CCC Quick Start Guide
Welcome aboard! This guide is for anyone who has installed CCC using Podman, Kubernetes, Helm, or Azure and is now ready to begin using it. We’ve brought everything together into a single, streamlined path that highlights the essentials every user needs. In 12 clear steps, you’ll see how to log in, activate CCC, connect and organize devices, create and initialize crypto services, bring your team on board, deploy applications, and monitor performance with confidence. The aim is to give you practical guidance that respects your time and helps you start working productively with CCC right away.
Step 1: Log In and Unlock CCC
Start here by logging in to CCC for the first time, securing your admin account, and unlocking features with the right license.
Open your browser and go to https://<hostname_or_ip>:8181.
If the page doesn’t load, check firewall rules or confirm the CCC service is running.
Sign in with the default credentials: admin/PASSWORD. Immediately change the password to something strong.
Save your new password in a secure password manager.
Upload and activate your license. Choose Freemium (no-cost, up to 20 partitions with device monitoring, for testing only) or Premium (subscription or perpetual, for production, with partition limits and monitoring defined by your license entitlements).
A single license can cover multiple CCC instances in an HA setup. When a license expires, CCC provides a grace period; after it ends, admins can’t create/activate services or import partitions, and app owners can’t deploy services.
To know more, see Server Administration for login options, license activation, and root-of-trust setup details.
Step 2: Activate the Root of Trust
The Root of Trust is like the ignition key for your crypto ship. Without it, CCC stays in view-only mode.
Go to Administration — Activation.
Enter your partition label and password.
Keep your partition label and password in a secure location.
For Luna 7.7+ devices, check the compatibility box.
Click Activate.
If activation fails, verify your HSM credentials and network connectivity.
To know more, see Root of Trust Activation for details on activating and managing CCC’s root of trust.
Step 3: Add Your First Device
Now let’s connect CCC to your first device so it can start managing and monitoring it securely.
Navigate to Devices — Devices — Add Device.
Type in the device’s IP or hostname, leave the port at 8443 unless told otherwise, and provide the Admin credentials.
Double-check the IP/hostname to avoid connection errors.
Verify and trust the device’s certificate.
Authorize with HSM Security Officer (SO) credentials.
If the device doesn’t appear, ensure it’s online and the port is open.
To know more, see Device Management for details on adding, authorizing, and managing devices.
Step 4: Organize Devices into Pools
Group your devices into pools to keep things tidy and manageable, especially when working with multiple devices.
Go to Devices — Device Pools — Add Device Pool.
Give your pool a clear name (e.g., “Production Cluster,” “Test Cluster,” or “EU Region”).
Add devices from the available list into your new pool.
Use descriptive pool names so their purpose is obvious at a glance.
If a device doesn’t join the pool, confirm it’s properly connected as outlined in Step 3.
To know more, see Device Pools for details on grouping devices to simplify management.
Step 5: Create a Crypto Service
Turn your device partitions into usable crypto services that your organization can actually consume.
Go to Crypto Services — Create Service.
Select the device or device pool you want to use.
Set the partition size to match your needs.
Choose whether to enable PPSO (Partition Security Officer).
Assign the service to an Organization so the right team can use it.
Use smaller partitions for testing and larger ones for production.
If the service doesn’t appear, check device connectivity and confirm you haven’t hit license limits.
Confirm that the service has been created; it will appear with the status Uninitialized. You will initialize it in the next step.
To know more, see Crypto Services for guidance on creating and managing services.
Step 6: Initialize Your Service
Initialization establishes the core security credentials and cryptographic parameters required to make your service operational.
For password-authenticated services, set the partition label and create role passwords (Crypto Officer, PPSO, and optionally Crypto User).
For PED-authenticated services, connect your Remote PED, follow the prompts, and record the challenge password.
Always store passwords and challenge codes securely in a trusted manager.
Confirm that the service is now marked as Initialized and ready for deployment.
If initialization fails, make sure your PED is connected properly or check that the credentials are correct.
To know more, see Create, modify, and remove services for details on initializing both password- and PED-authenticated services.
Step 7: Invite Your Team
Bring your teammates on board with secure access to CCC.
Go to Accounts — Users — Add User.
Assign the right role: Administrator (full control) or Application Owner (focused on deploying services).
Link each user to the correct Organization so they see only what’s relevant.
Enable Require 2FA for stronger security.
Enable Single Sign-On (SSO) for enterprise setups: Go to Administration — Single Sign-On, then configure your Identity Provider (e.g., Okta, STA, or another OpenID Connect provider).
Use 2FA for all users to minimize security risks.
If SSO doesn’t work, double-check your Identity Provider settings and network connectivity.
To know more, see Account Management and Single Sign-On for details on roles, 2FA, user administration, and SSO setup.
Step 8: Deploy a Service with the CCC Client
Now it’s time to connect your applications to an HSM partition using the CCC client.
Download ccc_client.jar from the CCC portal.
Make sure Java 21 is installed on the application server.
Run the CCC client, accept the server certificate, and let it generate a client certificate.
Select your service from the list and confirm authorization when prompted.
Test the client on a small scale before rolling out to production.
If the client fails to connect, verify Java version compatibility and check for certificate trust issues.
To know more, see Deploying a Service for NTLS and STC deployment steps with the CCC client.
Step 9: Monitor Your Services
Service Monitoring gives you real-time visibility into how your crypto services are performing, so you can spot issues early and keep operations running smoothly.
Go to Monitoring & Reports — Service Monitoring.
Review key metrics such as operations per second, 90-day performance graphs, client connection status, and partition details.
Set up custom notifications to receive alerts on activity spikes, fluctuations, or downtime.
Focus notifications on high-priority events like service interruptions.
If monitoring data does not appear, confirm that your services are initialized and active.
Confirm that you now have a clear, real-time view of service health and performance.
To know more, see Service Monitoring for details on graphs, metrics, and custom alerts.
Step 10: Monitor Your Devices
Device Monitoring helps you keep track of the health and performance of your HSMs, ensuring they stay reliable and secure over time.
Go to Monitoring & Reports — Device Monitoring.
Check the device status indicators: Healthy, Requires Attention, or Critical Issue.
Review hardware metrics such as CPU usage, temperature, fan speeds, voltages, and utilization trends.
Investigate error or event logs regularly to detect issues early.
If a device shows as offline, verify its network connectivity, REST API status, and power supply.
Confirm that you now have full visibility into device health and performance.
To know more, see Device Monitoring for insights into hardware metrics, error logs, and troubleshooting.
Step 11: Generate Reports
Reports give you a clear snapshot of your services and devices, making it easy to share insights with stakeholders or dive deeper into analysis.
Go to Monitoring & Reports — Services Report or Devices Report.
Choose your format: PDF for quick sharing, or CSV for in-depth analysis and integration with other tools.
Use the hamburger menu to customize which fields appear in the report, so you only see what matters most.
Print directly from the interface or save the export for later use.
Automate consistency by scheduling recurring reports.
If reports seem incomplete, confirm that devices are online, authorized, and services are properly initialized.
To know more, see Reports for insights into creating reports, customizing fields, and exporting data.
Step 12: Maintain Your CCC Environment
Maintaining CCC is about building long-term reliability, where regular checks, backups, and updates keep your environment secure, stable, and audit-ready.
Monitor license expiry dates and renew promptly to avoid service interruptions.
Back up both your database and your Root of Trust HSM regularly.
Check logs using podman logs or kubectl logs to stay on top of system health.
Update device firmware as recommended to maintain compatibility and performance.
Sync LDAP/AD directories if your setup relies on external identity providers.
Set reminders for renewals, backups, and periodic system checks—it reduces surprises.
If logs show repeated errors, review the CCC documentation or contact Thales support for resolution.
To know more, see Server Administration for maintenance best practices, logs, backups, firmware updates, and LDAP/AD sync.
Your CCC, Fully Activated
With these 12 steps, CCC is now established as the central hub for your cryptographic operations—secure, scalable, and audit-ready. You’ve set the foundation by logging in, activating the root of trust, organizing devices, creating services, onboarding users, and enabling monitoring and reporting. From here, CCC stands as your trusted control center, built to grow with your organization and safeguard its most critical assets.
