Redeploying a Service
When you no longer need an HSM service on a client, you can revoke its access using the CCC client. After revocation, the client is deregistered from the service and the NTLS or STC link to the partition is taken down, so the slot is no longer available to the Thales Luna HSM client. To revoke access and prepare the service for redeployment, follow these steps:
Run these commands using sudo (Linux) or from an Administrator command prompt (Windows) on the crypto application server that currently uses the service, that is, the server the service was deployed to.
Go to the directory where ccc_client.jar is installed:

Operating System | Directory Path
---|---
Linux | cd /usr/safenet/lunaclient/bin
Windows | cd "C:\Program Files\SafeNet\LunaClient"
Run ccc_client.jar to revoke access to the service:

    java -jar ccc_client.jar -user <username> [-password <password>] -host <ccc_server> [-port <port>]

The -port parameter is optional; if it is not specified, the default port 8181 is used. The -password parameter is also optional: omit it and the client prompts for the password, which keeps it out of the shell history. For example:

    java -jar ccc_client.jar -user myname@myorg -host cccserver
Review and accept the CCC server certificate, if prompted. If the certificate has already been imported into the Java keystore on this client, this prompt does not appear.

    Connecting ...
    Server certificate is not trusted. Select one of the following options to proceed:
    1: Show the certificate details
    2: Trust the certificate this time only
    3: Trust the certificate and permanently import it to the trusted keystore at: C:\Program Files\Java\jre8\lib\security\cacerts
    4: Exit
    Enter an option(1-4):

Enter 1 to display the certificate. Enter 2 to trust the certificate for this session only. Enter 3 to import it permanently into the keystore shown (the path is that of the JRE running the client, so it differs between installations). Enter 4 to exit the client without revoking access. Before choosing 2 or 3, display the certificate with option 1 and compare its fingerprint with the value obtained from the CCC administrator; accepting an unverified certificate would allow anyone on the network path to impersonate the CCC server to this client.
Enter the trusted keystore password when prompted.

    Enter the trusted keystore password:

Enter the password for the trusted Java keystore (cacerts) on the Thales Luna HSM client workstation. The default password is changeit, unless it has been changed.
Select the service to revoke from the list of available services.

    Logging in ...
    Querying current services...
    Please select the service you want to configure:
    1) Service_with_a_smile - No description
    2) Now_thats_service - Password
    3) Self_service - PED
    4) Exit
Choose option 3 to revoke access.

    Please select the action you want to execute:
    1) Authorize Access
    2) Repair Access
    3) Revoke Access
    4) Exit
    Option: 3
Confirm the revocation when prompted.

    Would you like to revoke access to service 'Service_with_a_smile'? (Y/N): y
    Access to service 'Service_with_a_smile' was successfully revoked.
    Done
If the service is configured to use both Secure Trusted Channel (STC) and a Per-Partition Security Officer (PPSO), CCC cannot revoke access by itself. The Partition SO must deregister the STC client manually through LunaCM. Keeping this step under the Partition SO's control is what guarantees that at least one authorized client stays registered with the partition: if the last registered client is removed, no client can connect, access to the partition becomes unrecoverable, and every service that depends on it is disrupted. Before revoking access, verify that an alternate, trusted client connection to the partition remains available.
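The certificate prompt above is a trust-on-first-use decision made at the keyboard. The following helper script, added here as an example and not part of the Thales CCC or Luna client software, does that decision from a certificate file reviewed beforehand and then builds the ccc_client.jar command with the documented defaults (port 8181, no -password on the command line). It assumes, as our own choices rather than anything from the CCC documentation, that the CCC administrator has exported the server certificate to a PEM file, that the alias ccc-server is unused in the keystore, that keytool and openssl are on PATH, and that the script is run with sudo on the Linux client as the procedure requires.

```shell
#!/bin/sh
# Added helper script, not part of the Thales CCC or Luna client software.
# Purpose: trust the CCC server certificate from a file reviewed out of band
# (instead of accepting it at the interactive prompt) and assemble the
# ccc_client.jar revocation command with the documented defaults.
# Assumptions (ours, not from the CCC documentation): the CCC server
# certificate has been exported to a PEM file by the CCC administrator, the
# alias "ccc-server" is free in the keystore, and keytool/openssl are on PATH.

CCC_CLIENT_DIR=/usr/safenet/lunaclient/bin   # Linux path from the table above
CCC_DEFAULT_PORT=8181                        # used when -port is omitted

# Print the path of the cacerts keystore for the JRE that will run
# ccc_client.jar. Takes an optional Java home; otherwise uses $JAVA_HOME or
# resolves the java binary on PATH through its symlinks.
java_cacerts_path() {
  home="${1:-${JAVA_HOME:-}}"
  if [ -z "$home" ]; then
    bin=$(command -v java) || return 1
    home=$(dirname "$(dirname "$(readlink -f "$bin")")")
  fi
  # JRE 8 layout is jre/lib/security/cacerts, JDK 9+ is lib/security/cacerts
  if [ -f "$home/jre/lib/security/cacerts" ]; then
    printf '%s\n' "$home/jre/lib/security/cacerts"
  else
    printf '%s\n' "$home/lib/security/cacerts"
  fi
}

# Show the SHA-256 fingerprint of the PEM file so it can be compared with the
# value the CCC administrator supplied before anything is imported.
ccc_cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Permanently trust the verified certificate. Same end state as prompt
# option 3, but the decision is made on a reviewed file, not on first contact.
import_ccc_cert() {
  pem="$1"; keystore="$2"; storepass="${3:-changeit}"
  keytool -importcert -noprompt -trustcacerts -alias ccc-server \
    -file "$pem" -keystore "$keystore" -storepass "$storepass"
}

# Assemble the revocation command line. -password is deliberately left out so
# the client prompts for it instead of recording it in shell history.
ccc_revoke_cmd() {
  user="$1"; host="$2"; port="${3:-$CCC_DEFAULT_PORT}"
  printf 'java -jar ccc_client.jar -user %s -host %s -port %s\n' \
    "$user" "$host" "$port"
}

# End-to-end: verify, import, then launch the interactive client so the
# operator can pick the service, choose "3) Revoke Access" and confirm.
# Usage: revoke_service <user> <ccc_host> <server_cert.pem> [port]
revoke_service() {
  keystore=$(java_cacerts_path) || { echo "java not found on PATH" >&2; return 1; }
  echo "Fingerprint of $3 (compare with the administrator's value):"
  ccc_cert_fingerprint "$3"
  printf 'Import this certificate into %s? [y/N] ' "$keystore"
  read -r answer
  [ "$answer" = y ] || return 1
  import_ccc_cert "$3" "$keystore" || return 1
  cd "$CCC_CLIENT_DIR" && \
    java -jar ccc_client.jar -user "$1" -host "$2" -port "${4:-$CCC_DEFAULT_PORT}"
}
```

Source the file and call `revoke_service myname@myorg cccserver ccc_server.pem`; once the certificate is in cacerts, the "Server certificate is not trusted" prompt is skipped on this and every later run, and the remaining menus are the ones shown in the procedure above.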