Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Installing Crypto Command Center

Installing CCC using Podman

search
printsuggest an edit

Installing CCC using Podman

For a step-by-step walkthrough of installing CCC 4.3 using Podman, check out this video:


The steps involved in installing CCC using Podman are as follows:

1Install Podman using the procedure explained here.

2Install podman-compose using the procedure explained here.

3Set up and initialize a Luna HSM partition. This partition will be used to create a CCC root of trust (ROT). You'll be required to provide the partition-related details while modifying the environment file in a later step.

note

Note

In case you want to use an HA ROT, you need to set up and initialize two partitions that have the same domain. You'll be required to provide the details related to these partitions while modifying the environment file in a later step.

4Download and extract the CCC package.

note

Note

Extract the CCC package inside the home directory of the user who is going to initialize the CCC container. For example, if the username is podmanuser, then the CCC package needs to be placed in the /home/podmanuser directory.

5Create a directory named ccc-certs:

mkdir -p /home/ccc/ccc-certs

6Change the ownership of /home/ccc directory: 

chown -R username:groupname /home/ccc
note

Note

Replace username with the appropriate username and groupname with the corresponding user group.

7Copy the CCC license file and paste it inside the ccc-certs directory.

note

Note

You have the option to upload the license file later, after logging in to CCC. You can do so by accessing the Administration tab from the menu bar at the top, followed by selecting the Licenses option from the navigation pane on the left, and then clicking the Upload button.

note

Note

If you are using a CA-signed certificate:
a. Create a PKCS#12 or JKS certificate.
b. Copy the certificate and paste it inside the ccc-certs directory.
c. Provide the following CA-signed certificate related details while updating the environment file in a later step:
- CA_CERTIFICATE
- CA_CERTIFICATE_FILE_NAME
- CA_CERTIFICATE_PASSWORD
- CA_CERTIFICATE_ALIAS

8Optional Step: To configure a CA-signed certificate for Luna Network HSM in the ccc_config.env file, begin by copying the CA-signed certificate into the ccc-certs folder. Next, open the ccc_config.env file and set the flag to enable the use of the CA-signed certificate by adding the line HSM_IP1_CA_CERT_ENABLE=Y. You will also need to specify the name of the certificate file, ensuring it matches the name of the file in the ccc-certs folder, for example, HSM_IP1_CA_CERT_NAME=rootca_12.pem. For environments with High Availability setups, repeat this process for the second HSM by adding the IP address and CA-signed certificate configuration. Set HSM_IP2_CA_CERT_ENABLE=Y and specify the certificate name with HSM_IP2_CA_CERT_NAME=<certificate_name>, ensuring the certificate name matches the file name in the ccc-certs folder.

9Optional Step: If you prefer to use a signed and verified image of CCC for enhanced security and reliability, follow the procedure described on the page Using a Signed and Verified CCC Container Image. Once you have completed the procedure, return to this page to continue with the CCC installation, following steps 10 through 20.

note

Note

This step is optional and provides an additional layer of security for your CCC installation. If you choose not to follow this procedure, you can continue with the CCC installation as outlined in steps 9 through 20.

10Optional Step: Configure the scheduler

11Go to the CCC package and load the Podman image.

podman load -i ccc-4.3.0.tar

12Navigate to the podman directory within the CCC package. Open the file named ccc_config.env within the podman directory and adjust the settings to align with your specific requirements.

note

Note

If you want to use an external database, you need to provide the required details while modifying the environment file.

note

Note

If you want to use an HA ROT, you need to follow the cloning protocol and ensure that:
(i) ROT_HA_ENABLE is set to Y
(ii) IP address for the second device is specified under HSM_IP2
(iii) Both the partitions have the same PARTITION_LABEL
(iv) Both the partitions have the same domain
(v) Partition on the second device is specified under PARTITION_NAME2
(vi) REMEMBER_CREDENTIAL is set to Y

note

Note

Ensure that you've specified the name of the CCC license file under CCC_LICENSE_FILE_NAME.

note

Note

The secure service deletion functionality, designed to ensure an additional layer of authentication before service deletion, is enabled by default in CCC. If, for any specific requirement, you wish to deactivate this feature, please follow these instructions:
a. Locate the environment file situated within the podman or kubernetes directory.
b. Within the file, locate the flag labeled ENABLE_SAFE_SERVICE_DEL.
c. To disable the safe service deletion functionality, modify the value of the flag to N.
Please exercise caution and evaluate the potential implications before disabling this essential security measure.

note

Note

If you have mapped HSM_IP1 or HSM_IP2 with the hostname/DNS, then you need to update the hostAliases section in the podman-compose.yml file, as indicated below:
extra_hosts: 
- "Hostname/DNS of HSM1:IP address of HSM1"
- "Hostname/DNS of HSM2:IP address of HSM2"

note

Note

If you use LDAPS, refer to the steps for configuring LDAPS for CCC on the Installing CCC page.

13Optional Step: To configure a CA-signed certificate for Luna Network HSM in the ccc_config.env file, begin by copying the CA-signed certificate into the ccc-certs folder. Next, open the ccc_config.env file and set the flag to enable the use of the CA-signed certificate by adding the line HSM_IP1_CA_CERT_ENABLE=Y. You will also need to specify the name of the certificate file, ensuring it matches the name of the file in the ccc-certs folder, for example, HSM_IP1_CA_CERT_NAME=rootca_12.pem. For environments with High Availability setups, repeat this process for the second HSM by adding the IP address and CA-signed certificate configuration. Set HSM_IP2_CA_CERT_ENABLE=Y and specify the certificate name with HSM_IP2_CA_CERT_NAME=<certificate_name>, ensuring the certificate name matches the file name in the ccc-certs folder.

14Optional Step: Within the podman directory, locate and open the file named podman-compose.yml. Check for lines beginning with # network_mode: host and # hostname: hostname. Remove the # symbol at the beginning of these lines to activate them. Finally, replace hostname with the IP address assigned to your machine. Although optional, we recommend completing this step for optimal configuration.

15Navigate to the podman directory, and ensure the secretfile file is accessible. Input all passwords, including those for the crypto officer, HSM1, HSM2, CCC administrator, CCC keystore, CCC credentialstore, CCC truststore, CA certificate, and CCC database, into the secretfile.

note

Note

Ensure that all passwords comply with the specified password policy rules.

16Run the following command to create secrets using the passwords stored in the secretfile:

podman secret create ccc_password secretfile
note

Note

After the installation process is finished, any passwords stored in the secretfile file will be automatically deleted for security reasons. However, if you wish to keep these passwords for future reference, you are advised to create a backup of this file.

17Verify that the necessary secrets are in place. Use the following command to list all the secrets along with their associated metadata:

podman secret ls

18Move the secretfile file from the podman directory to /home/ccc/ccc-certs directory:

mv secretfile /home/ccc/ccc-certs

19Build and start the CCC container. Once the required secrets are confirmed, you can build and start the CCC container. Run the following script to initiate the server:

sh start-ccc-server.sh
note

Note

If you encounter the error message ERRO[0000] failed to move the rootless netns slirp4netns process to the systemd user .slice: dial unix /run/user/0/bus: connect: permission denied while executing the sh start-ccc-server.sh command, it indicates a permission issue related to Podman's rootless networking setup. This error occurs when Podman is unable to access systemd's user slice due to insufficient permissions. This issue is not directly caused by Podman's switch to Netavark in version 4.x but may arise from your system's rootless configuration, particularly with slirp4netns. To resolve this, ensure that the user has access to the necessary systemd resources or try running the command with root privileges. For more details on Podman’s networking options and configuring Netavark, refer to the Podman Networking Documentation and the Netavark GitHub Repository.

20Decide how you would like to host the CCC container:


  • DNS: Select this option if you prefer to use a domain name for accessing CCC.

  • IP Address: Choose this option if you wish to host CCC using a specific IP address.

note

Note

If you choose the IP address option, you will be prompted to enter the IP address of the virtual machine where CCC will be deployed. Ensure the IP address is correctly configured and accessible within your network.

21Wait for a few minutes for the installation to complete. If you prefer to monitor the installation or troubleshoot any issues during the process, you can check the logs of the CCC container with the following command:

podman logs -f ccc

The -f option follows the log output in real time, allowing you to observe the container’s activity as the installation progresses. You can use this command to identify any potential errors or verify that the installation is proceeding smoothly.

22Launch CCC on any of the nodes using one of the following URLs, depending on whether the machine is identified by an IP address or hostname:


23Log on to CCC as an admin user. If you are logging in for the first time, use the following credentials:


  • Username: admin

  • Password: PASSWORD

24Change the password. You can now start exploring various functions and features of CCC.

note

Note

If the Administrator requires that you use two-factor authentication, you are prompted to configure a one-time password (OTP). Using a two-factor authentication application on a mobile device, scan the displayed QR code or manually type in the displayed secret key, excluding spaces. Add your account. A 6-digit OTP code is generated. Enter this code in the login page, excluding spaces. You are prompted to change the password in case you are a local user.

note

Note

If the CCC Administrator edits the credentials of a user that has two-factor authentication enabled, the user needs to re-enroll in the two-factor authentication process.

note

Note

The clock for your two-factor authentication application must be synchronized within 2 seconds of the clock for the CCC server. Otherwise the OTP code will be rejected due to a validation error.

note

Note

If you ever choose to update any of the passwords within the secretfile file, remember to first remove the previous secrets by executing the command podman secret rm ccc_password, and then repeat steps 12 through 16.


On this page