HSM Client 10.3.0
HSM Client 10.3.0 was released in October 2020.
>Download HSM Client 10.3.0 for Windows
>Download HSM Client 10.3.0 for Linux
>Download Minimal HSM Client 10.3.0 for Linux
New Features and Enhancements
HSM Client 10.3.0 includes the following new features and enhancements:
Supported Operating Systems
You can install HSM Client 10.3.0 on the following 64-bit operating systems:
| Operating System | Version | Secure Boot Supported |
|---|---|---|
| Windows | 10 | Yes |
| Windows Server Standard | 2019 | Yes |
| 2016 | Yes | |
| 2012 R2 | No | |
| Windows Server Core | 2019 | Yes |
| 2016 | Yes | |
| Redhat-based Linux (including variants like CentOS) | 8.0, 8.1, 8.2 (†) | No |
| 7 | No | |
| OpenSuse Linux (minimal client only) | 13 | No |
| 12.4 | No | |
| 11.4 | No | |
| Ubuntu * | 18 | No |
| 14.04 | No |
* The Linux installer for HSM Client software is compiled as .rpm packages. To install on a Debian-based distribution, such as Ubuntu, alien is used to convert the packages. We used build-essential:
apt-get install build-essential alien
If you are using a Docker container or another such microservice to install the Luna Minimal Client on Ubuntu, and your initial client installation was on another supported Linux distribution as listed above, you do not require alien. Refer to the product documentation for instructions. You might need to account for your particular system and any pre-existing dependencies for your other applications.
† RHEL and CentOS 8.0 and 8.1 with their original kernels. For 8.2 and newer, if your current Linux kernel does not include the file dma_remapping.h, acquire it (from RHEL or CentOS 8.1 kernel version 4.18.0-147 or earlier ) and copy it into “/usr/src/kernels/4.18.0.193.28.1.el8_2.x86_64/include/linux/” in your current Client installation target. See also Red Hat Enterprise Linux 8 in FIPS Mode Requires Minimal HSM Client.
Supported Cryptographic APIs
Applications can perform cryptographic operations using the following APIs:
>PKCS#11 2.20
>JCA within Oracle Java 7*/8*/9/10/11
*HSM Client 10.1.0 and newer requires the advanced version of Oracle Java 7/8.
>JCA within OpenJDK 7/8/9/10/11
>OpenSSL
>Microsoft CAPI
>Microsoft CNG
Advisory Notes
This section highlights important issues you should be aware of before deploying HSM Client 10.3.0.
Older Clients Can Fail to Complete One-Step NTLS with Newer Appliance Software
Newer Luna Network HSM 7 can have outdated (weaker) ciphers removed from file transfer protocols, as a security measure. If you have HSM Client 7.3.0 or older installed, it might not be possible to negotiate a common cipher for a secure link. You might see an error similar to: FATAL ERROR: Couldn't agree a host key algorithm (available: ecdsa-sha2-nistp256,ssh-ed25519).
To resolve this issue, you can download a new version of PuTTY from PuTTY.org at: https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
Copy pscp.exe and plink.exe to C:\Program Files\SafeNet\LunaClient and retry One-Step NTLS.
Alternatively, install HSM Client 10.4.0 or newer, which includes plink and pscp 0.76 or newer.
Red Hat Enterprise Linux 8 in FIPS Mode Requires Minimal HSM Client
RHEL 8.x introduced system-wide cryptographic modes. The full HSM Client installer is supported only when RHEL 8.x is in DEFAULT mode. If your RHEL 8.x OS is in FIPS mode, use the minimal HSM Client.
Support for Windows Server 2012 R2 is Ended
HSM Client 10.3.0 is the last version that will support Windows Server 2012 R2.
Support for 32-bit OS Platforms is Ended
Starting with HSM Client 10.2.0, 32-bit libraries are no longer provided. If you have a 32-bit application or integration, remain with a previous client release or migrate to 64-bit platform.
Three STC configuration commands are removed
With the STC improvements, new cipher suites, AES-GCM and AES-CTR + HMAC, replace those previously used, and these commands are removed as of client version UC 10.3.0, network appliance software version 7.7.0, and HSM firmware version 7.7.0:
>stcconfig ciphershow
>stcconfig cipherdisable
>stcconfig cipherenable
CentOS 8 throws errors if install directory is not default
Installing HSM Client software on CentOS 8 can result in error messages being logged for the PEDclient service, if the chosen install directory is not the default /usr. This can be prevented by setting SELinux to permissive mode, before installing.
Red Hat Enterprise Linux / CentOS 6 Support is Ended
HSM Client 10.2.0 is the last version that will support RHEL 6 and related operating systems. If you plan to install future client updates, consider updating your clients to RHEL 7 or 8.
Older JAVA Versions Require Patch/Update
The .jar files included with HSM Client 10.x have been updated with a new certificate, signed by the Oracle JCE root certificate. This certificate validation requires a minimum Oracle JDK/JRE version.
>If your application relies on Oracle Java 7 or 8, you must update to the advanced version provided by Oracle. You require (at minimum) version 7u131 or 8u121. Please refer to Oracle's website for more information: https://www.oracle.com/technetwork/java/java-se-support-roadmap.html
>If your application relies on IBM Java 7 or 8, you must install a patch from IBM before updating to HSM Client 10.x (see APAR IJ25459 for details).
CKR_MECHANISM_INVALID Messages in Mixed Luna Cloud HSM Implementations
When using a Luna Cloud HSM service with HSM Client, you might encounter errors like "CKR_MECHANISM_INVALID" or "Error NCryptFinalizeKey" during some operations in Hybrid HA and FIPS mode (3DES Issue). This can occur if firmware versions differ between a Luna HSM partition and a Luna Cloud HSM service in an HA group when you invoke a mechanism that is supported on one but not the other. Similarly, if one member is in FIPS mode, while the other is not, a mechanism might be requested that is allowed for one member, but not the other. For example, the ms2luna tool can fail when 3DES operations are invoked.
