Authentication Model
The user, device, and service management functions of CCC require it to store the following information:
- The user passwords for the CCC users. This information is used to control access to CCC. These passwords are hashed and stored in the database, and are not extracted from that location.
  CCC stores passwords for local users only. CCC does not store passwords for the users imported from a Directory.
- The Admin password for the managed devices. This information is used to allow CCC to log in to a managed device using the REST API. The Admin password is encrypted using an encryption key stored in the root-of-trust HSM, before being stored in the database. When it is required to log in to a device, the password is extracted from the database and decrypted using the encryption key stored in the root-of-trust HSM.
In addition, all communications between CCC and the device HSMs are authenticated using a key pair stored on the root-of-trust HSM. The key pair is created when you first activate CCC. The public key is copied to the device HSM when you authorize a device. The private key is used to sign messages sent to the HSM. The public key is used to verify the messages received by the HSM. The authentication model is illustrated below:

Password Management
CCC manages three different types of credentials, each handled in a different way for security and compliance.
| Password Type | What It Is Used For | How CCC Handles It |
|---|---|---|
| User Passwords | Used by Administrators and Application Owners to sign in to CCC. | Stored only for local CCC users. Passwords are hashed and stored in the CCC database for verification. CCC does not store passwords for users authenticated through LDAP, Active Directory, or SSO. |
| Device Passwords | Used by CCC to connect to and manage Luna Network HSM devices. Includes the device administrator password and the HSM Security Officer (SO) password. | The device administrator password is encrypted using a key stored in the Root of Trust HSM and saved in the database. The HSM SO password is used only at authorization time and is never stored in the database. |
| Root of Trust Partition Password | Used by CCC to access the Root of Trust partition during activation. | If Remember credentials is selected during activation, the partition label and password are encrypted using AES-GCM and cached only in the JVM memory of the CCC Application Server. When the partition is deactivated or the CCC Application Server shuts down, the cached credentials are automatically erased. |
Modes of Operation
CCC operates in one of two modes, depending on whether Root of Trust authentication is enabled.
| Mode | Description |
|---|---|
| Deactivated | Root of Trust authentication is disabled and CCC operates in a limited, read-only state. |
| Activated | Root of Trust authentication is enabled and all CCC and CCC Client functions are available. This includes full device, service, and key management operations. |
You can activate and deactivate CCC as required. For higher security, CCC can be activated only during controlled HSM maintenance windows, and kept deactivated at all other times.
Root-of-Trust Authentication
All communications between CCC and the device HSMs are secured by the root-of-trust HSM. When you first activate CCC, a public/private key pair is generated on the root-of-trust HSM. When you authorize a device, the public key is copied from the root-of-trust HSM to the device HSM. This enables CCC to log in to the device as the HSM SO, using the root-of-trust HSM credentials. Thereafter, any message sent from CCC to the device HSM is authenticated by signing the message with the private key on the root-of-trust HSM, and then verifying the message with the public key when it is received by the device HSM.
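
The flow described above (key pair created at first activation, public key copied at device authorization, each message signed and then verified) is modeled below as an added example; it is not CCC's own code or wire protocol. Ed25519 and the names `RootOfTrust`, `DeviceHSM`, `Authorize` and `Accept` are assumptions, since the page does not name the signature algorithm or message format.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// RootOfTrust models the root-of-trust HSM; the private key never leaves it.
type RootOfTrust struct {
	pub       ed25519.PublicKey
	priv      ed25519.PrivateKey
	activated bool
}

// Activate creates the key pair on first activation and reuses it afterwards.
func (r *RootOfTrust) Activate() (err error) {
	if r.priv == nil {
		r.pub, r.priv, err = ed25519.GenerateKey(nil) // nil selects crypto/rand
	}
	r.activated = err == nil
	return err
}

func (r *RootOfTrust) Deactivate() { r.activated = false }

// Sign refuses to sign while deactivated (the limited, read-only mode).
func (r *RootOfTrust) Sign(msg []byte) ([]byte, error) {
	if !r.activated {
		return nil, fmt.Errorf("root of trust is deactivated")
	}
	return ed25519.Sign(r.priv, msg), nil
}

// DeviceHSM models a managed device; trusted is set when it is authorized.
type DeviceHSM struct{ trusted ed25519.PublicKey }
func (d *DeviceHSM) Authorize(r *RootOfTrust) { d.trusted = r.pub }

// Accept verifies msg against the public key copied at authorization.
func (d *DeviceHSM) Accept(msg, sig []byte) bool {
	return len(d.trusted) == ed25519.PublicKeySize && ed25519.Verify(d.trusted, msg, sig)
}

func main() {
	rot, dev := &RootOfTrust{}, &DeviceHSM{}
	_ = rot.Activate()
	dev.Authorize(rot)
	msg := []byte("constructed management request") // constructed sample message
	sig, _ := rot.Sign(msg)
	fmt.Println("genuine:", dev.Accept(msg, sig), "tampered:", dev.Accept(append(msg, '!'), sig))
}
```

A device that has not been authorized holds no public key and therefore rejects every message, including correctly signed ones.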