Viewing and Initializing Services
After you log in to CCC, you'll find a list of services that are available. Some of these services may have already been initialized by the CCC Administrator, while others could be awaiting initialization. A service must be initialized before it can be deployed.
Viewing Service Attributes
To view the attributes associated with a service:
Click Crypto Services from the menu bar at the top to access the list of available services.
Select the service you want to inspect for its attributes. You can sort the service list by column heading or use the search function.
Click on a tab to view the corresponding attributes:
| Attribute | Description |
|---|---|
| General | Provides partition-related details, including its name, description, associated organization, creation date, and the identity of the creator. You can use the Edit button to modify the service name, description, and organization. |
| Capabilities | Lists the features associated with the partition, including its type, host device type, partition size, per-partition security officer status, scalable key storage status, performance type, authentication method, and backup type. You can modify the partition size through this tab, if needed. |
| Partitions | Shows the status, name, label, and serial number of the partition, along with the associated device name, appliance version, and firmware version. You can also use the buttons available in this tab to add partitions and to initialize a crypto user. |
| Keys | Provides information about the keys located on the partition associated with a service, including details such as Label, Type, Handle, Fingerprint, Algorithm, and Bit Size. |
| Clients | Lists the hostnames of the machines with which the partition has an NTLS connection, along with their status, fingerprint, and registration details. |
Initializing a Service
You must initialize a service before you can register it with your application server and begin using it with your applications. Initializing a service initializes the partition(s) used to provide the service on the host devices. CCC Admin users can initialize a service when they create it, or they can leave it uninitialized until it is ready to be deployed. Uninitialized services can be initialized by the CCC Administrator, or by an Application Owner who is a member of the organization that owns the service. To initialize a service, you must specify or create the following details:
- The initial credentials for the roles that will own or use the service. For services without PPSO enabled, you initialize the credentials for the partition owner (crypto officer) role. For services with PPSO enabled, you initialize the credentials for the partition SO and crypto officer roles. You also have the option to initialize the crypto user role.
- The cloning domain for the service. You can only clone objects between HSMs that are in the same cloning domain. Cloning is used to perform operations such as backup/restore.
To initialize a password-authenticated service
To initialize a password-authenticated service:
- Click on Services in the navigation frame to display a list of the services created for your organization that are available to be deployed. Any uninitialized services have an Initialize link in the Initialization State column. To help find a service, you can sort the service list by column heading, or use the search function.
- After finding the service you want, click on the Initialize link in the Initialization State column. The Initialize Service wizard is displayed.
- Complete the wizard as follows and then click the Finish button to initialize the service:
  - Define Partition: Enter a label and cloning domain for the partition used to provide the service.
  - Initialize Roles: Set the initial password for the crypto officer. For PPSO services, you also set the initial password for the partition security officer and, optionally, for the crypto user. Click Finish to initialize the service. Observe the progress messages to verify success. For a service that uses STC and PPSO, you cannot initialize the Crypto User role through CCC after the service is deployed.
To initialize a PED-authenticated service
You require a remote PED to initialize a PED-based service. To use a remote PED with CCC:
- Install the Thales Luna HSM client, including the remote PED server option, on the computer that you will use to access CCC, or on a separate computer you will use for the remote PED.
- Configure the Remote PED Server on the computer you will use for the remote PED. Refer to the Thales Luna HSM documentation for more information.
- Get an orange PED key encoded with the Remote PED Vector (RPV) for the Thales Luna Network HSM appliance that provides the service. Contact your CCC Administrator to get the key.
- Click Crypto Services in the navigation frame to display a list of the services created for your organization that are available to be deployed. Any uninitialized services have an Initialize link in the Initialization State column. To help find a service, you can sort the service list by column heading, or use the search function.
- After finding the service you want, click the Initialize link in the Initialization State column. The Initialize Service dialog box will appear on the screen:
  - Define Partition: Enter a label for the partition used to provide the service.
  - Initialize Roles:
    1. Enter the IP address of your remote PED server. The default port is auto-filled. If you are not using the default port, enter the Remote PED server port. For PPSO services, enter the challenge password for the crypto officer and (optionally) crypto user roles. The challenge password is the password used to authenticate to the role after it is activated.
    2. Click Next and respond to the prompts on-screen and on the PED. For non-PPSO services, the PED generates and displays a 16-digit challenge password. Record this challenge password; it is required for service activation.
  - Activate Roles:
    1. To activate the roles you initialized, select the Activate Crypto Officer and (optionally) Activate Crypto User checkboxes. You cannot activate the Crypto User without also activating the Crypto Officer. You can activate the roles later, if desired, by editing the service attributes. For services that have both the Per-Partition Security Officer (PPSO) and Secure Trusted Channel (STC) features enabled in the template, you can activate the roles at any time until an application user deploys the service, which establishes the STC link and precludes further changes through CCC. Otherwise, you can activate the roles at any time.
    2. Click Finish to initialize the service. Observe the progress messages to verify success.