Redeploying a Service
When you no longer need an HSM service, you can revoke access using the CCC client. After revocation, the service is de-registered, and the NTLS or STC link is taken down, making the slot unavailable to the Thales Luna HSM client. To revoke and prepare for redeployment, follow these steps:
Before running any commands, note the following:
- Run all commands using sudo (Linux) or from an Administrator command prompt (Windows) on the crypto application server that will use the service.
- The -DKEYCLOAK_PORT, -otp, and -port parameters are optional and can be excluded if not needed.
- When using -password, enclose the password in single quotes on Linux or double quotes on Windows.
- For -otp, either include the -otp parameter with the code inline or enter it when prompted.
- If -port is not specified, the client defaults to port 8181.
- For the trusted Java keystore password, use the default changeit unless it has been modified.
- Replace -DKEYCLOAK_PORT in each command with the port Keycloak is using in your setup. By default, the Keycloak port is 8180 for Podman, and 30037 for Kubernetes, Helm, and Azure environments. If you have configured a different Keycloak port, use that updated port value instead.
- To generate an access token, log in to the CCC GUI, navigate to the Access Token section, and select Get Access Token. Copy the token and paste it as the <access_token> value in the command. The access token is time-bound; if it expires, generate a new one.
Go to the directory where ccc_client.jar is installed:
| Operating System | Directory Path |
|---|---|
| Linux | cd /usr/safenet/lunaclient/bin |
| Windows | cd "C:\Program Files\SafeNet\LunaClient\" |
Revoke a user's access to the CCC service by running one of the following commands. This disables the specified user's ability to authenticate to the CCC server.
Option 1: Password Authentication
java -jar ccc_client.jar -DKEYCLOAK_PORT=<keycloak_port> -user <username> -revoke -host <hostname_or_ip> -password <password> -otp <otp_code> -port <CCC_server_port>
Option 2: Access Token Authentication
java -jar ccc_client.jar -DKEYCLOAK_PORT=<keycloak_port> -user <username> -revoke -host <hostname_or_ip> -access_token <access_token> -otp <otp_code> -port <CCC_server_port>
Review and accept the CCC server certificate, if prompted. If the certificate has already been imported on this client, this prompt will not appear.
Connecting ... Server certificate is not trusted. Select one of the following options to proceed: 1: Show the certificate details 2: Trust the certificate this time only 3: Trust the certificate and permanently import it to the trusted keystore at: C:\Program Files\Java\jre8\lib\security\cacerts 4: Exit Enter an option(1-4): Enter 1 to display the certificate. Enter 2 to trust the certificate for this deployment only. Enter 3 to permanently trust the certificate. Enter 4 to exit the client without deploying the service.
Enter the trusted keystore password when prompted.
Enter the trusted keystore password:
Select the service to revoke from the list of available services.
Logging in ... Querying current services... Please select the service you want to configure: 1) Service_with_a_smile - No description 2) Now_thats_service - Password 3) Self_service - PED 4) Exit
Choose option 3 to revoke access.
Please select the action you want to execute: 1) Authorize Access 2) Repair Access 3) Revoke Access 4) Exit Option: 3
Confirm the revocation when prompted.
Would you like to revoke access to service 'Service_with_a_smile'? (Y/N): y Access to service 'Service_with_a_smile' was successfully revoked. Done
If the service uses both Secure Trusted Channel (STC) and Per-Partition Security Officer (SO), CCC cannot revoke access directly. In this case, the Partition SO must manually manage STC client revocation through LunaCM. Before revoking access, verify that an alternate trusted connection is available, as losing all active connections makes the partition unrecoverable.
Redeploy the service using one of the following authentication methods after access has been revoked:
Option 1: Password Authentication
java -jar ccc_client.jar -DKEYCLOAK_PORT=<keycloak_port> -user <username> -host <hostname_or_ip> -password <password> -otp <otp_code> -port <CCC_server_port>
Option 2: Access Token Authentication
java -jar ccc_client.jar -DKEYCLOAK_PORT=<keycloak_port> -user <username> -host <hostname_or_ip> -access_token <access_token> -otp <otp_code> -port <CCC_server_port>
Review and accept the CCC server certificate, if prompted. If the certificate has already been imported on this client, this prompt will not appear.
Connecting ... Server certificate is not trusted. Select one of the following options to proceed: 1: Show the certificate details 2: Trust the certificate this time only 3: Trust the certificate and permanently import it to the trusted keystore at: C:\Program Files\Java\jre8\lib\security\cacerts 4: Exit Enter an option(1-4): Enter 1 to display the certificate. Enter 2 to trust the certificate for this deployment only. Enter 3 to permanently trust the certificate. Enter 4 to exit the client without deploying the service.
Enter the trusted keystore password when prompted.
Enter the trusted keystore password:
Select the service to redeploy from the list of available services.
Logging in ... Querying current services... Please select the service you want to configure: 1) Service_with_a_smile - No description 2) Now_thats_service - Password 3) Self_service - PED 4) Exit
Choose option 1 to authorize access.
Please select the action you want to execute: 1) Authorize Access 2) Repair Access 3) Revoke Access 4) Exit Option: 1
Confirm the authorization when prompted.
Would you like to authorize access to service 'Service_with_a_smile'? (Y/N): y Access to service 'Service_with_a_smile' was successfully granted. Done