Show the Table of Contents
Administration & Maintenance
Luna HSM Capability Updates
This page covers upgrading (not updating) your Luna SA.
Luna appliances are shipped from the factory in specific configurations with specific sets
of capabilities, to suit your requirements. It can happen that your requirements
change over time. To future-proof your Luna appliance investment, you
have the option to purchase Secure Capability Updates to enhance the performance
or extend the capability of Luna systems already in your possession. The
Secure Capability Update accomplishes system upgrades while safeguarding
the integrity of your sensitive key material and of the system software.
A Secure Capability Upgrade is delivered to you as a downloaded
file set. The procedure to perform the update is very similar to the procedure
for Appliance Software Update or Firmware Update:
Backup all Luna HSM Partitions to Luna Backup
Tokens (if you have the Backup option).
On the Client computer, acquire the capability update software package.
--
first, follow the FTP instructions that are supplied in e-mail from SafeNet
Customer Support (support@safenet-inc.com),
--
then cd to the temporary “appliance” directory (that
you created for ftp files),
--
then unzip the files (as directed in the ftp instructions).
Change (cd) to the location of the scp executable:
– on Unix Clients, open a terminal window and cd /usr/safenet/lunaclient/bin
(or,
cd /opt/safenet/lunaclient/bin
for HP-UX)
– on Windows Clients open a DOS/Command prompt window and
cd
c:\Program Files\SafeNet\LunaClient.
Copy the Luna Appliance package file from the ftp directory
to the Luna appliance, as follows:
./scp /<path>/<spkg_patch_file.spkg> admin@<LunaHostname>:
admin@LunaHostname's password:
pscp \<path>\<spkg_patch_file.spkg> admin@<LunaHostname>:
admin@LunaHostname's password:
of (Use
( "Pscp" is mentioned above, assuming that you are using the provided "PuTTy" and "pscp" utility. If you prefer, you can use any third-party scp application for Windows.)
Once the package has been transferred to the appliance, it is installed in two stages. First the package is unwrapped into its component files with the "package" command. Then the update is applied to the HSM with the "hsm update command"
Here are instructions to install the upgrade.
- Open an SSH session or console session to the Luna SA appliance.
- Log in to the appliance as "admin".
- Verify that the package has arrived:
[myluna] lunash:>package listf
7874 Dec 19 2011 16:46 caupdateK3908000139_100000.spkg
7874 Dec 19 2011 16:35 caupdateK3908000086_100000.spkg
Command Result : 0 (Success)
[myluna] lunash:>
- Open the desired package:
[myluna] lunash:>package update caupdateK3908000139_100000.spkg -a XS9p7YbsW5WJp5PT
Command succeeded: decrypt package
Command succeeded: verify package certificate
Command succeeded: verify package signature
Preparing packages for installation...
908-000139-001_100000-1.0.0-0
Running update script
Command Result : 0 (Success)
[myluna] lunash:>
- Check that the desired package is ready to be applied :
[myluna] lunash:>hsm update show
Capability Updates:
908000139_100000
Command Result : 0 (Success)
[myluna] lunash:>
- Apply the new capability :
[myluna] lunash:>hsm update capability -capability 908000139_100000
CAUTION: This command updates the HSM Capability.
This process cannot be reversed.
Any connected clients will have their
connections closed.
All clients should disconnect and the
NTLS should be stopped before proceeding.
Type 'proceed' to continue, or 'quit' to quit now.
> proceed
FwUpdate3 Application Version 2.2
SafeNet Firmware/Capability Update Utility for G5 and K6 modules
Enter slot number (0 for the first slot found) : 0
This is a NON-destructive capability update
Update Result : 0 (Success)
Command Result : 0 (Success)
[myluna] lunash:>
- Check that the new capability is in place :
[myluna] lunash:>hsm displayLicenses
HSM CAPABILITY LICENSES
License ID Description
================ ======================================
621000002-000 K6 base configuration
621000021-001 Performance level 15
620127-000 Elliptic curve cryptography
620114-001 Key backup via cloning protocol
620124-000 Maximum 20 partitions
621000003-001 Enable government configuration
620109-000 PIN entry device (PED) enabled
621010089-001 Enable remote PED capability
621010358-001 Enable a split of the master tamper key to be stored externally
908000086-001 Enabled for 15.5 megabytes of object storage
908000139-001 Korean market cryptographic algorithms
Command Result : 0 (Success)
[myluna] lunash:>
- Reboot the system to enable the new capability :
[myluna] lunash:>sysconf appliance reboot -force
Force option used. Proceed prompt bypassed.
'hsm supportInfo' successful.
Use 'scp' from a client machine to get file named:
supportInfo.txt
Broadcast message from root (pts/0) (Mon Dec 19 16:49:56 2011):
The system is going down for reboot NOW!
Reboot commencing
Command Result : 0 (Success)
[myluna] lunash:>
- Done
See Also
Show the Table of Contents