Release Notes
The Crypto Command Center 4.2 Release Notes encompass a range of essential information, including new features, advisory notes, compatibility details, upgrade instructions, and resolved and known issues.
New features and enhancements
As CCC 4.2 debuts, users can anticipate strengthened security measures and smoother deployment processes, translating into enhanced user confidence and operational efficiency. Keycloak's security fixes and Wildfly's performance enhancements promise a safer and more reliable user environment, while upgraded Java and OS ensure seamless compatibility and improved workflow efficiency. Simplified import partitions and device-specific report generation processes empower users with streamlined operations, while fortified security measures safeguard sensitive data, reaffirming CCC's commitment to user trust and data integrity.
Enhancements to the import partitions feature
This update marks a significant enhancement to the Import Partitions feature, in line with our commitment to continuously improve our product to meet the evolving needs of our users. Previously, selecting partitions for import could be cumbersome, especially with numerous devices or a large number of partitions. In response, we've streamlined and optimized this process to enhance efficiency. Now, users have the ability to refine their search for importable partitions into CCC by selecting specific devices. By being able to specify the devices within which they want to search for importable partitions, users can streamline their workflow and focus their efforts more effectively.
Device-specific report generation
In this release, significant enhancements streamline report generation, featuring newfound capabilities for faster, more precise reports. Integration of device filters empowers users to tailor reports to specific devices, ensuring accuracy and relevance. Users now refine their report generation process, focusing on particular devices. This addition provides a versatile means to extract insights, enabling nuanced data analysis for more informed decision-making.
Expanded operational analysis in service monitoring
In the 4.2 release, we've enhanced our service monitoring feature to provide users with deeper insights into operational metrics. When navigating to the Service Monitoring page and examining a selected service's details, users can now track operation metrics across different timeframes: per minute, per hour, and per day, alongside the existing per-second metrics. This expanded analytical scope encompasses all operations or can be customized to focus on specific tasks such as decryption, encryption, signing, verification, key generation, and key derivation. By investigating detailed metrics across different timeframes, users can gain deeper insights into system behavior and detect any anomalous or suspicious activities more effectively. This enhancement further strengthens CCC's monitoring capabilities, allowing organizations to proactively identify and respond to potential security threats or breaches.
Signed and verified CCC container images
We are pleased to announce a new feature in this release: the utilization of signed and verified CCC container images. This enhancement significantly enhances system security and reliability, helping to mitigate potential security risks while fostering user trust. By following a straightforward set of steps, users can ensure that their CCC environment complies with industry standards and regulations. This feature enables the integration of signed and verified container images into the CCC ecosystem, further strengthening security and ensuring compliance.
Customized login screen messages
As a CCC administrator, you now have the ability to create personalized messages displayed as banners on the CCC login screen, visible to all users. To access this feature, navigate to the Administration tab from the top menu bar, then click on the Customization button in the left-side navigation pane. Choose the start and end times for message visibility, assign a category (informative, warning, or critical), and then compose your message. This empowers you to effectively communicate important information to all users accessing CCC.
FIPS status visibility
Understanding the FIPS status of your devices is crucial for making informed decisions regarding security, compliance, interoperability, and risk management. With this release, access the FIPS status of all devices managed via CCC by navigating to the Devices tab from the top menu bar, and then selecting the Devices button in the left-side navigation pane. With this enhanced visibility, you can confidently assess the security posture of your infrastructure and take proactive measures as needed.
System updates
In this release of CCC, we've focused on three key areas to improve the security, performance, and reliability of our platform. Below, we detail the key enhancements made in each domain:
Security fixes
In this release, we've prioritized security and performance enhancements through critical updates to CCC's components. Keycloak now incorporates vital security fixes, bolstering authentication and authorization processes for a safer user environment. Additionally, updates to Wildfly address security vulnerabilities while enhancing the stability and reliability of our application server, ultimately boosting CCC's overall performance. Lastly, we've upgraded to TLS version 1.3, enhancing security and speed. With improved encryption and faster connections, users now enjoy a more secure and efficient experience.
Performance enhancements
We've upgraded the underlying Java version from Java 8 to Java 11, taking advantage of the latest features and security enhancements while ensuring compatibility with modern systems. These updates ensure that CCC stays up-to-date with the latest security standards, providing our users with a more secure environment to work in.
Operating system update
In this update, CCC's base operating system has been upgraded, bringing a range of enhancements to improve performance, stability, and compatibility. Users can expect smoother operations with fewer interruptions, thanks to fixes addressing known issues and vulnerabilities. Additionally, the update ensures compatibility with the latest hardware and software technologies, facilitating seamless integration with other tools and systems. Performance optimizations contribute to faster boot times, smoother application performance, and reduced resource consumption, ultimately enhancing the overall efficiency of CCC.
Enhanced security measures for sensitive data handling
This CCC release introduces enhanced security measures aimed at safeguarding sensitive information. Following the creation of secrets, the secretfile is systematically transferred to a designated directory for cryptographic data storage, bolstering security by restricting access. Additionally, a meticulous approach is taken towards data disposal, with the original secretfile promptly deleted from the podman directory after securely transferring secrets to the designated location.
Feature matrix for CCC 4.2
Below are the minimum system requirements necessary to support the essential features and functionalities of CCC:
Feature | Monitoring License Required | Minimum SA Version | Minimum SA Firmware |
---|---|---|---|
Service Provisioning | No | 6.x | 6.10.9 |
Security Officer Per Partition (PPSO) | No | 6.x | 6.10.9 |
Device & Service Reports | No | 6.x | 6.10.9 |
Import Services | No | 6.x | 6.10.9 |
Device Monitoring, Dashboard & Notifications | Yes | 6.x | 6.10.9 |
Device Monitoring (Full) | Yes | 6.x | 6.20.0 |
Service Monitoring | Yes | 7.3 | 7.3.0 |
Device Logs | Yes | 6.x | 6.10.9 |
Key Material Visibility | No | 6.x | 6.10.9 |
External Directory Server over LDAP | No | NA | NA |
Apply SW Package | No | 7.3 | NA |
Update Firmware | No | 7.3 | NA |
Migrate Service | No | 6.2.2 | 6.24.3 |
Advisory notes
This section outlines essential considerations for users to address before deploying the current release, aiming to facilitate informed decision-making and streamline implementation processes.
Potential performance impact with REST API calls on partitions in CCC
Issue: A performance degradation issue has been identified when executing REST API calls on partition resources in CCC while using firmware version 7.8.4 or later. Over time, these calls may significantly reduce the performance of cryptographic operations within CCC. This issue has not been observed with firmware versions 7.8.3 or earlier.
Suggested Action: Our engineering team is actively investigating the root cause. To prevent potential performance degradation, we recommend using firmware version 7.8.3 or earlier if you rely on REST API calls on partition resources. If you choose to remain on firmware version 7.8.4, we suggest suspending or limiting the use of REST API calls on partition resources in CCC until a resolution is available.
Supported Versions
We are committed to supporting the last three versions of CCC that have been released. Security patches and bug fixes are regularly applied to the latest versions within the 3.x and 4.x series. In the event of a critical security concern or bug, we may recommend upgrading to the latest version within your series to ensure optimal performance and security. While ongoing patches for older releases may not be provided, please rest assured that we strive to help you maximize the benefits of our software. If you encounter any questions or issues with a specific version, our team is readily available to assist you.
Security guidelines
Consult the security guidelines for CCC, which provide detailed recommendations and requirements to safeguard your CCC installation against various cyber threats, including Code Injection, Man-in-the-Middle (MITM), and Denial of Service (DoS) attacks, ensuring the protection of critical systems.
Server monitoring
We recommend monitoring your CCC server configuration with a server monitoring system. CCC cannot notify users that a CCC instance has been deactivated in the event of a server outage or disconnection.
Thales Luna Network HSM 7.1 Monitoring HSM CPU Usage
The Thales Luna Network HSM 7.1 device firmware incorrectly reports the value for HSM CPU usage. The firmware always populates the HSM CPU usage monitoring histogram value as 99.9%. This is not an accurate evaluation of the HSM device's performance by CCC.
Support for 5.x devices
CCC 4.2 does not support 5.x devices. If you are primarily managing 5.x devices, you may want to defer this software upgrade at this time. If you are managing a combination of 5.x and 6.x devices, upgrading to CCC 4.2 will require upgrading your 5.x devices.
Thales Luna HSM 7.1 and newer device REST API
The REST API package comes pre-installed on Thales Luna Network HSM 7.1 and newer devices. As a user, you need to configure the REST API on the device. For better stability, use of the latest REST API versions is recommended, as listed below.
REST API Version | Appliance Version | Firmware Version |
---|---|---|
v5 | 7.1.0-379 | 7.1.0 |
v6 | 7.2.0-220 | 7.2.0 |
v7 | 7.3.0-165 | 7.3.0 |
v8 | 7.4.0-226 | 7.4.0 |
v9 | 7.7.0-317 | 7.7.0 |
v10 | 7.7.1-188 | 7.7.1 |
If STC is enabled, the webserver (REST API) of some Luna devices may need to be restarted.
ccc_client PED-Authenticated HSM Partition HA Group Service
If the user enters an incorrect challenge password when deploying a PED-authenticated HSM partition HA group service with ccc_client, the service will display as deployed but will not be operational. To deploy the service, relaunch ccc_client, select the service, and revoke access to that service. Then, deploy the service, as described in the CCC User Guide.
Database security
CCC does not currently support full disk encryption on a PostgreSQL database. As a result, the integrity of the database server is the responsibility of the user. We recommend keeping your database server in an environment that is secured by software data networks and firewalls. Customers are responsible for ensuring compliance with their organization's security policies.
Freemium license
The CCC Freemium virtual image is not available with CCC 4.2. However, the Freemium license file is still supported with CCC 4.2 premium build. The Freemium license is available as part of the CCC software package.
The CCC Administrator user can now use the Update License button to replace the Freemium license file with the premium license when the product evaluation is completed.
Mixed High Availability Device Partition Groups
7.x devices do not support mixed high availability (HA) device partition groups. You cannot create an HA partition group consisting of both 6.x and 7.x devices. HA partition groups can only consist of 6.x or 7.x device partitions.
Java 1.8.0-144 JDK memory leak
The Java 1.8.0-144 JDK is not supported by CCC. The Java 1.8.0-144 JDK has a known memory leak. It is recommended that you upgrade to the latest version of Java 1.8.0. For more information about the Java 1.8.0-144 JDK memory leak, review Java JDK issue 8164293.
Limitations of Luna Appliance Software 7.3.3 and 7.3.4
If you are using a Luna Network HSM device having Luna appliance software version 7.3.3 or 7.3.4, you will not be able to use certain features of CCC.
Non-availability of STC support
CCC no longer provides support for STC with Luna Network HSM. The option to create a partition using STC is not available with Luna Network HSM 7 (Firmware 7.7.0 and above).
Compatibility information
For information regarding the supported hardware, software, and managed devices, consult the CCC User Guide.
Supported versions of CCC
The list of supported CCC versions can be found on the Thales Customer Support Portal. As a user, you are advised to upgrade to the latest CCC version.
Upgrading CCC
To upgrade to the latest version of CCC, refer to Upgrading CCC.
Resolved and known issues
This section lists the resolved and known issues in the product at the time of release. Workarounds are provided where available. The following table defines the severity of the issues that are listed.
Priority | Classification | Definition |
---|---|---|
C | Critical | No reasonable workaround exists. |
H | High | Reasonable workaround exists. |
M | Medium | Medium level priority problems. |
L | Low | Lowest level priority problems. |
Known issues
Issue | Severity | Synopsis |
---|---|---|
CCC-8303 | M | Problem: If you log in with a newly created user, stay on the "change password" screen for five minutes with no activity, and then attempt a password change, you are redirected to a blank page. Workaround: This behavior indicates a timeout. You can reattempt login by clicking the back button or by re-entering the Thales Crypto Command Center address into the URL bar in the browser. |
CCC-8319 | M | Problem: If you add a 6.x device, and then use LunaSH to alter the admin password and the REST API certificate, you cannot update either the admin password or the REST API certificate on Thales Crypto Command Center. If you add a 5.x device, and then use LunaSH to alter the admin password and the SSH host key, you cannot update either the admin password or the SSH host key on Thales Crypto Command Center. Workaround: Update Thales Crypto Command Center immediately after updating the admin password, SSH host key, or REST API certificate on the appliance. Do not perform any other configuration until Thales Crypto Command Center is updated. If you accidentally change both the device password and the device identity (SSH host key or REST API certificate) without updating Thales Crypto Command Center, use LunaSH to change the admin password back to the previous value. In Thales Crypto Command Center, verify the SSH key or REST API certificate. Then return to the device and change the admin password to the new desired password. Update the admin password in Thales Crypto Command Center. |
CCC-8819 | M | Problem: If you create and deploy a service, change its organization, and then attempt to revoke access to the service, the full deregistration might not complete. For example, the revoke might not complete, the client entry might still be displayed in the service details tab, or the client might still be registered on the managed device partition(s). Workaround: If you attempted a revocation which did not complete, detach the service, re-import it, complete the normal application owner setup, and then revoke again. If you want to change a service's organization, first revoke client access, then change the organization, then deploy the service again. This ensures that future attempts to revoke access to the service will succeed. |
CCC-9208 | M | Problem: Monitoring data does not update automatically in the General and Capabilities tabs on the Device page. Monitoring information is retrieved and stored by the device, but is not generated automatically in the Thales Crypto Command Center graphical user interface on the General tab and the Capabilities tab. Workaround: Click Refresh in the Capabilities tab to generate up-to-date monitoring data. |
CCC-10174 | L | Problem: When sorting a Service Report, at times the Sort drop-down menu loses its interface layer priority, appearing behind the entries in the Services List. Workaround: Minimize and expand the row where the issue is occurring. |
CCC-12639 | M | Problem: If the ccc_client.jar is run without trusting the server certificate, it throws an exception when Option 4 (exit) is directly selected after the run. Workaround: Always trust the server certificate when the ccc_client.jar is run. |
CCC-13259 | M | Problem: Sometimes when the NFS server goes down in a CCC High Availability setup, the NFS clients become unresponsive. Workaround: Re-run the enableNFSSharing.sh script on the client side to restore the NFS connection. |
CCC-13260 | M | Problem: Sometimes when a new NFS client is added to an existing High Availability CCC setup, the permissions on the shared folders of existing NFS clients change to an unexpected value. Workaround: Change the permissions on the shared folders /usr/safenet/ccc/packages and /usr/safenet/ccc/lunalogs back to lunadirector. |
CCC-13948 | M | Problem: While migrating a large number of keys, the status bar displays a "null" message if object synchronization takes a long time. Workaround: This message can appear when a large number of keys are being migrated. The migration process completes despite this issue. |
CCC-13980 | M | Problem: The Migrate Service button appears enabled for a moment when the partition limit is reached. Workaround: Even if you are able to click this button, you will not be able to perform the Migrate Service operation after the partition limit is reached. |
CCC-14306 | M | Problem: Unable to upgrade a device to firmware version 7.7.0 or 7.7.1. Workaround: Use LUSH to upgrade your device to firmware version 7.7.0 or 7.7.1. For details, refer to the Luna HSM documentation. |
CCC-14667 | M | Problem: A log off button appears if an incorrect Crypto Officer password is provided under the Keys section after creating and initializing a service on a PED device. Workaround: This is a known issue. Please ignore the log off button and enter the correct password. |
CCC-15584 | M | Problem: While configuring the podman-compose.yml file during CCC installation, replacing the hostname with a DNS name may lead to unexpected behavior in CCC functionality. Workaround: This is a known issue. As a temporary measure, we recommend using an IP address instead of a DNS name until a permanent resolution is developed and implemented. |
CCC-16064 | M | Problem: As a CCC 4.2.0 user, the Migrate Services feature is unavailable if your Luna Appliance Software is running one of the following patch versions: 7.8.3-550, 7.8.4-350, or 7.8.5-20. Workaround: To enable and use the Migrate Services feature, upgrade to CCC 4.3.0. This update ensures compatibility with the affected Luna Appliance Software versions and allows full functionality of the feature. |
RAPI-1853 | M | Problem: Upgrading the Luna Network HSM appliance from version 7.7.1 to 7.8.1 using CCC is currently not possible due to a bug in the REST API. Workaround: To update the appliance from version 7.7.1 to 7.8.1, users must manually connect to the LunaSH command-line interface and execute the upgrade procedure step by step. |
Contacting Thales customer support
If you encounter a problem while installing, registering, or operating this product, refer to the documentation before contacting support. If you cannot resolve the issue, contact your supplier or Thales Customer Support. Thales Customer Support operates 24 hours a day, 7 days a week. Your level of access to this service is governed by the support plan arrangements made between Thales and your organization. Please consult this support plan for further information about your entitlements, including the hours when telephone support is available to you.
Customer support portal
The customer support portal, at https://supportportal.thalesgroup.com, is where you can find solutions for most common problems. The Customer Support Portal is a comprehensive, fully searchable database of support resources, including software and firmware downloads, release notes listing known problems and workarounds, a knowledge base, FAQs, product documentation, technical notes, and more. You can also use the portal to create and manage support cases.
You require an account to access the Customer Support Portal. To create a new account, go to the portal and click on the REGISTER link.
Telephone support
If you have an urgent problem, or cannot access the Customer Support Portal, you can contact Thales Customer Support by telephone at +1 410-931-7520. Additional local telephone support numbers are listed on the support portal.