Device Management
You can use the Device Management panel, accessible through the Devices tab located in the menu bar at the top, to efficiently manage devices within the system. Perform tasks such as adding, viewing, editing, or managing devices. The panel provides detailed insights into device attributes like General, Connection, Device Pool, Authorization, Capabilities, Services, and Rebooting.
Parameter | Description |
---|---|
General | Displays the appliance version, device address and port. You can update this information as required to re-establish a connection to the device if its software version, address, or credentials are changed outside of CCC. |
Connection | Displays the appliance version, device address and port. You can update this information as required to re-establish a connection to the device if its software version, address, or credentials are changed outside of CCC. Note: CCC connects to devices using the REST API on port 8443 (default). You must install and configure the REST API on 6.x and 7.0 devices. The REST API is installed with the 7.1 software, but it still requires configuration. |
Device Pool | Displays the device pool that the device belongs to, if any. You can add the device to a device pool, or change its existing device pool. You can add a device to only one device pool. |
Authorization | Displays the authorization status of the device. Before you can authorize a device, it must be added to the system. When authorizing a device, you are required to input the HSM SO credentials associated with that specific device. These credentials enable CCC to access the device as the HSM SO, which allows provisioning of services on the device. RE-AUTHORIZING A DEVICE: You need to re-authorize the device whenever its HSM SO credentials are changed. To do so: Note: For managing 7.7.0 and 7.7.1 Luna HSM devices with CCC, the Root of Trust (ROT) HSM has to be running firmware 7.7.0 or above. In addition, while activating the CCC ROT, you need to select the checkbox stating "This device is running firmware 7.7 and above". Note: If you are updating the HSM SO credentials of multiple devices, perform the above-mentioned steps separately for each device. Note: You can use an FM-enabled ROT to manage only FM-enabled Luna SA devices. |
Capabilities | Displays the device capabilities. You can query the device to update the capabilities stored in the device attributes in case the device capabilities have changed after the device was added to CCC, such as after the application of a capability update file (CUF). Note: 7.x Thales Luna Network HSMs require PPSO partitions. PPSO is enabled by default on Thales Luna Network HSM 7.x devices. |
Services | Displays the services provisioned on the device. |
Rebooting | Enables you to reboot a device if required. |
Adding Devices
To add a device:
1. Click on the Devices tab, and select Devices in the navigation frame.
2. Click the Add Device button. The Add Device wizard is displayed.
3. Complete the wizard as follows. You can click Cancel at any time to exit the wizard without saving your changes:
Section | Description |
---|---|
General | Enter a name and optional description for the device. This information is used to identify the device in CCC. You can enter any strings you like. |
Set Connection | 1. Enter the IP address or hostname for the device. If you are not using the default port (8443), enter the port you want to use to connect to the device. 2. Enter the credentials required to log into the device as the Admin user. This information is encrypted and stored in the database to be used by CCC to log into the device. Note: CCC connects to devices using the REST API on port 8443 (default). You must install and configure the REST API on 6.x and 7.0 devices. The REST API is bundled with 7.1 and above software and requires only configuration. Note: If you add a device using a hostname, CCC does not verify that the same device has not already been added using its IP address. As a result, you can add the same device twice: once using its hostname, and once using its IP address. To avoid this issue, we recommend that you consistently use either hostnames or IP addresses when adding devices, not a mix of the two. |
Verify Connection | Review the device certificate and check the "I have reviewed and trust this host key" or "I have reviewed and trust this certificate" checkbox to accept. If the host key or certificate is not as expected, investigate and correct the problem. |
Select Device Pool | Select a device pool for the device, if desired. |
Summary | Displays a summary of the information you entered for the device. If the information is not correct, click Go Back and update the information as required. Otherwise, click Finish to add the device. CCC uses the information you provided to log in to the device. If successful, a success message is displayed and the device is added. You are prompted to authorize the device. Otherwise, an error is displayed, and you can Go Back to update the device information as required to resolve the issue. If you want to authorize the device now, click Authorize now. You are prompted for the HSM SO password or remote PED address, as relevant. |
Note
After you add a device, you can view its capabilities, but you cannot create services on the device until it has been authorized. To authorize a device, you must supply the HSM SO credentials for the device. You can authorize a device when you add it, or you can authorize it at a later time.
Note
The CCC administrator can add a Luna HSM 7.7.0, Luna HSM 7.7.1, or Luna HSM 7.4 device with FM capability enabled or disabled. If the FM capability is enabled on a device, no services can be created, but device monitoring is supported.
Note
The CCC administrator can add a Luna HSM 7.7.0 (non-FM), a Luna HSM 7.7.1 (non-FM), or a Luna HSM 7.4 device with FM capability enabled or disabled. If the FM capability is enabled on a device, no services can be created, but device monitoring is supported.
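The duplicate-entry caveat in the Set Connection step can be checked before a device is added. The following is an added example, not part of CCC or the Thales documentation: it assumes a hypothetical inventory export of `(name, address, port)` tuples for the devices already added, and all function names are illustrative.

```python
import ipaddress
import socket

DEFAULT_PORT = 8443  # CCC's default REST API port, per this page


def resolve(host):
    """Return every address a hostname currently resolves to (IPv4 and IPv6)."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()  # unresolvable names cannot be compared; treat as no match
    return {info[4][0] for info in infos}


def _normalize(addr):
    """Canonical text form of an IP literal, with any IPv6 zone id dropped."""
    return str(ipaddress.ip_address(addr.split("%")[0]))


def canonical_addresses(address, resolver=resolve):
    """Turn an IP literal or hostname into a set of normalized IP strings."""
    try:
        return {_normalize(address)}
    except ValueError:
        # Not an IP literal, so treat it as a hostname and resolve it.
        return {_normalize(a) for a in resolver(address)}


def existing_matches(inventory, address, port=DEFAULT_PORT, resolver=resolve):
    """Names of inventory entries that point at the same address and port.

    inventory: iterable of (name, address, port) tuples, a hypothetical
    export of the devices already added to CCC.
    """
    wanted = canonical_addresses(address, resolver)
    clashes = []
    for name, known_address, known_port in inventory:
        if known_port != port:
            continue
        if wanted & canonical_addresses(known_address, resolver):
            clashes.append(name)
    return clashes
```

A non-empty result means the device is already present under another identifier and should not be added again.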
Displaying FM Status of a Device
To check whether a device is FM enabled or disabled, click Devices in the main navigation and select a device displayed in the Devices report. To display FM status:
1. Click on the Devices tab, and select Devices in the navigation frame.
2. Click on a device from the list of devices.
3. Select the Capabilities tab. A new field "Functional Module (FM)" with three options is available:
   - Enabled
   - Disabled
   - Not Supported
Note
The "Not Supported" option is available only for devices that are not FM capable. That is, the Functional Module (FM) is not supported on devices prior to Luna SA 7.4.
Managing Device Upgrade
To upgrade managed devices:
1. Inform all application users connected to the devices that their services will be temporarily unavailable during the upgrade process. We recommend scheduling the upgrade during a planned maintenance window to minimize disruptions.
2. Refer to the Thales Luna Network HSM documentation for detailed instructions on upgrading the software of your Luna Network HSM.
3. Upgrade the Luna Network HSM software as detailed in Luna HSM documentation.
4. Once the upgrade is complete, configure the REST API on your devices to enable seamless communication:
   - Obtain the REST API secure package suitable for your Luna HSM device. Transfer the secure package to the HSM using SCP/PSCP.
   - Log in to the HSM using Security Officer credentials. Install the REST API secure package according to the provided instructions. Refer to the Thales Luna Network HSM documentation for detailed installation steps.
   - Configure the REST API web service to use a specific network interface within the HSM. Valid options for network interfaces are: all, eth0, eth1, or bond0. Use the following command to bind the web service to the desired network interface:
     lunash:>webserver bind -netdevice
   - Enable the REST API web service on the HSM. Use the following command to activate the web service:
     lunash:>webserver enable
   - Generate a certificate specifically for the REST API service. It's recommended to use an RSA certificate type for this purpose. Use the following command to generate the certificate and restart the service for the changes to take effect:
     lunash:>webserver certificate generate -keytype rsa -restart
5. In CCC, navigate to the Devices list and select the recently upgraded device.
6. Click the Connection tab and click Edit.
7. In the Appliance Version section, select the appropriate version.
8. Adjust the Host Address and Port Number as required. Save your changes.
9. Under the Certificate section, click Verify to view the device certificate.
10. Review the certificate, check the box indicating that you have reviewed and trust the certificate, and then click Accept.
11. Update the version of the Thales Luna HSM Client on any crypto application servers that access the devices' services. The device is now ready to process incoming cryptographic requests from application users.
Deleting Devices
You can delete a device from CCC only if it is not currently providing any services. To delete a device:
1. Click on the Devices tab, and select Devices in the navigation frame.
2. After finding the device you want, click on the trash can icon in the Delete column. A confirmation dialog is displayed.
Device Pools
Device pools help organize your devices for easier management. Adding a device to a pool does not affect its accessibility for users or organizations. Each device can belong to only one device pool. To manage device pools:
1. Click the Devices tab.
2. Select Device Pools in the navigation panel. Here, you’ll see a list of all existing device pools. You can:
   - Sort the list by column.
   - Search for a specific device pool.
   - Delete a device pool by clicking the trash can icon in the Delete column (confirmation required).
3. Click on a device pool to display its attributes at the bottom of the page. The attributes are organized into the following tabs:
Section | Description |
---|---|
General | Displays the device name and description. You can edit this information. |
Devices | Displays the devices in the device pool. |
Adding Device Pools
You can create as many device pools as you like. Device pools can contain an unlimited number of devices. To add a device pool:
1. Click on the Devices tab, and select Device Pools in the navigation frame.
2. Click the Add Device Pool button. The Create Device Pool dialog is displayed.
3. Complete the wizard as follows. You can click Cancel at any time to exit the wizard without saving your changes:
Section | Description |
---|---|
General | Enter a name and optional description for the device pool. You can enter any strings you like. |
Add Devices | You can add devices to the device pool if desired. All devices that are not currently members of a device pool are listed in the Available Devices list. You can sort the list of device pools by column, or use the search function to find a specific device pool. To add a device to the device pool, select a device from the Available Devices list and click Add. To remove a device from the device pool, select a device from the Selected Devices list and click Remove. |
Summary | Displays a summary of the information you entered for the device pool. If the information is not correct, click Go Back and update the information as required. Otherwise, click Create to create the device pool. |
Viewing or Editing Device Pool Attributes
You can sort the device pool list by column heading, or use the search function to find a device pool. When you find the device pool you want, click on the device pool to view or edit its attributes. To view or edit the attributes of a device pool:
1. Click on the Devices tab, and select Device Pools in the navigation frame.
2. After finding the device pool you want, click on the device pool to display the device pool's attributes at the bottom of the page.
3. Use the following tabs to view or edit the device pool attributes:
Section | Description |
---|---|
General | Displays the device pool name and an optional description. Click Edit to modify the information, then click Save to apply changes or Cancel to discard them. |
Devices | Lists the devices in the device pool. Click the Jump to icon to view detailed information about a device. Click Edit to update the device pool. The Available Devices list shows devices not currently assigned to a pool, while the Selected Devices list shows devices in the pool. To add a device, select it from Available Devices and click Add>>. To remove a device, select it from Selected Devices and click << Remove. Click Save to apply changes or Cancel to discard them. |
Deleting Device Pools
You can delete a device pool at any time. If the device pool contains devices, they are no longer associated with the device pool and become Available Devices. To delete a device pool:
1. Click on the Devices tab, and select Device Pools in the navigation frame.
2. After finding the device pool you want, click on the trash can icon in the Delete column. A confirmation dialog is displayed.
Troubleshooting Device Connection
CCC can lose its connection to a device for multiple reasons. The Device Status column in the Devices List signifies the severity of the issue.
Device connection lost but device visible
If CCC has lost its connection to a device, but the device is still visible within the Devices List, there has been some alteration to the HSM's configuration, and you must verify the credentials and certificate shared between the device and CCC.
To reconnect a device visible in the CCC Devices List
1. Click on the Devices tab, and select Devices in the navigation frame.
2. Select the malfunctioning device to display its attributes.
3. Verify the administrator credentials associated with the device are correct.
4. Click Verify to confirm that the device certificate matches the certificate stored by CCC. If the device is not Authorized, click Authorize Device. You will be prompted for the HSM SO password.
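The certificate review in the Verify Connection step, the Verify step after an upgrade, and the check in step 4 above all compare what the device presents on port 8443 with a value the administrator already trusts. The following is an added example, not part of CCC or the Thales documentation: it assumes a SHA-256 fingerprint was recorded out of band when the REST API certificate was generated, and its function names are illustrative.

```python
import hashlib
import hmac
import socket
import ssl

REST_API_PORT = 8443  # CCC's default REST API port, per this page


def fingerprint(der_cert):
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def normalize(recorded):
    """Accept 'AA:BB:...', spaced, or plain hex and return lowercase hex."""
    cleaned = "".join(recorded.split()).replace(":", "").lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("not a SHA-256 fingerprint")
    return cleaned


def matches_pin(der_cert, recorded):
    """True only if the presented certificate has the recorded fingerprint."""
    return hmac.compare_digest(fingerprint(der_cert), normalize(recorded))


def fetch_device_cert(host, port=REST_API_PORT, timeout=10):
    """Fetch the certificate the device presents, without validating it.

    Chain validation is disabled on purpose: trust is decided by the
    fingerprint comparison, not by this connection.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def review(host, recorded, port=REST_API_PORT, fetch=fetch_device_cert):
    """Report the presented fingerprint and whether it matches the record."""
    der = fetch(host, port)
    return {"host": host, "port": port,
            "presented": fingerprint(der),
            "trusted": matches_pin(der, recorded)}
```

A result with `trusted` set to `False` corresponds to the "not as expected" case in the Verify Connection step: investigate before accepting the certificate in CCC.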
Device Connection lost and device not visible in CCC
If the device is no longer visible in the CCC Devices List, the device has been deleted. If you would like to use this device, you must add the device to CCC.
Note
The absence of a device that was not deleted from CCC may signify corruption in the CCC database. In this event, we recommend following the best practices for ensuring and maintaining database integrity as defined by your organization's security infrastructure.
General Device Troubleshooting Tips
If you continue to experience problems with the HSM device, we recommend connecting to the device using a secure channel, such as the PuTTY SSH client (putty.exe), and verifying the following before attempting to restore the device connection:
- Ensure that the date and time are set correctly
- Ensure that NTLS is bound to the correct Ethernet port
- Ensure that the REST API is installed and configured on the device
- Ensure the webserver on the device is configured and running
- Ensure that the client is registered with the correct IP/hostname
- Ensure that the client is given access to the correct partition
- Check the output of the syslog for any information on errors