HSM Client 10.7.2
HSM Client 10.7.2 was released in July 2024. It includes bug fixes and security updates.
>Download HSM Client 10.7.2 for Windows
>Download HSM Client 10.7.2 for Linux
>Download Minimal HSM Client 10.7.2 for Linux
New Features and Enhancements
HSM Client 10.7.2 includes the following new features and enhancements:
Luna client uses the existing config file
Customers can use the client without having to configure the "ChrystokiConfigurationPath" environment variable first.
Grouping startup for P11 commands in the plugin
The client startup time was very slow. To address this issue we now group the P11 commands together and send them as one to reduce the turnaround time.
Changed
- Using 10.7.2 or higher, users are no longer required to run setenv to configure the client to connect to the Luna Cloud HSM Service. However, setenv may still be used to configure the client for hybrid use cases or integrations where setting the ChrystokiConfigurationPath is required.
Please see Unpack the client for more information.
- Users can connect to a Luna Cloud HSM service by running the Luna Client in a docker container.
Please see Create a Docker Container to Access a Luna Cloud HSM Service for more information.
- A number of enhancements has been added to the LCH support tool.
The support tool now creates an output file containing additional logging generated by running lunacm. It will also tell you the file was created, its name and the amount of time taken to run each test.
Please see Client connectivity support tool for more information.
Supported Operating Systems
You can install HSM Client 10.7.2 on the following operating systems:
| Operating System | Version | Secure Boot Supported |
|---|---|---|
| Windows | 10, 11 | Yes |
| Windows Server Standard | 2022 | Yes |
| 2019 | Yes | |
| 2016 | Yes | |
| Windows Server Core | 2022 | Yes |
| 2019 | Yes | |
| 2016 | Yes | |
| Red Hat Enterprise Linux (RHEL) | 9.0, 9.1, 9.2, 9.3, 9.4** | |
| 8.8, 8.9, 8.10** | ||
| Red Hat Universal Base Image (UBI) | 9.0, 9.1, 9.2, 9.3, 9.4 | No |
| 8.8, 8.9, 8.10 | No | |
| Red Hat-based Linux (including variants like CentOS and Oracle Enterprise Linux) |
8.0, 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7 ** |
No |
| 7 | No | |
|
Ubuntu * |
22.04, 22.04.4(kernel 6.5) | |
| 20.04 | ||
| Debian | 12 | |
| 11 | ||
| 10 |
* The Linux installer for HSM Client software is compiled as .rpm packages. To install on a Debian-based distribution, such as Ubuntu, alien is used to convert the packages. We used build-essential:
apt-get install build-essential alien
If you are using a Docker container or another such microservice to install the Luna Minimal Client on Ubuntu, and your initial client installation was on another supported Linux distribution as listed above, you do not require alien. Refer to the product documentation for instructions. You might need to account for your particular system and any pre-existing dependencies for your other applications.
** RHEL and CentOS 8.0-9.0 with their original kernels. See also HSM Client 10.7.2.
Supported Cryptographic APIs
Applications can perform cryptographic operations using the following APIs:
>PKCS#11 2.20
>OpenSSL
>Microsoft CAPI
>Microsoft CNG
>Supported Java versions:
•Open JDK 7 up to Open JDK 21
•Oracle Java 7 up to JDK 21
•IBM Java 7, 8 and 11
Advisory Notes
This section highlights important issues you should be aware of before deploying HSM Client 10.7.2.
Backup/USB/PCIe Drivers Not Installed on Windows 10 or Windows Server 2022 Unless Device is Connected
Due to changes in Windows 10 and Server 2022, device drivers are not installed unless the USB or PCIe device is connected to the client workstation. If you plan to use a Luna Backup HSM 7, Luna Backup HSM G5, Luna USB HSM 7, or Luna PCIe HSM 7 with these operating systems, use one of the following workarounds:
>Connect the Luna device to the workstation (or install the Luna PCIe HSM 7 card) before installing the HSM Client software
>After installing the HSM Client software:
a.Connect the Luna device(s) to the workstation (or install the Luna PCIe HSM 7 card)
b.Run LunaHSMClient.exe.
c.Select the devices you want to install drivers for.
d.Click Modify.
CentOS 8.4 Missing Dependency
Due to a missing dependency on CentOS 8.4 [specifically the symlink (libnsl.so.1) to libnsl was removed], when installing HSM Client 10.5.0 or newer, you must install an additional rpm package first:
Run yum install libnsl before invoking the install.sh script.
CSP/KSP Registrations Can Fail if Windows Update Missing
CSP or KSP registration includes a step that verifies the DLLs are signed by our certificate that chains back to the DigiCert root of trust G4 (in compliance with industry security standards).
This step can fail if your Windows operating system does not have the required certificate. If you have been keeping your Windows OS updated, you should already have that certificate.
If your HSM Client host is connected to the internet, use the following commands to update the certificate manually:
certutil -urlcache -f http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
certutil -addstore -f root DigiCertTrustedRootG4.crt
To manually update a non-connected host
1. Download the DigiCert Trusted Root G4 (http://cacerts.digicert.com/DigiCertTrustedRootG4.crt) to a separate internet-connected computer.
2.Transport the certificate, using your approved means, to the HSM Client host into a <downloaded cert path> location of your choice
3.Add the certificate to the certificate store using the command:
certutil -addstore -f root <downloaded cert path>
Support for Windows Server 2012 R2 is Ended
HSM Client 10.3.0 is the last version that will support Windows Server 2012 R2.
Red Hat Enterprise Linux / CentOS 6 Support is Ended
HSM Client 10.2.0 is the last version that will support RHEL 6 and related operating systems. If you plan to install future client updates, consider updating your clients to RHEL 7 or 8.
Support for 32-bit OS Platforms is Ended
Starting with HSM Client 10.2.0, 32-bit libraries are no longer provided. If you have a 32-bit application or integration, remain with a previous client release or migrate to 64-bit platform.
Older JAVA Versions Require Patch/Update
The .jar files included with HSM Client 10.x have been updated with a new certificate, signed by the Oracle JCE root certificate. This certificate validation requires a minimum Oracle JDK/JRE version.
>If your application relies on Oracle Java 7 or 8, you must update to the advanced version provided by Oracle. You require (at minimum) version 7u131 or 8u121. Please refer to Oracle's website for more information: https://www.oracle.com/technetwork/java/java-se-support-roadmap.html
>If your application relies on IBM Java 7 or 8, you must install a patch from IBM before updating to HSM Client 10.x (see APAR IJ25459 for details).
CKR_MECHANISM_INVALID Messages in Mixed Luna Cloud HSM Implementations
When using a Luna Cloud HSM service with HSM Client, you might encounter errors like "CKR_MECHANISM_INVALID" or "Error NCryptFinalizeKey" during some operations in Hybrid HA and FIPS mode (3DES Issue). This can occur if firmware versions differ between a Luna HSM partition and a Luna Cloud HSM service in an HA group when you invoke a mechanism that is supported on one but not the other. Similarly, if one member is in FIPS mode, while the other is not, a mechanism might be requested that is allowed for one member, but not the other. For example, the ms2luna tool can fail when 3DES operations are invoked.
