Frequently Asked Questions
This section lists commonly asked questions and answers related to Thales Crypto Command Center.
What is Crypto Command Center?
Crypto Command Center (CCC) is a web-based application that provides users with a simple interface for centralized management of crypto resources on Luna Network HSMs. CCC features include:
- Provisioning: Dynamically add and remove crypto resources.
- Organizations: Manage organizational accounts as unique tenants.
- User roles: Designate admin and users with corresponding privileges.
- Device pools: Logically group devices based on environments, geolocations, and performance.
- Service templates: Crypto resource recipes for quick deployment and standardization.
- GUI: Manage your devices via a simple web interface.
- High Availability: Improve high availability and uptime.
- Virtualization: Run Thales CCC in a virtual environment such as VMware.
- Monitoring: Actively monitor the status of your devices. View graphs of the HSM utilization and other counters and hardware sensors.
- Reporting: Generate reports by device or by service. Reports can be viewed in the CCC app, or downloaded as CSV files.
What are the benefits of CCC?
- Cost savings: CCC provides users with a simple interface to manage crypto resources, resulting in long-term cost savings.
- Improved Performance: CCC enables users to manage HSMs from one, centralized location.
- Improved Security: CCC enforces role separation, thus ensuring that key ownership is not compromised.
- Managed device pools: CCC logically groups devices based on environments, geolocations, and performance.
- Scalability: CCC dynamically provisions and de-provisions HSM crypto services.
- Visibility: CCC reports on devices and crypto services and monitors the health of HSM devices.
How does Crypto Command Center work?
Crypto Command Center enables you to set up crypto service templates with predefined HSM capabilities that can be leveraged to provision services in a standardized and compliant manner. The application helps you create a centralized pool of high assurance cryptographic resources that can be extended to people and lines of businesses that need them. Crypto Command Center provides you the capabilities to monitor crypto resources, generate dynamic reports, and stay up to date on the status of managed HSM appliances.
What HSM devices does CCC support?
Currently CCC supports Luna Network HSM. Refer to the Hardware and Software Requirements section for more details.
Is CCC beneficial only for customers with a large number of HSMs?
That’s incorrect. CCC enhances operational efficiencies even for customers with a small number of HSMs. Enterprises that offer crypto as a service to organization stakeholders find CCC useful in centrally managing the crypto resources for applications across the enterprise. Through its simplicity it empowers more users to employ crypto resources and accelerate adoption. Plus, with the recently added monitoring features, there are even more benefits for customers managing a small pool of HSMs to use CCC.
How does Crypto Command Center detect suspicious activities in Luna Network HSMs?
CCC actively monitors HSM partitions for irregular crypto operation patterns. If the crypto operations spike above an acceptable average, you are notified about the irregular behavior. To avert false-positive alerts, you can choose how sensitive the threshold is and how long the pattern has to persist before you are notified.
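The interplay between threshold sensitivity and persistence described above can be sketched as follows. This is an added illustration, not CCC's own detection algorithm: the function name, its parameters, the rolling-average baseline and the sample counts are all assumptions constructed for the example.

```python
from collections import deque
from statistics import mean


def detect_spikes(samples, sensitivity=3.0, persist=3, window=5):
    """Return the sample indices at which an alert fires.

    samples     -- crypto operations counted per poll, oldest first
    sensitivity -- multiple of the baseline average that counts as a spike
    persist     -- consecutive spiking polls required before alerting
    window      -- number of recent normal polls that form the baseline
    """
    baseline = deque(maxlen=window)   # recent non-spiking samples only
    streak = 0
    alerts = []
    for i, ops in enumerate(samples):
        if len(baseline) < window:
            baseline.append(ops)      # still learning what normal looks like
            continue
        if ops > mean(baseline) * sensitivity:
            streak += 1
            if streak == persist:     # alert once per sustained episode
                alerts.append(i)
        else:
            streak = 0
            baseline.append(ops)      # spiking polls never inflate the baseline
    return alerts


# Constructed per-poll operation counts for one partition (not real HSM data).
SAMPLES = [100, 110, 95, 105, 90,     # warm-up: establishes the average
           400, 100,                  # one-poll burst, e.g. a scheduled batch job
           100, 105,
           450, 500, 480, 470,        # sustained spike across four polls
           100]

if __name__ == "__main__":
    print("persist=3:", detect_spikes(SAMPLES))             # sustained spike only
    print("persist=1:", detect_spikes(SAMPLES, persist=1))  # burst alerts too
```

With a persistence of one poll the short burst raises an alert as well; requiring three consecutive polls suppresses it while still catching the sustained spike.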
What are the types of licenses available for CCC?
There are 3 core Thales CCC offerings: Freemium License, Premium Perpetual License and Premium Subscription License:
- Freemium License: Is prepackaged and preconfigured with the Freemium virtual image for easy installation on the customer’s site, but is limited for use in a test environment. Otherwise, this offering includes all the same features as the Thales CCC Premium license offerings; it entitles the user to 20 device partitions and the monitoring feature.
- Premium Perpetual License: Is a one-time purchase license file that is intended for use in a production environment. It can provision an unlimited number of crypto services, up to the number indicated by the license agreement. It can also enable the monitoring feature.
- Premium Subscription License: Is an annual subscription-based license file that is intended for use in a production environment. It can provision an unlimited number of crypto services, up to the number indicated by the license agreement. It can also enable the monitoring feature. The subscription license is more appropriate for users whose quantity of provisioned partitions/devices changes annually/regularly.
Does Thales CCC Freemium license include maintenance and support?
No. Thales CCC Freemium license does not include maintenance and support options.
Where can I buy the Freemium license?
A Freemium license can be obtained from the Crypto Command Center Freemium License page at no cost to the customer. The customer will be qualified for export rule compliance before the Freemium license is granted.
Where can I purchase a Thales CCC Premium license?
A Thales CCC premium license can be purchased by following Thales standard sales procedures. New customers can request to be contacted via the Get Crypto Command Center Premium page. Existing customers can contact their sales reps. The Thales CCC premium license file is delivered to the customer via email. Customers can obtain the Thales CCC software electronically.
What are the available premium licensing options for Thales CCC?
Refer to the Get Crypto Command Premium page for details related to CCC premium licensing.
Is the Premium license refundable?
No.
Can a perpetual license be changed to a subscription license?
The license cannot be converted from perpetual to subscription. The customer must buy the new subscription license. The perpetual license is nonrefundable. The annual support contract associated with the perpetual license will be canceled.
Can a subscription license be changed to a perpetual license?
The license cannot be converted from subscription to perpetual. The customer must buy the new perpetual license. The timing of this changeover should correspond with the anniversary/expiry date of the annual subscription license.
Can a customer increase the number of provisioned services as part of perpetual license?
Yes, the old license agreement will remain in effect and will reflect the original quantity of perpetual licenses purchased. A new agreement will be created to reflect the incremental number of licenses subsequently purchased. The customer will pay the one-time perpetual license fee for the additional crypto services. The support contract for the first batch of licenses purchased may be co-termed with the support contract for the second contract of licenses.
Does creating a CCC root of trust use up a CCC license?
No, you don't need a CCC license to create a CCC root of trust. However, you require a license to create a service.
Can a customer reduce the number of provisioned services as part of perpetual license?
Customers can reduce the number of provisioned services any time prior to their license anniversary date. If services are cancelled prior to the anniversary date, customers will not be refunded for the unused portion of the maintenance fees for the remainder of the current year. The old license agreement will be cancelled and a new agreement will contain the reduced number of provisioned crypto services allowed. In the following year (next license anniversary date) the customer will pay maintenance for the new reduced provisioned crypto services total.
Can a customer increase the number of provisioned services as part of subscription license?
Yes, the old license agreement will remain in effect and will reflect the original quantity of subscription licenses purchased. A new agreement will be created to reflect the incremental number of licenses subsequently purchased. The agreement for the subsequent license purchases will correspond to the anniversary date of the subscription license, such that the anniversary dates of the subscription licenses align.
Is maintenance mandatory for perpetual license customers?
Maintenance is not mandatory for perpetual license customers. We recommend using maintenance as it will provide the user with various advantages/benefits.
If a customer buys a subscription license are they required to pay an annual maintenance fee?
No, the subscription fee includes annual maintenance.
What maintenance is available and how much does it cost?
Refer to the following table for details:
Maintenance | Period | % of List Price |
---|---|---|
Standard Maintenance Service | 1-2 Year | 16% |
Standard Maintenance Service | 3-5 Year | 13% |
Enhanced Maintenance Service | 1-2 Year | 21% |
Enhanced Maintenance Service | 3-5 Year | 18% |
Premier Maintenance Service | 1-2 Year | 26% |
Premier Maintenance Service | 3-5 Year | 23% |
Is Thales CCC sold in annual terms of 1yr, 2yr, 3yr, etc.?
Customers can purchase an annual subscription license. The subscription license must be renewed every year on the anniversary date of the license.
Can a customer reduce the number of provisioned services as part of subscription license?
Yes, the old license agreement will be cancelled. The new agreement will contain the new total number of provisioned crypto services allowed. The customer will not be refunded for the unused portion of the subscription fees. In the following year (next license anniversary date), the customer will only pay subscription fees for the new reduced provisioned crypto services.
How does Crypto Command Center notify users about suspicious activities or critical events?
CCC can be configured to send email notifications using corporate mail servers.
How can I configure Crypto Command Center without generating an SSL certificate?
You can obtain a signed certificate from a trusted public CA.
Can Crypto Command Center be installed on a Windows machine?
You require CentOS or Red Hat to install Crypto Command Center. However, you can package Crypto Command Center in a VM that can in turn run on a Windows machine.
Is there a limit to the number of crypto services that can be provisioned with Thales CCC?
There is no technical limit to the number of crypto services that can be provisioned with Thales Luna Network HSM. Customers can provision up to the number of crypto services indicated in their license agreement.
Will Crypto Command Center have access to my private keys?
No. Any communication that Crypto Command Center has with managed devices is encrypted and/or verified by the root of trust. The root of trust is an HSM (Luna SA) that acts as Crypto Command Center key store and trust anchor. These cryptographic operations happen entirely on the HSM and the keys never leave the root of trust. Crypto Command Center uses industry-standard encryption (AES-256, RSA-2048) on all communications with the HSM. Luna SA admin (lush) credentials are encrypted with a key that is stored on the Crypto Command Center Root of Trust HSM. This key cannot be extracted from the Root of Trust.
What type of user data is stored by PostgreSQL database and how is it protected?
The following table provides details regarding the user data stored by PostgreSQL database:
Data Type | Description | Compliance/Security requirements | Data in the clear or encrypted |
---|---|---|---|
User information | Administrator and Application Owner user details | NA | Clear |
User credentials | Administrator and Application Owner passwords | Yes | Encrypted |
Device info | Device details, including device IP, device capabilities, and certificates | NA | Clear |
Device credentials | Device SO, CO, and CU passwords | Yes | Encrypted |
Organization details | Internal to CCC for segregation of departments | NA | Clear |
Device pool details | For clubbing devices | NA | Clear |
Service template | Capabilities, including type, size, and functionality of the services created through the template | NA | Clear |
Service data | Name and description of the service, partition size, by whom it is initialized, and by whom it is deployed | NA | Clear |
Device monitoring | Device monitoring related data | NA | Clear |
Notifications | SMTP username, email, and password | NA | Clear |
Logs | CCC related logs | NA | Clear |
Active directory | Directory configuration details | Yes | Encrypted |
What kind of protection does Crypto Command Center offer against cyberattacks?
- Any communication that Crypto Command Center has with managed devices is encrypted and/or verified by the root of trust. The root of trust is an HSM (Luna SA) that acts as Crypto Command Center key store and trust anchor. These cryptographic operations happen entirely on the HSM and the keys never leave the root of trust. Crypto Command Center uses industry-standard encryption (AES-256, RSA-2048) on all communications with the HSM. Luna SA admin (lush) credentials are encrypted with a key that is stored on the Crypto Command Center Root of Trust HSM. This key cannot be extracted from the Root of Trust.
- The HSM SO credentials (password or blue key data) are never cached. All authorization on the HSM is done through the secure indirect login feature of Luna SA, using Crypto Command Center Root of Trust HSM.
- The Partition Owner credentials (password or black key) are never cached.
- Crypto Command Center does not change the way applications interact with the HSMs. Applications continue to communicate directly with the HSM to authenticate and perform crypto operations. All security protections of Luna SA stay active on Crypto Command Center.
- Crypto Command Center account passwords are stored salted and hashed. The application uses standard Java EE container security for user authorization. There is a small delay on login to make automated password guessing impractical.
Why do I require Crypto Command Center if my organization uses only a small number of Luna Network HSMs?
Crypto Command Center provides visibility into the HSMs. HSMs are used for mission-critical activities and being aware of their health and security is important regardless of the number of HSM units. You can use Crypto Command Center to set up alerts for important HSM events.
Is Crypto Command Center FIPS Compliant?
Crypto Command Center does not need to be FIPS compliant because it does not perform crypto operations. When a FIPS-validated HSM is in FIPS-mode operation, the HSM is responsible for enforcing the use of FIPS-approved connections. The FIPS-validated HSM will enforce FIPS-approved connections regardless of whether it is communicating with a trusted management system like Crypto Command Center or an unknown third party client. Crypto Command Center cannot reduce or negatively impact the assurance provided by the use of a FIPS-validated HSM.
Do I need to stop CCC services while installing an update?
If you are using CCC on a single server, there's no need to stop CCC services for updates. However, if you are using CCC in HA mode, it is recommended that you stop each instance of CCC separately while making the updates to ensure the overall system is not interrupted.
Where can I find information on security vulnerabilities that impact CCC?
Refer to Thales Security Updates for information on security vulnerabilities.
What is the default polling interval for Crypto Command Center?
The default polling interval for Crypto Command Center is 60 seconds. The polling interval determines the gap between the end of one poll and the start of the next poll for each device.
How can I access CCC logs?
You can find the CCC logs at the following path: /home/ccc/server-logs/.