Customer Release Notes (CRN) v.1.11
Product Description
Thales Data Protection on Demand is a cloud-based platform that provides on-demand HSM based encryption services through a simple online marketplace. With DPoD, security is simple, cost effective and easy to manage because there is no hardware to buy, deploy and maintain. Just click and deploy the services you need, provision clients, add devices and get usage reports.
HSM on Demand secures customers' sensitive data and critical applications by storing, protecting and managing cryptographic keys in a high-assurance, tamper-resistant hardware device that offers market-leading performance. End-user keys are protected with a strong encryption and authentication scheme outside the HSM, and are only able to be decrypted inside an authorized HSM. Tenants can be assured that their keys are never available to anyone else, including other tenants and the service provider.
Release Description
Release 1.11.
Features and Enhancements
- FIPS 140-2 Level 3 validated - The SafeNet Cryptovisor K7 Cryptographic Module used in the Thales Data Protection on Demand HSM on Demand service is now FIPS 140-2 Level 3 validated. NIST Certificate #3519.
- Upgraded all customer partitions to multi-tenant architecture, improving service reliability and back-end architecture.
- NoIndex added to tenant marketplace domains. This update keeps branded tenant marketplaces and domains from appearing in browser search results, improving confidentiality of Thales Data Protection on Demand users.
- Partner Service Tiles - Release 1.11 allows for the inclusion of partner services in the DPoD marketplace. The Partner service tile redirects the user to an affiliated service site where they can register for a DPoD partner's service offering. The Partner service allows you to use a third-party service which leverages the DPoD HSM on Demand service offering as the HSM backend.
Advisory Notes
Tip: We recommend downloading a new service client for your HSM on Demand service regularly to gain access to the latest bug fixes, firmware updates, cryptographic utilities, enhanced performance and improved service resilience. For more information, see Upgrading your Luna Cloud HSM Service.
Federal Information Processing Standard (FIPS) Mode is more restrictive
New versions of the Luna Cloud HSM service client disallow more mechanisms in FIPS mode than in previous versions, in keeping with NIST's updates to the FIPS standard. As a result, client applications that rely on these mechanisms can no longer operate in FIPS mode.
In general, 3DES, MAC, some key wrapping algorithms, and some key agreement algorithms are no longer allowed in FIPS mode. In addition, please see the Supported Mechanisms chapter in the SDK Guide for further details on FIPS support.
Configuring Luna EKM 1.4 for Luna Cloud HSM
The Luna EKM 1.4 utility cannot be configured for HSMoD services using the ``RegisterSlot`` command. You need to configure the ``LunaEKMConfig.init`` file to use the HSMoD service slot.
To configure the Luna EKM 1.4 for HSMoD
- Execute the ``RegisterSlot`` command. This command generates the ``LunaEKMConfigi.ini`` file.
- Verify the HSMoD service slot number in ``lunacm``. Open ``lunacm``; on connection, the ``Slot ID`` for the service will be listed under ``Available HSMs:``. Alternatively, you can execute ``slot list`` inside of ``lunacm`` to list this information. You will receive output similar to the following:

  ```
  Available HSMs:

  Slot Id ->              3
  Label ->
  Serial Number ->
  Model ->                Cryptovisor7
  Firmware Version ->     7.1.3
  CV Firmware Version ->  1.1.0
  Configuration ->        Luna User Partition With SO (PW) Signing With Cloning Mode
  Slot Description ->     User token slot

  Current Slot Id: 3
  ```
- Open the ``LunaEKMConfig.init`` file in a text editor. The ``LunaEKMConfig.init`` file is available in the LunaEKM installation directory.
- Update the ``SlotID=`` value under ``[Server]`` to point to the ``Slot ID`` output from ``lunacm``. The following is an example ``[Server]`` section in the ``LunaEKMConfig.init`` file.

  ```
  [Server]
  SlotID=3
  [Logger]
  LogLevel=2
  LogFile=.\lunaekm.log
  ```
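The slot lookup and config update from the procedure above can be scripted so the slot number is never retyped by hand. This is an added example, not Thales code: it works on text you have already captured from ``lunacm`` and on the config file's contents, and it edits line by line so that the key case and the log path are preserved. Selecting the service slot by a ``Model`` value beginning with ``Cryptovisor`` is an assumption based on the sample output, and the function names are hypothetical.

```python
import re

# Constructed samples: abridged lunacm "slot list" output in the format shown
# above, and the example config with a stale slot number and CRLF line endings.
SAMPLE_LUNACM = """\
Available HSMs:
Slot Id ->              3
Label ->
Model ->                Cryptovisor7
Current Slot Id: 3
"""
SAMPLE_INI = "[Server]\r\nSlotID=0\r\n[Logger]\r\nLogLevel=2\r\nLogFile=.\\lunaekm.log\r\n"

def parse_slots(lunacm_text):
    """Return one {'slot_id', 'model'} dict per slot listed by lunacm."""
    slots = []
    for line in lunacm_text.splitlines():
        m = re.match(r"\s*(.+?)\s*->\s*(.*)$", line)
        if not m:
            continue  # headers and the "Current Slot Id:" line have no "->"
        key, value = m.group(1), m.group(2).strip()
        if key == "Slot Id":
            slots.append({"slot_id": int(value), "model": ""})
        elif key == "Model" and slots:
            slots[-1]["model"] = value
    return slots

def pick_service_slot(slots, model_prefix="Cryptovisor"):
    """Assumption: the HSMoD slot is the one whose Model starts with model_prefix."""
    matches = [s["slot_id"] for s in slots if s["model"].startswith(model_prefix)]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one matching slot, found {matches}")
    return matches[0]

def set_server_slot(ini_text, slot_id):
    """Rewrite SlotID under [Server] only; all other lines are kept unchanged."""
    out, section, done = [], None, False
    for line in ini_text.splitlines(keepends=True):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1]
        elif section == "Server" and re.match(r"SlotID\s*=", stripped):
            line, done = f"SlotID={slot_id}" + line[len(line.rstrip("\r\n")):], True
        out.append(line)
    if not done:
        raise ValueError("no SlotID= entry under [Server]")
    return "".join(out)

if __name__ == "__main__":
    print(set_server_slot(SAMPLE_INI, pick_service_slot(parse_slots(SAMPLE_LUNACM))), end="")
```

The script stops with an error instead of guessing when zero or several slots match, or when ``[Server]`` has no ``SlotID=`` line.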
End of support for Windows Server 2008 and Windows Server 2008 R2
Microsoft will no longer be supporting Windows Server 2008 or Windows Server 2008 R2 operating systems from January 2020. As a result, Thales Data Protection on Demand is ending development and support for this operating system in the final quarter of 2019.
We recommend you upgrade to a supported operating system to maintain full support and continued access to any new Thales Data Protection on Demand features.
To access your Thales Data Protection on Demand service from the new system, simply re-download the HSMoD service client on your upgraded system.
End of support for 32-bit operating systems
Thales Data Protection on Demand will be removing support for 32-bit operating systems (OS) this year.
ms2Luna does not work in FIPS mode
The ms2Luna utility to migrate Microsoft KSP and CSP keys to a SafeNet HSM on Demand service does not work with an HSMoD service operating in FIPS mode.
PKCS#11 Deployment Cryptographic Limitations
The following limitations apply to clients in a PKCS#11 deployment:
- 100 token objects (or 50 RSA-2048 key pairs) per partition.
- 100 session objects (or 50 RSA-2048 key pairs) per application.
- 100 simultaneous sessions per application.
Clients which exceed the token object and session object limits can experience slow or failed request responses. The session limit is enforced, and the client receives the error ``CKR_MAX_SESSION_COUNT`` when the application reaches the limit.
Updating the tenant details table
The Tenant Details table does not update automatically in the Thales Data Protection on Demand user interface. Refresh the page to update the table.
Password recommendations
We recommend that you always use strong passwords when configuring Cryptovisor HSMs and partitions, even if the passwords are temporary. A strong password has at least 16 random characters. Please see these guidelines from the National Institute of Standards and Technology (NIST).
Avoid using special characters in non-password fields
We recommend users avoid including special characters such as !@#$%^&(), in common fields such as the account name or Subscriber Group name as these characters can cause errors in the platform.
LunaProvider.jar and associated applications unavailable for DPoD 1.5 and older FIPS Mode clients
The LunaProvider.jar and its associated applications do not work with 1.5 and older HSMoD service clients operating in FIPS mode. This includes any HSMoD service clients running in FIPS mode created before September 2018. These files are required for Java-based applications. To integrate with Java-based applications, you must either install a new HSMoD service client, or access a service in non-FIPS mode.
Limitations on previously existing HSMoD services
You cannot download new HSMoD service clients for a service which existed prior to release 1.5. If you attempt these operations, a message displays indicating that the service version is out of date.
Tip: We recommend downloading a new client following a release to fully benefit from any updates and features. See Upgrading your HSMoD service for more information.
Known Issues
This section lists the issues known to exist in the product at the time of release. The following table defines the severity of the issues listed:
Priority | Classification | Definition |
---|---|---|
C | Critical | No reasonable workaround exists |
H | High | Reasonable workaround exists |
M | Medium | Medium level priority |
L | Low | Lowest level priority problems |
List of Known Issues
Issue | Severity | Synopsis |
---|---|---|
SH-4240 | High | Problem: If you initialize the Crypto User, and then log in and log out of this role without changing its password, the LunaCM session can no longer log in or log out any users, and returns the error ``CKR_USER_ALREADY_LOGGED_IN``. Workaround: Restart LunaCM and change the Crypto User's password. User logins then succeed as normal. |
SH-3884 | | Problem: Utilities included in older clients downloaded before October 2019 can have a delay of up to 20 seconds on start up. Workaround: Install the latest client. |
Luna-11117 | Medium | Problem: During integration with Entrust, when you call long running commands such as "ca key update" or "service start", the Entrust session (entsh) sometimes times out with the error "Security Manager Control Command Shell has automatically logged out because it has been inactive for longer than the security timeout allows." Workaround: Log in to ``entsh`` again and retry the command. |
SH-4194 | Medium | Problem: If you perform getpkc with CMU to confirm a public key, the operation can sometimes fail. Workaround: To confirm your key pair's origins and security in an HSM, run CKDemo's Display Object (27) function. If the ``CKA_NEVER_EXTRACTABLE`` attribute is present, this confirms that the private key was created in the HSM and never extracted. |
SH-3804 | Medium | Problem: A multi-part command fails with the error ``CKR_OPERATION_NOT_INITIALIZED``. Workaround: Retry the command. |
SH-3519 | Medium | Problem: The LunaProvider.jar does not allow generation of FIPS 186-3-approved RSA keys. Workaround: Add ``RSAKeyGenMechRemap = 1;`` to the Misc section in Chrystoki.conf or crystoki.ini to remap the request to generate non-approved RSA keys to approved key types. |
DPS-3171 | Medium | Problem: Users cannot delete a tenant when the tenant name begins or ends with a space character. Workaround: Rename the Tenant through the Tenant Details page and delete the Tenant. |
DPS-3083 | Medium | Problem: The DPoD API endpoint ``/service_instances`` fails on the bind HSMoD service client operation. Workaround: When binding an HSMoD service client to an HSMoD service using the DPoD API, use the ``/services`` endpoint. |
DPS-2808 | Medium | Problem: When the Service Provider deletes a Tenant, if the deletion fails the Tenant Details page is not accessible. Workaround: This issue results from attempting to delete a Tenant with active services. To clear this state you must remove the blocking service from the Tenant's Application Owner users. |
SH-2632 | Medium | Problem: If, during key migration from SafeNet Luna Network HSM 6.x, you log in to the SafeNet Luna Network HSM partitions, leave that connection idle for 15 minutes or more, and then attempt to clone the partition objects to an HSMoD service, the operation fails with ``CKR_GENERAL_ERROR``. Workaround: Log in to the HSMoD service before logging in to the SafeNet Luna Network HSM partition, as indicated in the key migration procedures in the HSM Client Guides. |
HOD-854 and HOD-957 | Low | Problem: There is no user feedback in the lunacm utility on connection timeout. As a result, the client can appear to hang indefinitely. Workaround: Wait for the client to timeout or close and restart lunacm to re-attempt the connection. |
KBR-758 | Low | Problem: After Tenant creation, the new Tenant is not visible in the Tenants list. Workaround: Refresh the page. |
KBR-620 | Low | Problem: The Salesforce Key Broker service is not available over the API. Workaround: Use a DPoD Application Owner account to configure a Salesforce Key broker service. |
DPS-2494 | Low | Problem: Non-functional tenants that appear in the "Pending" state in the user interface are included in reports. Workaround: Please disregard the "Pending" Tenant's entry in reports. |
DPS-2161 | Low | Problem: Services with extended ASCII characters in their name do not display properly in reports. Workaround: Open the report in a spreadsheet program with UTF-8 encoding. |
HOD-457 | Low | Problem: The cmu export command requires the -handle parameter when exporting certificates. Workaround: Verify the key handle value by executing cmu list, and specify the key handle value when running cmu export. For example: ``cmu export -handle= |