Enabling and Using CPv4

The ability to employ cloning protocol version 4 (CPv4) becomes available when using HSM Client 10.5.0 and newer, with HSMs at Luna HSM Firmware 7.8.0 or newer.

In order to enable the use of CPv4, the HSM Security Officer must set the clock either before or immediately after the firmware has been updated.

No additional configuration steps are required; the Luna Cloud HSM service at firmware version 2.0 and newer is compatible.

NOTE   There is no plan to update the Luna Backup HSM G5 (nor any version of firmware 6) to support CPv4.

CPv4 is handled like the prior CPv1 cloning protocol.

>The default cloning configuration displays both CPv1 and CPv4. (However, HSM Client 10.4.1 and older can clone using only CPv1.)

>Any scenario where CPv1 can be used, CPv4 can be used.

>Any scenario where CPv1 cannot be used, CPv4 cannot be used.

>CPv4 can be used to clone objects in V0 partitions, and clone the SMK in V1 partitions.

>The same set of roles that can use CPv1 can use CPv4. This includes the allowance for the Crypto-User to clone public objects.

>In Cloud HSM service, CPv4 is the default protocol; however, if only one side has CPv4 available, it reverts to CPv1.

>Partition Policy 8 in Luna Cloud HSM displays both CPv1 and CPv4; however, when paired with HSM Client 10.4.1 and earlier clients, only CPv1 is permitted.

NOTE   The Partition Policy difference between Luna HSM and Luna Cloud HSM is as follows:

>Luna HSM slot “42: Allow CPv1 : 1” means to force CPv1 and disable all other cloning protocols

>Luna Cloud HSM slot “8: Allow CPv1 (Cryptovisor Only) : 1” means to allow CPv1 but you can also clone using CPv4
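
The two similarly named policies above are easy to misread during a configuration review, so the following added example (not Thales code and not part of the original page) interprets a policy line according to the platform it came from and the client version, and lists the pairings limited to CPv1. The platform labels `luna` and `cloud`, the function names and the inventory rows are assumptions of this example; combinations the page does not describe return `None`.

```python
import re

# Policy line format as quoted on the page, e.g. "42: Allow CPv1 : 1".
POLICY_RE = re.compile(r"^\s*(\d+)\s*:\s*(.*?)\s*:\s*(\d+)\s*$")
CPV4_MIN_CLIENT = (10, 5, 0)  # HSM Client 10.5.0 and newer can use CPv4

def parse_policy(line):
    """Return (policy_id, description, value) from one policy line."""
    m = POLICY_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised policy line: {line!r}")
    return int(m.group(1)), m.group(2), int(m.group(3))

def version_tuple(text):
    """'10.4.1' -> (10, 4, 1); compares numerically, so 10.10.0 > 10.5.0."""
    return tuple(int(part) for part in text.split("."))

def usable_protocols(platform, policy_line, client_version):
    """Cloning protocols usable for one partition/client pairing.

    platform is a label of this example: 'luna' or 'cloud'.
    Returns None when the page does not describe the combination.
    """
    pid, _desc, value = parse_policy(policy_line)
    client_has_cpv4 = version_tuple(client_version) >= CPV4_MIN_CLIENT
    if platform == "luna" and pid == 42 and value == 1:
        return {"CPv1"}  # forces CPv1 and disables all other protocols
    if platform == "cloud" and pid == 8 and value == 1:
        # CPv1 allowed and CPv4 still usable, unless the client predates CPv4
        return {"CPv1", "CPv4"} if client_has_cpv4 else {"CPv1"}
    return None

def audit(rows):
    """Return names of partitions whose pairing is limited to CPv1."""
    return [name for name, platform, line, client in rows
            if usable_protocols(platform, line, client) == {"CPv1"}]

# Constructed inventory: (partition name, platform, policy line, client version)
SAMPLE = [
    ("par-onprem", "luna",  "42: Allow CPv1 : 1", "10.5.0"),
    ("par-cloud",  "cloud", "8: Allow CPv1 (Cryptovisor Only) : 1", "10.5.0"),
    ("par-legacy", "cloud", "8: Allow CPv1 (Cryptovisor Only) : 1", "10.4.1"),
    ("par-newer",  "cloud", "8: Allow CPv1 (Cryptovisor Only) : 1", "10.10.0"),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```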