CCC Quick Start Guide
Welcome aboard! This guide is for anyone who has installed CCC using Podman, Kubernetes, Helm, or Azure and is now ready to begin using it. We’ve brought everything together into a single, streamlined path that highlights the essentials every user needs. In 11 clear steps, you’ll see how to log in, activate CCC, connect and organize devices, create and initialize crypto services, bring your team on board, deploy applications, and monitor performance with confidence. The aim is to give you practical guidance that respects your time and helps you start working productively with CCC right away.
Step 1: Log In and Unlock CCC
Start here by logging in to CCC for the first time, securing your admin account, and unlocking features with the right license.
Open your browser and go to https://<hostname_or_ip>:8181.
If the page does not load, verify that the required firewall ports are open and that the CCC application containers are running.
Sign in with the default credentials. Immediately change the password to something strong.
Save your new password in a secure password manager.
Upload and activate your license. Choose Freemium (no-cost, up to 20 partitions with device monitoring, for testing only) or Premium (subscription or perpetual, for production, with partition limits and monitoring defined by your license entitlements).
A single license can cover multiple CCC instances in an HA setup. When a license expires, CCC provides a grace period; after it ends, admins can’t create/activate services or import partitions, and app owners can’t deploy services.
To know more, see Server Administration for login options, license activation, and root-of-trust setup details.
Step 2: Add Your First Device
Now let’s connect CCC to your first device so it can start managing and monitoring it securely.
Navigate to Devices — Devices — Add Device.
Type in the device’s IP or hostname, leave the port at 8443 unless told otherwise, and provide the Admin credentials.
Double-check the IP/hostname to avoid connection errors.
Verify and trust the device’s certificate.
Authorize with HSM Security Officer (SO) credentials.
If the device doesn’t appear, ensure it’s online and the port is open.
To know more, see Device Management for details on adding, authorizing, and managing devices.
Step 3: Organize Devices into Pools
Group your devices into pools to keep things tidy and manageable, especially when working with multiple devices.
Go to Devices — Device Pools — Add Device Pool.
Give your pool a clear name (e.g., “Production Cluster,” “Test Cluster,” or “EU Region”).
Add devices from the available list into your new pool.
Use descriptive pool names so their purpose is obvious at a glance.
If a device doesn’t join the pool, confirm it’s properly connected as outlined in Step 3.
To know more, see Device Pools for details on grouping devices to simplify management.
Step 4: Create a Crypto Service
Turn your device partitions into usable crypto services that your organization can actually consume.
Go to Crypto Services — Create Service.
Select the device or device pool you want to use.
Set the partition size to match your needs.
Assign the service to an Organization so the right team can use it.
Use smaller partitions for testing and larger ones for production.
If the service doesn’t appear, check device connectivity and confirm you haven’t hit license limits.
Confirm that the service has been created; it will appear with the status Uninitialized. You will initialize it in the next step.
To know more, see Crypto Services for guidance on creating and managing services.
Step 5: Initialize Your Service
Initialization establishes the core security credentials and cryptographic parameters required to make your service operational.
For password-authenticated services, set the partition label and create role passwords (Security Officer, Crypto Officer, and optionally Crypto User).
For PED-authenticated services, connect your Remote PED, follow the prompts, and record the challenge password.
Always store passwords and challenge codes securely in a trusted manager.
Confirm that the service is now marked as Initialized and ready for deployment.
If initialization fails, make sure your PED is connected properly or check that the credentials are correct.
To know more, see Create, modify, and remove services for details on initializing both password- and PED-authenticated services.
Step 6: Invite Your Team
Bring your teammates on board with secure access to CCC.
Go to Accounts — Users — Add User.
Assign the right role: Administrator (full control) or Application Owner (focused on initializing and monitoring services).
Link each user to the correct Organization so they see only what’s relevant.
Enable Require 2FA for stronger security.
Enable Single Sign-On (SSO) for enterprise setups: Go to Administration — Single Sign-On, then configure your Identity Provider (e.g., Okta, STA, or another OpenID Connect provider).
Use 2FA for all users to minimize security risks.
If SSO doesn’t work, double-check your Identity Provider settings and network connectivity.
To know more, see Account Management and Single Sign-On for details on roles, 2FA, user administration, and SSO setup.
Step 7: Deploy a Service with the CCC Client
Now it’s time to connect your applications to an HSM partition using the CCC client.
Download ccc_client.jar from the CCC portal.
Make sure Java 21 is installed on the system where you will run the CCC client.
Run the CCC client, accept the server certificate, and let it generate a client certificate.
Select your service from the list and confirm authorization when prompted.
Test the client on a small scale before rolling out to production.
If the client fails to connect, verify Java version compatibility.
To know more, see Deploying a Service for NTLS and STC deployment steps with the CCC client.
Step 8: Monitor Your Services
Service Monitoring gives you real-time visibility into how your crypto services are performing, so you can spot issues early and keep operations running smoothly.
Go to Monitoring & Reports — Service Monitoring.
Review key metrics such as operations per second, 90-day performance graphs, client connection status, and partition details.
Set up custom notifications to receive alerts on activity spikes, fluctuations, or downtime.
Focus notifications on high-priority events like service interruptions.
If monitoring data does not appear, confirm that your services are initialized and active.
Confirm that you now have a clear, real-time view of service health and performance.
To know more, see Service Monitoring for details on graphs, metrics, and custom alerts.
Step 9: Monitor Your Devices
Device Monitoring helps you keep track of the health and performance of your HSMs, ensuring they stay reliable and secure over time.
Go to Monitoring & Reports — Device Monitoring.
Check the device status indicators: Healthy, Requires Attention, or Critical Issue.
Review hardware metrics such as CPU usage, temperature, storage info, and utilization trends.
Investigate error or event logs regularly to detect issues early.
If a device appears as offline, check its network connectivity, NTLS communication status, web service availability, and power state to identify the cause.
Confirm that you now have full visibility into device health and performance.
To know more, see Device Monitoring for insights into hardware metrics, error logs, and troubleshooting.
Step 10: Generate Reports
Reports give you a clear snapshot of your services and devices, making it easy to share insights with stakeholders or dive deeper into analysis.
Go to Monitoring & Reports — Services Report or Devices Report.
Choose your format: PDF for quick sharing, or CSV for in-depth analysis and integration with other tools.
Use the hamburger menu to customize which fields appear in the report, so you only see what matters most.
Print directly from the interface or save the export for later use.
Automate consistency by scheduling recurring reports.
If reports seem incomplete, confirm that devices are online, authorized, and services are properly initialized.
To know more, see Reports for insights into creating reports, customizing fields, and exporting data.
Step 11: Maintain Your CCC Environment
Maintaining CCC is about preserving long-term reliability. Regular monitoring, backups, and updates ensure that your security operations remain stable, recoverable, and audit-ready.
Monitor license expiry dates and renew them in advance to avoid service disruption.
Back up the CCC database regularly to protect device configuration, audit data, and operational history.
Use the logging and diagnostics features in the CCC interface to monitor system health and detect issues early.
Keep device firmware up to date to maintain compatibility with CCC and receive the latest security and stability updates.
Synchronize LDAP or Active Directory regularly if CCC is integrated with external identity providers.
Set reminders for license renewals, backups, and periodic health checks to reduce the risk of unexpected outages.
If repeated or persistent errors appear, collect diagnostics from CCC and contact Thales Support for further investigation.
To know more, see Server Administration for maintenance best practices, logs, backups, firmware updates, and LDAP/AD sync.
Your CCC, Fully Activated
With these 11 steps, CCC is now established as the central hub for your cryptographic operations—secure, scalable, and audit-ready. You’ve set the foundation by logging in, activating the root of trust, organizing devices, creating services, onboarding users, and enabling monitoring and reporting. From here, CCC stands as your trusted control center, built to grow with your organization and safeguard its most critical assets.
