Show the Table of Contents

You are here: Administration & Maintenance Manual > Appliance Administration > Updating Your System > Luna Capability Updates

Administration & Maintenance

Luna HSM Capability Updates

This page covers upgrading (not updating) your Luna SA.

Luna appliances are shipped from the factory in specific configurations with specific sets of capabilities, to suit your requirements. It can happen that your requirements change over time. To future-proof your Luna appliance investment, you have the option to purchase Secure Capability Updates to enhance the performance or extend the capability of Luna systems already in your possession. The Secure Capability Update accomplishes system upgrades while safeguarding the integrity of your sensitive key material and of the system software.

A Secure Capability Upgrade is delivered to you as a downloaded file set. The procedure to perform the update is very similar to the procedure for Appliance Software Update or Firmware Update:

Preparing to Upgrade

Backup all Luna HSM Partitions to Luna Backup Tokens (if you have the Backup option).

On the Client computer, acquire the capability update software package.

  -- first, follow the FTP instructions that are supplied in e-mail from SafeNet Customer Support (support@safenet-inc.com),

  -- then cd to the temporary “appliance” directory  (that you created for ftp files),

  -- then unzip the files (as directed in the ftp instructions).

Change (cd) to the location of the scp executable:

– on Unix Clients, open a terminal window and cd /usr/safenet/lunaclient/bin  

   (or, cd /opt/safenet/lunaclient/bin for HP-UX)

– on Windows Clients open a DOS/Command prompt window and

   cd c:\Program Files\SafeNet\LunaClient.

Copy the Luna Appliance package file from the ftp directory to the Luna appliance, as follows:

For UNIX:

./scp /<path>/<spkg_patch_file.spkg>  admin@<LunaHostname>:

admin@LunaHostname's password:

For Windows:

pscp \<path>\<spkg_patch_file.spkg>  admin@<LunaHostname>:

admin@LunaHostname's password:

of (Use

( "Pscp" is mentioned above, assuming that you are using the provided "PuTTy" and "pscp" utility. If you prefer, you can use any third-party scp application for Windows.)

Install

Once the package has been transferred to the appliance, it is installed in two stages. First the package is unwrapped into its component files with the "package" command. Then the update is applied to the HSM with the "hsm update command"

Here are instructions to install the upgrade.

  1. Open an SSH session or console session to the Luna SA appliance.
  2. Log in to the appliance as "admin".
  3. Verify that the package has arrived:  
    [myluna] lunash:>package listf
    7874 Dec 19 2011 16:46 caupdateK3908000139_100000.spkg
    7874 Dec 19 2011 16:35 caupdateK3908000086_100000.spkg
    Command Result : 0 (Success)
    [myluna] lunash:>
  4. Open the desired package:
     [myluna] lunash:>package update caupdateK3908000139_100000.spkg -a XS9p7YbsW5WJp5PT
    Command succeeded: decrypt package
    Command succeeded: verify package certificate
    Command succeeded: verify package signature
    Preparing packages for installation...
    908-000139-001_100000-1.0.0-0
    Running update script
    Command Result : 0 (Success)
    [myluna] lunash:>
  5. Check that the desired package is ready to be applied :  
    [myluna] lunash:>hsm update show
    Capability Updates:
        908000139_100000
    Command Result : 0 (Success)
    [myluna] lunash:>
  6. Apply the new capability :  
    [myluna] lunash:>hsm update capability -capability 908000139_100000
    CAUTION: This command updates the HSM Capability.
        This process cannot be reversed.
        Any connected clients will have their
        connections closed.
        All clients should disconnect and the
        NTLS should be stopped before proceeding.
       Type 'proceed' to continue, or 'quit' to quit now.
        > proceed
    FwUpdate3 Application Version 2.2
    SafeNet Firmware/Capability Update Utility for G5 and K6 modules
    Enter slot number (0 for the first slot found) : 0
    This is a NON-destructive capability update
    Update Result : 0 (Success)
    Command Result : 0 (Success)
    [myluna] lunash:>
  7. Check that the new capability is in place :
    [myluna] lunash:>hsm displayLicenses
    HSM CAPABILITY LICENSES
    License ID         Description
    ================   ======================================
    621000002-000     K6 base configuration
    621000021-001      Performance level 15
    620127-000         Elliptic curve cryptography
    620114-001         Key backup via cloning protocol
    620124-000         Maximum 20 partitions
    621000003-001      Enable government configuration
    620109-000         PIN entry device (PED) enabled
    621010089-001      Enable remote PED capability
    621010358-001      Enable a split of the master tamper key to be stored externally
    908000086-001      Enabled for 15.5 megabytes of object storage
    908000139-001      Korean market cryptographic algorithms
    Command Result : 0 (Success)
    [myluna] lunash:>
  8. Reboot the system to enable the new capability :  
    [myluna] lunash:>sysconf appliance reboot -force
    Force option used. Proceed prompt bypassed.
    'hsm supportInfo' successful.
    Use 'scp' from a client machine to get file named:
    supportInfo.txt

    Broadcast message from root (pts/0) (Mon Dec 19 16:49:56 2011):
    The system is going down for reboot NOW!
    Reboot commencing
    Command Result : 0 (Success)
    [myluna] lunash:>
  9. Done  

See Also

 

 

Show the Table of Contents