Configure SSL Certificate: Open the ccc_config.env file and enable the SUBJECT_ALT_NAME flag by setting it to Y. Then, add the CCC IP address to the SUBJECT_ALT_NAME_IP flag.

Restart the CCC Container: You need to restart the CCC container, based on your environment.

Create an Application Owner Account: Create an application owner account and ensure that the application owner logs in to CCC and changes the password.

Set Up the Server Environment: Access the server where your Luna HSM client is installed. Execute the sudo command for Linux systems, and for Windows systems, launch an Administrator command prompt.

Navigate to CCC Client: Go to the directory where you've stored the CCC client.

Run CCC Client: Launch the CCC client using the following command:

java -jar ccc_client.jar -user <username> [-password <password>] [-otp <otp code>] -host <CCC_server_hostname_or_IP> [-port <CCC_server_port>]

If you enter a password, use single quotes (Linux) or double quotes (Windows).

For OTP, use the -otp parameter or provide the code when prompted.

The -port parameter is optional; default is 8181.

Accept CCC Server Certificate: If the CCC server certificate isn't imported, you'll be asked to accept it.

Create Client Certificate: If absent, a client certificate for NTLS connections is generated. Enter an IP or hostname for partition registration.

Set Trusted Keystore Password: If you decide to trust the certificate permanently, set a trusted keystore password.

Select Service to Authorize: Choose from a list of available services for your organization.

Authorize Access: Select option 1 to authorize access. This grants access to the chosen service.

In cases where a partition is added or removed from an existing service, the CCC application owner has the option to utilize the "Repair Access" feature. This feature establishes an NTLS link with the new service partition, which is then incorporated into the client's high-availability (HA) group.

Confirm Service Authorization: When prompted with the message "Would you like to authorize access to the service 'Service_with_a_smile'? (Y/N):", respond with 'y'. After confirmation, a success message will indicate that access to the 'Service_with_a_smile' service has been granted.

To authorize a service for either a PPSO-enabled PED-authenticated HA Group or a Non-PPSO-enabled PED-authenticated HA Group, follow the steps detailed below. In both scenarios, access to the service will be provided upon completion of the authorization process.

Prepare for Access Authorization: Prior to proceeding with authorization, ensure that every partition within the HA group has been assigned an identical challenge password and has undergone activation.

Activate Service: Activate the service through the CCC user interface.

Initiate Authorization Process: To initiate the authorization process, run the ccc_client.jar tool. When prompted with "Would you like to authorize access to service 'Self_service'? (Y/N):", respond with 'y'.

Ensure Challenge Password Alignment: If you are certain that each partition within the HA group shares the same challenge password, input 'y'. You will then be prompted to enter the challenge password. Upon successful password entry, a confirmation will confirm that access to the service has been granted.

If challenge passwords are not aligned across all partitions in the HA group, input 'n'. The following prompt will be displayed: "Process paused. If you wish to align the CO challenges and activate the CO roles now, open a new console and run LunaCM to perform these operations. Once you have done so, select 'Continue' below to proceed with this HA Group configuration." Set the challenge password for each listed member as necessary.

The option to support the "Repair Client" feature for partially initialized PPSO-STC services is not available.

Verify Challenge Password and Key: Prepare the 16-digit challenge password generated by the PED during service initialization, along with the partition owner/crypto officer (black) PED key.

If an incorrect challenge password is entered while deploying a PED-authenticated HSM Partition HA Group service using ccc_client, the service will be deployed but non-operational. To rectify this, redeploy the service by relaunching ccc_client, selecting the service, and revoking access.

Run ccc_client.jar: Execute the ccc_client.jar command, and continue until you encounter the prompt to input the group challenge. Each member of the HSM Partition HA Group service will be accessible as a slot in LunaCM.

Start Luna HSM Client Session: Launch a Thales Luna HSM client session by opening a command prompt or terminal window, then initiating LunaCM:
Windows: C:\Program Files\SafeNet\LunaClient\bin\lunacm
Linux: /usr/safenet/lunaclient/data/bin/lunacm

Check Firmware Versions: Review the list of available slots and take note of the firmware versions. If the partitions have firmware 6.22 or higher (released alongside software version 6.0), role commands are required in LunaCM for the subsequent steps. Firmware below 6.22 necessitates partition commands.

lunacm:> slot list

Select a Slot: Set the current slot to a slot containing one of the HSM Partition HA Group members:

lunacm:> slot set -slot [slot_number]

Connect the PED: Establish a connection with your remote PED server:

ped connect -ip [PED_IP]

Handle Firmware: Follow the appropriate steps based on your device's firmware version (below 6.22 or above 6.22):

Firmware Version Below 6.22

If using devices with firmware below 6.22, perform the following actions:

i. Log in to the partition and attend to the PED for orange (remote PED) and black (Partition Owner/Crypto Officer) PED keys:

lunacm:> partition login

ii. Set the challenge password for the partition:

lunacm:> partition changepw -p [new_challenge_password]

iii. Log out of the partition:

lunacm:> partition logout

iv. Log in to the partition. Attend to the PED:

lunacm:> partition login

v. Activate the partition:

lunacm:> partition activate

Firmware Version Above 6.22

If using devices with firmware above 6.22, perform the following actions:

i. Activate the Crypto Officer role by logging in. The PED prompts you for the black PED key:

lunacm: role login -name "Crypto Officer"

ii. Change the role's challenge password:

lunacm: role changePW -name "Crypto Officer" -old [old_challenge_password] -new [new_challenge_password]

iii. If the Crypto User regularly utilizes the service, log in to that role and change its challenge password. You will be prompted for the Crypto User PED key:

lunacm: role login -name "Crypto User"

role changePW -name "Crypto User" -old [old_password] -new [new_password]

iv. Log out from the Crypto User role. Repeat these steps for every partition in the HSM HA Group:

lunacm: role logout

Disconnect the Remote PED: lunacm: ped disconnect

Resume ccc_client.jar Session: Return to the ccc_client.jar session, input the group challenge, and continue to complete the service deployment.

Initiate Terminal or Command Prompt: Begin by launching the Terminal on Linux or opening an Administrator command prompt on Windows. This should be done on the server where the Luna HSM client has been installed.

If you are utilizing a hard token, proceed to initialize it on a Windows computer following the guidelines provided in the Thales Luna HSM documentation.

Navigate to CCC Client Directory: Navigate to the directory where you've stored the CCC client.

Execute CCC Client: Run the CCC client (ccc_client.jar) using the following command:

java -jar ccc_client.jar -user <username> [-password <password>] [-otp <otp code>] -host <CCC_server_hostname_or_IP> [-port <CCC_server_port>]

Enclose the password in single quotation marks (for Linux) or double quotation marks (for Windows), if included in the command.

Include the -otp parameter or respond when prompted for OTP-enabled accounts.

The -port parameter is optional; default port 8181 is used if not specified.

Confirm CCC Server Certificate: When prompted, verify and confirm the CCC server certificate. This message appears only if the certificate hasn't been imported on this client.

Create NTLS Client Certificate: If not already present, the client certificate for NTLS connections to service partitions is generated. Provide an IP or hostname for registration with partitions.

Enter Trusted Keystore Password (Optional): Choose to trust the certificate permanently if prompted, and input the trusted keystore password for the Java JDK on the Luna HSM client workstation. The default password is changeit.

Select Service for Authorization: A list of available services for your organization that can be deployed will be displayed. Choose the service you want to authorize for your client.

Authorize Service Access: Authorize access to the selected service by choosing option 1.

When employing both STC and Per-Partition SO for your service, please be aware that CCC lacks the capability to revoke STC access. This design choice has been made to mitigate the potential risk of rendering the partition(s) devoid of client connections, thus preventing any possibility of recovering partition access.

Create STC Client ID: If no STC client ID exists on the application server, create one by entering 'Y' and specifying a Client Name for registration on the partition(s).

Enter Partition SO Credentials (PPSO Enabled): For devices with the Per-Partition Security Officer (PPSO) feature enabled, provide Partition SO credentials to establish the connection.

For password-authenticated devices, you are prompted for the PSO password.

For PED-authenticated devices, provide the Remote PED IP and port. The remote PED will prompt for the orange Remote PED key and the blue Partition Security Officer key.

Change STC Client ID: The STC client ID label is displayed. You can change the label registered on the partition(s) if desired.

The deployment process for an STC service is now concluded. However, if you are in the process of authorizing a PED-authenticated HSM Partition HA Group service, please refer to the following procedure to successfully finalize the service deployment.

Check Authorization Prerequisites: Before authorizing, ensure each partition in the HA group has the same challenge password and is activated. If PPSO is enabled, activate through the CCC UI. Otherwise, continue in this section.

Provide the Challenge Password: If challenge passwords match and partitions are activated, proceed with 'y' and provide the challenge password. Upon success, a confirmation message is displayed. If not successful, an error indicating mismatched challenge passwords will appear. In this case, re-run ccc_client.jar, answer 'n' to the challenge passwords prompt, and complete the procedure.

If you haven't set the same challenge password for all partitions in the HA group, type 'n'. This will pause the process and prompt you to align the CO challenges and activate the CO roles by opening a new console and running LunaCM. Once you've completed those actions, select 'Continue' to proceed with configuring this HA Group. Remember to set the challenge password for each member listed.