Install CCC Using Podman without High Availability for CCC and the Database
You are about to deploy CCC on a Podman-based environment using a PostgreSQL database without high availability. The steps that follow walk you through preparing the required directories, certificates, container images, and configuration files so that the CCC application and database containers start with the correct paths, permissions, and network settings, aligned with CCC’s expected runtime environment and with all prerequisites in place.
This deployment uses a single CCC node and a single PostgreSQL database node. No clustering, replication, shared storage, or infrastructure-level failover mechanisms are configured in this mode. If high availability is required, refer to the High Availability deployment guide.
Before you begin
Before you begin, ensure the following:
- You have reviewed the minimum hardware and software requirements listed in the documentation and confirmed that your environment is supported.
- You have downloaded the CCC package. To do so, you must log in to the Thales Customer Support Portal, download the CCC package to the target system, and extract it so that its contents are accessible before starting the installation.
- You have downloaded the CCC license file. To do so, you must log in to the Thales Group Licensing Portal using the details provided in the entitlement email, activate your CCC license, and download the license file. A Freemium license file is included in the CCC package for evaluation purposes.
- You have decided whether to use a signed and verified CCC container image for enhanced security and integrity validation. If you choose to do so, you must complete the procedure described in Using a Signed and Verified CCC Container Image before proceeding with the CCC installation. This step is optional and adds an extra layer of security. If you prefer not to enable image signing and verification, you can proceed with the installation as usual.
- You have initialized a dedicated Luna HSM partition to act as the Root of Trust (ROT) for CCC, with the Crypto Officer (CO) role created, initialized, and activated. Before continuing, verify that the HSM partition is reachable and accessible from each host where CCC will be installed, and ensure that the HSM IP address, partition name, partition label, and required credentials are available, as you will be prompted to provide these values when editing the CCC application configuration file (ccc_config.env) and the associated secrets file (secretfile) during the installation.
Installation procedure
Install Podman on the host you’ll use to run CCC. Follow the official Podman guide at https://podman.io/getting-started/installation.
Extract the CCC package inside the home directory of the user who is going to initialize the CCC container. For example, if the username is podmanuser, then the CCC package needs to be placed in the /home/podmanuser directory.
Create a directory where CCC will store certificates used by Podman containers, ensuring a dedicated and organized location for all certificate-related files.
mkdir -p /home/ccc/ccc-certs
Change ownership of the /home/ccc directory to the user running CCC so the application can securely access required files and directories.
chown -R username:groupname /home/ccc
Copy your CCC license file into the /home/ccc/ccc-certs directory so the installer finds it automatically on startup. If needed, you can upload the license later from the Administration - Licenses - Upload menu.
Navigate to the extracted CCC installation directory to begin the installation process. This directory contains two subdirectories: ccc-app and ccc-db.
cd /home/<extracted_directory>/
PostgreSQL setup
Navigate to the ccc-db directory where the database installation scripts and container images are located.
cd ccc-db/
Load the CCC database Podman image.
podman load -i ccc-db-4.5.0.tar
Navigate to the podman/ directory containing the configuration files for the database container.
Open the database configuration file and make the required changes, while leaving all other values unchanged. Save the file after applying these changes.
vi pg_config.env
| Parameter | Description | Example/Value |
|---|---|---|
| DB_HOST_IP | IP address of the host where the PostgreSQL database will be installed. | DB_HOST_IP=10.164.76.69 |
| DB_BASE_DIR | The database home directory where PostgreSQL will store data files, configuration files, and logs. | DB_BASE_DIR=/home/ccc |
| NETWORK_MODE | Specifies the database container network mode. Use host so the container shares the host’s network stack without port mapping. | NETWORK_MODE=host |
Open the database secret file and define a database password of your choice, which is the credential used by the database service to authenticate access from CCC. Add the password as the value of DB_PASSWORD, and then save the file. This same password will later be reused as CCC_DB_PASSWORD, which is the configuration value the CCC application reads to connect to the database.
vi secretfile
DB_PASSWORD=<your_password_here>
Ensure that all passwords entered during installation meet the required password policy criteria.
Run the database startup script located in the current directory to initialize the CCC database container. The script will display a configuration summary and prompt you to confirm the settings. When asked Do you want to proceed with these values? (Y/N), enter Y to continue with the installation.
sh start-ccc-database.sh
Verify the database startup by checking for the message CCC database container launched successfully along with the container name ccc-db, and then run podman logs -f ccc-db to confirm that the database is running without errors.
Exit the log view and then run podman ps to confirm that the CCC database container is up and running.
podman ps
If your organization requires the PostgreSQL database to use a CA-signed certificate instead of the default self-signed certificate, complete the procedure described on the Replacing the CCC Database Server Certificate with a CA-Signed Certificate page before starting the database container. After completing the certificate replacement steps, return to this page and continue with the database initialization below.
CCC application setup
Navigate to the ccc-app directory to load the CCC application image. Then verify the image is successfully loaded.
cd ccc-app
podman load -i ccc-4.5.0.tar
podman images
Navigate into the podman directory inside the ccc-app directory so you can access and edit the CCC application configuration files.
vi ccc_config.env
Enter the following values in the configuration file, then save and close it once the updates are complete:
| Parameter | Description |
|---|---|
| HSM_IP | Specify the IP address of your HSM device. CCC will establish NTLS communication with this HSM and use it to build the root of trust. |
| PARTITION_NAME | Set the partition name to ROT_CCC. This is the partition created on the HSM device for NTLS and Root of Trust generation. |
| PARTITION_LABEL | Assign the label ROT_CCC to the Root of Trust partition created on the HSM. |
| CCC_LICENSE_FILE_NAME | Provide the name of the license file placed in /home/ccc/ccc-certs/ for automatic license upload during startup. |
| DATABASE_NODE | Specify the PostgreSQL database server node in the format IP-or-DNS:PORT. |
| CCC_BASE_DIR | Set the base directory on the system where CCC is installed for storing runtime files and logs. This directory is mounted into the CCC application container during startup and can be configured as required. For example: CCC_BASE_DIR=/var/opt/ccc |
| NETWORK_MODE | Set the value to host so the CCC application container shares the host’s network stack without requiring port mapping. |
To secure the CCC web interface and backend server with a CA-signed certificate (instead of using the default self-signed certificate), copy the CA-signed PKCS#12 or JKS certificate into the same ccc-certs directory and define the following variables in the ccc_config.env file: CA_CERTIFICATE, CA_CERTIFICATE_FILE_NAME, CA_CERTIFICATE_PASSWORD, and CA_CERTIFICATE_ALIAS. This procedure applies only to configuring the CA-signed certificate used to secure the CCC web interface and backend server. It is not related to the NTLS CA certificate used for communication with the Luna Network HSM.
If you want to use an HA ROT, you need to follow the cloning protocol and ensure that:
(i) ROT_HA_ENABLE is set to Y
(ii) IP address for the second device is specified under HSM_IP2
(iii) Both the partitions have the same PARTITION_LABEL
(iv) Both the partitions have the same domain
(v) Partition on the second device is specified under PARTITION_NAME2
(vi) REMEMBER_CREDENTIAL is set to Y
The secure service deletion functionality, designed to ensure an additional layer of authentication before service deletion, is enabled by default in CCC. If, for any specific requirement, you wish to deactivate this feature, please follow these instructions:
a. Locate the environment file situated within the podman or kubernetes directory.
b. Within the file, locate the flag labeled ENABLE_SAFE_SERVICE_DEL.
c. To disable the safe service deletion functionality, modify the value of the flag to N. Please exercise caution and evaluate the potential implications before disabling this essential security measure.
If you are using LDAPS with Crypto Command Center, see the Setting up LDAPS page for detailed configuration steps.
Optional Step: To configure CCC to use a CA-signed certificate for NTLS communication with the Luna Network HSM (specifically for ROT), first ensure that the CA certificate has been obtained and installed on the HSM, as outlined in the Luna HSM documentation. Once complete, copy the CA certificate into the ccc-certs folder on the CCC host. Then, open the ccc_config.env file and enable the use of the CA certificate by setting HSM_IP1_CA_CERT_ENABLE=Y and specifying the certificate file name using HSM_IP1_CA_CERT_NAME=<ca_certificate_file_name>.
Open the secret file and provide the required secure parameters. This file stores all sensitive passwords needed to establish NTLS with the HSM, create the Root of Trust, configure the CCC application, and connect to the database.
vi secretfile
Enter the following values and then save and close the secret file:
| Parameter | Description |
|---|---|
| HSM_PASSWORD | Provide the password for the HSM device corresponding to the HSM_IP you entered earlier. This password is required to establish NTLS. |
| CRYPTO_OFFICER_PASSWORD | Enter the Crypto Officer password for the HSM partition defined in PARTITION_LABEL. This is required to create the Root of Trust (ROT). |
| CCC_ADMIN_PASSWORD | Set the admin password used to log in to the CCC application UI. The default value is PASSWORD. |
| CCC_CREDENTIALSTORE_PASSWORD | Specify the password that the WildFly server will use to securely store internal credentials. |
| CCC_KEYSTORE_PASSWORD | Provide the password used to protect cryptographic keys stored in the CCC keystore. |
| CCC_TRUSTSTORE_PASSWORD | Enter the password used to secure certificates stored in the CCC truststore. |
| CCC_DB_PASSWORD | Supply the database password used by the CCC application to connect to the database. This value must be the same password you defined earlier as DB_PASSWORD in the database secretfile. |
The passwords in the secret file are required each time the CCC container is created or initialized. If the container is removed, recreated, upgraded, or redeployed, you must re-populate the required passwords in the secret file before starting the container.
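Before running the startup script, it is worth cross-checking the values entered across the four files edited above, since a DATABASE_NODE that does not point at DB_HOST_IP, a CCC_DB_PASSWORD that differs from DB_PASSWORD, a missing license file, or a secretfile readable by other users will only surface after the container starts. The following pre-flight check is an added example, not part of the CCC package; it assumes the directory layout from this page (ccc-db/podman and ccc-app/podman under the extracted package, certificates in /home/ccc/ccc-certs), and the sample values written by make_sample (IP, port, password, license name) are constructed for illustration.

```shell
#!/bin/sh
# Added pre-flight check for the CCC configuration files described on this page.
# Not part of the CCC package. Assumes <extracted>/ccc-db/podman and
# <extracted>/ccc-app/podman each hold an env file plus a secretfile, and ccc-certs holds the license.

# env_get FILE KEY: value of the first KEY=VALUE line in an env-style file, trailing blanks removed.
env_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# ccc_preflight DB_DIR APP_DIR CERT_DIR: report mismatches, return 1 if any were found.
ccc_preflight() {
    db_dir=$1; app_dir=$2; cert_dir=$3; problems=0
    db_ip=$(env_get "$db_dir/pg_config.env" DB_HOST_IP)
    db_node=$(env_get "$app_dir/ccc_config.env" DATABASE_NODE)
    db_pw=$(env_get "$db_dir/secretfile" DB_PASSWORD)
    app_db_pw=$(env_get "$app_dir/secretfile" CCC_DB_PASSWORD)
    lic=$(env_get "$app_dir/ccc_config.env" CCC_LICENSE_FILE_NAME)
    # DATABASE_NODE (IP-or-DNS:PORT) must point at the host configured in DB_HOST_IP
    case "$db_node" in
        "$db_ip":*) ;;
        *) echo "DATABASE_NODE '$db_node' does not match DB_HOST_IP '$db_ip'"; problems=1 ;;
    esac
    # CCC_DB_PASSWORD must be the same value as DB_PASSWORD in the database secretfile
    if [ -z "$db_pw" ] || [ "$db_pw" != "$app_db_pw" ]; then
        echo "CCC_DB_PASSWORD does not match DB_PASSWORD (or DB_PASSWORD is empty)"; problems=1
    fi
    # both containers are expected to run with NETWORK_MODE=host
    for f in "$db_dir/pg_config.env" "$app_dir/ccc_config.env"; do
        [ "$(env_get "$f" NETWORK_MODE)" = host ] || { echo "NETWORK_MODE is not host in $f"; problems=1; }
    done
    # the license named for automatic upload must exist in ccc-certs
    [ -n "$lic" ] && [ -f "$cert_dir/$lic" ] || { echo "license '$lic' not found in $cert_dir"; problems=1; }
    # secret files hold HSM and database passwords: group and others must have no access
    for f in "$db_dir/secretfile" "$app_dir/secretfile"; do
        [ "$(ls -l "$f" | cut -c5-10)" = "------" ] || { echo "$f is readable by group/others"; problems=1; }
    done
    return $problems
}

# make_sample DIR: write a constructed, consistent sample layout (all values are examples only).
make_sample() {
    mkdir -p "$1/ccc-db/podman" "$1/ccc-app/podman" "$1/ccc-certs"
    printf 'DB_HOST_IP=10.164.76.69\nDB_BASE_DIR=/home/ccc\nNETWORK_MODE=host\n' > "$1/ccc-db/podman/pg_config.env"
    printf 'DB_PASSWORD=Example-Pass-1\n' > "$1/ccc-db/podman/secretfile"
    printf 'DATABASE_NODE=10.164.76.69:5432\nCCC_LICENSE_FILE_NAME=ccc.lic\nNETWORK_MODE=host\n' > "$1/ccc-app/podman/ccc_config.env"
    printf 'CCC_DB_PASSWORD=Example-Pass-1\n' > "$1/ccc-app/podman/secretfile"
    : > "$1/ccc-certs/ccc.lic"
    chmod 600 "$1/ccc-db/podman/secretfile" "$1/ccc-app/podman/secretfile"
}
```

On a real host, run ccc_preflight against the podman directories of ccc-db and ccc-app and /home/ccc/ccc-certs; an exit status of 0 means the files agree with each other.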
CCC startup and validation
Run the server startup script to launch the CCC application container:
sh start-ccc-server.sh
If you see the error “ERRO[0000] failed to move the rootless netns slirp4netns process to the systemd user .slice: dial unix /run/user/0/bus: connect: permission denied” while running sh start-ccc-server.sh, it simply means Podman is attempting to use rootless networking but doesn’t have the necessary permissions to do so. This error occurs when Podman is unable to access systemd's user slice due to insufficient permissions. This issue is not directly caused by Podman's switch to Netavark in version 4.x but may arise from your system's rootless configuration, particularly with slirp4netns. To resolve this, ensure that the user has access to the necessary systemd resources or try running the command with root privileges. For more details on Podman’s networking options and configuring Netavark, refer to the Podman Networking Documentation and the Netavark GitHub Repository.
Choose how you want to host Crypto Command Center when prompted. You can manually enter the IP or DNS name by selecting option 1, or allow the installer to auto-detect the host IP by selecting option 2.
Review the configuration summary displayed after making your selection. When prompted with Do you want to proceed with these values? (Y/N), enter Y to continue. The script will then launch the Crypto Command Center container, and you should see a confirmation message such as Crypto Command Center container launched successfully.
Verify the application started without errors:
podman logs -f ccc
Exit the log view and then open a browser to log on to CCC using the host IP or DNS you provided during the startup prompt: https://host_ip:8181 or https://hostname:8181.
Log in as the default admin:
Username: admin
Password: PASSWORD
Change the default password when prompted. After updating it, begin exploring the available functions and features of CCC.
If the Administrator requires that you use two-factor authentication, you are prompted to configure a one-time password (OTP). Using a two-factor authentication application on a mobile device, scan the displayed QR code or manually type in the displayed secret key, excluding spaces. Add your account. A 6-digit OTP code is generated. Enter this code in the login page, excluding spaces. If you are a local user, you are prompted to change the password.
If the CCC Administrator edits the credentials of a user that has two-factor authentication enabled, the user needs to re-enroll in the two-factor authentication process.
The clock for your two-factor authentication application must be synchronized within 2 seconds of the clock for the CCC server. Otherwise, the OTP code will be rejected due to a validation error.
This completes the deployment of Crypto Command Center in a standalone configuration using Podman with a single PostgreSQL backend.