Luna HSMs are shipped from the factory in specific configurations with specific sets of capabilities, to suit your requirements. It can happen that your requirements change over time. To future-proof your Luna HSM investment, you have the option to purchase Secure Capability Updates to enhance the performance or extend the capability of Luna systems already in your possession, as described in "Advanced Configuration Upgrades". The Secure Capability Update accomplishes system upgrades while safeguarding the integrity of your sensitive key material and of the system software.
A Secure Capability Upgrade is delivered to you as a downloaded file set. The procedure to perform the update is very similar to the procedure for Appliance software updates or firmware updates.
To ensure a trouble-free installation, you must prepare for the upgrade.
1. Back up all Luna HSM Partitions to Luna Backup HSM or Tokens (if you have the backup option).
2. On the client computer, acquire the capability update software package.
a. Follow the FTP instructions that are supplied in e-mail from SafeNet Customer Support (support@safenet-inc.com).
b. Go to the temporary “appliance” directory (that you created for ftp files).
c. Unzip the files (as directed in the ftp instructions).
3. Go to the location of the scp executable:
Linux/AIX | cd /usr/safenet/lunaclient/bin |
Solaris/HP-UX | cd /opt/safenet/lunaclient/bin |
Windows | cd C:\Program Files\SafeNet\LunaClient |
4. Copy the Luna appliance package file from the ftp directory to the Luna appliance, as follows:
Linux/UNIX | ./scp /<path>/<spkg_patch_file.spkg> admin@<LunaHostname>: |
Windows | pscp \<path>\<spkg_patch_file.spkg> admin@<LunaHostname>: |
Once the package has been transferred to the appliance, it is installed in two stages. First the package is unwrapped into its component files with the package command. Then the update is applied to the HSM with the hsm update command.
1. Open an SSH session or console session to the Luna SA appliance.
2. Log in to the appliance as "admin".
3. Verify that the package has arrived:
[myluna] lunash:>package listf
7874 Dec 19 2011 16:46 caupdateK3908000139_100000.spkg
7874 Dec 19 2011 16:35 caupdateK3908000086_100000.spkg
Command Result : 0 (Success)
[myluna] lunash:>
4. Open the desired package:
[myluna] lunash:>package update caupdateK3908000139_100000.spkg -a XS9p7YbsW5WJp5PT
Command succeeded: decrypt package
Command succeeded: verify package certificate
Command succeeded: verify package signature
Preparing packages for installation...
908-000139-001_100000-1.0.0-0
Running update script
Command Result : 0 (Success)
[myluna] lunash:>
5. Check that the desired package is ready to be applied:
[myluna] lunash:>hsm update show
Capability Updates:
908000139_100000
Command Result : 0 (Success)
[myluna] lunash:>
6. Apply the new capability:
[myluna] lunash:>hsm update capability -capability 908000139_100000
CAUTION: This command updates the HSM Capability.
This process cannot be reversed.
Any connected clients will have their
connections closed.
All clients should disconnect and the
NTLS should be stopped before proceeding.
Type 'proceed' to continue, or 'quit' to quit now.
> proceed
FwUpdate3 Application Version 2.2
SafeNet Firmware/Capability Update Utility for G5 and K6 modules
Enter slot number (0 for the first slot found) : 0
This is a NON-destructive capability update
Update Result : 0 (Success)
Command Result : 0 (Success)
[myluna] lunash:>
7. Check that the new capability is in place:
[myluna] lunash:>hsm displayLicenses
HSM CAPABILITY LICENSES
License ID Description
================ ======================================
621000002-000 K6 base configuration
621000021-001 Performance level 15
620127-000 Elliptic curve cryptography
620114-001 Key backup via cloning protocol
620124-000 Maximum 20 partitions
621000003-001 Enable government configuration
620109-000 PIN entry device (PED) enabled
621010089-001 Enable remote PED capability
621010358-001 Enable a split of the master tamper key to be stored externally
908000086-001 Enabled for 15.5 megabytes of object storage
908000139-001 Korean market cryptographic algorithms
Command Result : 0 (Success)
[myluna] lunash:>
8. Reboot the system to enable the new capability:
[myluna] lunash:>sysconf appliance reboot -force
Force option used. Proceed prompt bypassed.
'hsm supportInfo' successful.
Use 'scp' from a client machine to get file named:
supportInfo.txt
Broadcast message from root (pts/0) (Mon Dec 19 16:49:56 2011):
The system is going down for reboot NOW!
Reboot commencing
Command Result : 0 (Success)
[myluna] lunash:>
In some Windows configurations, you might not have authority to copy or unzip files directly into C:\Program Files\.... In that case, put the files in a known location that can be referenced in a lunacm command.
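The checks in steps 5 and 7 can be automated against lunash output captured to text, for example from a logged SSH session. The following is an added example, not SafeNet code: the sample transcripts are constructed from the output shown on this page, the function names are hypothetical, and matching a license ID to a capability by its leading part number is an assumption based on the 908000139 example.

```python
import re

# Constructed samples, modelled on the output shown in steps 5 and 7.
UPDATE_SHOW = """\
[myluna] lunash:>hsm update show
Capability Updates:
908000139_100000
Command Result : 0 (Success)
"""

LICENSES = """\
[myluna] lunash:>hsm displayLicenses
HSM CAPABILITY LICENSES
License ID Description
================ ======================================
621000002-000 K6 base configuration
620127-000 Elliptic curve cryptography
908000086-001 Enabled for 15.5 megabytes of object storage
908000139-001 Korean market cryptographic algorithms
Command Result : 0 (Success)
"""

def command_succeeded(output):
    """True only if lunash reported 'Command Result : 0'."""
    m = re.search(r"^Command Result\s*:\s*(\d+)", output, re.M)
    return bool(m) and m.group(1) == "0"

def pending_capabilities(output):
    """Capability IDs listed by 'hsm update show' (digits_digits lines)."""
    return re.findall(r"^[ \t]*(\d+_\d+)[ \t]*$", output, re.M)

def installed_licenses(output):
    """Map license ID -> description from 'hsm displayLicenses' output."""
    rows = re.findall(r"^[ \t]*(\d+-\d{3})[ \t]+(.+?)[ \t]*$", output, re.M)
    return dict(rows)

def capability_installed(capability, licenses_output):
    """Assumption: the license ID starts with the capability's part number
    (the digits before '_'), as 908000139-001 does for 908000139_100000."""
    if not command_succeeded(licenses_output):
        return False  # do not trust a listing from a failed command
    part = capability.split("_", 1)[0]
    return any(lic.split("-")[0] == part
               for lic in installed_licenses(licenses_output))

if __name__ == "__main__":
    for cap in pending_capabilities(UPDATE_SHOW):
        print(cap, "installed:", capability_installed(cap, LICENSES))
```

Run the check once before step 6 to record which capabilities are pending, and again after step 7 so that a missing license or a non-zero command result is caught before the reboot in step 8.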