Installing Crypto Command Center

The installation procedure explained on this page is intended for system administrators and other qualified professionals who are responsible for installing and configuring Thales Crypto Command Center for their organization.

Before You Begin

Before you begin Crypto Command Center (CCC) installation, review the minimum hardware and software requirements that are listed here.

Install CCC

You can install CCC using either Podman or Kubernetes.

Install CCC using Podman

The steps involved in installing CCC using Podman are as follows:

Install Podman using the procedure explained here.

Install podman-compose using the procedure explained here.

Set up and initialize a Luna HSM partition. This partition will be used to create a CCC root of trust (ROT). You'll be required to provide the partition-related details while modifying the environment file in a later step.

In case you want to use an HA ROT, you need to set up and initialize two partitions that have the same domain. You'll be required to provide the details related to these partitions while modifying the environment file in a later step.

Download and extract the CCC package.

Extract the CCC package inside the home directory of the user who is going to initialize the CCC container. For example, if the username is podmanuser, then the CCC package needs to be placed in the /home/podmanuser directory.

Copy the CCC license file and paste it inside the ccc-certs directory under the CCC package.

You have the option to upload the license file later, after logging in to CCC. You can do so by accessing the Administration tab from the menu bar at the top, followed by selecting the Licenses option from the navigation pane on the left, and then clicking the Upload button.

If you are using a CA-signed certificate:
a. Create a PKCS#12 certificate with an alias named s1as. For example, the following command creates a PKCS#12 file called certificate.p12 by combining the signed certificate (saved in the file signed_Certificate.cer) and the private key (saved in the file certificate.key):
openssl pkcs12 -export -in signed_Certificate.cer -inkey certificate.key -out certificate.p12 -name s1as -CAfile <CAs_Cert.cer> -caname root
b. Copy the certificate and paste it inside the ccc-certs directory under the CCC package.
c. Provide the following CA-signed certificate related details while updating the environment file in a later step:
- CA_CERTIFICATE
- CA_CERTIFICATE_FILE_NAME (Ensure that the CA_CERTIFICATE_FILE_NAME provided does not include the extension of the certificate file. For example, if the CA-signed certificate is created with the name 'caSigned.p12', then only provide 'caSigned' in this field. Including the file extension may cause issues with the certificate validation process.)
- CA_CERTIFICATE_PASSWORD

Go to the CCC package and load the Podman image.


podman load -i ccc-4.0.0.tar

Go to the podman directory inside the CCC package and make changes to the environment file.


vi ccc_config.env

If you want to use an external database, you need to provide the required details while modifying the environment file.

If you want to use an HA ROT, you need to follow the cloning protocol and ensure that:
(i) ROT_HA_ENABLE is set to Y
(ii) IP address for the second device is specified under HSM_IP2
(iii) Password for the second device is specified under HSM_PASSWORD2
(iv) Both the partitions have the same PARTITION_LABEL
(v) Both the partitions have the same CRYPTO_OFFICER_PASSWORD
(vi) Both the partitions have the same domain
(vii) Partition on the second device is specified under PARTITION_NAME2
(viii) REMEMBER_CREDENTIAL is set to Y

Ensure that you've specified the name of the CCC license file under CCC_LICENSE_FILE_NAME.
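The HA ROT, license and CA-certificate requirements above are easy to get wrong by hand and the container only reports them after it starts. The following pre-flight script is an added example, not part of the CCC package; it assumes ccc_config.env holds plain KEY=VALUE lines using the variable names given on this page (the same values that go into config-map.yaml for a Kubernetes install), and it checks them before you run podman-compose. The two sample files are constructed here to show a passing and a failing configuration.

```shell
#!/bin/sh
# Added example (not part of the CCC package): pre-flight check of ccc_config.env
# before "podman-compose up -d". Assumes plain KEY=VALUE lines with the variable
# names used on this page.

# Return the value of KEY ($2) from FILE ($1): last assignment wins,
# surrounding single or double quotes are stripped.
env_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed -e "s/^['\"]//" -e "s/['\"]\$//"
}

# Validate the settings this page calls out. Prints one line per problem and
# returns the number of problems found, so 0 means the file passed.
check_ccc_env() {
    _file=$1
    _errors=0

    # The license file name must be filled in.
    if [ -z "$(env_get "$_file" CCC_LICENSE_FILE_NAME)" ]; then
        echo "FAIL: CCC_LICENSE_FILE_NAME is empty"; _errors=$((_errors + 1))
    fi

    # A CA-signed certificate is named without its extension (caSigned, not caSigned.p12).
    _name=$(env_get "$_file" CA_CERTIFICATE_FILE_NAME)
    case $_name in
        *.*) echo "FAIL: CA_CERTIFICATE_FILE_NAME '$_name' must not include the file extension"
             _errors=$((_errors + 1)) ;;
    esac

    # HA root of trust: the second device and its partition must be specified,
    # and REMEMBER_CREDENTIAL must be Y.
    if [ "$(env_get "$_file" ROT_HA_ENABLE)" = "Y" ]; then
        for _key in HSM_IP2 HSM_PASSWORD2 PARTITION_NAME2; do
            if [ -z "$(env_get "$_file" "$_key")" ]; then
                echo "FAIL: ROT_HA_ENABLE=Y but $_key is empty"; _errors=$((_errors + 1))
            fi
        done
        if [ "$(env_get "$_file" REMEMBER_CREDENTIAL)" != "Y" ]; then
            echo "FAIL: ROT_HA_ENABLE=Y requires REMEMBER_CREDENTIAL=Y"; _errors=$((_errors + 1))
        fi
    fi
    return "$_errors"
}

# Constructed sample files (not real CCC configuration) showing both outcomes.
GOOD_ENV=$(mktemp); BAD_ENV=$(mktemp)
cat > "$GOOD_ENV" <<'EOF'
CCC_LICENSE_FILE_NAME=ccc.lic
CA_CERTIFICATE_FILE_NAME=caSigned
ROT_HA_ENABLE=Y
HSM_IP1=10.0.0.11
HSM_IP2=10.0.0.12
HSM_PASSWORD2=example-hsm-password
PARTITION_NAME2=ccc_rot_partition2
REMEMBER_CREDENTIAL=Y
EOF
cat > "$BAD_ENV" <<'EOF'
CCC_LICENSE_FILE_NAME=
CA_CERTIFICATE_FILE_NAME=caSigned.p12
ROT_HA_ENABLE=Y
HSM_IP1=10.0.0.11
HSM_IP2=
REMEMBER_CREDENTIAL=N
EOF

for f in "$GOOD_ENV" "$BAD_ENV"; do
    if check_ccc_env "$f"; then echo "$f: OK"; else echo "$f: problems found (see above)"; fi
done
```

Run it as `sh check_env.sh` from the podman directory after editing ccc_config.env; replace the constructed sample files with `check_ccc_env ccc_config.env` to check your real file. The script cannot confirm that both HA partitions share the same label, password and domain, since the environment file carries a single value for each; verify those on the HSMs themselves.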

If you have mapped HSM_IP1 or HSM_IP2 to a hostname/DNS name, then you need to update the extra_hosts section in the podman-compose.yml file, as indicated below:
extra_hosts:
  - "Hostname/DNS of HSM1:IP address of HSM1"
  - "Hostname/DNS of HSM2:IP address of HSM2"

If you are an LDAPS user, follow these steps to configure LDAPS for CCC:
Additional Steps for LDAPS Users.

Build a CCC container.


podman-compose up -d

If you want to run the CCC container in an environment with SELinux in enforcing mode, follow these instructions:
Running CCC with SELinux in enforcing mode

Run the following command to check the logs of the CCC container, if needed.


podman logs -f ccc

Launch CCC on any of the nodes using one of the following URLs, depending on whether the machine is identified by an IP address or hostname:


Log on to CCC as an admin user. If you are logging in for the first time, use the following credentials:


  • Username: admin

  • Password: PASSWORD

Change the password. You can now start exploring various functions and features of CCC.

If the Administrator requires that you use two-factor authentication, you are prompted to configure a one-time password (OTP). Using a two-factor authentication application on a mobile device, scan the displayed QR code or manually type in the displayed secret key, excluding spaces. Add your account. A 6-digit OTP code is generated. Enter this code in the login page, excluding spaces. You are prompted to change the password in case you are a local user.

If the CCC Administrator edits the credentials of a user that has two-factor authentication enabled, the user needs to re-enroll in the two-factor authentication process.

The clock for your two-factor authentication application must be synchronized within 2 seconds of the clock for CCC. Otherwise the OTP code will be rejected due to a validation error.


Install CCC using Kubernetes

The steps involved in installing CCC using Kubernetes are as follows:

Log on to both the Linux machines that you intend to use for CCC installation.

There should be full network connectivity between these machines. During installation, you will be using one of the machines as the Master node and the other one as the Worker node. Depending on your requirements, you can have more than one Master node and Worker node.

Set up a Kubernetes cluster on the Master node as well as the Worker node, using the steps explained here. Kubernetes enables you to install CCC and all its dependencies in a cluster of containers that run on a virtualized host OS.

Set up and initialize a Luna HSM partition. This partition will be used to create a CCC root of trust (ROT). You'll be required to provide the partition-related details while modifying the configuration settings in a later step.

In case you want to use an HA ROT, you need to set up and initialize two partitions that have the same domain. You'll be required to provide the details related to these partitions while modifying the configuration settings in a later step.

Download and extract the CCC package on the Master node as well as the Worker node.

Extract the Crypto Command Center package inside your home directory.

Create a directory named ccc-certs:


mkdir -p /home/ccc/ccc-certs

Copy the CCC license file and paste it inside the ccc-certs directory under the CCC package.

You have the option to upload the license file later, after logging in to CCC. You can do so by accessing the Administration tab from the menu bar at the top, followed by selecting the Licenses option from the navigation pane on the left, and then clicking the Upload button.

If you are using a CA-signed certificate:
a. Create a PKCS#12 certificate with an alias named s1as. For example, the following command creates a PKCS#12 file called certificate.p12 by combining the signed certificate (saved in the file signed_Certificate.cer) and the private key (saved in the file certificate.key):
openssl pkcs12 -export -in signed_Certificate.cer -inkey certificate.key -out certificate.p12 -name s1as -CAfile <CAs_Cert.cer> -caname root
b. Copy the certificate and paste it inside the ccc-certs directory under the CCC package.
c. Provide the following CA-signed certificate related details while updating the environment file in a later step:
- CA_CERTIFICATE
- CA_CERTIFICATE_FILE_NAME (Ensure that the CA_CERTIFICATE_FILE_NAME provided does not include the extension of the certificate file. For example, if the CA-signed certificate is created with the name 'caSigned.p12', then only provide 'caSigned' in this field. Including the file extension may cause issues with the certificate validation process.)
- CA_CERTIFICATE_PASSWORD

Go to the Crypto Command Center package on the Worker node and import the CCC images:


ctr -n=k8s.io images import ccc-4.0.0.tar

Run the following command on the Worker node to list all the images:


crictl images

Go to the ccc directory on the Master node and open the kubernetes sub-directory.

Create secrets by running the following command:


kubectl create secret generic ccc-password \
--from-literal=CCC_TRUSTSTORE_PASSWORD='password' \
--from-literal=CCC_KEYSTORE_PASSWORD='password' \
--from-literal=CCC_CREDENTIALSTORE_PASSWORD='password' \
--from-literal=HSM_PASSWORD1='password' \
--from-literal=CRYPTO_OFFICER_PASSWORD='password' \
--from-literal=HSM_PASSWORD2='password' \
--from-literal=CCC_ADMIN_PASSWORD='password' \
--from-literal=CA_CERTIFICATE_PASSWORD='password' \
--from-literal=CCC_DB_PASSWORD='password'

Modify the configuration settings on the Master node as per your requirements:


vi config-map.yaml

If you want to use an external database, you need to provide the required details while modifying the configuration settings.

If you want to use an HA ROT, you need to follow the cloning protocol and ensure that:
(i) ROT_HA_ENABLE is set to Y
(ii) IP address for the second device is specified under HSM_IP2
(iii) Password for the second device is specified under HSM_PASSWORD2
(iv) Both the partitions have the same PARTITION_LABEL
(v) Both the partitions have the same CRYPTO_OFFICER_PASSWORD
(vi) Both the partitions have the same domain
(vii) Partition on the second device is specified under PARTITION_NAME2
(viii) REMEMBER_CREDENTIAL is set to Y

Ensure that you've specified the name of the CCC license file under CCC_LICENSE_FILE_NAME.

If you have mapped HSM_IP1 or HSM_IP2 to a hostname/DNS name, then you need to update the hostAliases section in the deployment.yaml file, as indicated below:
hostAliases:
  - ip: "IP address of HSM1"
    hostnames:
      - "Hostname/DNS of HSM1"
  - ip: "IP address of HSM2"
    hostnames:
      - "Hostname/DNS of HSM2"

Edit the deployment.yaml file on the Master node if you are using LDAPS:


vi deployment.yaml

If you are an LDAPS user, follow these steps to configure LDAPS for CCC:
Additional Steps for LDAPS Users.

Launch CCC:


sh launch.sh

If you want to run the CCC container in an environment with SELinux in enforcing mode, follow these instructions:
Running CCC with SELinux in enforcing mode

Check whether CCC installation is successful by verifying the output of the following command:


sudo kubectl get all -o wide

Launch CCC on any of the nodes using one of the following URLs, depending on whether the machine is identified by an IP address or hostname:


Log on to CCC as an admin user. If you are logging in for the first time, use the following credentials:


  • Username: admin

  • Password: PASSWORD

Change the password. You can now start exploring various functions and features of CCC.


If the Administrator requires that you use two-factor authentication, you are prompted to configure a one-time password (OTP). Using a two-factor authentication application on a mobile device, scan the displayed QR code or manually type in the displayed secret key, excluding spaces. Add your account. A 6-digit OTP code is generated. Enter this code in the login page, excluding spaces. You are prompted to change the password in case you are a local user.

If the CCC Administrator edits the credentials of a user that has two-factor authentication enabled, the user needs to re-enroll in the two-factor authentication process.

The clock for your two-factor authentication application must be synchronized within 2 seconds of the clock for CCC. Otherwise the OTP code will be rejected due to a validation error.

If you want to use an HA configuration, you must use an external database. To set the number of replicas, run the following command:
kubectl scale --replicas=2 deployment ccc-deployment


Running CCC with SELinux in enforcing mode

To run CCC with SELinux in enforcing mode, you need to implement the following modifications, depending on the orchestration mechanism you've used during CCC installation:

If you don't make these changes, you may encounter a permission issue. This is because your data is persisted in the pgdata directory on the host, outside the container, and SELinux labels prevent the container from accessing it.

Podman

In case of Podman, add the following key value in the podman-compose.yml file:

security_opt:
    - label:disable



Kubernetes

In case of Kubernetes, add the following key value in the deployment.yaml file:

securityContext:
    seLinuxOptions:
       type: "spc_t"



Additional Steps for LDAPS users

In case you are using LDAPS, refer to the steps below, depending on whether you installed CCC using Podman or Kubernetes:


Podman Users

If you've used Podman for CCC installation:

Place the LDAPS certificate in the ccc_package/ccc-certs directory.

Modify the extra_hosts configuration in the podman-compose.yml file, as indicated below:

extra_hosts:
  - "Hostname/DNS of LDAPs:IP address of LDAPs"

Run the podman-compose up command to start the CCC container.

Import an SSL certificate into the truststore by running the following command:


podman exec ccc bash -c 'cd scripts && sh ldaps.sh <alias> <certificate-name> <admin-password>'

This will execute a script called ldaps.sh, which will import the SSL certificate using the specified alias and certificate name, and the admin password enclosed in single quotes.

If your admin password contains one or more special characters, you need to add a backslash before every special character to ensure proper execution of the command. For example, if your admin password is "Temp@123$", the command that you need to run would be:
podman exec ccc bash -c 'cd scripts && sh ldaps.sh <alias> <certificate-name> Temp\@123\$'

Kubernetes Users

If you've used Kubernetes for CCC installation:

Place the LDAPS certificate in the /home/ccc/ccc-certs directory.

Modify the hostAliases configuration in the deployment.yaml file, as indicated below:

hostAliases:
  - ip: "IP address of LDAPs"
    hostnames:
      - "Hostname/DNS of LDAPs"

Run the sh launch.sh command to start the CCC container.

Import an SSL certificate into the truststore by running the following command:


kubectl exec <pod-name> -- bash -c 'cd scripts && sh ldaps.sh <alias> <certificate-name> <admin-password>'

This will execute a script called ldaps.sh, which will import the SSL certificate using the specified alias and certificate name, and the admin password enclosed in single quotes.

If your admin password contains one or more special characters, you need to add a backslash before every special character to ensure proper execution of the command. For example, if your admin password is "Temp@123$", the command that you need to run would be:
kubectl exec <pod-name> -- bash -c 'cd scripts && sh ldaps.sh <alias> <certificate-name> Temp\@123\$'
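The backslash rule in the Podman and Kubernetes LDAPS steps above exists because the ldaps.sh arguments sit inside a bash -c '...' string: the inner shell parses them again, so an unescaped $ would be expanded before the password reaches the script. The following script is an added example, not part of the CCC package; it escapes a password the way this page describes, builds the exec command for either orchestrator, and shows what the inner shell actually receives with and without escaping. The alias, certificate name and passwords are constructed sample values.

```shell
#!/bin/sh
# Added example (not part of the CCC package): escape the admin password for the
# "bash -c 'cd scripts && sh ldaps.sh ...'" invocation shown on this page.

# Put a backslash before every character that is not a letter, digit, underscore
# or hyphen, so the inner shell takes each one literally (Temp@123$ -> Temp\@123\$).
# Passwords containing a newline are not supported by this helper.
escape_password() {
    printf '%s' "$1" | sed 's/[^A-Za-z0-9_-]/\\&/g'
}

# Build the full command. $1 is the exec prefix ("podman exec ccc" or
# "kubectl exec <pod-name> --"), $2 the alias, $3 the certificate name,
# $4 the admin password as typed (unescaped).
ldaps_import_command() {
    printf "%s bash -c 'cd scripts && sh ldaps.sh %s %s %s'\n" \
        "$1" "$2" "$3" "$(escape_password "$4")"
}

# Reproduce the inner parse step: hand the argument to a fresh shell exactly as
# the single-quoted bash -c string would, and print what that shell sees.
inner_shell_sees() {
    sh -c "printf '%s\n' $1"
}

# Constructed demo values.
SAMPLE_PW='My$ecret'
echo "Podman:     $(ldaps_import_command 'podman exec ccc' ldapsrv ldaps.cer 'Temp@123$')"
echo "Kubernetes: $(ldaps_import_command 'kubectl exec ccc-pod-example --' ldapsrv ldaps.cer 'Temp@123$')"
echo "unescaped password reaches ldaps.sh as: $(inner_shell_sees "$SAMPLE_PW")"
echo "escaped password reaches ldaps.sh as:   $(inner_shell_sees "$(escape_password "$SAMPLE_PW")")"
```

The unescaped run shows the failure mode: `$ecret` is treated as an (unset) variable and ldaps.sh would receive only `My`, so the truststore import fails with a wrong-password error rather than an obvious syntax error. Escaping every non-alphanumeric character, including ones such as @ that bash does not treat specially, is harmless and avoids having to reason about which characters need it.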