Release Notes
The release notes for Crypto Command Center 4.1 includes new features and enhancements, advisory notes, compatibility information, upgrade instructions, and resolved and known issues.
New Features and Enhancements
In CCC 4.1, notable enhancements have been introduced to reinforce security measures and streamline deployment:
Dual Authentication for Service Delete: The newly integrated Dual Authentication for Service Delete feature showcases CCC's dedication to advancing security standards in cryptographic service management. This added layer of security empowers organizations during service removal, ensuring meticulous safeguarding of critical resources. The process involves accessing the Crypto Services section to initiate removal, followed by specific steps depending on service type, and involving elements such as HSM SO passwords, IP addresses, and port details. This dual authentication capability prevents unauthorized deletions and errors, enhancing cryptographic operations' integrity. Enabled by default, advanced users can deactivate this feature with careful consideration of implications.
Support for CCC Installation using Helm: CCC's deployment methodology advances with the inclusion of Helm, streamlining installation and reinforcing its reputation as a cutting-edge cryptographic management solution. CCC installation using Helm providies benefits like streamlined installation, version management, scalability, and optimized resource utilization. Luna HSM integration enhances security, while Helm's flexibility accommodates various setups. Detailed instructions guide administrators through this process, ensuring an informed and efficient CCC deployment.
Podman Secrets: With the introduction of Podman Secrets feature, CCC strengthens the security of sensitive passwords. Administrators can create and manage secrets, mitigating unauthorized access risks and adhering to best practices. The process involves safeguarding data integrity by creating a secure backup of the secretfile and populating it with passwords. Podman Secrets underscores CCC's commitment to proactive security, fostering exploration of its functions in a secure environment.
SELinux in Enforcing Mode: Now, you have the option to install CCC while utilizing SELinux in enforcing mode. This security enhancement isolates cryptographic activities, prevents unauthorized access to cryptographic keys, and enforces strict access controls, all contributing to a more robust and secure environment for your crypto-related tasks.
Feature Matrix for CCC 4.1
This section outlines the minimum requirements to support major features and functionalities of CCC.
| CCC Feature | Requires Monitoring License | Minimum SA Version | Minimum SA Firmware |
|---|---|---|---|
| Service Provisioning | No | 6.x | 6.10.9 |
| Security Officer Per Partition (PPSO) | No | 6.x | 6.10.9 |
| Device & Service Reports | No | 6.x | 6.10.9 |
| Import Services | No | 6.x | 6.10.9 |
| Device Monitoring, Dashboard & Notifications | Yes | 6.x | 6.10.9 |
| Device Monitoring (Full) | Yes | 6.x | 6.20.0 |
| Service Monitoring | Yes | 7.3 | 7.3.0 |
| Device Logs | Yes | 6.x | 6.10.9 |
| Key Material Visibility | No | 6.x | 6.10.9 |
| External Directory Server over LDAP | No | NA | NA |
| Apply SW Package | No | 7.3 | NA |
| Update Firmware | No | 7.3 | NA |
| Migrate Service | No | 6.2.2 | 6.24.3 |
Advisory Notes
This section highlights important issues you should be aware of before deploying this release.
Security Guidelines
Consult the security guidelines for CCC, which provide detailed recommendations and requirements to safeguard your CCC installation against various cyber threats, including Code Injection, Man-in-the-Middle (MITM), and Denial of Service (DoS) attacks, ensuring the protection of critical systems.
Server Monitoring
We recommend monitoring your CCC server configuration with a server monitoring system. CCC cannot notify the users of a CCC instance deactivation in the event of a server outage or disconnection.
Thales Luna Network HSM 7.1 Monitoring HSM CPU Usage
The Thales Luna Network HSM 7.1 device firmware incorrectly reports the value for HSM CPU usage. The firmware will always populate the HSM CPU usage monitoring histogram value as 99.9%. This is not an accurate evaluation of the HSM devices performance by CCC.
Support for 5.x Devices
CCC 4.1 does not support 5.x devices. If you are primarily managing 5.x devices, you may desire to defer this software upgrade at this time. If you are managing a combination of 5.x and 6.x devices, upgrading to CCC 4.1 will require upgrading your 5.x devices.
Thales Luna HSM 7.1 and Newer Device REST API
The REST API package comes pre-installed on Thales Luna Network HSM 7.1 and newer devices. As a user, you need to configure the REST API on the device. For better stability, use of the latest REST API versions is recommended, as listed below.
| REST API Version | Appliance Version | Firmware Version |
|---|---|---|
| v5 | 7.1.0-379 | 7.1.0 |
| v6 | 7.2.0-220 | 7.2.0 |
| v7 | 7.3.0-165 | 7.3.0 |
| v8 | 7.4.0-226 | 7.4.0 |
| v9 | 7.7.0-317 | 7.7.0 |
| v10 | 7.7.1-188 | 7.7.1 |
If STC is enabled, the webserver (REST API) of some Luna devices may need to be restarted.
ccc_client PED-Authenticated HSM Partition HA Group Service
If the user enters an incorrect challenge password when deploying a PED-authenticated HSM partition HA group service with ccc_client, the service will display as deployed but will not be operational. To deploy the service, relaunch ccc_client, select the service, and revoke access to that service. Then, deploy the service, as described in the CCC User Guide.
Database Security
CCC does not currently support full disk encryption on a PostgreSQL database. As a result, the integrity of the database server is the responsibility of the user. We recommend keeping your database server in an environment that is secured by software data networks and firewalls. Customers are responsible for ensuring compliance with their organization's security policies.
Freemium License
The CCC Freemium virtual image is not available with CCC 4.1. However, the Freemium license file is still supported with CCC 4.1 premium build. The Freemium license is available as part of the CCC software package.
The CCC Administrator user can now use the Update License button to replace the Freemium license file with the premium license when the product evaluation is completed.
Mixed High Availability Device Partition Groups
7.x devices do not support mixed high availability (HA) device partition groups. You cannot create an HA partition group consisting of both 6.x and 7.x devices. HA partition groups can only consist of 6.x or 7.x device partitions.
Java 1.8.0-144 JDK Memory Leak
The Java 1.8.0-144 JDK is not supported by CCC. The Java 1.8.0-144 JDK has a known security leak. It is recommended that you upgrade to the latest version of Java 1.8.0. For more information about the Java 1.8.0-144 JDK memory leak, review Java JDK issue 8164293.
Limitations of Luna Appliance Software 7.3.3 and 7.3.4
If you are using a Luna Network HSM device having Luna appliance software version 7.3.3 or 7.3.4, you will not be able to use certain features of CCC.
Non Availability of STC Support
CCC no longer provides support for STC with Luna Network HSM. The option to create a partition using STC is not available with Luna Network HSM 7 (Firmware 7.7.0 and above).
Compatibility Information
For information regarding the supported hardware, software, and managed devices, consult CCC User Guide.
Supported Versions of CCC
The list of supported CCC versions can be found at Thales Customer Support Portal. As a user, you are advised to upgrade to the latest CCC version.
Upgrading CCC
To upgrade to the latest version of CCC, please refer to this link: Upgrading CCC
Resolved and Known Issues
This section lists the resolved and known issues in the product at the time of release. Workarounds are provided where available. The following table defines the severity of the issues that are listed.
| Priority | Classification | Definition |
|---|---|---|
| C | Critical | No reasonable workaround exists. |
| H | High | Reasonable workaround exists. |
| M | Medium | Medium level priority problems. |
| L | Low | Lowest level priority problems. |
Known Issues
| Issue | Severity | Synopsis |
|---|---|---|
| CCC-8303 | M | Problem: If you login with a newly created user, and stay on the "change password" screen for five minutes with no activity, and then attempt a password change, you are redirected to a blank page. Workaround: This behavior indicates a timeout. You can reattempt login by clicking the back button or by re-entering the Thales Crypto Command Center address into the URL bar in the browser. |
| CCC-8319 | M | Problem: If you add a 6.x device, and then use LunaSH to alter the admin password and the REST API certificate, you cannot update either the admin password or the REST API certificate on Thales Crypto Command Center. If you add a 5.x device, and then use LunaSH to alter the admin password and the SSH host key, you cannot update either the admin password or the SSH host key on Thales Crypto Command Center. Workaround: Update Thales Crypto Command Center immediately after updating the admin password, SSH host key, or REST API certificate on the appliance. Do not perform any other configuration until Thales Crypto Command Center is updated. If you accidentally change both the device password and the device identity (SSH host key or REST API certificate) without updating Thales Crypto Command Center, use LunaSH to change the admin password back to the previous value. In Thales Crypto Command Center, verify the SSH key or REST API certificate. Then return to the device and change the admin password to the new desired password. Update the admin password in Thales Crypto Command Center. |
| CCC-8819 | M | Problem: If you create and deploy a service, change its organization, and then attempt to revoke access to the service, the full deregistration might not complete. For example, the revoke might not complete, the client entry might still be displayed in the service details tab, or the client might still be registered on the managed device partition(s). Workaround: If you attempted a revocation which did not complete, detach the service, re-import it, complete the normal application owner setup, and then revoke again. If you want to change a service's organization, first revoke client access, then change the organization, then deploy the service again. This ensures that future attempts to revoke access to the service will succeed. |
| CCC-9208 | M | Problem: Monitoring data does not update automatically in the General and Capabilities tabs on the Device page. Monitoring information is retrieved and stored by the device, but is not generated automatically in the Thales Crypto Command Center graphic user interface on the General tab and the Capabilities tab. Workaround: Click Refresh in the Capabilities tab to generate up-to-date monitoring data. |
| CCC-10174 | L | Problem: When sorting a Service Report, at times the Sort drop down menu loses its interface layer priority, appearing behind the entries in the Services List. Workaround: Minimize and expand the row where the issue is occurring. |
| CCC-12639 | M | Problem: If the ccc_client.jar is run without trusting the server certificate, it throws an exception when Option 4 (exit) is directly selected after the run. Workaround: Always trust the server certificate when the ccc_client.jar is run. |
| CCC-13259 | M | Problem: Sometimes when NFS server goes down in CCC High Availability setup, NFS clients becomes unresponsive. Workaround: Re-run enableNFSSharing.sh script on client side for NFS connection. |
| CCC-13260 | M | Problem: Sometimes when a new NFS client is added to an existing High Availability CCC setup, permissions on shared folder of existing NFS clients change to some unknown permission. Workaround: Change the permission on shared folder /usr/safenet/ccc/packages and /usr/safenet/ccc/lunalogs to lunadirector. |
| CCC-13948 | M | Problem: While migrating a large number of keys, the status bar displays a “null” message if object synchronization takes a long time. Workaround: You may encounter this error message in case a large number of keys are being migrated. However, the migration process will get completed despite this issue. |
| CCC-13980 | M | Problem: The Migrate Service button appears enabled for a moment when the partition limit is reached. Workaround: Even if you are able to click this button, you will not be able to perform Migrate Service operation after the partition limit is reached. |
| CCC-14306 | M | Problem: Unable to upgrade a device to firmware version 7.7.0 or 7.7.1. Workaround: Use LUSH to upgrade your device to firmware version 7.7.0 or 7.7.1. For details, refer to Luna HSM documentation. |
| CCC-14667 | M | Problem: A log off button appears if an incorrect Crypto Officer password is provided under the Keys section after creating and initializing a service on a PED device. Workaround: This is a known issue. Please ignore the log off button and enter the correct password. |
| CCC-15423 | M | Problem: As a CCC Application Owner, I am unable to delete a service even though the Delete Service option is visible upon clicking the Remove button on the Services Screen. Workaround: As an Application Owner, it's important to note that you do not possess the necessary privileges to directly delete a service. To initiate the deletion of a service, you should reach out to your CCC Administrator and request the removal. The visibility of the Service Delete option for Application Owner users is due to a bug in the system. We appreciate your understanding as we work towards resolving this issue. |
Contacting Thales Customer Support
If you encounter a problem while installing, registering, or operating this product, refer to the documentation before contacting support. If you cannot resolve the issue, contact your supplier or Thales Customer Support. Thales Customer Support operates 24 hours a day, 7 days a week. Your level of access to this service is governed by the support plan arrangements made between Thales and your organization. Please consult this support plan for further information about your entitlements, including the hours when telephone support is available to you.
Customer Support Portal
The customer support portal, at https://supportportal.thalesgroup.com, is where you can find solutions for most common problems. The Customer Support Portal is a comprehensive, fully searchable database of support resources, including software and firmware downloads, release notes listing known problems and workarounds, a knowledge base, FAQs, product documentation, technical notes, and more. You can also use the portal to create and manage support cases.
You require an account to access the Customer Support Portal. To create a new account, go to the portal and click on the REGISTER link.
Telephone Support
If you have an urgent problem, or cannot access the Customer Support Portal, you can contact Thales Customer Support by telephone at +1 410-931-7520. Additional local telephone support numbers are listed on the support portal.