Advanced Configuration Upgrades

 

SafeNet offers advanced configuration upgrades for its HSM products. The following are examples, not a complete list; check with your sales representative for the full list:

Luna SA

• Maximum memory, part #908-000086-001

• Korean algorithms, part #908-000139-002

• ECIES acceleration, part #908-000175-001   

• 5 partitions, part #908-000201-001   

• 10 partitions, part #908-000202-001  

• 15 partitions, part #908-000203-001  

• 20 partitions, part #908-000204-001  

 

Luna PCI-E

• Korean algorithms, part #908-000138-002

• ECIES acceleration, part #908-000177-001

Luna G5

• Korean algorithms, part #908-000156-002

• ECIES acceleration, part #908-000179-001

SafeNet delivers advanced configuration upgrades for Luna SA as a secure package update. Follow the steps of "Luna HSM Capability Updates" to apply the update. For Luna PCI-E and Luna G5, you receive a firmware update file (FUF). Follow the steps of "lunacm hsm updateCap Command" to apply the update.

 

ECIES Acceleration

SafeNet offers ECIES support via a client-library shim. With the shim, ECIES 386-bit performance is approximately 40 operations per second. The ECIES acceleration configuration upgrade provides an approximately 5x performance increase. If you choose to apply and use the configuration upgrade, you must remove the shim from your system configuration for the upgrade to take effect, because shim use overrides acceleration.

Applying the ECIES advanced configuration upgrade is a destructive operation: objects already created on the HSM are destroyed. Therefore, you should apply this update when you first configure your HSM, before putting it into production (alternatively, you can back up any important objects and restore them onto the HSM after the upgrade).

The full ECIES suite of mechanisms is not approved by NIST (that is, not all are FIPS 140-2 algorithms). Applying either the ECIES shim or this configuration upgrade option means that you can use all the available ECIES mechanisms when the HSM is not in the FIPS 140-2 mode of operation. If FIPS 140-2 mode is asserted, however, some ECIES mechanisms are blocked.

 

Partition Licenses

Until about the middle of 2013, SafeNet's business model was that appliances shipped from the factory supported 20 partitions but were licensed for two, with paper licenses purchased for upgrades. Thereafter, SafeNet made changes to make licensing of partitions software-enforced. New part numbers for software licenses permit factory-installed and field-applied upgrades to replace the part numbers for paper licenses.

To determine whether a Luna SA appliance supports software-enforced licenses, log into Lunash and execute the hsm displayLicenses command.

If you see the "Maximum 20 partitions" line (license 620124-000) in the following output, your appliance requires paper license upgrades:

 

   HSM CAPABILITY LICENSES
   License ID          Description 
   ================    ====================================== 
      621000002-000    K6 base configuration                   
      621000021-001    Performance level 15                    
         620127-000    Elliptic curve cryptography             
         620114-001    Key backup via cloning protocol         
         620124-000    Maximum 20 partitions                   
         620109-000    PIN entry device (PED) enabled          
      621010089-001    Enable remote PED capability            
      621010358-001    Enable a split of the master tamper key to be stored externally

 

In that case, ignore the remainder of this section.

The "Maximum 2 partitions" line (license 620121-000) in the following output indicates software-enforced licenses:

 

   HSM CAPABILITY LICENSES
   License ID          Description 
   ================    ====================================== 
      621000002-000    K6 base configuration                   
      621000021-001    Performance level 15                    
         620127-000    Elliptic curve cryptography             
         620114-001    Key backup via cloning protocol         
         620121-000    Maximum 2 partitions                    
         620109-000    PIN entry device (PED) enabled          
      621010089-001    Enable remote PED capability            
      621010358-001    Enable a split of the master tamper key to be stored externally

 

You can purchase license upgrades for 5, 10, 15 and 20 partitions. After you make your purchase, receive the secure package update, and apply it, the partition license appears at the bottom of the displayed set, as the following example illustrates:

 

   HSM CAPABILITY LICENSES
   License ID          Description 
   ================    ====================================== 
      621000002-000    K6 base configuration                   
      621000021-001    Performance level 15                    
         620127-000    Elliptic curve cryptography             
         620114-001    Key backup via cloning protocol         
         620121-000    Maximum 2 partitions                    
         620109-000    PIN entry device (PED) enabled          
      621010089-001    Enable remote PED capability            
      621010358-001    Enable a split of the master tamper key to be stored externally
      908000201-001    Maximum 5 partitions 

 

This last license supersedes the two-partition license applied at the factory. Licenses are for absolute numbers of partitions - they are not additive/cumulative; you cannot add a 5 to a 10 to get 15.

IMPORTANT: Do NOT apply a lower partition license upgrade atop a higher one. For example, if you purchase a 5 partition license upgrade but do not apply it, later purchase a 20 partition license upgrade and apply it, then apply the 5 partition license upgrade, the software will enforce a maximum of 5 partitions. You cannot apply the same license upgrades twice. In this scenario, you will need to obtain an RMA to have the appliance returned to the factory for re-manufacture to enable application of the 20 partition license again.

The following example shows the application of increasing license upgrades for each of the four tiers available with the last one being in effect (20 partitions).

 

   HSM CAPABILITY LICENSES
   License ID          Description 
   ================    ====================================== 
      621000002-000    K6 base configuration                   
      621000021-001    Performance level 15                    
         620127-000    Elliptic curve cryptography             
         620114-001    Key backup via cloning protocol         
         620121-000    Maximum 2 partitions                    
         620109-000    PIN entry device (PED) enabled          
      621010089-001    Enable remote PED capability            
      621010358-001    Enable a split of the master tamper key to be stored externally
      908000201-001    Maximum 5 partitions                    
      908000202-001    Maximum 10 partitions                   
      908000203-001    Maximum 15 partitions                   
      908000204-001    Maximum 20 partitions                   
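
The license rules above can be checked before an upgrade is applied. This added example (not SafeNet code) parses captured hsm displayLicenses output and rejects an upgrade that would lower the enforced maximum; the function names are hypothetical, and it assumes rows are listed in the order they were applied.

```python
import re

# Constructed sample in the layout of the hsm displayLicenses output above.
SAMPLE = """\
   HSM CAPABILITY LICENSES
   License ID          Description
   ================    ======================================
      621000002-000    K6 base configuration
         620121-000    Maximum 2 partitions
         620109-000    PIN entry device (PED) enabled
      908000201-001    Maximum 5 partitions
      908000202-001    Maximum 10 partitions
"""

ROW = re.compile(r"^\s*(\d+-\d{3})\s{2,}(.+?)\s*$")
PARTITIONS = re.compile(r"^Maximum (\d+) partitions$")
PAPER_ID = "620124-000"        # factory "Maximum 20 partitions": paper-license appliance
TIERS = (5, 10, 15, 20)        # upgrade tiers listed on this page

def partition_state(text):
    """Parse the listing; return licensing model, applied limits, enforced maximum."""
    rows = [m.groups() for m in map(ROW.match, text.splitlines()) if m]
    limits = [(lid, int(p.group(1))) for lid, desc in rows
              if (p := PARTITIONS.match(desc))]
    if not limits:
        raise ValueError("no partition license line found")
    paper = any(lid == PAPER_ID for lid, _ in limits)
    # Assumption: rows appear in the order applied, so the last one is in effect.
    return {"model": "paper" if paper else "software",
            "applied": [n for _, n in limits],
            "effective": limits[-1][1]}

def check_upgrade(text, new_limit):
    """Return (ok, reason) for applying a new_limit-partition license upgrade."""
    s = partition_state(text)
    if s["model"] == "paper":
        return False, "appliance uses paper licenses, not software-enforced upgrades"
    if new_limit not in TIERS:
        return False, "not one of the 5/10/15/20 partition tiers"
    if new_limit in s["applied"]:
        return False, "this license upgrade is already applied and cannot be applied twice"
    if new_limit < s["effective"]:
        return False, (f"would lower the enforced maximum from "
                       f"{s['effective']} to {new_limit} partitions")
    return True, f"raises the enforced maximum from {s['effective']} to {new_limit}"
```
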

 

Rollback Behavior

When it became possible to roll HSM firmware updates back to earlier versions, some additional concerns became evident. (A firmware update is a secure package that installs a newer version of HSM firmware, to fix defects, or to modify/improve existing features, or to add enhancements.)

Consider an HSM that was formerly at version W, is currently at version X, and might someday be updated to version Y.

If an HSM is at version X and a configuration upgrade (for example, KOREAN algorithms) is applied, and then a firmware rollback is performed at some later time, the configuration upgrade is lost and is no longer part of the pre-X rollback condition. (A configuration upgrade is a secure package that can be applied to the HSM to grant new capability or to enhance existing function.)

When an update is performed, the system preserves a record of its version and feature state just before the update takes place. This makes rollback possible. The pre-update record of <firmware version+configuration> is fixed. When you roll back, you roll back to exactly the state that was recorded, pre-update. (To roll back is to return the HSM to its previous firmware version. This gives up any enhancements or fixes that were gained by the newer firmware version, as well as any upgrades that were installed after the firmware update that is to be rolled back.)

Thus, if a configuration upgrade is applied to version X, and then a firmware update is performed to version Y, and then a firmware rollback is performed, the configuration upgrade remains present because it was present in version X when the most recent pre-update state was preserved.

We advise you to retain a copy of any in-field configuration upgrades.
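
The two rollback cases above, replayed as a small model to show which configuration upgrades would have to be re-applied after a rollback. This is an added example, not SafeNet code: the function and event names are hypothetical, and it models only the single fixed pre-update record described above.

```python
def rollback_outcome(initial_version, events):
    """Replay (kind, name) events and report what a firmware rollback done now restores.

    kind is "firmware_update" (name = new version) or
    "config_upgrade" (name = capability, e.g. "Korean algorithms").
    """
    version, upgrades = initial_version, set()
    record = None  # pre-update record: (firmware version, configuration)
    for kind, name in events:
        if kind == "firmware_update":
            # State is captured just before the update and is fixed afterwards.
            record = (version, frozenset(upgrades))
            version = name
        elif kind == "config_upgrade":
            upgrades.add(name)
        else:
            raise ValueError(f"unknown event kind: {kind!r}")
    if record is None:
        raise ValueError("no pre-update record, nothing to roll back to")
    old_version, old_upgrades = record
    return {
        "restored_version": old_version,
        "kept": sorted(old_upgrades),
        # Applied after the record was taken: gone after rollback, so these
        # are the upgrade packages to keep on hand for re-application.
        "lost": sorted(upgrades - old_upgrades),
    }

# Case 1: W -> X, upgrade applied at X, then rollback.
CASE_1 = [("firmware_update", "X"), ("config_upgrade", "Korean algorithms")]
# Case 2: same, but firmware is updated to Y before the rollback.
CASE_2 = CASE_1 + [("firmware_update", "Y")]

if __name__ == "__main__":
    print(rollback_outcome("W", CASE_1))
    print(rollback_outcome("W", CASE_2))
```
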