FM Deployment Constraints

This section describes important considerations and constraints associated with deploying your Functionality Modules (FMs). Your SafeNet Luna Network HSM must meet all the criteria described in Preparing the SafeNet Luna Network HSM to Use FMs.

Introducing FMs into your SafeNet Luna Network HSM deployment will change the functionality of certain HSM features. Please take the following constraints into consideration before using FMs:

>FMs and High-Availability (HA)

>FMs and Backup/Restore/Cloning

>FMs and Secure Trusted Channel (STC)

>FMs and Appliance Re-imaging

>FMs and HSM Firmware Rollback

>FM Configuration and Remote PED

>FM-Enabled HSM Cannot be Verified With CMU

>Key Attributes

>No EDDSA or EC_MONTGOMERY Private Keys with C_CreateObject

>FM Sample Applications Dependent on General Cryptoki Samples

CAUTION!   Enabling FMs (HSM policy 50) introduces changes to Luna HSM functionality, some of which are permanent; they cannot be removed by disabling the policy.

If you are using Crypto Command Center, ensure that your CCC version supports FM-enabled HSMs before you enable HSM policy 50. Refer to the CCC CRN for details.

FMs and High-Availability (HA)

FM-specific functions must specify the exact HSM that will handle the operations. Therefore, the SafeNet Luna HSM Client's HA implementation currently cannot accommodate FM functionality. If you want your FM-specific operations to be load-balanced across multiple HSMs, you must program this functionality into your applications yourself.

HA will still work with standard Luna operations.

For HA to function, all HSMs with application partitions in the HA group must have the same algorithms and functionality available. If one member partition does not have a required algorithm available in HSM firmware, cryptographic objects using that algorithm cannot be cloned to that partition, and this will disrupt HA functions.

Therefore, all HSMs containing HA group members must have FMs enabled (as described in Preparing the SafeNet Luna Network HSM to Use FMs), and they must all have the same FM(s) loaded. HA login requires two FM-enabled HSMs.

For more information about HA, see High-Availability Groups.

FMs and Backup/Restore/Cloning

It is currently not possible to back up cryptographic material from an FM-enabled SafeNet Luna Network HSM to a SafeNet Luna Backup HSM, or to clone those objects to a partition on a non-FM-enabled Luna HSM. To back up your important keys, you must clone key material to another FM-ready or FM-enabled Luna HSM partition, either manually using lunacm:> partition clone or by setting up an HA group.

Similarly, material that has been backed-up from non-FM-enabled HSMs cannot be restored onto an FM-enabled HSM partition.

To back up keys stored in the SMFS, your application must provide all the functions to back up and restore these keys.

FMs and Secure Trusted Channel (STC)

FMs are not currently compatible with clients that access application partitions via an STC connection. You must use NTLS connections instead.

FMs and Appliance Re-imaging

The FM-ready configuration required to make FMs work makes it impossible to re-image the appliance to the baseline version. This restriction comes into effect once HSM policy 50: Enable Functionality Modules is set to 1, and it continues to apply even if the policy is set back to 0. Attempting to re-image the appliance software once HSM policy 50 has been enabled will return the following:

lunash:>sysconf reimage start

   The HSM Administrator is logged in. Proceeding...

   The HSM Functionality Module policy (policy 50) has
   previously been enabled.
   Enabling this policy at any time causes the Appliance Re-image feature
   to become unavailable.
   ERROR, Not all required pre-conditions to re-image the appliance was satisfied

Command Result : 65535 (Luna Shell execution)

FMs and HSM Firmware Rollback

Enabling HSM Policy 50 permanently disables the ability to roll back the HSM firmware to a version lower than 7.4.0. Attempting to roll back the firmware once HSM policy 50 has been enabled will return the following error:

ERROR, failed to roll back HSM F/W!!!

Command Result : 65535 (Luna Shell execution)

FM Configuration and Remote PED

Various FM functions require HSM resets (for example, creating a partition or enabling an FM).

If you are configuring FMs while authenticating with Remote PED, the Remote PED connection is broken with each reset. LunaCM continues to show an active Remote PED connection until you restart LunaCM. You must close that apparent connection with lunash:>hsm ped disconnect and then open it again with lunash:>hsm ped connect before you can resume remote configuration.

This might be required several times during SafeNet Luna Network HSM setup for FMs. To prevent this, enable HSM Policy 51: Allow SMFS Auto Activation. If SMFS is not auto-activated, then the SMFS will require further individual PED prompts during the configuration process (SMFS is deactivated upon HSM reset if SMFS auto-activation is off).

NOTE   Gemalto recommends that first time configuration of FM's be done locally, to minimize the issues mentioned above.

FM-Enabled HSM Cannot be Verified With CMU

The FM-enabled SafeNet Luna Network HSM does not currently support confirming the HSM's authenticity using cmu verifyhsm, as described in Confirming the HSM's Authenticity, or retrieving and confirming a Public Key Confirmation from the HSM using cmu getpkc and cmu verifypkc.

Key Attributes

On an HSM with FMs enabled, keys that are derived or generated have the "always-sensitive" and the "never-extractable" attributes set to "false".

No EDDSA or EC_MONTGOMERY Private Keys with C_CreateObject

This release of the SafeNet Luna Network HSM firmware does not allow FMs to use C_CreateObject to create EDDSA or EC_MONTGOMERY private keys. Use C_GenerateKeyPair to create these types of key.

FM Sample Applications Dependent on General Cryptoki Samples

When you install the FM SDK, the installation script ensures that the general Luna (PKCS) SDK and samples are also installed (first). This satisfies source dependencies for the FM samples. If you later delete or remove the Luna SDK, you might break those dependencies, and the FM samples will not build. You can manually correct this by performing a manual rpm -i of the cksample package.

Space for FMs  

Multiple FMs can be loaded into the FM space of the HSM, with a total memory limit of

>8 megabytes for FMs and

>4 megabytes of SMFS.

Unused FMs can be deleted, to free some memory space.


Customer Support Portal

SafeNet Luna Network HSM 10.1 Product Documentation  23 January 2020  Copyright 2001-2020 Thales Group. All rights reserved.