High-Level Architecture

Central to CCC is the CCC server. The CCC server is a Linux workstation where the CCC web application is installed. The CCC web application includes an application container and service, which provides the administrative and application owner interfaces for managing and deploying HSM resources. In addition to the web application, CCC also requires the following components:

  • A Thales Luna Network HSM to serve as the root of trust, to authenticate communications between the CCC and managed HSM devices.

  • A PostgreSQL or Oracle database. The database can be installed either on the same server that hosts the CCC web application or on a separate server.

The following figure provides a high-level architectural view of CCC.

Server and Client Components

CCC is installed on a Linux workstation running CentOS or Red Hat Enterprise Linux. The Customer Release Notes specify the supported versions of these operating systems. CCC also includes a Java client, which is used to deploy a service created in CCC on a crypto application server.


Term       Refers to
Devices    Luna Network HSMs.
Services   One or more partitions in Luna Network HSMs.
Clients    Application Owners, who are responsible for deploying the services.

Web Server

The CCC web server consists of a Java-based web application. It uses the Java JDK and requires the Thales Luna Network HSM client software to communicate with the root-of-trust HSM.

Databases

The data managed by CCC is stored in a PostgreSQL or Oracle database. You can install the database on the CCC server, or on an external server.

Root-of-Trust HSM

All communications between CCC and the HSMs on any managed devices are authenticated using a Thales Luna Network HSM. You can use a password-authenticated or PED-authenticated Thales Luna Network HSM partition as the root of trust. You can use a FIPS-enabled HSM if FIPS compliance is required, or a non-FIPS-enabled HSM if you do not require FIPS compliance.

If the root-of-trust HSM is PED-authenticated, it must be activated (to allow password login) to work with CCC. You can activate (enable) or deactivate (disable) the root-of-trust HSM as required to control whether or not CCC has access to the HSMs on the managed devices to create and deploy services.

Activation of a PED-authenticated HSM to allow password authentication is not the same as activation of CCC. Activation of CCC enables the root-of-trust HSM, which allows CCC to create and deploy services.

Crypto Command Center Client

The Crypto Command Center client is run on a crypto application server to set up the NTLS or STC links from the application server's Thales Luna Network HSM client to the devices used to host the service. STC links are available for devices with a minimum software version of 6.2.1 and a minimum firmware version of 6.24.2. The Crypto Command Center client is available for download from CCC.

Users

CCC supports two distinct user roles: Administrators and Application Owners.

Administrators

Administrators are responsible for creating organizations, adding user accounts, adding devices, and creating services on the managed devices. Administrators can also generate reports for the managed devices and services.

Application Owners

Application owners are responsible for deploying the services created in CCC for their organization. Application Owners own the services and are free to deploy them as they see fit. When the services are no longer required, the Application Owner can release the service, making the resources used to provide the service available to the Administrator to create new services.

The following table compares the capabilities of the CCC Admin and CCC Application Owner users:

Feature                      CCC Admin   CCC Application Owner
Service Creation             Yes         No
Service Initialization       Yes         Yes
Service Deployment           Yes         Yes
Key Material Visibility      Yes         Yes
Reporting                    Yes         No
Service Monitoring           Yes         Yes
Device Monitoring            Yes         No
Alerting and Notifications   Yes         No
Licensing                    Yes         No
Support Catalog              Yes         No
Software Center              Yes         Yes
Directory Support            Yes         No
Device Log Export            Yes         No
Account Management           Yes         No
Migrate Service              Yes         No

Managed Devices

You can use CCC to manage Thales Luna Network HSM devices. CCC is able to manage any Thales Luna Network HSM device that is available over the network, including those located in the cloud. In order to manage a device, CCC must be able to log in to the device as the admin user. The admin credentials required to log in to the device are encrypted using an encryption key stored on the root-of-trust HSM, and stored in CCC.

STC is not available with Thales Luna Network HSM 7 (Firmware 7.7.0 and above).

CCC does not provide STC support with Thales Luna Network HSM 5/6 and Thales Luna Network HSM 7 (Firmware 7.4.0 and below).

Device Requirements

CCC can manage PED-authenticated and password-authenticated Thales Luna Network HSM devices. For CCC to manage a Thales Luna Network HSM device, the device must meet the minimum requirements.