Release Notes
CCC 4.4: April 2025
The CCC 4.4 Release Notes outline the technical scope of version 4.4, including functional updates, compatibility requirements, and resolved issues. This document guides administrators and engineers in planning, upgrading, and validating deployments so that environments remain secure, stable, and compliant with supported configurations. Inside, you will find:
▪ New Features and Enhancements
New Features and Enhancements
The latest release of CCC introduces several key enhancements designed to improve security, usability, and performance. Single Sign-On (SSO) with OpenID Connect is now supported, allowing seamless authentication through your organization’s identity provider. The platform has also been upgraded to Angular 18, delivering faster real-time updates, improved state management, and quicker load times across all devices. In addition, CCC now supports Luna appliance software version 7.9.0, ensuring compatibility with the latest cryptographic advancements and reinforcing integration with the Luna platform. Together, these updates enhance operational efficiency and strengthen CCC’s role in secure key management at enterprise scale.
Single sign-on now available in Crypto Command Center
CCC now supports SSO through OpenID Connect, a modern and trusted standard for secure authentication. This enhancement enables direct connectivity with your organization’s identity provider, streamlining access management for administrators and offering users a faster, more intuitive login experience. With OpenID Connect, there's no need to manage multiple credentials—just one secure sign-in across all environments.
CCC supports any Identity Provider that uses the OpenID Connect protocol. However, it has been officially tested only with STA and Okta. If you're using a different provider, run end-to-end tests before going live. For help, contact Thales support.
CCC upgraded to Angular 18 for enhanced performance and reliability
CCC has been upgraded to Angular 18, enhancing platform performance, responsiveness, and reliability. Key improvements include zoneless change detection, enabling faster real-time updates such as instant threat alerts and dashboard refreshes. With stable signals, state management is now more consistent, strengthening critical features like live logs, key lifecycle visibility, and encryption control access. Enhanced server-side rendering supports faster load times, even in constrained network environments—while Angular’s latest TypeScript and build optimizations help accelerate our update cycles. For enterprise users, this means a more efficient interface to monitor key management operations, respond to incidents, and deploy updates securely across infrastructure. Whether accessed via desktop or mobile, CCC now scales more effectively to meet evolving security and compliance needs. With Angular 18, this upgrade reinforces our commitment to performance, resilience, and continuous innovation in cryptographic key management.
Support for Luna appliance software version 7.9.0
CCC now supports Luna appliance software version 7.9.0, integrating the latest advancements from the Luna platform. This update strengthens compatibility with modern security standards, boosts operational stability, and enhances interoperability across your cryptographic infrastructure. With support for Luna software version 7.9.0, CCC ensures secure, efficient key lifecycle management, empowering your organization to maintain compliance and performance at scale.
Feature matrix for CCC 4.4
Below are the minimum system requirements necessary to support the essential features and functionalities of CCC:
Feature | Minimum SA Version | Minimum SA Firmware |
---|---|---|
Device Monitoring (Full) | 7.3.0 | 7.3.0 |
Apply SW Package | 7.3.0 | 7.3.0 |
Update Firmware | 7.3.0 | 7.3.0 |
Service Monitoring | 7.4.0 | 7.4.0 |
Advisory Notes
This section outlines essential considerations for users to address before deploying the current release, aiming to facilitate informed decision-making and streamline implementation processes.
Luna HSM 7.8.4 and Later – REST API Performance Degradation – Patch Available
Issue: A significant reduction in cryptographic operation performance occurs over time when executing REST API calls on partition resources with Luna HSM firmware 7.8.4 or later. This issue has not been observed in firmware 7.8.3 or earlier. Customers using CCC may also experience this impact.
Root Cause: Our engineering team is actively investigating the root cause of this issue.
Suggested Action: To resolve the performance issue, apply the appropriate patch for your firmware version. For 7.8.5-20, use the REST API Patch KB0028956, and for 7.8.4-350, use the REST API Patch KB0028955. If you’re unable to apply the patch immediately, you can either downgrade to Firmware version 7.8.3 or earlier to maintain performance with REST API calls and CCC, or suspend or limit REST API calls on partition resources and CCC until the patch is installed. For detailed instructions and additional guidance, refer to our Knowledge Base article KB0029000.
Supported Versions
We are committed to supporting the last three versions of CCC that have been released. Security patches and bug fixes are regularly applied to the latest versions within the 3.x and 4.x series. In the event of a critical security concern or bug, we may recommend upgrading to the latest version within your series to ensure optimal performance and security. While ongoing patches for older releases may not be provided, please rest assured that we strive to help you maximize the benefits of our software. If you encounter any questions or issues with a specific version, our team is readily available to assist you.
Security Guidelines
Consult the security guidelines for CCC, which provide detailed recommendations and requirements to safeguard your CCC installation against various cyber threats, including Code Injection, Man-in-the-Middle (MITM), and Denial of Service (DoS) attacks, ensuring the protection of critical systems.
Server monitoring
We recommend monitoring your CCC server configuration with a server monitoring system. CCC cannot notify the users of a CCC instance deactivation in the event of a server outage or disconnection.
Thales Luna Network HSM 7.1 Monitoring HSM CPU Usage
The Thales Luna Network HSM 7.1 device firmware incorrectly reports the value for HSM CPU usage. The firmware will always populate the HSM CPU usage monitoring histogram value as 99.9%. This is not an accurate evaluation of the HSM devices performance by CCC.
ccc_client PED-Authenticated HSM Partition HA Group Service
If the user enters an incorrect challenge password when deploying a PED-authenticated HSM partition HA group service with ccc_client, the service will display as deployed but will not be operational. To deploy the service, relaunch ccc_client, select the service, and revoke access to that service. Then, deploy the service, as described in the CCC User Guide.
Database security
CCC does not currently support full disk encryption on a PostgreSQL database. As a result, the integrity of the database server is the responsibility of the user. We recommend keeping your database server in an environment that is secured by software data networks and firewalls. Customers are responsible for ensuring compliance with their organization's security policies.
Freemium license
The CCC Freemium virtual image is not available with CCC 4.4. However, the Freemium license file is still supported with CCC 4.4 premium build. The Freemium license is available as part of the CCC software package.
The CCC Administrator user can now use the Update License button to replace the Freemium license file with the premium license when the product evaluation is completed.
Limitations of Luna Appliance Software 7.3.3 and 7.3.4
If you are using a Luna Network HSM device having Luna appliance software version 7.3.3 or 7.3.4, you will not be able to use certain features of CCC.
Non availability of STC support
Please be advised that CCC no longer provides support for STC in conjunction with Luna Network HSM. As a result, the functionality to create a partition using STC is unavailable with Luna Network HSM 7 (firmware 7.7.0 and above). Nevertheless, CCC remains capable of monitoring your existing STC services to ensure their continued performance and stability. However, note that CCC is unable to configure or manage these services on your behalf.
Compatibility Information
For information regarding the supported hardware, software, and managed devices, consult CCC User Guide.
Supported versions of CCC
The list of supported CCC versions can be found at Thales Customer Support Portal. As a user, you are advised to upgrade to the latest CCC version.
Upgrade Instructions
To upgrade to the latest version of CCC, please refer to this link: Upgrading CCC
Resolved and Known Issues
This section lists the resolved and known issues in the product at the time of release. Workarounds are provided where available. The following table defines the severity of the issues that are listed.
Priority | Classification | Definition |
---|---|---|
C | Critical | No reasonable workaround exists. |
H | High | Reasonable workaround exists. |
M | Medium | Medium level priority problems. |
L | Low | Lowest level priority problems. |
Known issues
Issue | Severity | Synopsis |
---|---|---|
CCC-16277 | M | Problem: While CCC is fully compatible with Luna appliance software version 7.9.0, users may encounter a failure during the upgrade from version 7.8.5 to 7.9.0. The issue stems from a problem with the HSM REST API package, which disrupts the standard automated upgrade path. As a result, the upgrade does not complete successfully, requiring manual intervention via LUSH to proceed. Workaround: To bypass the upgrade failure caused by the HSM REST API package, perform the upgrade manually using LUSH. This approach allows the appliance to be successfully updated to version 7.9.0, enabling continued integration with CCC while the packaging issue is under review.. |
CCC-8303 | M | Problem: If you login with a newly created user, and stay on the "change password" screen for five minutes with no activity, and then attempt a password change, you are redirected to a blank page. Workaround: This behavior indicates a timeout. You can reattempt login by clicking the back button or by re-entering the Thales Crypto Command Center address into the URL bar in the browser. |
CCC-8819 | M | Problem: If you create and deploy a service, change its organization, and then attempt to revoke access to the service, the full deregistration might not complete. For example, the revoke might not complete, the client entry might still be displayed in the service details tab, or the client might still be registered on the managed device partition(s). Workaround: If you attempted a revocation which did not complete, detach the service, re-import it, complete the normal application owner setup, and then revoke again. If you want to change a service's organization, first revoke client access, then change the organization, then deploy the service again. This ensures that future attempts to revoke access to the service will succeed. |
CCC-9208 | M | Problem: Monitoring data does not update automatically in the General and Capabilities tabs on the Device page. Monitoring information is retrieved and stored by the device, but is not generated automatically in the Thales Crypto Command Center graphic user interface on the General tab and the Capabilities tab. Workaround: Click Refresh in the Capabilities tab to generate up-to-date monitoring data. |
CCC-10174 | L | Problem: When sorting a Service Report, at times the Sort drop down menu loses its interface layer priority, appearing behind the entries in the Services List. Workaround: Minimize and expand the row where the issue is occurring. |
CCC-12639 | M | Problem: If the ccc_client.jar is run without trusting the server certificate, it throws an exception when Option 4 (exit) is directly selected after the run. Workaround: Always trust the server certificate when the ccc_client.jar is run. |
CCC-13259 | M | Problem: Sometimes when NFS server goes down in CCC High Availability setup, NFS clients becomes unresponsive. Workaround: Re-run enableNFSSharing.sh script on client side for NFS connection. |
CCC-13948 | M | Problem: While migrating a large number of keys, the status bar displays a “null” message if object synchronization takes a long time. Workaround: You may encounter this error message in case a large number of keys are being migrated. However, the migration process will get completed despite this issue. |
CCC-13980 | M | Problem: The Migrate Service button appears enabled for a moment when the partition limit is reached. Workaround: Even if you are able to click this button, you will not be able to perform Migrate Service operation after the partition limit is reached. |
CCC-14306 | M | Problem: Unable to upgrade a device to firmware version 7.7.0 or 7.7.1. Workaround: Use LUSH to upgrade your device to firmware version 7.7.0 or 7.7.1. For details, refer to Luna HSM documentation. |
CCC-14667 | M | Problem: A log off button appears if an incorrect Crypto Officer password is provided under the Keys section after creating and initializing a service on a PED device. Workaround: This is a known issue. Please ignore the log off button and enter the correct password. |
CCC-16025 | M | Problem: When migrating a V1 service from 7.8.x appliances to a new partition in CCC, the migration may fail, accompanied by an error message. The operation logs show an "Unsupported Cloning Protocol" message, indicating a protocol mismatch during the migration process. Workaround: There is currently no solution available for this issue. |
RAPI-1853 | M | Problem: Upgrading the Luna Network HSM appliance from version 7.7.1 to 7.8.1 using CCC is currently not possible due to a bug in the REST API. Workaround: To update the appliance from version 7.7.1 to 7.8.1, users must manually connect to the LunaSH command-line interface and execute the upgrade procedure step by step. |
RAPI-4205 | M | Problem: When adding a device in CCC, if the admin password contains a space character, the device cannot be added due to a bug in the REST API. Workaround: There is currently no solution available for this issue. |
Contacting Thales Customer Support
If you encounter a problem while installing, registering, or operating this product, refer to the documentation before contacting support. If you cannot resolve the issue, contact your supplier or Thales Customer Support. Thales Customer Support operates 24 hours a day, 7 days a week. Your level of access to this service is governed by the support plan arrangements made between Thales and your organization. Please consult this support plan for further information about your entitlements, including the hours when telephone support is available to you.
Customer support portal
The customer support portal, at https://supportportal.thalesgroup.com, is where you can find solutions for most common problems. The Customer Support Portal is a comprehensive, fully searchable database of support resources, including software and firmware downloads, release notes listing known problems and workarounds, a knowledge base, FAQs, product documentation, technical notes, and more. You can also use the portal to create and manage support cases.
You require an account to access the Customer Support Portal. To create a new account, go to the portal and click on the REGISTER link.
Telephone support
If you have an urgent problem, or cannot access the Customer Support Portal, you can contact Thales Customer Support by telephone at +1 410-931-7520. Additional local telephone support numbers are listed on the support portal.