Redeploying a Service
When you no longer need an HSM service, you can revoke access using the CCC client. After revocation, the service is de-registered, and the NTLS or STC link is taken down, making the slot unavailable to the Thales Luna HSM client. To revoke and prepare for redeployment, follow these steps:
Run these commands using sudo (Linux) or launch an Administrator command prompt (Windows) on the crypto application server that will use the service.
Go to the directory where ccc_client.jar is installed:

Operating System | Directory Path |
---|---|
Linux | `cd /usr/safenet/lunaclient/bin` |
Windows | `cd C:\Program Files\SafeNet\LunaClient\` |
Revoke this client's access to the service by running one of the following commands as an administrator. Authenticate as the CCC user who owns the service; you choose the service whose access is revoked from a menu in the steps that follow.
Option 1: Password Authentication

```
java -jar ccc_client.jar -user <username> -revoke -host <CCC_server_hostname_or_IP> -password <password> -otp <otp_code> -port <CCC_server_port>
```

When using -password, enclose the password in single quotes on Linux or double quotes on Windows. For -otp, either include the -otp parameter with the code or enter the code when prompted. If -port is not specified, the client defaults to port 8181. A password given on the command line is visible in the process list and is recorded in shell history; entering the OTP at the prompt rather than on the command line keeps at least the one-time code out of both.
Option 2: Access Token Authentication

```
java -jar -DKEYCLOAK_PORT=<keycloak_port> ccc_client.jar -user <username> -revoke -host <CCC_server_hostname_or_IP> -access_token <access_token> -otp <otp_code> -port <CCC_server_port>
```

Use the access token obtained through a prior login to authenticate (how an Application Owner generates one is described at the end of this page). For -otp, either include the -otp parameter with the code or enter the code when prompted. If -port is not specified, the client defaults to port 8181. Like a password, an access token passed as an argument appears in the process list and in shell history, so treat the history file of the account you run this from as sensitive until the token has expired.
Review and accept the CCC server certificate, if prompted. If the certificate has already been imported on this client, this prompt will not appear.

```
Connecting ...
Server certificate is not trusted. Select one of the following options to proceed:
1: Show the certificate details
2: Trust the certificate this time only
3: Trust the certificate and permanently import it to the trusted keystore at: C:\Program Files\Java\jre8\lib\security\cacerts
4: Exit
Enter an option(1-4):
```

Enter 1 to display the certificate. Enter 2 to trust the certificate for this run only. Enter 3 to permanently trust the certificate. Enter 4 to exit the client without revoking access. Before choosing 2 or 3, use option 1 and compare the certificate's fingerprint with the CCC server's fingerprint obtained out of band; a prompt like this is exactly what a client sees when it is being redirected to an impostor server. Note that option 3 writes the certificate into the JRE-wide cacerts keystore named in the prompt, so every Java application on this workstation that uses that JRE will trust it from then on.

Enter the trusted keystore password when prompted.

```
Enter the trusted keystore password:
```

Enter the password for the trusted Java keystore on the Thales Luna HSM client workstation. The default password is changeit, unless it has been modified; this is the same well-known default on every Java installation, so on production clients expect it to have been changed and obtain the current value from whoever manages the JRE.
Select the service to revoke from the list of available services.

```
Logging in ...
Querying current services...
Please select the service you want to configure:
1) Service_with_a_smile - No description
2) Now_thats_service - Password
3) Self_service - PED
4) Exit
```

Choose option 3, Revoke Access.

```
Please select the action you want to execute:
1) Authorize Access
2) Repair Access
3) Revoke Access
4) Exit
Option: 3
```

Confirm the revocation when prompted.

```
Would you like to revoke access to service 'Service_with_a_smile'? (Y/N): y
Access to service 'Service_with_a_smile' was successfully revoked.
Done
```
If the service is configured to use both Secure Trusted Channel (STC) and a Per-Partition Security Officer (SO), CCC cannot revoke access; the Partition SO must remove the STC client registration manually through LunaCM. The restriction exists so that at least one authorized client connection always remains: if the last active connection to the partition is removed, access to the partition becomes unrecoverable and the services that depend on it are disrupted. Before revoking access in this configuration, verify that another trusted client connection to the partition exists and works.
Redeploy the service using one of the following authentication methods after access has been revoked. These are the same commands as above without -revoke:

Option 1: Password Authentication

```
java -jar ccc_client.jar -user <username> -host <CCC_server_hostname_or_IP> -password <password> -otp <otp_code> -port <CCC_server_port>
```

Option 2: Access Token Authentication

```
java -jar -DKEYCLOAK_PORT=<keycloak_port> ccc_client.jar -user <username> -host <CCC_server_hostname_or_IP> -access_token <access_token> -otp <otp_code> -port <CCC_server_port>
```
Application Owner users can generate an access token through the CCC GUI: log in, go to the Access Token section, and select Get Access Token. Copy the token shown in the prompt for use with -access_token. The access token is time-bound; when it expires, repeat these steps to generate a new one.
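The revoke and redeploy commands above differ only in the -revoke flag and in which authentication arguments are passed, and the page's quoting rule for passwords on Linux is easy to get wrong when the value is typed by hand. The following wrapper script is an added example, not part of Thales' CCC client or documentation. It assumes a Linux host with ccc_client.jar at the documented path, takes the action, authentication method, user, host, secret and optional ports as positional arguments (an arrangement chosen here, not something the page specifies), and leaves the service menu, the certificate-trust prompt, the keystore password and the OTP to be answered interactively exactly as shown above.

```shell
#!/bin/sh
# Added example (not Thales' code): a small wrapper around the revoke and
# redeploy commands shown on this page.
# Assumptions not taken from the page: Linux host, ccc_client.jar at the
# documented path, and an operator who answers the service menu, certificate
# and OTP prompts by hand. Usage:
#   sudo sh ccc_redeploy.sh revoke|deploy password|token USER HOST SECRET [PORT] [KEYCLOAK_PORT]
set -eu

CCC_CLIENT_DIR=/usr/safenet/lunaclient/bin   # documented install directory (Linux)
CCC_DEFAULT_PORT=8181                          # documented default when -port is omitted

# Single-quote one value for the shell, escaping embedded quotes, so that a
# password such as  p'ss w0rd  reaches the client unchanged. This is the
# "enclose the password in single quotes on Linux" rule applied mechanically.
shquote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# True when $1 is a plain decimal port number (the only thing we splice into
# the command line without quoting).
is_port() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# Print the java command line for one action.
#   $1 action : revoke | deploy        $2 auth : password | token
#   $3 user   $4 host   $5 secret (password or access token)
#   $6 port    CCC server port (empty -> 8181)
#   $7 kc_port Keycloak port, required for token auth
# -otp is left out on purpose: the client prompts for it, which keeps the
# one-time code out of shell history and the process list.
ccc_cmdline() {
    action=$1; auth=$2; user=$3; host=$4; secret=$5
    port=${6:-$CCC_DEFAULT_PORT}; kc_port=${7:-}
    is_port "$port" || { echo "ccc_cmdline: bad CCC port '$port'" >&2; return 2; }
    cmd=java
    case "$auth" in
        password) auth_opt="-password $(shquote "$secret")" ;;
        token)
            is_port "$kc_port" || { echo "ccc_cmdline: token auth needs a Keycloak port" >&2; return 2; }
            cmd="java -DKEYCLOAK_PORT=$kc_port"     # JVM property goes before -jar
            auth_opt="-access_token $(shquote "$secret")" ;;
        *) echo "ccc_cmdline: unknown auth method '$auth'" >&2; return 2 ;;
    esac
    case "$action" in
        revoke) action_opt=" -revoke" ;;
        deploy) action_opt="" ;;
        *) echo "ccc_cmdline: unknown action '$action'" >&2; return 2 ;;
    esac
    printf '%s -jar %s -user %s%s -host %s %s -port %s\n' \
        "$cmd" "$CCC_CLIENT_DIR/ccc_client.jar" "$(shquote "$user")" \
        "$action_opt" "$(shquote "$host")" "$auth_opt" "$port"
}

# The page's preconditions: run via sudo, with the client installed.
preflight() {
    [ "$(id -u)" -eq 0 ] || { echo "run this script with sudo" >&2; return 1; }
    [ -f "$CCC_CLIENT_DIR/ccc_client.jar" ] || { echo "ccc_client.jar not found in $CCC_CLIENT_DIR" >&2; return 1; }
    command -v java >/dev/null 2>&1 || { echo "java is not on PATH" >&2; return 1; }
}

# Run one step from the install directory. The menus (service, action, Y/N),
# the certificate-trust prompt and the keystore password are answered
# interactively, as shown above.
ccc_run() {
    preflight
    cmdline=$(ccc_cmdline "$@")
    cd "$CCC_CLIENT_DIR"
    eval "$cmdline"
}

case "${1:-}" in
    revoke|deploy) ccc_run "$@" ;;
esac
```

Run it once with revoke and once with deploy, as the page's procedure does. The secret still ends up on the java process's command line, which is inherent in the -password and -access_token options; the script only keeps the OTP off it and makes sure the quoting cannot be mangled by the operator.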