Crypto Services
CCC lets you manage individual partitions within a Luna Network HSM, or a set of partitions spread across multiple Luna Network HSMs, as a single unit. These managed partitions are referred to as services. Each service is owned exclusively by the organization to which it is allocated, is configured with parameters tailored to that organization's cryptographic requirements, and can be deployed and used for cryptographic operations only by members of that organization. You manage services from the Crypto Services tab of CCC, which offers the functionality described in the following sections:
Before CCC can create or manage services on a Luna Network HSM device, it needs authorization to access the device as the Security Officer (SO).
Create, modify, and remove services
Below are the procedures for creating, modifying, and removing services on CCC.
Create a service
To create a service:
Click on the Crypto Services tab located in the menu bar at the top of the screen.
In the left-hand navigation pane, select Services. This action will bring up a page displaying basic details of all existing services.
At the top right corner of the page, you'll find a Create Service button. Click on it to start the process of creating a new service.
In the subsequent Create Service wizard, fill in the required details:
Parameter | Description |
---|---|
Service Name | Enter a name for the service you wish to create. This name helps in identifying and distinguishing the service, making it easier to manage and reference. |
Description | Optionally, provide a brief overview of the service. This can offer valuable context for users or administrators managing the service. |
Choose Template | Select the template that best matches the type of service you intend to create. Templates provide predefined configurations tailored to specific service types. |
Add Devices | Add the necessary device(s) for the service. For HA services, select multiple devices. Note that only authorized devices meeting the template's requirements will be displayed for selection. |
Assign Organization | Choose the organization that will own and manage the service. This ensures the service is utilized only by the designated organization. |
Summary | Review the provided information for accuracy. If needed, click Go Back to make adjustments. Otherwise, click Finish to complete the service creation process. |
A pop-up window will confirm the service's creation and the reservation of necessary resources. Click the Initialize Now button located at the bottom of the pop-up window to commence the process of enabling the service.
You have the option to initialize a service immediately upon creation or leave it uninitialized until deployment. Uninitialized services can be initialized by the CCC Administrator or an Application Owner.
In the Initialize Service window that appears, enter the desired Partition Label and Cloning Domain. For PED-authenticated services, also enter the IP address of the remote PED server.
Create passwords for the Security Officer and Crypto Officer. If required, also create a password for the Crypto User.
Click Finish to complete the process of service initialization. You are now ready to start using the service.
Here's a video that provides a demonstration of how to create a service using CCC, explaining each step of the process in detail:
Modify a service
To modify a service:
Click on the Crypto Services tab located in the menu bar at the top of the screen.
In the left-hand navigation pane, select Services. This action will bring up a page displaying basic details of all existing services.
Click on the service that requires modification. This action will reveal the service-related details located towards the bottom of the page.
To view and make changes to the details associated with the service, navigate to the relevant tab.
Tab | Description |
---|---|
General | Offers an overview of the service, encompassing details such as: - Service Name: The name assigned to the service. - Description: A brief description outlining the purpose or function of the service. - HA Group Label: If the service is part of an HA group, this label indicates its association with that group. - Owner Organization: The organization that owns and is responsible for managing the service. - Service Creation Details: Information regarding when the service was created and by whom. This includes details such as the creator's name or identifier and the date of creation. |
Capabilities | Provides detailed insights into various aspects of the service, including: - Service Type: Specifies the type of service being offered. - Host Device Type: Indicates the type of device hosting the service. - Partition Size: Specifies the size of the partition allocated for the service, measured in bytes. - Per Partition SO Status: Indicates whether the Security Officer functionality is enabled or disabled for each individual partition within the service. - Scalable Key Storage Status: Specifies whether scalable key storage functionality is enabled or disabled for the service, allowing for efficient management of cryptographic keys. - Device Capabilities: Provides information about the overall capabilities of the hosting device, including performance metrics, authentication mechanisms, and backup capabilities. |
Partitions | Provides the following information about the partitions that constitute the service: - Status: Indicates the current status of the partition. - Name: The name assigned to the partition. - Label: The descriptive label associated with the partition. - Serial Number: The unique serial number assigned to the partition. - Associated Device Name: The name of the device hosting the partition. - Appliance Version: The version of the appliance software running on the device. - Device Firmware Version: The version of the firmware installed on the device hosting the partition. Add Partitions: Click the Add Partitions button to add a new partition to the service. In the Add Partitions window, choose the Luna Network HSM device on which to create the partition, click Next to confirm your selection, then click Add Partition at the bottom. This creates a new partition on the selected device. Initialize Crypto User: Click the Initialize Crypto User button, provide the Crypto Officer and Crypto User passwords, and click Initialize. This enables the Crypto User role, which can perform cryptographic operations on the partition but cannot manage its objects. Delete Partition: As a CCC administrator, you can remove a partition from an HA group, for example to free up space on the device or to repurpose the partition. Deleting a partition destroys the objects it contains, so clone any key material you need to keep to another member partition first. To remove a partition from the HA group, hover over the partition and click the Delete Partition button located next to the Device Firmware column. You are then required to authenticate as the HSM Security Officer; click Delete Partition to confirm the removal. |
Keys | Displays the following key attributes: - Label: The identifier or name associated with the key. - Type: The type or category of the key. - Handle: The unique identifier assigned to the key within the system. - Fingerprint: A cryptographic hash or digest representing the key's contents. - Algorithm: The cryptographic algorithm used by the key. - Bit Size: The length of the key in bits, indicating its cryptographic strength. To view the attributes of a key on a partition, you must disable the Authenticate: To access the Keys tab, enter the Crypto Officer password set when the service was initialized and click the Authenticate button. This step may take some time, because CCC first establishes an NTLS connection from the CCC server to the partition(s) on the Luna Network HSM. For PED services, you must also provide a Remote PED Server IP Address and Remote PED Port in addition to the Crypto Officer password, unless you activated the Crypto Officer role when the service was created. Log Off Session: Click Log Off Session to manually terminate the NTLS session between the CCC server and the partition(s); no further access to the partition(s) through CCC is possible until you authenticate again. An NTLS session that remains idle for 3 hours is ended automatically to limit the window for unauthorized access. Avoid creating the NTLS connection from the CCC server manually via LunaCM or LunaSH, because this can cause errors when displaying key attributes; register the CCC server through the CCC Client instead. When retrieving key attributes for an HA service, CCC synchronizes the objects created across all member partitions of the HA group, so the attributes shown are consistent across the HA environment. Do not import the CCC ROT partition as a service or view its keys: doing so can disrupt the NTLS connection between the CCC server and the ROT partition that CCC itself relies on. View Key Material: Here's a video that shows how to view key material within a service. |
Clients | Provides detailed information about the Luna HSM client workstations associated with the service. The displayed data includes: - Status: Indicates whether the client workstation(s) are currently active or experiencing errors. - Host Address: The network address of each client workstation. - Fingerprint: A unique identifier for each client workstation's certificate. - Last Registration: The timestamp of the client workstation's last registration with the service. Note that when a partition is added to or removed from a service and initialized, the status of the existing client associations within the service is flagged with an error icon. This means those clients must re-register to synchronize with the updated configuration of the service. |
Remove a service
Within CCC, you have the option to detach or delete a service. Detaching a service removes it from CCC but does not impact the associated partition(s) or the objects within them. Deleting a service, on the other hand, removes it from CCC and also deletes the partition(s) and any objects contained within them. Typically, services are deleted by the Application Owner. To detach or delete a service:
Click on the Crypto Services tab located in the menu bar at the top of the screen.
In the left-hand navigation pane, select Services. This action will bring up a page displaying basic details of all existing services.
Locate the service you wish to remove, then hover over it and click the Remove button. You will then be prompted to choose between detaching or deleting the service. Select the appropriate option based on your needs.
Confirm your action when prompted. The selected service will then be either detached or deleted, depending on your choice.
Add, modify, copy, and delete service templates
Below are the procedures for adding, modifying, and copying service templates on CCC.
Add a service template
To add a service template:
Click on the Crypto Services tab located in the menu bar at the top of the screen.
In the left-hand navigation pane, select Service Templates. This action will bring up a page displaying basic details of all existing service templates.
At the top right corner of the page, you'll find an Add Service Template button. Click on it to start the process of adding a new service template.
In the Create Service Template wizard, proceed to populate the essential fields across multiple tabs according to the subsequent instructions.
Enter the following information in the General tab:
Parameter | Description |
---|---|
Template Name | Enter a name for the template you wish to create. This name helps in identifying and distinguishing the template, making it easier to manage and reference. |
Description | Optionally, provide a brief overview of the template. This can offer valuable context for users or administrators managing the template. |
Enter the following information in the Set Capabilities tab:
Parameter | Description |
---|---|
HSM Model | Choose the Luna Network HSM model on which services created from this template will run. |
Device Capabilities | Specify the capabilities the hosting Luna Network HSM must have (such as performance, authentication, and backup capabilities), so that only devices matching them are offered when a service is created from this template. |
Service Type | Select either HSM Partition to establish an autonomous service on a single device, or HSM Partition HA Group to configure a High Availability (HA) group spanning multiple devices. |
Partition Settings | - Partition Size (bytes): Determine the size of the partitions utilized for delivering services. - Per-Partition SO: Opt to assign each service created from this template its own Security Officer (SO). Note that this feature requires firmware version 6.22 or higher and the Per-Partition SO capability upgrade (CUF). For devices running firmware version 7.x, this feature is mandatory and enabled by default. - Secure Trusted Channel (STC): Choose this option to enable services created from this template to establish connections with Application Owner clients using Secure Trusted Channel (STC) instead of the standard NTLS connection. Ensure your device meets the necessary requirements for STC, including software version 6.2.1 or higher, firmware version 6.24.2 or higher, and the STC HSM policy enabled. Note that CCC no longer supports STC with Luna Network HSM, and the option to create partitions using STC is unavailable for Luna Network HSM 7 with firmware version 7.7.0 and above. - Scalable Key Storage (SKS): If you've selected Thales Luna Network HSM 7 (Firmware 7.7.0 and above), enable this option to create a service with a V1 type partition. Leave the checkbox unchecked to create a partition with V0 type. |
Review the details of your service template using the Summary tab. If any information needs modification, click Go Back to make the necessary adjustments. Once everything is accurate, click Finish to finalize the creation of your template. A confirmation pop-up will appear, signaling the successful creation of your service template. You'll then have the option to create a service using this template immediately by clicking Yes, Create Service, or you can choose to close and create a service later. If you opt to create the service now, you'll be directed to the Create Service wizard, as outlined in the Create a Service section.
Modify a service template
To modify a service template:
Click on the Crypto Services tab located in the menu bar at the top of the screen.
In the left-hand navigation pane, select Service Templates. This action will bring up a page displaying basic details of all existing service templates.
Click on the service template that requires modification. This action will reveal the template-related details located towards the bottom of the page.
Access and adjust the details associated with the service template by navigating to the appropriate tab.
Within the General tab, review and update the following details:
Parameter | Description |
---|---|
Template Name | Assign a descriptive name to the template for easy identification and management. |
Description | Optionally, provide a brief overview to offer context for users or administrators managing the template. |
Within the Capabilities tab, review and update the following details:
Parameter | Description |
---|---|
HSM Model | Choose the Luna Network HSM model on which services created from this template will run. |
Device Capabilities | Specify the capabilities the hosting Luna Network HSM must have (such as performance, authentication, and backup capabilities), so that only devices matching them are offered when a service is created from this template. |
Service Type | Select either HSM Partition to establish an autonomous service on a single device, or HSM Partition HA Group to configure a High Availability (HA) group spanning multiple devices. |
Partition Settings | - Partition Size (bytes): Determine the size of the partitions utilized for delivering services. - Per-Partition SO: Opt to assign each service created from this template its own Security Officer (SO). Note that this feature requires firmware version 6.22 or higher and the Per-Partition SO capability upgrade (CUF). For devices running firmware version 7.x, this feature is mandatory and enabled by default. - Secure Trusted Channel (STC): Choose this option to enable services created from this template to establish connections with Application Owner clients using Secure Trusted Channel (STC) instead of the standard NTLS connection. Ensure your device meets the necessary requirements for STC, including software version 6.2.1 or higher, firmware version 6.24.2 or higher, and the STC HSM policy enabled. Note that CCC no longer supports STC with Luna Network HSM, and the option to create partitions using STC is unavailable for Luna Network HSM 7 with firmware version 7.7.0 and above. - Scalable Key Storage (SKS): If you've selected Thales Luna Network HSM 7 (Firmware 7.7.0 and above), enable this option to create a service with a V1 type partition. Leave the checkbox unchecked to create a partition with V0 type. |
After making the desired modifications, click the Save button to ensure that your changes are applied and saved.
Copy a service template
To copy a service template:
Click on the Crypto Services tab located in the menu bar at the top of the screen.
In the left-hand navigation pane, select Service Templates. This action will bring up a page displaying basic details of all existing service templates.
Hover over the service template that you want to copy, and then click the Copy button. Doing so will bring up the Create Service Template wizard, with the fields pre-filled with the values from the copied service template.
Complete the wizard, as described in the Add a service template section.
Delete a service template
To delete a service template:
Click on the Crypto Services tab located in the menu bar at the top of the screen.
In the left-hand navigation pane, select Service Templates. This action will bring up a page displaying basic details of all existing service templates.
Locate the template you wish to delete, then hover over it and click the Delete button.
Confirm your action when prompted. The selected template will then be deleted.
Import Partitions
To import a partition:
Click on the Crypto Services tab located in the menu bar at the top of the screen.
In the left-hand navigation pane, select Import Partitions. This action will bring up the Import Partitions page.
Click on the Get Started button. This action will prompt the display of a list of HSM devices containing unmanaged partitions. Unmanaged partitions are those that have not yet been associated with a service, making them available for import into CCC.
Devices that are offline or unauthorized will not be listed.
Check the box located next to the name of the device to indicate which device or devices you want to scan for available partitions.
You have the flexibility to select multiple devices or choose all devices, depending on your needs.
After selecting the desired devices, click the Find Partitions button. Please note that the discovery process may take some time to finish, especially if there are many devices to query. Once the discovery process is complete, a table will be presented listing all the discovered partitions along with their respective details.
If you attempt to import more partitions than your CCC license permits, you'll receive a popup notification indicating that you've exceeded the partition limit. To proceed with the import, you'll need to adjust the number of partitions you want to import so that it equals or is fewer than the number of partitions allowed by your CCC license.
If you are importing a partition that has both the STC and PPSO policies enabled, certain CCC features will not be available for it. This is because CCC does not have the credentials needed to interact securely with the STC connection that is already established on the partition being imported.
While CCC tries to identify the partitions based on their service type (either standalone or part of a partition HA group), it's advisable to review the information displayed in the table and confirm its accuracy, particularly for HA groups.
Use the Remove button located at the far right of each partition row to drop any partitions that you do not wish to import. You can import all of the discovered partitions or remove specific partitions from the list before proceeding with the import. When you import a partition or HA group into CCC, you need to:
- Provide a name for the HA group, if the partitions you are importing belong to an HA group.
- Provide a name for the service.
- Optionally, include a description for the service.
- Select the organization that will own the service.
Any changes you make to the table, such as adding, removing, or modifying partitions, will be automatically saved. These changes will remain in effect even if you log out of your session and log back in later.
If you're importing an HA group, verify that the HA Group Label is correct. CCC assigns a default label of the form HA_n, which is not necessarily the label the client applications use. Log in to any client that uses the HA group and run the command vtl haAdmin show to retrieve the actual HA Group Label, then delete the default label (HA_n) in the table and replace it with the actual one so that the HA group is identified correctly within CCC.
After you have completed importing partitions and made any necessary adjustments, click the Finish Import button to finalize the import. Upon successful completion, you will receive a message confirming the import, and the newly imported partitions will be visible on the Services page.
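The HA-label check above is easy to get wrong when several HA groups share a client. The following added example (not part of the CCC documentation or product) cross-checks one row of the Import Partitions table against the `vtl haAdmin show` output of a client: it parses the `HA Group Label:` and `Group Members:` lines (the line layout is assumed from a typical listing, and the sample output below is constructed), finds the client group whose member serial numbers exactly match the serials CCC discovered, flags a leftover HA_n placeholder, and reports a label mismatch or a mis-grouped set of partitions.

```python
"""Cross-check an HA group discovered by CCC's Import Partitions page against
`vtl haAdmin show` output from a client that uses the group.

Added example, not CCC code. The `HA Group Label:` / `Group Members:` line
format is assumed from a typical vtl listing; SAMPLE_VTL_OUTPUT is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample of the "HA Group and Member Information" block.
SAMPLE_VTL_OUTPUT = """\
================ HA Global Configuration Settings ===============
HA Auto Recovery:           disabled
HA Recovery Mode:           activeBasic
Maximum Auto Recovery Retry:  0
Auto Recovery Poll Interval:  60 seconds
HA Logging:                 disabled
Only Show HA Slots:         no

================== HA Group and Member Information ==============
HA Group Label:  payments-prod
HA Group Number:  1154438272132
HA Group Slot #:  5
Synchronization:  enabled
Group Members:  154438272132, 1238700701510
Needs sync:  no
Standby members:  <none>

Slot #    Member S/N                      Member Label    Status
======    ==========                      ============    ======
     0    154438272132                    pay-a           alive
     1    1238700701510                   pay-b           alive
"""

# Placeholder label CCC assigns to a discovered HA group before you rename it.
DEFAULT_LABEL = re.compile(r"^HA_\d+$")


@dataclass
class HAGroup:
    label: str
    members: set[str] = field(default_factory=set)  # partition serial numbers


def parse_ha_groups(text: str) -> list[HAGroup]:
    """Return one HAGroup per 'HA Group Label:' block in the vtl output."""
    groups: list[HAGroup] = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # banner, table header or member row: no key/value pair
        key, value = key.strip(), value.strip()
        if key == "HA Group Label":
            groups.append(HAGroup(label=value))
        elif key == "Group Members" and groups:
            groups[-1].members = {m.strip() for m in value.split(",") if m.strip()}
    return groups


def resolve_label(ccc_serials: set[str], client_text: str) -> Optional[str]:
    """Label of the client HA group whose member set equals what CCC discovered."""
    for group in parse_ha_groups(client_text):
        if group.members == ccc_serials:
            return group.label
    return None


def check_import_row(ccc_label: str, ccc_serials: set[str], client_text: str) -> list[str]:
    """Compare one row of the Import Partitions table with the client's view.

    Returns a list of findings; an empty list means the row can be imported as-is.
    """
    findings: list[str] = []
    if DEFAULT_LABEL.match(ccc_label):
        findings.append(f"label {ccc_label!r} is a CCC placeholder; replace it with the client's HA Group Label")
    actual = resolve_label(ccc_serials, client_text)
    if actual is None:
        findings.append("no client HA group has exactly these member serials; CCC may have grouped the partitions wrongly")
    elif actual != ccc_label:
        findings.append(f"client HA Group Label is {actual!r}, not {ccc_label!r}")
    return findings


if __name__ == "__main__":
    discovered = {"154438272132", "1238700701510"}  # serials shown in the CCC table
    for finding in check_import_row("HA_1", discovered, SAMPLE_VTL_OUTPUT):
        print("-", finding)
```

Run it against the real `vtl haAdmin show` output captured from the client and the serial numbers shown in CCC's discovery table; an empty result means the label and membership agree with what the applications actually use.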
Migrate services
CCC enables you to migrate or transfer key objects between services. Explore comprehensive guidance in the following sections:
Identify compatible devices
CCC facilitates service migration between the following devices:
Source Device | Destination Device |
---|---|
6.x non-PPSO PED | 6.x PPSO PED or 7.x PED |
6.x PPSO PED | 6.x PPSO PED or 7.x PED |
7.x PED | 6.x PPSO PED or 7.x PED |
6.x non-PPSO Password (only if the source service or partition was originally created and its roles initialized through LunaSH) | 7.x Password (for SAs below 7.7, apply the REST patch that fixed the domain issue) |
6.x PPSO Password (only if the source service or partition was originally created and its roles initialized through LunaSH) | 7.x Password (for SAs below 7.7, apply the REST patch that fixed the domain issue) |
7.x Password (for SAs below 7.7, apply the REST patch that fixed the domain issue) | 7.x Password (for SAs below 7.7, apply the REST patch that fixed the domain issue) |
Migration cannot be performed if the source firmware version is 7.7.x and the target firmware version is 7.4 or lower.
Migration cannot be performed if the source firmware is FM-ready or FM-not-ready and the target firmware is FM-disabled or FM-enabled.
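The compatibility table and the two firmware rules above are the conditions CCC will fail on only after you have walked through the wizard. The following added example (not part of CCC) encodes them as a pre-flight check you can run first. The Device fields (authentication type, firmware version, PPSO, FM state, whether the roles were initialized through LunaSH, and whether the REST domain patch is applied) are assumptions you fill in by hand from the device's firmware and policy settings; CCC does not expose such a check itself.

```python
"""Pre-flight check for a CCC service migration: encodes the source/destination
compatibility table and the firmware rules as a function returning the blockers.

Added example, not CCC code. The Device fields are assumed inputs that you
populate from the appliance's firmware version and policy settings.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    auth: str                        # "PED" or "Password"
    firmware: str                    # dotted firmware version, e.g. "6.24.2" or "7.7.1"
    ppso: bool                       # Per-Partition SO enabled on the partition
    fm_state: str = "FM-disabled"    # FM-disabled | FM-enabled | FM-ready | FM-not-ready
    created_via_lunash: bool = True  # roles initialized through LunaSH (matters for 6.x Password sources)
    rest_domain_patch: bool = True   # REST patch for the domain issue applied (7.x Password SAs below 7.7)


def fw(version: str) -> tuple[int, ...]:
    """'7.7.1' -> (7, 7, 1), so firmware versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def migration_blockers(src: Device, dst: Device) -> list[str]:
    """Return the reasons this source/destination pair cannot be migrated.

    An empty list means every rule from the compatibility table passes.
    """
    blockers: list[str] = []
    src_major, dst_major = fw(src.firmware)[0], fw(dst.firmware)[0]

    # Every supported row keeps the authentication type: PED -> PED, Password -> Password.
    if src.auth != dst.auth:
        blockers.append(f"authentication type changes from {src.auth} to {dst.auth}")

    if dst.auth == "PED":
        # PED destinations: any 7.x, or 6.x only with PPSO.
        if dst_major == 6 and not dst.ppso:
            blockers.append("a 6.x PED destination must be PPSO")
    else:
        # Password destinations must be 7.x.
        if dst_major != 7:
            blockers.append("a Password-authenticated destination must run 7.x firmware")
        # 6.x Password sources are supported only when created and initialized through LunaSH.
        if src.auth == "Password" and src_major == 6 and not src.created_via_lunash:
            blockers.append("a 6.x Password source must have been created and its roles initialized through LunaSH")
        # 7.x Password appliances below 7.7 need the REST domain patch, on either end.
        for side, dev in (("source", src), ("destination", dst)):
            version = fw(dev.firmware)
            if dev.auth == "Password" and version[0] == 7 and version[:2] < (7, 7) and not dev.rest_domain_patch:
                blockers.append(f"{side} is a 7.x Password SA below 7.7 without the REST domain patch")

    # Firmware rule: a 7.7.x source cannot migrate to a target on 7.4 or lower.
    if fw(src.firmware)[:2] == (7, 7) and fw(dst.firmware)[:2] <= (7, 4):
        blockers.append("a 7.7.x source cannot migrate to a target on firmware 7.4 or lower")

    # FM rule: FM-ready / FM-not-ready source cannot go to an FM-disabled / FM-enabled target.
    if src.fm_state in ("FM-ready", "FM-not-ready") and dst.fm_state in ("FM-disabled", "FM-enabled"):
        blockers.append(f"source is {src.fm_state} but target is {dst.fm_state}")

    return blockers


if __name__ == "__main__":
    source = Device(auth="PED", firmware="7.7.1", ppso=True)
    target = Device(auth="PED", firmware="7.4.0", ppso=True)
    for reason in migration_blockers(source, target):
        print("BLOCKED:", reason)
```

Treat an empty result as necessary, not sufficient: the notes under the migration steps (activated non-PPSO PED source without a default challenge, enough partition licenses, a backup of the source partitions) still apply.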
Follow migration steps
To migrate a service, follow these steps:
The duration of the service migration process varies based on the number of objects and devices involved. During this period, other CCC functions will be inaccessible.
For non-PPSO PED service migration, ensure that the source partition is activated and that no default challenge is set.
If the selected source service is an HA service, migration will be conducted solely from its first partition.
If there is an insufficient number of partition licenses available, the Migrate Service button will remain disabled.
It's advisable to create a backup of the source partitions before initiating the data migration process.
If you have upgraded from an older version of CCC and are creating an HA service from an existing partition, reset the partition password manually so that the new password is at least 8 characters long.
Disable the ipcheck property of NTLS on the HSM, which otherwise ties each registered client certificate to the IP address it was registered from, by running the following LunaSH command on the appliance:
ntls ipcheck disable
Once the migration is complete, re-enable the check with ntls ipcheck enable so that clients are again bound to their registered IP addresses.
Add the source device, which requires migration, along with all target devices intended for migration, to CCC.
Ensure that the service slated for migration is either already present in CCC or create a new service for migration.
The service will only appear for selection if the source HSM has cloning capability and is initialized.
Click on the Crypto Services tab located in the menu bar at the top of the screen.
In the left-hand navigation pane, select Migrate Service. This action will bring up the Migrate Service page.
Initiate the service migration process by clicking the Migrate Service button. Follow the prompts in the Migrate Service wizard that appears.
In the Select Service tab of the wizard, select the service that you wish to migrate and proceed by clicking Next.
If the selected service is an HA service, its first partition is treated as the primary partition and is the only one migrated.
In the New Service tab, provide the necessary details, such as the New Service Name, Organization, HSM Model, Partition Size, and Description (optional). Click Next when all the details are entered.
Proceed to the Select Devices tab and choose the device(s) intended to provide the new service. Click Next when you are done.
In the Define Partition tab, enter the partition label and, for password-authenticated devices, the cloning domain. Click Next once completed.
During the initialization of new service partitions in the migration process, it's crucial to use the same cloning domain and role credentials as the service chosen for migration. This ensures consistency and compatibility between the original service and the migrated partitions.
Navigate to the Initialize Roles tab and enter the passwords for Security Officer, Crypto Officer, and, if applicable, Crypto User. For PED authenticated devices, provide the remote PED server IP address, remote PED server port, and Crypto Officer password.
Use the Summary tab to review and validate all entered details. Once confirmed, proceed by clicking the Migrate Service button. Wait for the completion of the service migration process. Please be patient as the duration may vary depending on the number of objects and devices involved. Upon successful migration, a confirmation message will be displayed.
View migration video
Below is a video presentation illustrating the effective utilization of CCC's service migration functionalities:
Troubleshoot migration issues
Error Message | Solution |
---|---|
Failed to create a new service for a device. | Manually import partitions into CCC using the import partition feature. You can import them either as a standalone service or as part of an HA group service. |
Failed to migrate key material to a device. | To include a device where migration has failed, utilize the add partition feature for the newly created service. Then, authorize the service using the ccc_client tool. During the authorization process, CCC conducts synchronization across all partitions of the service. |