High-Level Architecture
At the core of CCC is the CCC server, which hosts the CCC web application. The web application comprises an application container and service, providing interfaces for administrators and application owners to manage and deploy HSM resources. Alongside the web application, CCC requires the following components:
-
A Thales Luna Network HSM, which serves as the root of trust and secures communications between CCC and the managed HSM devices.
-
A PostgreSQL database, which can be deployed either on the same server as the CCC web application or on a separate server.
The following figure provides a high-level architectural view of CCC.
Server and Client Components
CCC is installed on a workstation that meets the minimum hardware and software requirements. CCC also includes a Java client, which is used to deploy a service created in CCC on a crypto application server.
Terms | References |
---|---|
Devices | Devices are referred as Luna Network HSMs. |
Services | Services are referred as one or more partitions in Luna Network HSMs. |
Clients | Clients are referred as Application owners who are responsible for deploying the services. |
Web Server
The CCC web server consists of a Java-based web application. It uses Java JDK and requires the Luna Network HSM client software to communicate with the root-of-trust HSM.
Databases
The data managed by CCC is stored in a PostgreSQL database. You can install the database on the CCC server or on an external server.
Root-of-Trust HSM
All communications between CCC and the HSMs on any managed devices are authenticated using a Thales Luna Network HSM. You can use a password-authenticated or PED-authenticated Luna Network HSM partition as the root of trust. You can use a FIPS-enabled HSM if FIPS compliance is required, or a non-FIPS-enabled HSM if you do not require FIPS compliance.
If the root-of-trust HSM is PED-authenticated, it must be activated (to allow password login) to work with CCC. You can activate (enable) or deactivate (disable) the root-of-trust HSM to control whether or not CCC has access to the HSMs on the managed devices.
Activation of a PED-authenticated HSM to allow password authentication is not the same as activation of CCC. Activation of CCC enables the root-of-trust HSM, which allows CCC to create and deploy services.
Crypto Command Center Client
The Crypto Command Center client is run on a crypto application server to set up the NTLS or STC links from the application server's Thales Luna Network HSM client to the devices used to host the service. STC links are available for devices with a minimum software version of 6.2.1 and a minimum firmware version of 6.24.2. The Crypto Command Center client is available for download from CCC.
Users
CCC supports two distinct user roles: Administrators and Application Owners.
Administrators
Administrators are responsible for creating organizations, adding user accounts, adding devices, and creating services on managed devices. Administrators can also generate reports for the managed devices and services.
Application Owners
Application owners are responsible for deploying the services created in CCC for their organization. Application Owners own the services and are free to deploy them as needed. When a service is no longer required, the Application Owner can release the service, making the resources used to provide the service available to the Administrator to create new services. The following table compares the capabilities of Administrators and Application Owners:
Feature | CCC Admin | CCC Application Owner |
---|---|---|
Service Creation | Yes | No |
Service Initialization | Yes | Yes |
Service Deployment | Yes | Yes |
Key Material Visibility | Yes | Yes |
Reporting | Yes | No |
Service Monitoring | Yes | Yes |
Device Monitoring | Yes | No |
Alerting and Notifications | Yes | No |
Licensing | Yes | No |
Support Catalog | Yes | No |
Software Center | Yes | Yes |
Directory Support | Yes | No |
Device Log Export | Yes | No |
Account Management | Yes | No |
Migrate Service | Yes | No |
Managed Devices
You can use CCC to manage Luna Network HSM devices. CCC can manage any Luna Network HSM device that is available over the network, including those located in the cloud. In order to manage a device, CCC must be able to log in to the device as the admin user. The admin credentials required to log in to the device are encrypted using an encryption key stored on the root-of-trust HSM, and stored in CCC.
STC is not available with Luna Network HSM 7 (Firmware 7.7.0 and above).
Device Requirements
For CCC to manage a Luna Network HSM device, the device must meet the minimum requirements. CCC can manage PED-authenticated and password-authenticated Thales Luna Network HSM devices.