running the following command:
kubectl create secret generic ccc-password \
--from-literal=CCC_TRUSTSTORE_PASSWORD='password' \
--from-literal=CCC_KEYSTORE_PASSWORD='password' \
--from-literal=CCC_CREDENTIALSTORE_PASSWORD='password' \
--from-literal=HSM_PASSWORD1='password' \
--from-literal=CRYPTO_OFFICER_PASSWORD='password' \
--from-literal=HSM_PASSWORD2='password' \
--from-literal=CCC_ADMIN_PASSWORD='password' \
--from-literal=CA_CERTIFICATE_PASSWORD='password' \
--from-literal=CCC_DB_PASSWORD='password'
Modify the configuration settings on the Master node as per your requirements:
vi config-map.yaml
If you want to use an external database, you need to provide the required details while modifying the configuration settings.
If you want to use an HA ROT, you need to follow the cloning protocol and ensure that:
(i) ROT_HA_ENABLE is set to Y
(ii) IP address for the second device is specified under HSM_IP2
(iii) Password for the second device is specified under HSM_PASSWORD2
(iv) Both the partitions have the same PARTITION_LABEL
(v) Both the partitions have the same CRYPTO_OFFICER_PASSWORD
(vi) Both the partitions have the same domain
(vi) Partition on the second device is specified under PARTITION_NAME2
(vii) REMEMBER_CREDENTIAL is set to Y
Ensure that you've specified the name of the CCC license file under CCC_LICENSE_FILE_NAME.
If you have mapped HSM_IP1 or HSM_IP2 with the hostname/DNS, then you need to update the hostAliases section in the deployment.yaml file, as indicated below:
hostAliases:
- ip: "IP address of HSM1"
hostnames:
- "Hostname/DNS of HSM1"
- ip: "IP address of HSM2"
hostnames:
- "Hostname/DNS of HSM2"
Edit the deployment.yaml file on the Master node if you are using LDAPS:
vi deployment.yaml
If you are an LDAPS user, follow these steps to configure LDAPS for CCC:
Additional Steps for LDAPS Users.
Launch CCC:
sh launch.sh
If you want to run the CCC container in an environment with SELinux in enforcing mode, follow these instructions:
Running CCC with SELinux in enforcing mode
Check whether CCC installation is successful by verifying the output of the following command:
sudo kubectl get all -o wide
Launch CCC on any of the nodes using one of the following URLs, depending on whether the machine is identified by an IP address or hostname:
Log on to CCC as an admin user. If you are logging in for the first time, use the following credentials:
-
Username: admin
-
Password: PASSWORD
Change the password. You can now start exploring various functions and features of CCC.
If the Administrator requires that you use two-factor authentication, you are prompted to configure a one-time password (OTP). Using a two-factor authentication application on a mobile device, scan the displayed QR code or manually type in the displayed secret key, excluding spaces. Add your account. A 6-digit OTP code is generated. Enter this code in the login page, excluding spaces. You are prompted to change the password in case you are a local user.
If the CCC Administrator edits the credentials of a user that has two-factor authentication enabled, the user needs to re-enroll in the two-factor authentication process.
The clock for your two-factor authentication application must be synchronized within 2 seconds of the clock for CCC. Otherwise the OTP code will be rejected due to a validation error.
If you want to use HA configuration, you need to use an external database.
If you want to use HA configuration, run the following command to specify the number of replicas:
kubectl scale --replicas=2 deployment ccc-deployment