High-Level Architecture

Central to CCC is the CCC server. The CCC server is a workstation where the CCC web application is installed. The CCC web application includes an application container and service, which provides the administrator and application owner interfaces for managing and deploying HSM resources. In addition to the web application, CCC also requires the following components:

  • A Thales Luna Network HSM that serves as the root of trust and authenticates communications between CCC and managed HSM devices.

  • A PostgreSQL database. The database can be installed either on the same server that hosts the CCC web application or on a separate server.

The following figure provides a high-level architectural view of CCC.

Server and Client Components

CCC is installed on a workstation that meets the minimum hardware and software requirements. CCC also includes a Java client, which is used to deploy a service created in CCC on a crypto application server.

Term       Refers to
Devices    Luna Network HSMs.
Services   One or more partitions on Luna Network HSMs.
Clients    Application Owners, who are responsible for deploying the services.

Web Server

The CCC web server is a Java-based web application. It runs on the Java JDK and requires the Luna Network HSM client software in order to communicate with the root-of-trust HSM.

Databases

The data managed by CCC is stored in a PostgreSQL database. You can install the database on the CCC server or on an external server.

Root-of-Trust HSM

All communications between CCC and the HSMs on any managed devices are authenticated using a Thales Luna Network HSM. You can use a password-authenticated or PED-authenticated Luna Network HSM partition as the root of trust. You can use a FIPS-enabled HSM if FIPS compliance is required, or a non-FIPS-enabled HSM if you do not require FIPS compliance.

If the root-of-trust HSM is PED-authenticated, it must be activated (to allow password login) to work with CCC. You can activate (enable) or deactivate (disable) the root-of-trust HSM to control whether or not CCC has access to the HSMs on the managed devices.

Activation of a PED-authenticated HSM to allow password authentication is not the same as activation of CCC. Activation of CCC enables the root-of-trust HSM, which allows CCC to create and deploy services.

Crypto Command Center Client

The Crypto Command Center client is run on a crypto application server to set up the NTLS or STC links from the application server's Thales Luna Network HSM client to the devices used to host the service. STC links are available for devices with a minimum software version of 6.2.1 and a minimum firmware version of 6.24.2. The Crypto Command Center client is available for download from CCC.

Users

CCC supports two distinct user roles: Administrators and Application Owners.

Administrators

Administrators are responsible for creating organizations, adding user accounts, adding devices, and creating services on managed devices. Administrators can also generate reports for the managed devices and services.

Application Owners

Application Owners are responsible for deploying the services created in CCC for their organization. Application Owners own the services and are free to deploy them as needed. When a service is no longer required, the Application Owner can release it, making the resources that provided the service available to the Administrator for creating new services. The following table compares the capabilities of Administrators and Application Owners:

Feature                      CCC Admin   CCC Application Owner
Service Creation             Yes         No
Service Initialization       Yes         Yes
Service Deployment           Yes         Yes
Key Material Visibility      Yes         Yes
Reporting                    Yes         No
Service Monitoring           Yes         Yes
Device Monitoring            Yes         No
Alerting and Notifications   Yes         No
Licensing                    Yes         No
Support Catalog              Yes         No
Software Center              Yes         Yes
Directory Support            Yes         No
Device Log Export            Yes         No
Account Management           Yes         No
Migrate Service              Yes         No

Managed Devices

You can use CCC to manage Luna Network HSM devices. CCC can manage any Luna Network HSM device that is reachable over the network, including devices located in the cloud. To manage a device, CCC must be able to log in to it as the admin user. The admin credentials required for this login are stored in CCC, encrypted with an encryption key that is held on the root-of-trust HSM.

STC is not available with Luna Network HSM 7 (Firmware 7.7.0 and above).

Device Requirements

For CCC to manage a Luna Network HSM device, the device must meet the minimum requirements. CCC can manage PED-authenticated and password-authenticated Thales Luna Network HSM devices.