Glossary
Here's an explanation of key terms and concepts associated with Crypto Command Center:
Administrator
The Administrator is the top level user of the CCC. The Administrator is able to add users and devices, create services, and perform server administration tasks on the CCC.
Application Owner
The Application Owner is an administrative role that can manage the services of an organization within the CCC. The Application Owner is able to deploy services for use by members of their organization.
Certificate
A Certificate is an electronic document that binds a public key to the identity of its subject. If the certificate's signature is valid and the software examining it trusts the issuing Certificate Authority, that software can use the enclosed public key to communicate securely with the certificate's subject.
Certificate Authority
A Certificate Authority (CA) is a trusted entity that issues digital certificates. This action certifies the ownership of a public key by the named subject of the certificate and allows for the establishment of a hierarchical trust between parties.
Crypto Officer
The Crypto Officer functions as the Partition Owner, in non-PPSO services. The Crypto Officer is responsible for initializing the Crypto User role, and for creating and modifying cryptographic objects in the HSM partition. The Crypto Officer is capable of key generation and deletion, key wrapping and unwrapping, content encryption and decryption, and key signing and verifying.
Crypto User
The Crypto User is an optional role that provides limited partition operations to a user. The Crypto User can access cryptographic materials on the partition for signing, verifying, encryption, and decryption, but cannot generate or delete keys or use them for wrapping objects.
Device
Any hardware security module or appliance that has been registered in the CCC application interface for management.
Device Pool
Devices can be organized into device pools. A device pool is a group of devices that are organized by purpose, version, owner, etc. Placing a device into a device pool has no effect on which users or organizations can access the device.
External Database
An SQL database hosted on a server other than the CCC server itself.
HA Group
A High-Availability (HA) group consists of partitions organized for load balancing and redundancy across multiple HSMs. Partitions in the HA group are assigned active and standby states to ensure availability if a member HSM fails. The CCC allows users to manage and administer high-availability groups of Thales Luna HSM partitions.
HA Configuration
A High-Availability (HA) configuration is an active-active deployment of two or more CCC application servers, arranged so that if one CCC application server goes down, another CCC application server continues serving requests.
HSM
A hardware security module is a physical computing device that enables cryptographic services for a user. The CCC manages multiple HSMs.
Keepalived
Keepalived is a Linux daemon that provides IP failover (a virtual IP address moved between hosts using VRRP) and load balancing. It is used when configuring high-availability CCC servers.
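The following is an added example, not configuration shipped with or documented by the CCC product: a minimal keepalived configuration of the kind used to put one floating virtual IP in front of two CCC application servers for the HA configuration described above. The interface name, virtual router ID, addresses, VRRP password and the health-check URL (which assumes the CCC web interface listens on port 8181) are assumptions. The second server uses the same file with `state BACKUP` and a lower `priority`.

```conf
# /etc/keepalived/keepalived.conf on the first CCC server (assumed paths and values)

# Health check: drop the VIP if the local CCC web interface stops answering.
# Port 8181 is an assumption; -k skips certificate verification for a loopback probe only.
vrrp_script chk_ccc {
    script "/usr/bin/curl -fsk https://127.0.0.1:8181/ -o /dev/null"
    interval 5      # seconds between probes
    fall 2          # probes that must fail before the node is considered down
    rise 2          # probes that must succeed before it is considered up again
}

vrrp_instance CCC_VIP {
    state MASTER            # BACKUP on the second server
    interface eth0          # assumed NIC carrying the VIP
    virtual_router_id 51    # must match on both servers, unique per L2 segment
    priority 150            # lower on the second server, e.g. 100
    advert_int 1

    # VRRP peers addressed directly (unicast) so advertisements are not multicast to the whole segment.
    unicast_src_ip 192.0.2.11   # this server (assumed)
    unicast_peer {
        192.0.2.12              # the other CCC server (assumed)
    }

    # Simple password authentication is sent in the clear; it only stops accidental
    # VRRP group collisions, so keep VRRP (IP protocol 112) confined to the trusted segment.
    authentication {
        auth_type PASS
        auth_pass ChangeMe1   # assumed placeholder, 8 characters maximum
    }

    virtual_ipaddress {
        192.0.2.100/24      # the address CCC users and clients connect to (assumed)
    }

    track_script {
        chk_ccc
    }
}
```

Clients connect to the virtual address only; when the master's health check fails twice in a row, or the host dies, the backup raises the address and users reconnect without changing their bookmarks or client configuration. Both servers must share the same external database and keystore for the takeover to be transparent.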
Keystore
A repository of keys and certificates (the server's private key with its certificate chain, plus the CA certificates it trusts) used for SSL/TLS connections to the CCC.
Load Balancer
A device or software that acts as a reverse proxy and distributes network or application traffic across a number of servers, increasing the reliability and capacity of the applications behind it. The daemon keepalived is an example of a load balancer.
Local Database
An embedded or SQL database stored on the same system as the CCC and accessed locally by it.
Monitoring
The monitoring feature provides access to data displays of managed device information. Monitoring allows users to instantly assess the status of all managed devices, and to access more detailed information for managed devices.
NTLS
A network trust link service (NTLS) uses two-way digital certificate authentication to protect sensitive data as it is transmitted between the HSM partition and client. Configuring NTLS between the CCC and a root-of-trust HSM device allows for secure data transfer over a trusted network.
Organization
Organizations represent groups of Application Owners managed by the CCC. Application Owners are grouped into organizations where they can view and deploy the services created for and available to their organization.
OTP
A one-time password (OTP) is used for the second stage of user verification during the two-factor authentication process. It is accessed through a two-factor authentication application on a personal mobile device.
Partition
HSM partitions are independent logical HSMs that reside within the HSM appliance. Each HSM partition has its own data, access controls, security policies, and separate administration access independent from other HSM partitions. HSM partitions can be exclusive to a single client, or multiple clients can all share access to a single HSM partition.
PED
A PIN entry device (PED) is a trusted-path authentication device, connected to the HSM over a USB interface, that reads authentication data from electrically programmed PED keys instead of from a password typed at the host.
PPSO
Per-partition Security Officer (PPSO) is a security setting that, once enabled, requires each partition to have a unique Security Officer and password to enable crypto services.
Private Key
A private key is the secret half of an asymmetric key pair. Its holder uses it to decrypt data that was encrypted with the matching public key and to create digital signatures. It must never be disclosed, which is why, in the CCC, such keys are generated and stored inside HSM partitions.
PSO
The Partition Security Officer (PSO) is responsible for initializing the Crypto Officer role on the partition, resetting passwords, backing up partition contents, and setting and changing partition-level policies.
Public Key
A public key is the shareable half of an asymmetric key pair. Anyone holding it can encrypt data that only the matching private key can decrypt, and can verify signatures created with that private key.
Reports
Reports provide detailed information about all managed devices and provisioned services on the CCC. Reports can be viewed, searched, and sorted in the CCC, and then printed or exported to a CSV file for external use. There are two primary types of reports generated by the CCC: service reports and device reports. The service report provides detailed information about each service managed by the CCC. The device report provides detailed information about the devices and associated partitions managed by the CCC.
Root of Trust
The root of trust (ROT) is an HSM device that encrypts and decrypts all communications between the CCC and the connected HSMs. Setting up an HSM device as root of trust allows the CCC to log into the device as the HSM security officer using the root-of-trust HSM credentials.
Script
An executable file designed to aid end users in configuring a program for operation on various systems and databases.
Security Officer
The Security Officer (SO) is responsible for the initialization of the HSM, setting and changing HSM policies, and the creation and deletion of application partitions.
Service
A service refers to partitions on one or more HSM devices managed by the CCC. Services are assigned to, and owned by, specific organizations. Only members of the organization that owns the service are able to deploy and use the service for their cryptographic applications.
Service Template
To create a service the user must specify a template. Service templates specify the type, size, and capabilities of services created using the template. Service templates are reusable, allowing you to create templates for specific application types.
SSL
Secure Sockets Layer (SSL), and its successor TLS, establishes an encrypted and authenticated link between two systems, for example a browser and the CCC server. The server presents a certificate from the CCC keystore, the peers authenticate each other using certificates, and the data passing over the connection is encrypted with session keys negotiated during the handshake.
STC
A secure trusted channel (STC) is a token-based secure channel between a Thales Luna HSM partition and its authorized users. It provides privacy of all communicated data, integrity assurance for all communicated data, and bi-directional authentication between HSM and client. This is a more secure method of data transfer than NTLS. An example of STC communication would be a connection between a client application server and an HSM partition.
Two-Factor Authentication
Two-factor authentication increases security by enforcing dual-verification processes on CCC users. With two-factor authentication users are required to log in to the CCC using their administrative credentials and a time-based one-time password generated by an application on any secondary electronic device.