Redeploying a Service
When you are done using an HSM service, you can use the CCC client to revoke access to the service.
Revoking Access to a Service
When you revoke access to a service, the service is de-registered and the NTLS or STC link is taken down, so that the slot for the service is no longer available to the Thales Luna HSM client. To revoke access to an HSM service
-
Run these commands using sudo (Linux) or launch an Administrator command prompt (Windows) on the crypto application server that will use the service.
-
Go to the directory where ccc_client.jar is installed:
Linux cd /usr/safenet/lunaclient/bin Windows C:\Program Files\SafeNet\LunaClient\ -
Run ccc_client.jar:
java -jar ccc_client.jar -user
[-password ] -host [-port ] The -port parameter is optional. If not specified, the default port 8181 is used. For example:
java -jar ccc_client.jar -user myname@myorg -host cccserver
-
You are prompted to accept the CCC server certificate. This message is not displayed if you previously imported the certificate on this client:
Connecting ...
Server certificate is not trusted.
Select one of the following options to proceed:
1: Show the certificate details
2: Trust the certificate this time only
3: Trust the certificate and permanently import it to the trusted keystore at: C:\Program Files\Java\jre8\lib\security\cacerts
4: Exit
Enter an option(1-4):
Enter 1 to display the certificate.
Enter 2 to trust the certificate for this deployment only.
Enter 3 to permanently trust the certificate.
Enter 4 to exit the client without deploying the service.
-
You are prompted to enter the trusted keystore password:
Enter the trusted keystore password:
Enter the trusted keystore password for the Java JDK installed on the Thales Luna HSM client workstation. The default password is changeit.
-
A list of the services created for your organization, that are available to be deployed, are displayed. Select the service you want to revoke access to.
Logging in ...
Querying current services...
Please select the service you want to configure:
1) Service_with_a_smile - No description
2) Now_thats_service - Password
3) Self_service - PED
4) Exit
-
You are prompted to authorize or revoke access. Select option 3 to revoke access.
Please select the action you want to execute:
1) Authorize Access
2) Repair Access
3) Revoke Access
4) Exit
Option: 3
-
You are prompted to confirm the action.
Would you like to revoke access to service 'Service_with_a_smile'? (Y/N): y
Access to service 'Service_with_a_smile' was successfully revoked.
Done
If your service uses STC and Per-Partition SO together, CCC cannot revoke access. The Partition SO must manage STC client revocation through LunaCM. This method prevents the risk of leaving the partition(s) with no client connections, which would make partition access unrecoverable.