Installing CCC using Podman

The steps involved in installing CCC using Podman are as follows:

Install Podman using the procedure explained here.

Install podman-compose using the procedure explained here.

Set up and initialize a Luna HSM partition. This partition will be used to create a CCC root of trust (ROT). You'll be required to provide the partition-related details while modifying the environment file in a later step.

In case you want to use an HA ROT, you need to set up and initialize two partitions that have the same domain. You'll be required to provide the details related to these partitions while modifying the environment file in a later step.

Download and extract the CCC package.

Extract the CCC package inside the home directory of the user who is going to initialize the CCC container. For example, if the username is podmanuser, then the CCC package needs to be placed in the /home/podmanuser directory.

Create a directory named ccc-certs:

mkdir -p /home/ccc/ccc-certs

Change the ownership of /home/ccc directory:

chown -R username:groupname /home/ccc

Replace username with the appropriate username and groupname with the corresponding user group.

Copy the CCC license file and paste it inside the ccc-certs directory.

You have the option to upload the license file later, after logging in to CCC. You can do so by accessing the Administration tab from the menu bar at the top, followed by selecting the Licenses option from the navigation pane on the left, and then clicking the Upload button.

If you are using a CA-signed certificate:
a. Create a PKCS#12 or JKS certificate.
b. Copy the certificate and paste it inside the ccc-certs directory.
c. Provide the following CA-signed certificate related details while updating the environment file in a later step:
- CA_CERTIFICATE
- CA_CERTIFICATE_FILE_NAME
- CA_CERTIFICATE_PASSWORD
- CA_CERTIFICATE_ALIAS

Optional Step: To configure a CA-signed certificate for Luna Network HSM in the ccc_config.env file, begin by copying the CA-signed certificate into the ccc-certs folder. Next, open the ccc_config.env file and set the flag to enable the use of the CA-signed certificate by adding the line HSM_IP1_CA_CERT_ENABLE=Y. You will also need to specify the name of the certificate file, ensuring it matches the name of the file in the ccc-certs folder, for example, HSM_IP1_CA_CERT_NAME=rootca_12.pem. For environments with High Availability setups, repeat this process for the second HSM by adding the IP address and CA-signed certificate configuration. Set HSM_IP2_CA_CERT_ENABLE=Y and specify the certificate name with HSM_IP2_CA_CERT_NAME=<certificate_name>, ensuring the certificate name matches the file name in the ccc-certs folder.

Optional Step: If you prefer to use a signed and verified image of CCC for enhanced security and reliability, follow the procedure described on the page Using a Signed and Verified CCC Container Image. Once you have completed the procedure, return to this page to continue with the CCC installation, following steps 10 through 20.

This step is optional and provides an additional layer of security for your CCC installation. If you choose not to follow this procedure, you can continue with the CCC installation as outlined in steps 9 through 20.

Optional Step: Configure the scheduler

Go to the CCC package and load the Podman image.

podman load -i ccc-4.3.0_signed.tar

Navigate to the podman directory within the CCC package. Open the file named ccc_config.env within the podman directory and adjust the settings to align with your specific requirements.

If you want to use an external database, you need to provide the required details while modifying the environment file.

If you want to use an HA ROT, you need to follow the cloning protocol and ensure that:
(i) ROT_HA_ENABLE is set to Y
(ii) IP address for the second device is specified under HSM_IP2
(iii) Both the partitions have the same PARTITION_LABEL
(iv) Both the partitions have the same domain
(v) Partition on the second device is specified under PARTITION_NAME2
(vi) REMEMBER_CREDENTIAL is set to Y

Ensure that you've specified the name of the CCC license file under CCC_LICENSE_FILE_NAME.

The secure service deletion functionality, designed to ensure an additional layer of authentication before service deletion, is enabled by default in CCC. If, for any specific requirement, you wish to deactivate this feature, please follow these instructions:
a. Locate the environment file situated within the podman or kubernetes directory.
b. Within the file, locate the flag labeled ENABLE_SAFE_SERVICE_DEL.
c. To disable the safe service deletion functionality, modify the value of the flag to N.
Please exercise caution and evaluate the potential implications before disabling this essential security measure.

If you have mapped HSM_IP1 or HSM_IP2 with the hostname/DNS, then you need to update the hostAliases section in the podman-compose.yml file, as indicated below:
extra_hosts:
- "Hostname/DNS of HSM1:IP address of HSM1"
- "Hostname/DNS of HSM2:IP address of HSM2"

If you use LDAPS, refer to the steps for configuring LDAPS for CCC on the Installing CCC page.

Optional Step: Within the podman directory, locate and open the file named podman-compose.yml. Check for lines beginning with # network_mode: host and # hostname: hostname. Remove the # symbol at the beginning of these lines to activate them. Finally, replace hostname with the IP address assigned to your machine. Although optional, we recommend completing this step for optimal configuration.

Navigate to the podman directory, and ensure the secretfile file is accessible. Input all passwords, including those for the crypto officer, HSM1, HSM2, CCC administrator, CCC keystore, CCC credentialstore, CCC truststore, CA certificate, and CCC database, into the secretfile.

Ensure that all passwords comply with the specified password policy rules.

Move the secretfile file from the podman directory to /home/ccc/ccc-certs directory:

mv secretfile /home/ccc/ccc-certs

Run the following command to create secrets using the passwords stored in the secretfile:

podman secret create ccc_password secretfile

After the installation process is finished, any passwords stored in the secretfile file will be automatically deleted for security reasons. However, if you wish to keep these passwords for future reference, you are advised to create a backup of this file.

Verify that the necessary secrets are in place. Use the following command to list all the secrets along with their associated metadata:

podman secret ls

Build and start the CCC container. Once the required secrets are confirmed, you can build and start the CCC container. Run the following script to initiate the server:

sh start-ccc-server.sh

If you encounter the error message ERRO[0000] failed to move the rootless netns slirp4netns process to the systemd user .slice: dial unix /run/user/0/bus: connect: permission denied while executing the sh start-ccc-server.sh command, it indicates a permission issue related to Podman's rootless networking setup. This error occurs when Podman is unable to access systemd's user slice due to insufficient permissions. This issue is not directly caused by Podman's switch to Netavark in version 4.x but may arise from your system's rootless configuration, particularly with slirp4netns. To resolve this, ensure that the user has access to the necessary systemd resources or try running the command with root privileges. For more details on Podman’s networking options and configuring Netavark, refer to the Podman Networking Documentation and the Netavark GitHub Repository.

Decide how you would like to host the CCC container:

DNS: Select this option if you prefer to use a domain name for accessing CCC.
IP Address: Choose this option if you wish to host CCC using a specific IP address.

If you choose the IP address option, you will be prompted to enter the IP address of the virtual machine where CCC will be deployed. Ensure the IP address is correctly configured and accessible within your network.

Wait for a few minutes for the installation to complete. If you prefer to monitor the installation or troubleshoot any issues during the process, you can check the logs of the CCC container with the following command:

podman logs -f ccc

The -f option follows the log output in real time, allowing you to observe the container’s activity as the installation progresses. You can use this command to identify any potential errors or verify that the installation is proceeding smoothly.

Launch CCC on any of the nodes using one of the following URLs, depending on whether the machine is identified by an IP address or hostname:

Log on to CCC as an admin user. If you are logging in for the first time, use the following credentials:

Username: admin
Password: PASSWORD

Change the password. You can now start exploring various functions and features of CCC.

If the Administrator requires that you use two-factor authentication, you are prompted to configure a one-time password (OTP). Using a two-factor authentication application on a mobile device, scan the displayed QR code or manually type in the displayed secret key, excluding spaces. Add your account. A 6-digit OTP code is generated. Enter this code in the login page, excluding spaces. You are prompted to change the password in case you are a local user.

If the CCC Administrator edits the credentials of a user that has two-factor authentication enabled, the user needs to re-enroll in the two-factor authentication process.

The clock for your two-factor authentication application must be synchronized within 2 seconds of the clock for the CCC server. Otherwise the OTP code will be rejected due to a validation error.

If you ever choose to update any of the passwords within the secretfile file, remember to first remove the previous secrets by executing the command podman secret rm ccc_password, and then repeat steps 12 through 16.

Suggest A Change

Installing CCC using Podman

On this page