
Administration & Maintenance

About Updating Luna SA

This page covers updating (not upgrading) your Luna SA.

Your Luna SA system consists of components that might, from time to time, require updating to newer versions. The newer version might contain fixes or functional improvements that are useful or important for your application. The components that might be affected are the Luna SA Client software and SDK on your client hosts, the appliance system software, and the firmware of the HSM inside the appliance; each is covered below.

HOW FIRMWARE UPDATES AFFECT AGENCY VALIDATION

In the case of FIPS 140, cryptographic devices are evaluated as a combination of hardware and firmware. Therefore, if either of those elements changes, the device is no longer covered by the current validation certificate.  

If you require that equipment used in your application be (for example) FIPS 140-2 level 3 validated, you can use the most recent of our relevant HSM products that has been validated - which applies to a specific hardware and firmware combination.  

If we release a newer version of firmware, your own security or compliance policies might not permit you to install that update until we have submitted the updated HSM for [re-]evaluation and a new validation certificate has been issued.

As a general rule (exceptions are possible) we submit HSMs with new firmware versions for re-validation. If the changes are small or do not affect areas that concern the FIPS evaluators, the re-evaluation is performed on a delta basis and therefore completes relatively quickly.

For a completely new product or major revision, the evaluators require a complete re-submission and the process takes roughly a year from submission to certificate.  

Therefore, when a FIPS-candidate firmware version exists, our practice is to ship the respective HSM product with the most recent FIPS-validated firmware version installed, and with the candidate version as a standby update file (on the appliance, ready to install, but not yet installed). This ensures that customers who require validated systems continue to get them, and that customers who do not require validated systems are able to easily and quickly apply the update if they choose to do so.  

The obvious trade-off is that customers who elect to remain with the as-shipped installed firmware version maintain FIPS compliance at the cost of any upgraded capabilities or any security or functional fixes that are part of the firmware update.

Similarly, customers who choose to perform the update benefit from the improved capabilities and any security or functional fixes, but at the cost of moving out of FIPS compliance.

To update the software on a Client, you simply remove the older version and install the newer one, using the same procedure (for your operating system) that you used for the original software installation. That applies to the Luna SA Client software itself, as well as to the SDK material.

To update system software and firmware, you must move the updates, in the form of update package files, to Luna SA and apply them. Updates are accompanied by an update instruction sheet (printed, if you received your update on CD, or otherwise in PDF format if you received your update as a downloaded compressed file). The update sheet provides detailed update instructions for each component. System and firmware updates require an authentication code, which is provided in a text file accompanying the update package.

The basic steps are:

  1. Copy the Luna SA 5.x.y-z Appliance package file from the ftp directory to the Luna SA, as follows:  
    scp <path>/lunasa_update-5.x.y-z.spkg admin@<LunaSAhostname>:
    where x.y-z is the version and build number   
    (in Windows, use the supplied PSCP utility).
  2. Stop all client applications connected to the Luna SA appliance.  
  3. At the shell prompt, log in to the Luna SA appliance as admin.  
  4. Log in to the Luna SA HSM as HSM Admin or SO.  
    Use lunash:>hsm login
    For Luna SA with PED Authentication, the blue PED Key is required.  
    For Luna SA with Password Authentication, you are prompted for the HSM Admin (SO) password.  
  5. [Optional Step] Verify that the file that you copied is present on the Luna SA  
    lunash:>package listfile
  6. [Optional Step] Verify the package on the Luna SA  
    lunash:>package verify lunasa_update-5.x.y-z.spkg -authcode ################
    where "################" is the authorization code from the file lunasa_update-5.x.y-z.auth.  
    The verification process requires approximately one and a half minutes.  
  7. Install the software update package on Luna SA  
    lunash:>package update lunasa_update-5.x.y-z.spkg -authcode ################  
    where "################" is the authorization code from the file lunasa_update-5.x.y-z.auth.  
    The installation/update process requires approximately one and a half minutes. During that time, a series of messages shows the progress of the update.  
  8. At the end of this process, a message “Software update completed!” appears. The software version is now 5.x.y-z. If the software update also included a firmware update, then the firmware 6.v.w package is now on the appliance, waiting to be installed in the HSM.
    Perform a reboot of the Luna SA appliance before you update the firmware.  
    lunash:> sysconf appliance reboot

Follow these steps to update your HSM firmware to 6.v.w.

[Optional Firmware Update]  In general, a new Luna SA is delivered with the current FIPS- validated firmware installed on the internal HSM card, and with the most recent firmware version (typically in the process of being FIPS validated) included - waiting, but not yet installed - on the Luna SA hard drive as an optional update.

Similarly, when you install a software update package that includes a firmware component, the software is changed and the accompanying new firmware goes into the waiting area on the appliance hard disk, replacing any previous optional firmware.

Regardless of whether the optional firmware update is one that was originally loaded (as an option) or one that was supplied later with a software update (as an option), it is always a separate step if you wish to install that waiting (optional) firmware into the HSM.

It is strongly recommended that your Luna SA be connected to an Un-interruptible Power Supply (UPS) when you run firmware update. There is a small chance that a power failure during the update command could leave Luna SA in an unrecoverable condition.

For PED-authenticated Luna HSMs, ensure that SRK (the Secure Recovery Key, held on the purple PED Key) is disabled before you begin the firmware update operation, so that the external portion of the MTK is brought back into the HSM. This requires that you present the currently valid purple PED Key when you issue the hsm srk disable command.  

If you run hsm update firmware while SRK is enabled (a portion of the MTK is outside the HSM, on a purple PED Key) you can expect an error like:
Error: 'hsm update firmware' failed. (10A0B : LUNA_RET_OPERATION_RESTRICTED)

If you have had SRK enabled and a valid purple PED Key, you can always perform hsm srk enable again after the firmware update operation, and resume with a new external secure recovery vector (SRV) imprinted onto a new purple PED Key (SRK).

  1. Log in to the HSM with:  
      lunash:> hsm login
  2. Run the firmware update command:  
    lunash:> hsm update firmware
  3. Log in to the HSM with:  
    lunash:> hsm login
  4. Verify that the change has taken place (should show version 6.v.w):  
    lunash:> hsm show
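The appliance software update (steps 1 to 8 above) and the optional firmware update (the four steps just listed) as one operator-side POSIX shell script. This is an added example, not SafeNet's code and not a lunash script: it assumes the package and auth file names shown on this page (lunasa_update-5.x.y-z.spkg and lunasa_update-5.x.y-z.auth), assumes the .auth file contains nothing but the authorization code, and uses a hypothetical host luna-hsm-01.example.com. It checks that the .spkg and .auth files belong to the same version before anything is copied, copies the package with scp, and prints the lunash command sheet in the order the page requires (software update, reboot, then firmware). It also decodes the two error strings documented on this page.

```shell
#!/bin/sh
# Added example (not SafeNet's code). Assumes the file names on this page and
# that the .auth file holds only the authorization code (assumption).
# Hypothetical target host: luna-hsm-01.example.com
set -u

# Return the "5.x.y-z" part of a package file name, or fail if the name does
# not look like a Luna SA update package.
pkg_version() {
    case "$1" in
        lunasa_update-[0-9]*.spkg) ;;
        *) return 1 ;;
    esac
    v=${1#lunasa_update-}
    printf '%s\n' "${v%.spkg}"
}

# Read the authorization code from the .auth file shipped with the package
# (assumed to contain just the code, possibly with surrounding whitespace).
read_authcode() {
    [ -r "$1" ] || return 1
    code=$(tr -d ' \t\r\n' < "$1")
    [ -n "$code" ] || return 1
    printf '%s\n' "$code"
}

# The .auth file must belong to the same version as the .spkg; a code from a
# different release makes "package verify" and "package update" fail, so catch
# the mismatch before the package is copied to the appliance.
check_pair() {
    spkg=$1; auth=$2
    ver=$(pkg_version "$(basename "$spkg")") || return 1
    [ "$(basename "$auth")" = "lunasa_update-$ver.auth" ] || return 1
    printf '%s\n' "$ver"
}

# lunash commands for the appliance software update (steps 5 to 8 above), in
# order, ending with the reboot that must precede any firmware update.
software_update_commands() {
    pkg=$1; code=$2
    printf 'package listfile\n'
    printf 'package verify %s -authcode %s\n' "$pkg" "$code"
    printf 'package update %s -authcode %s\n' "$pkg" "$code"
    printf 'sysconf appliance reboot\n'
}

# lunash commands for the optional firmware step. On PED-authenticated HSMs,
# SRK must already be disabled or "hsm update firmware" is refused.
firmware_update_commands() {
    printf 'hsm login\n'
    printf 'hsm update firmware\n'
    printf 'hsm login\n'
    printf 'hsm show\n'
}

# Map the error strings this page documents to the action the operator takes.
explain_error() {
    case "$1" in
        *LUNA_RET_OPERATION_RESTRICTED*|*10A0B*)
            printf 'SRK is enabled: run "hsm srk disable" with the purple PED Key, then retry\n' ;;
        *RC_GENERAL_ERROR*|*C0000002*)
            printf 'update or capability already applied to this HSM: nothing to do\n' ;;
        *)
            printf 'unrecognised error: %s\n' "$1" ;;
    esac
}

# Driver: validate the pair, copy the package with scp (skipped when DRY_RUN=1),
# then print the command sheet to paste into lunash.
# Usage: run_update ./lunasa_update-5.2.3-1.spkg ./lunasa_update-5.2.3-1.auth [host]
run_update() {
    spkg=$1; auth=$2; host=${3:-luna-hsm-01.example.com}
    ver=$(check_pair "$spkg" "$auth") || { echo "package/auth mismatch" >&2; return 1; }
    code=$(read_authcode "$auth") || { echo "cannot read auth code" >&2; return 1; }
    [ "${DRY_RUN:-0}" = 1 ] || scp "$spkg" "admin@$host:" || return 1
    echo "# lunash commands for $host (appliance software $ver):"
    software_update_commands "$(basename "$spkg")" "$code"
    echo "# after the reboot, optional firmware update (disable SRK first on PED HSMs):"
    firmware_update_commands
}
```

The script deliberately stops at printing the lunash commands rather than driving lunash over ssh: the HSM login in step 4 needs the blue PED Key or the SO password, and a firmware update interrupted by a dropped session is the failure mode the UPS note above warns about, so those steps are left to an operator at the console.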


A capability update or a firmware update is meant to be applied just one time to an HSM. If you attempt to re-apply a capability update to an HSM that already has the capability installed, the system throws an error like " C0000002 : RC_GENERAL_ERROR ". A similar result occurs if you attempt to install a particular firmware update more than once on one HSM. This is expected behavior.


For information and instructions regarding purchased Capability Updates, see "Luna HSM Capability Updates".
