Redeploying a Service
When you no longer need an HSM service, you can revoke access using the CCC client. After revocation, the service is de-registered, and the NTLS or STC link is taken down, making the slot unavailable to the Thales Luna HSM client. To revoke and prepare for redeployment, follow these steps:
Note
Run these commands using sudo (Linux) or launch an Administrator command prompt (Windows) on the crypto application server that will use the service.
1. Go to the directory where ccc_client.jar is installed:
Operating System | Directory Path |
---|---|
Linux | cd /usr/safenet/lunaclient/bin |
Windows | C:\Program Files\SafeNet\LunaClient\ |
2. Run ccc_client.jar to revoke access to the service:
The -port parameter is optional. If not specified, the default port 8181 is used. For example:
java -jar ccc_client.jar -user myname@myorg -host cccserver
3. Review and accept the CCC server certificate, if prompted. If the certificate has already been imported on this client, this prompt will not appear.

    Connecting ...
    Server certificate is not trusted.
    Select one of the following options to proceed:
    1: Show the certificate details
    2: Trust the certificate this time only
    3: Trust the certificate and permanently import it to the trusted keystore at: C:\Program Files\Java\jre8\lib\security\cacerts
    4: Exit
    Enter an option(1-4):

Enter 1 to display the certificate.
Enter 2 to trust the certificate for this deployment only.
Enter 3 to permanently trust the certificate.
Enter 4 to exit the client without deploying the service.
4. Enter the trusted keystore password when prompted.

    Enter the trusted keystore password:

Enter the password for the trusted Java keystore on the Thales Luna HSM client workstation. The default password is changeit, unless modified.
5. Select the service to revoke from the list of available services.

    Logging in ...
    Querying current services...
    Please select the service you want to configure:
    1) Service_with_a_smile - No description
    2) Now_thats_service - Password
    3) Self_service - PED
    4) Exit

6. Choose option 3 to revoke access.

    Please select the action you want to execute:
    1) Authorize Access
    2) Repair Access
    3) Revoke Access
    4) Exit
    Option: 3

7. Confirm the revocation when prompted.

    Would you like to revoke access to service 'Service_with_a_smile'? (Y/N): y
    Access to service 'Service_with_a_smile' was successfully revoked.
    Done
Note
If the service is configured to use both Secure Trusted Channel (STC) and Per-Partition Security Officer (SO), CCC cannot revoke access. The Partition SO must manually manage STC client revocation through LunaCM. This approach ensures that at least one authorized client connection remains active. Without an active connection, access to the partition becomes unrecoverable, potentially disrupting services. Before revoking access, verify that an alternate, trusted connection is available to maintain partition access.
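Step 3 asks you to review the CCC server certificate before trusting it. The following Python script is an added example, not part of the Thales documentation or the CCC client: it compares the SHA-256 fingerprint of the certificate the server presents with a value obtained out of band from the CCC administrator. The script, its function names and the pinned-fingerprint workflow are assumptions; port 8181 is the default named in step 2.

```python
"""Added example: compare the CCC server certificate with a pinned SHA-256 fingerprint."""
import argparse
import hashlib
import hmac
import re
import ssl
import sys

DEFAULT_CCC_PORT = 8181  # default port stated in step 2 of the procedure


def normalize(fingerprint: str) -> str:
    """Lower-case a fingerprint and drop ':' and whitespace separators."""
    return re.sub(r"[\s:]", "", fingerprint).lower()


def fingerprint_sha256(pem: str) -> str:
    """SHA-256 over the DER encoding of a PEM certificate, as lowercase hex."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def matches_pinned(pem: str, pinned: str) -> bool:
    """True only if the certificate hashes to the pinned 64-hex-digit value."""
    want = normalize(pinned)
    if not re.fullmatch(r"[0-9a-f]{64}", want):
        return False  # truncated or non-SHA-256 value: never accept
    return hmac.compare_digest(fingerprint_sha256(pem), want)


def fetch_pem(host: str, port: int = DEFAULT_CCC_PORT) -> str:
    """Fetch the certificate the server presents, without validating it."""
    return ssl.get_server_certificate((host, port))


def main(argv=None) -> int:
    ap = argparse.ArgumentParser(description=__doc__)
    ap.add_argument("host")
    ap.add_argument("pinned", help="SHA-256 fingerprint obtained out of band")
    ap.add_argument("-port", type=int, default=DEFAULT_CCC_PORT)
    args = ap.parse_args(argv)
    pem = fetch_pem(args.host, args.port)
    ok = matches_pinned(pem, args.pinned)
    print(f"presented: {fingerprint_sha256(pem)}")
    print("MATCH: safe to trust" if ok else "MISMATCH: do not choose option 2 or 3")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it from the client workstation before launching ccc_client.jar, and choose option 2 or 3 at the trust prompt only if it reports a match.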