Device Management
You can use the Device Management panel, accessible through the Devices tab located in the menu bar at the top, to efficiently manage devices within the system. Perform tasks such as adding, viewing, editing, or managing devices. The panel provides detailed insights into device attributes like General, Connection, Device Pool, Authorization, Capabilities, Services, and Rebooting.
Parameter | Description |
---|---|
General | Displays the appliance version, device address and port. You can update this information as required to re-establish a connection to the device if its software version, address, or credentials are changed outside of CCC. |
Connection | Displays the appliance version, device address and port. You can update this information as required to re-establish a connection to the device if its software version, address, or credentials are changed outside of CCC. CCC connects to devices using the REST API, on port 8443 (default). You must install and configure the REST API on 6.x and 7.0 devices. The REST API is installed with the 7.1 software but still requires configuration. |
Device Pool | Displays the device pool that the device belongs to, if any. You can add the device to a device pool, or change its existing device pool. You can add a device to only one device pool. |
Authorization | Displays the authorization status of the device. Before you can authorize a device, it must be added to the system. When authorizing a device, you must enter the HSM SO credentials for that device. These credentials enable CCC to access the device as the HSM SO, which allows provisioning of services on the device. Re-authorizing a device: you need to re-authorize the device whenever its HSM SO credentials are changed. To do so: To manage 7.7.0 and 7.7.1 Luna HSM devices with CCC, the Root of Trust HSM must be running firmware 7.7.0 or above. In addition, while activating the CCC ROT, you need to select the checkbox stating "This device is running firmware 7.7 and above". If you are updating the HSM SO credentials of multiple devices, perform the above-mentioned steps separately for each device. You can use an FM-enabled ROT to manage only FM-enabled Luna SA devices. |
Capabilities | Displays the device capabilities. You can query the device to update the capabilities stored in the device attributes in case the device capabilities have changed after the device was added to CCC, such as after the application of a capability update file (CUF). 7.x Thales Luna Network HSMs require PPSO partitions. PPSO is enabled by default on Thales Luna Network HSM 7.x devices. |
Services | Displays the services provisioned on the device. |
Rebooting | Enables you to reboot a device if required. |
Adding Devices
To add a device:
- Click on the Devices tab, and select Devices in the navigation frame.
- Click the Add Device button. The Add Device wizard is displayed.
- Complete the wizard as follows. You can click Cancel at any time to exit the wizard without saving your changes:
Step | Description |
---|---|
General | Enter a name and optional description for the device. This information is used to identify the device in CCC. You can enter any strings you like. |
Set Connection | CCC connects to devices using the REST API on port 8443 (default). You must install and configure the REST API on 6.x and 7.0 devices. The REST API is bundled with 7.1 and above software and requires only configuration. If you add a device using a hostname, CCC does not check whether the same device has already been added using its IP address. As a result, you can add the same device twice: once using its hostname, and once using its IP address. To avoid this, we recommend that you consistently use either hostnames or IP addresses when adding devices, not a mix of both. |
Verify Connection | Review the device certificate and check the "I have reviewed and trust this host key" or "I have reviewed and trust this certificate" checkbox to accept it. If the host key or certificate is not as expected, investigate and correct the problem before accepting. |
Select Device Pool | Select a device pool for the device, if desired. |
Summary | Displays a summary of the information you entered for the device. If the information is not correct, click Go Back and update the information as required. Otherwise, click Finish to add the device. If successful, a success message is displayed, the device is added, and you are prompted to authorize the device. Otherwise, an error is displayed, and you can click Go Back to update the device information as required to resolve the issue. If you want to authorize the device now, click Authorize now. You are prompted for the HSM SO password or remote PED address, as relevant. |
After you add a device, you can view its capabilities, but you cannot create services on the device until it has been authorized. To authorize a device, you must supply the HSM SO credentials for the device. You can authorize a device when you add it, or you can authorize it at a later time.
The CCC administrator can add a Luna HSM 7.7.0 or Luna HSM 7.7.1 or Luna HSM 7.4 device with FM capability enabled or disabled. If the FM capability is enabled on a device, no services can be created, but device monitoring is supported.
The CCC administrator can add a Luna HSM 7.7.0 (non-FM) device, a Luna HSM 7.7.1 (non-FM) device, or a Luna HSM 7.4 device with FM capability enabled or disabled. If the FM capability is enabled on a device, no services can be created, but device monitoring is supported.
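Because CCC does not detect a device that was added once by hostname and once by IP address (see the Set Connection step above), an operator who wants to catch that duplication has to normalize the inventory. The following Python script is an added example, not part of the CCC documentation or product: it resolves each registered host to an IP address and reports entries that collapse to the same address and port. The device names, hostnames and resolver table are constructed; in real use the resolver would be socket.gethostbyname and the inventory would be exported from the Devices list.

```python
"""Detect a device registered twice in a CCC-style device inventory, once by
hostname and once by IP address. Added example, not Thales CCC code."""
import ipaddress
import socket
from collections import defaultdict


def canonical_key(host, port, resolve=socket.gethostbyname):
    """Map a device address to an (ip, port) key.

    A literal IP address is used as-is; a hostname is resolved with the
    supplied resolver (socket.gethostbyname by default, an injectable
    function for offline use). Unresolvable names keep their own name so
    they still appear in the report instead of being silently dropped.
    """
    host = host.strip().lower()
    try:
        ip = str(ipaddress.ip_address(host))
    except ValueError:
        try:
            ip = resolve(host)
        except OSError:
            ip = host
    return (ip, int(port))


def find_duplicate_devices(inventory, resolve=socket.gethostbyname):
    """Group inventory entries that point at the same (ip, port).

    inventory: iterable of (device_name, host, port) tuples.
    Returns {(ip, port): [device_name, ...]} for keys seen more than once.
    """
    groups = defaultdict(list)
    for name, host, port in inventory:
        groups[canonical_key(host, port, resolve)].append(name)
    return {key: names for key, names in groups.items() if len(names) > 1}


# Constructed sample inventory: hypothetical device names and hosts, not from the docs.
SAMPLE_INVENTORY = [
    ("hsm-prod-01", "hsm01.example.internal", 8443),
    ("hsm-prod-01-by-ip", "10.0.5.21", 8443),          # same appliance, added again by IP
    ("hsm-prod-02", "hsm02.example.internal", 8443),
    ("hsm-lab", "10.0.5.21", 9443),                    # same host, different REST port: not a duplicate
]


def sample_resolver(name):
    """Constructed offline stand-in for DNS; raises like socket.gethostbyname does."""
    table = {
        "hsm01.example.internal": "10.0.5.21",
        "hsm02.example.internal": "10.0.5.22",
    }
    if name not in table:
        raise socket.gaierror(f"constructed resolver: unknown host {name}")
    return table[name]


if __name__ == "__main__":
    for (ip, port), names in find_duplicate_devices(SAMPLE_INVENTORY, sample_resolver).items():
        print(f"{ip}:{port} is registered {len(names)} times: {', '.join(names)}")
```

Port is part of the key on purpose: two entries for the same address on different ports are two REST endpoints, which may legitimately both exist, whereas two entries for the same address and port are the situation the table above warns about.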
Displaying FM Status of a Device
To display whether a device is FM enabled or disabled, click Devices in the main navigation and select the device in the Devices report.
To display FM status:
- Click on the Devices tab, and select Devices in the navigation frame.
- Click on a device from the list of devices.
- Select the Capabilities tab. A new field, "Functional Module (FM)", shows one of three values:
  - Enabled
  - Disabled
  - Not Supported
- The "Not Supported" value appears only for devices that are not FM capable: on devices prior to Luna SA 7.4, the Functional Module (FM) is not supported.
Managing Device Upgrade
To upgrade managed devices:
- Inform all application users connected to the devices that their services will be temporarily unavailable during the upgrade process. We recommend scheduling the upgrade during a planned maintenance window to minimize disruption.
- Upgrade the Luna Network HSM software as detailed in the Thales Luna Network HSM documentation.
- Once the upgrade is complete, configure the REST API on your devices so that CCC can communicate with them:
  - Obtain the REST API secure package suitable for your Luna HSM device. Transfer the secure package to the HSM using SCP/PSCP.
  - Log in to the HSM using Security Officer credentials. Install the REST API secure package according to the provided instructions. Refer to the Thales Luna Network HSM documentation for detailed installation steps.
  - Configure the REST API web service to use a specific network interface within the HSM. Valid options for network interfaces are: all, eth0, eth1, or bond0. Use the command
    lunash:>webserver bind -netdevice
    to bind the web service to the desired network interface.
  - Enable the REST API web service on the HSM. Use the command
    lunash:>webserver enable
    to activate the web service.
  - Generate a certificate specifically for the REST API service. An RSA certificate type is recommended for this purpose. Use the command
    lunash:>webserver certificate generate -keytype rsa -restart
    to generate the certificate and restart the service for the changes to take effect.
- In CCC, navigate to the Devices list and select the recently upgraded device.
- Click the Connection tab and click Edit.
- In the Appliance Version section, select the appropriate version.
- Adjust the Host Address and Port Number as required. Save your changes.
- Under the Certificate section, click Verify to view the device certificate.
- Review the certificate, check the box indicating that you have reviewed and trust the certificate, and then click Accept.
- Update the version of the Thales Luna HSM Client on any crypto application servers that access the devices' services. The device is now ready to process incoming cryptographic requests from application users.
Deleting Devices
You can delete a device from CCC only if it is not currently providing any services. To delete a device:
- Click on the Devices tab, and select Devices in the navigation frame.
- After finding the device you want, click on the trash can icon in the Delete column. A confirmation dialog is displayed.
Device Pools
You can place your devices into device pools, if desired, to help manage your devices. Placing a device into a device pool has no effect on which users or organizations can use the device. You can add a device to one device pool only.
To add, view, edit, or manage a device pool, click on the Devices tab, and select Device Pools in the navigation frame. All existing device pools are listed. You can sort the list of device pools by column, or use the search function to find a specific device pool. Click on the trash can icon in the Delete column to delete a device pool (with confirmation).
When you click on a device pool, its attributes are displayed at the bottom of the page. The device pool attributes are arranged by tab, as follows:
Tab | Description |
---|---|
General | Displays the device pool name and description. You can edit this information. |
Devices | Displays the devices in the device pool. |
Adding Device Pools
You can create as many device pools as you like. Device pools can contain an unlimited number of devices. To add a device pool:
- Click on the Devices tab, and select Device Pools in the navigation frame.
- Click the Add Device Pool button. The Create Device Pool dialog is displayed.
- Complete the wizard as follows. You can click Cancel at any time to exit the wizard without saving your changes:
Step | Description |
---|---|
General | Enter a name and optional description for the device pool. You can enter any strings you like. |
Add Devices | You can add devices to the device pool if desired. All devices that are not currently members of a device pool are listed in the Available Devices list. You can sort the list of devices by column, or use the search function to find a specific device. To add a device to the device pool, select a device from the Available Devices list and click Add. To remove a device from the device pool, select a device from the Selected Devices list and click Remove. |
Summary | Displays a summary of the information you entered for the device pool. If the information is not correct, click Go Back and update the information as required. Otherwise, click Create to create the device pool. |
Viewing or Editing Device Pool Attributes
You can sort the device pool list by column heading, or use the search function to find a device pool. When you find the device pool you want, click on the device pool to view or edit its attributes. To view or edit the attributes of a device pool:
- Click on the Devices tab, and select Device Pools in the navigation frame.
- After finding the device pool you want, click on the device pool to display the device pool's attributes at the bottom of the page.
- Use the following tabs to view or edit the device pool attributes:
Tab | Description |
---|---|
General | Contains the device pool name and an optional description. Click Edit to edit the information. Click Save when done, or Cancel to discard the changes and exit edit mode. |
Devices | Lists the devices in the device pool. Click the Jump to icon to view detailed information for a device. Click Edit to update the device pool: all devices that are not currently members of a device pool are listed in the Available Devices list, and the devices in the device pool are listed in the Selected Devices list. You can sort either list by column, or use the search function to find a specific device. To add a device to the device pool, select it in the Available Devices list and click Add >>. To remove a device from the device pool, select it in the Selected Devices list and click << Remove. Click Save when you are done, or click Cancel to discard the changes and exit edit mode. |
Deleting Device Pools
You can delete a device pool at any time. If the device pool contains devices, they are no longer associated with the device pool and become Available Devices. To delete a device pool:
- Click on the Devices tab, and select Device Pools in the navigation frame.
- After finding the device pool you want, click on the trash can icon in the Delete column. A confirmation dialog is displayed.
Troubleshooting Device Connection
CCC can lose its connection to a device for multiple reasons. The Device Status column in the Devices List indicates the severity of the issue.
Device connection lost but device visible
If CCC has lost its connection to a device, but the device is still visible within the Devices List, the HSM's configuration has been altered, and you must verify the credentials and certificate shared between the device and CCC.
To reconnect a device visible in the CCC Devices List:
- Click on the Devices tab, and select Devices in the navigation frame.
- Select the malfunctioning device to display its attributes.
- Verify that the administrator credentials associated with the device are correct.
- Click Verify to confirm that the device certificate matches the certificate stored by CCC. If the device is not Authorized, click Authorize Device. You will be prompted for the HSM SO password.
Device Connection lost and device not visible in CCC
If the device is no longer visible in the CCC Devices List, the device has been deleted. If you would like to use this device, you must add the device to CCC.
Absence of a device that was not deleted from CCC may indicate corruption in the CCC database. In this event, we recommend following the best practices for ensuring and maintaining database integrity defined by your organization's security infrastructure.
General Device Troubleshooting Tips
If you continue to experience problems with the HSM device we recommend connecting to the device using a secure channel, such as the PuTTY SSH client (putty.exe), and verifying the following before attempting to restore the device connection:
- Ensure that the date and time are set correctly
- Ensure that NTLS is bound to the correct Ethernet port
- Ensure that the REST API is installed and configured on the device
- Ensure that the webserver on the device is configured and running
- Ensure that the client is registered with the correct IP address/hostname
- Ensure that the client is given access to the correct partition
- Check the syslog output for any information on errors