Viewing and Initializing Services
After you log in to CCC, you'll find a list of services that are available. Some of these services may have already been initialized by the CCC Administrator, while others could be awaiting initialization. A service must be initialized before it can be deployed.
Viewing Service Attributes
To view the attributes associated with a service:
Click Crypto Services from the menu bar at the top to access the list of available services.
Select the service you want to inspect for its attributes. You can sort the service list by column heading or use the search function.
Click on a tab to view the corresponding attributes:
Attribute | Description |
---|---|
General | Provides partition-related details, including its name, description, associated organization, creation date, and the identity of the creator. You can use the Edit button to modify the service name, description, and organization. |
Capabilities | Lists the features associated with the partition, including its type, host device type, partition size, per partition security officer status, scalable key storage status, performance type, authentication method, and backup type. You can modify the partition size through this tab, if needed. |
Partitions | Shows the status, name, label, and serial number of the partition, along with the associated device name, appliance version, and firmware version. You can also use the buttons available in this tab to add partitions and to initialize a crypto user. |
Keys | Provides information about the keys located on the partition associated with a service, including details such as Label, Type, Handle, Fingerprint, Algorithm, and Bit Size. |
Clients | Specifies the hostnames of the machines with which the partition has an NTLS connection, along with their status, fingerprint, and registration details. |
Initializing a Service
You must initialize a service before you can register it with your application server and begin using it with your applications. Initializing a service initializes the partition(s) used to provide the service on the host devices. CCC Admin users can initialize a service when they create it, or they can leave it uninitialized until it is ready to be deployed. Uninitialized services can be initialized by the CCC Administrator, or by an Application Owner that is a member of the organization that owns the service. To initialize a service, you must specify or create the following details:
- The initial credentials for the roles that will own or use the service. For services without PPSO enabled, you initialize the credentials for the partition owner (crypto officer) role. For services with PPSO enabled, you initialize the credentials for the partition SO and crypto officer roles. You also have the option to initialize the crypto user role.
- The cloning domain for the service. You can only clone objects between HSMs that are in the same cloning domain. Cloning is used to perform operations such as backup/restore.
To initialize a password-authenticated service
To initialize a password-authenticated service:
Click on Services in the navigation frame to display a list of the services created for your organization that are available to be deployed. Any uninitialized services have an Initialize link in the Initialization State column. To help find a service, you can sort the service list by column heading, or use the search function.
After finding the service you want, click on the Initialize link in the Initialization State column. The Initialize Service wizard is displayed.
Follow the instructions below to configure the service parameters before clicking the Finish button:
Task | Description |
---|---|
Define Partition | Enter a Cloning Domain and a Partition Label. The cloning domain uniquely identifies the partition, while the label provides a clear, meaningful description. Ensure both fields reflect the intended usage. |
Initialize Roles | Set the initial password for the Crypto Officer. For PPSO services, also set the password for the Partition Security Officer, and optionally for the Crypto User. Click Finish to initialize the service and check the progress messages to ensure successful completion. Note: For services using STC and PPSO, the Crypto User role cannot be initialized through CCC after deployment. |
To initialize a PED-authenticated service
You require a remote PED to initialize a PED-based service. To use a remote PED with CCC:
Install the Thales Luna HSM client, including the remote PED server option, on the computer that you will use to access CCC, or on a separate computer you will use for the remote PED.
Configure the Remote PED Server on the computer you will use for the remote PED. Refer to Thales Luna HSM Documentation for more information.
Get an orange PED key encoded with the Remote PED Vector (RPV) for the Thales Luna Network HSM appliance that provides the service. Contact your CCC Administrator to get the key.
Click Crypto Services in the navigation frame to display a list of the services created for your organization that are available to be deployed. Any uninitialized services have an Initialize link in the Initialization State column. To help find a service, you can sort the service list by column heading, or use the search function.
Find the service you want, and then click Initialize in the Initialization State column. This will open the Initialize Service dialog box:
Task | Instructions |
---|---|
Define Partition | Enter a name for the partition that will provide the service. |
Initialize Roles | 1. Enter the IP address of your remote PED server. The default port is already filled in. If you're using a different port, enter the correct Remote PED server port. 2. For PPSO services, enter the challenge password for the Crypto Officer and, if needed, the Crypto User. The challenge password is used for role authentication after activation. 3. Click Next and follow the instructions on-screen and on the PED device. If you're not using PPSO, the PED will generate a 16-digit challenge password. Write it down as you'll need it for service activation. |
Activate Roles | 1. To activate the roles, check the Activate Crypto Officer box and, if applicable, the Activate Crypto User box. The Crypto Officer role must be activated first. 2. You can activate the roles later by editing the service attributes. If the template includes Per-Partition Security Officer and Secure Trusted Channel, roles can be activated until an application user deploys the service, which will lock the roles. 3. Click Finish to initialize the service, and watch the progress messages to confirm success. |