Installing CCC using Helm
The steps involved in installing CCC using Helm are as follows:
Log on to both the Linux machines that you intend to use for CCC installation.
There should be full network connectivity between these machines. During installation, you will be using one of the machines as the Master node and the other one as the Worker node. Depending on your requirements, you can have more than one Master node and Worker node.
Set up a Kubernetes cluster on the Master node as well as the Worker node, using the steps explained here. Kubernetes runs CCC and all its dependencies as containers distributed across the cluster nodes.
Install Helm on Master node.
Set up and initialize a Luna HSM partition. This partition will be used to create a CCC root of trust (ROT). You'll be required to provide the partition-related details while modifying the configuration settings in a later step.
If you want to use an HA ROT, set up and initialize two partitions that share the same cloning domain. You'll be required to provide the details of both partitions while modifying the configuration settings in a later step.
Download the CCC package on the Master node as well as the Worker node, and extract the Crypto Command Center package inside your home directory on each.
Create a directory named ccc-certs on all the Worker nodes:
mkdir -p /home/ccc/ccc-certs
Place the CCC license file inside the ccc-certs directory on each Worker node so that it is detected automatically during container startup.
You can also upload the CCC license file after logging in to the application. Navigate to Administration on the top menu, select Licenses from the left navigation pane, and click Upload.
To secure the CCC web interface and backend server with a CA-signed certificate (instead of the default self-signed certificate), copy the PKCS#12 or JKS keystore that holds the CA-signed certificate and its private key into the same ccc-certs directory and define the following variables in the ccc_config.env file: CA_CERTIFICATE, CA_CERTIFICATE_FILE_NAME, CA_CERTIFICATE_PASSWORD, and CA_CERTIFICATE_ALIAS. This procedure applies only to the CA-signed certificate used to secure the CCC web interface and backend server. It is not related to the NTLS CA certificate used for communication with the Luna Network HSM, which is covered in Step 8.
Optional Step: To configure CCC to use a CA-signed certificate for NTLS communication with the Luna Network HSM (specifically for ROT), first ensure that the CA certificate has been obtained and installed on the HSM, as outlined in the Luna HSM documentation. Once complete, copy the CA certificate into the ccc-certs folder on the CCC host. Then, open the ccc_config.env file and enable the use of the CA certificate by setting HSM_IP1_CA_CERT_ENABLE=Y and specifying the certificate file name using HSM_IP1_CA_CERT_NAME=<certificate_name>, ensuring the name matches the file in the ccc-certs folder (e.g., rootca_12.pem). In High Availability environments, repeat the same for the second HSM using HSM_IP2_CA_CERT_ENABLE=Y and HSM_IP2_CA_CERT_NAME=<certificate_name>.
This procedure applies only to configuring the NTLS CA certificate used for communication with the Luna Network HSM in the context of ROT. It is not related to the CA-signed certificate used to secure the CCC interface and backend server, which is covered in Step 7.
Optional Step: If you prefer to use a signed and verified image of CCC, so that the image you deploy can be checked against the vendor's signature before it runs, follow the procedure described on the page Using a Signed and Verified CCC Container Image. Once you have completed that procedure, return to this page and continue with the CCC installation at steps 12 through 21.
If you choose not to use a signed image, continue with the CCC installation as outlined in steps 10 through 21.
Check your container runtime environment on the Worker node by executing the following command:
crictl config --get image-endpoint
Navigate to the Crypto Command Center package on your Worker node and select one of the following methods to import the CCC image, based on the output of the previous step:
Method 1 (for containerd): If the output you received was unix:///run/containerd/containerd.sock, your Worker node is using containerd as the container runtime. In this case, import the images into the k8s.io namespace (the one the kubelet reads) with the following command:
ctr -n=k8s.io images import ccc-4.4.0.tar
Method 2 (for CRI-O): If the output you received was unix:///var/run/crio/crio.sock, it indicates that your Worker node is using CRI-O as the container runtime. To import the images in this case, you'll first need to install Podman on your Worker node and then execute the following command:
podman load -i ccc-4.4.0.tar
After successfully importing the images using Method 2, open the CCC package on your Master node and access the helm directory. Within the helm directory, open the deployment.yaml file located in the templates subdirectory. In the deployment.yaml file, navigate to the section that defines containers and update the image value from ccc:4.4.0 to localhost/ccc:4.4.0. This action ensures that your Helm deployment uses the desired image.
Run the following command on the Worker node to list all the images and confirm that the CCC image was imported under the name you expect:
crictl images
Go to the ccc directory on the Master node and open the helm directory.
Create secrets by running the following command:
kubectl create secret generic ccc-password \
--from-literal=CCC_TRUSTSTORE_PASSWORD='password' \
--from-literal=CCC_KEYSTORE_PASSWORD='password' \
--from-literal=CCC_CREDENTIALSTORE_PASSWORD='password' \
--from-literal=HSM_PASSWORD1='password' \
--from-literal=CRYPTO_OFFICER_PASSWORD='password' \
--from-literal=HSM_PASSWORD2='password' \
--from-literal=CCC_ADMIN_PASSWORD='password' \
--from-literal=CA_CERTIFICATE_PASSWORD='password' \
--from-literal=CCC_DB_PASSWORD='password'
Replace each 'password' placeholder with a value that complies with the CCC password policy. Note that values passed with --from-literal are recorded in the shell history and are visible in process listings while the command runs, so clear the history afterwards or supply the values from a file instead.
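The following script is an added example (not part of the CCC package) that builds the same ccc-password secret from a root-only env file instead of from --from-literal arguments, so the plaintext passwords never appear in the shell history or in ps output. The key names are the ones used by the kubectl command above; the check function only verifies that every key is present and non-empty, since the password policy itself is not reproduced here. kubectl's --from-env-file flag takes each value literally after the first "=", so the values must not be quoted in the file.

```shell
#!/bin/sh
# Added example; not part of the CCC package. Creates the ccc-password secret
# from a 0600 env file instead of --from-literal arguments, so the plaintext
# passwords do not end up in the shell history or in `ps` output.
# Key names are the ones the page's kubectl command uses.

CCC_SECRET_KEYS="CCC_TRUSTSTORE_PASSWORD CCC_KEYSTORE_PASSWORD \
CCC_CREDENTIALSTORE_PASSWORD HSM_PASSWORD1 CRYPTO_OFFICER_PASSWORD \
HSM_PASSWORD2 CCC_ADMIN_PASSWORD CA_CERTIFICATE_PASSWORD CCC_DB_PASSWORD"

# ccc_write_secret_env FILE: write an empty KEY= template with 0600
# permissions. Fill in the values with an editor, not with echo on the
# command line (that would put them back into the shell history).
ccc_write_secret_env() {
  file=$1
  umask 077
  : > "$file"
  for key in $CCC_SECRET_KEYS; do
    printf '%s=\n' "$key" >> "$file"
  done
}

# ccc_check_secret_env FILE: return 0 when FILE defines every key with a
# non-empty value; otherwise list the missing keys on stderr and return 1.
ccc_check_secret_env() {
  file=$1
  missing=""
  for key in $CCC_SECRET_KEYS; do
    # first line starting with KEY=, value is everything after the first "="
    value=$(grep "^${key}=" "$file" | head -n 1 | cut -d= -f2-)
    [ -n "$value" ] || missing="$missing $key"
  done
  if [ -n "$missing" ]; then
    echo "ccc-password: missing or empty keys:$missing" >&2
    return 1
  fi
  return 0
}

# ccc_create_secret FILE: create or update the ccc-password secret from FILE,
# then destroy the file. Values are taken literally after the first "=",
# so do not quote them in the file.
ccc_create_secret() {
  file=$1
  ccc_check_secret_env "$file" || return 1
  kubectl create secret generic ccc-password --from-env-file="$file" \
    --dry-run=client -o yaml | kubectl apply -f - || return 1
  shred -u "$file" 2>/dev/null || rm -f "$file"
}
```

Typical use on the Master node: ccc_write_secret_env ~/ccc-secret.env, edit the file, then ccc_create_secret ~/ccc-secret.env. Because the manifest is produced with --dry-run=client and applied, re-running the script after a password change updates the existing secret instead of failing with "already exists".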
Update the CCC image name in the deployment.yaml file within the helm/templates directory, using the vi editor, by replacing the current image name with docker.io/thalesdiscpl/ccc:4.4.0. Whichever name you use, it must be one the Worker node can resolve: either the name shown by crictl images for the image you imported from the package (ccc:4.4.0, or localhost/ccc:4.4.0 on CRI-O) or a registry path the node is allowed to pull from, such as docker.io/thalesdiscpl/ccc:4.4.0.
Modify the configuration settings on the Master node as per your requirements:
vi values.yaml  
When updating a key's value, remember to separate the key and value with a colon (:) and include a space. For example, use key: value instead of key:value.
If you want to use an external database, you need to provide the required details while modifying the configuration settings.
If you want to use an HA ROT, you need to follow the cloning protocol and ensure that:
 (i) ROT_HA_ENABLE is set to Y
 (ii) the IP address of the second device is specified under HSM_IP2
 (iii) the password for the second device is specified under HSM_PASSWORD2
 (iv) both partitions have the same PARTITION_LABEL
 (v) both partitions have the same CRYPTO_OFFICER_PASSWORD
 (vi) both partitions have the same cloning domain
 (vii) the partition on the second device is specified under PARTITION_NAME2
 (viii) REMEMBER_CREDENTIAL is set to Y
Ensure that you've specified the name of the CCC license file under CCC_LICENSE_FILE_NAME.
If you have mapped HSM_IP1 or HSM_IP2 to a hostname/DNS name, update the hostAliases section of values.yaml with the corresponding hostname/DNS name, using lowercase letters for the hostname:
hostAliases:
  - ip: "IP address of HSM1"
    hostnames:
      - "hostname/DNS of HSM1"
  - ip: "IP address of HSM2"
    hostnames:
      - "hostname/DNS of HSM2"
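The following script is an added example, not part of the CCC package, that applies the HA ROT settings from the list above to values.yaml with sed and then checks the file for the key: value formatting rule. It assumes that the keys named on this page (ROT_HA_ENABLE, HSM_IP2, PARTITION_NAME2, REMEMBER_CREDENTIAL) are flat, top-level scalars in values.yaml; the hostAliases block is nested YAML and is left to the editor. The passwords (HSM_PASSWORD2, CRYPTO_OFFICER_PASSWORD) belong in the ccc-password secret, so the script never writes them into values.yaml.

```shell
#!/bin/sh
# Added example; not part of the CCC package. Applies the HA ROT settings to
# a Helm values.yaml and checks that every key uses "KEY: value" (colon
# followed by a space). Assumption: the keys are flat, top-level scalars.

# ccc_set_value FILE KEY VALUE: replace an existing "KEY:" line or append
# one. VALUE must not contain "|" (the sed delimiter used below).
ccc_set_value() {
  file=$1; key=$2; value=$3
  if grep -q "^${key}:" "$file"; then
    sed -i "s|^${key}:.*|${key}: ${value}|" "$file"
  else
    printf '%s: %s\n' "$key" "$value" >> "$file"
  fi
}

# ccc_enable_ha_rot FILE HSM_IP2 PARTITION_NAME2: the HA ROT keys from the
# page. HSM_PASSWORD2 and CRYPTO_OFFICER_PASSWORD live in the ccc-password
# secret, not in values.yaml, so they are deliberately not written here.
ccc_enable_ha_rot() {
  file=$1
  ccc_set_value "$file" ROT_HA_ENABLE Y
  ccc_set_value "$file" HSM_IP2 "$2"
  ccc_set_value "$file" PARTITION_NAME2 "$3"
  ccc_set_value "$file" REMEMBER_CREDENTIAL Y
}

# ccc_check_values FILE: fail on any top-level "key:value" written without
# a space after the colon, and, when HA ROT is enabled, on a missing
# HSM_IP2 or PARTITION_NAME2.
ccc_check_values() {
  file=$1
  if grep -Eq '^[A-Za-z0-9_]+:[^ ]' "$file"; then
    echo "values.yaml: found key:value without a space after the colon" >&2
    return 1
  fi
  if grep -q '^ROT_HA_ENABLE: Y' "$file"; then
    for key in HSM_IP2 PARTITION_NAME2; do
      grep -Eq "^${key}: ." "$file" || { echo "values.yaml: $key is not set" >&2; return 1; }
    done
  fi
  return 0
}
```

Run ccc_check_values values.yaml before launching CCC; a key written as ROT_HA_ENABLE:Y is parsed by YAML as a single string rather than a key and value, and the chart silently keeps the default.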
Launch CCC:
sh start-ccc-server.sh
Check whether CCC installation is successful by verifying the output of the following command:
sudo kubectl get all -o wide
Launch CCC on the master node using one of the following URLs, based on whether the machine is identified by its IP address or hostname:
Log on to CCC as an admin user. If you are logging in for the first time, use the following credentials:
- Username: admin
- Password: PASSWORD
Change the password at first login. You can now start exploring the various functions and features of CCC.
If the Administrator requires that you use two-factor authentication, you are prompted to configure a one-time password (OTP). Using a two-factor authentication application on a mobile device, scan the displayed QR code or manually type in the displayed secret key, excluding spaces. Add your account. A 6-digit OTP code is generated. Enter this code in the login page, excluding spaces. You are prompted to change the password in case you are a local user.
If the CCC Administrator edits the credentials of a user that has two-factor authentication enabled, the user needs to re-enroll in the two-factor authentication process.
The clock for your two-factor authentication application must be synchronized within 2 seconds of the clock for CCC. Otherwise the OTP code will be rejected due to a validation error.
If you want to run CCC itself in an HA configuration (more than one replica), you need to use an external database, since the replicas must share one database. Then run the following command to specify the number of replicas:
kubectl scale --replicas=2 deployment ccc-deployment
If you are using LDAPS with Crypto Command Center, see the Setting up LDAPS page for detailed configuration steps.