|
Home > |
|---|
Luna HSMs are shipped from the factory in specific configurations with specific sets of capabilities, to suit your requirements. It can happen that your requirements change over time. To future-proof your Luna HSM investment, you have the option to purchase Secure Capability Updates to enhance the performance or extend the capability of Luna systems already in your possession, as described in "Advanced Configuration Upgrades". The Secure Capability Update accomplishes system upgrades while safeguarding the integrity of your sensitive key material and of the system software.
A Secure Capability Upgrade is delivered to you as a downloaded file set. The procedure to perform the update is very similar to the procedure for Appliance software updates or firmware updates.
| Linux/AIX | cd /usr/safenet/lunaclient/bin |
| Solaris/HP-UX | cd /opt/safenet/lunaclient/bin |
| Windows | cd C:\Program Files\SafeNet\LunaClient |
| Linux/UNIX |
./scp /<path>/<spkg_patch_file.spkg> admin@<LunaHostname>: |
| Windows | pscp \<path>\<spkg_patch_file.spkg> admin@<LunaHostname>: |
To ensure a trouble-free installation, you must prepare for the upgrade.
1.Backup application partitions to Luna Backup HSM or Tokens (if you have the backup option).
2.On the host computer, acquire the capability update software files.
a. Follow the FTP instructions that are supplied in e-mail from SafeNet Customer Support (support@safenet-inc.com).
b. Unzip the files (as directed in the ftp instructions).
In some Windows configurations, you might not have authority to copy or unzip files directly into C:\Program Files\.... In that case, put the files in a known location that can be referenced in a lunacm command.
Once the files are unpacked and available on the host computer, open a command-prompt session.
1.Go to the Luna Client directory and launch lunacm.
2.Log into the HSM:
For HSM with pre-6.22.0 firmware
lunacm:> hsm login
For HSM with version 6.22.0 or newer firmware
lunacm:> role login -name Administrator
3.Apply the new capability:
lunacm:>hsm updatecap -cuf \Users\me\Downloads\621-000099-001.CUF -authcode \Users\me\Downloads\621-000099-001_authcode.TXT
You are about to apply a destructive update.
All contents of the HSM will be destroyed.
All partition roles will be destroyed.
The domain will be destroyed.
Are you sure you wish to continue?
Type 'proceed' to continue, or 'quit' to quit now ->proceed
Capability update passed.
Command Result : No Error
lunacm:>hsm 4.Check that the new capability is in place:
lunacm:>hsm showpolicies
HSM Capabilities
0: Enable PIN-based authentication : 0
1: Enable PED-based authentication : 1
2: Performance level : 15
4: Enable domestic mechanisms & key sizes : 1
6: Enable masking : 0
7: Enable cloning : 1
8: Enable special cloning certificate : 0
9: Enable full (non-backup) functionality : 1
12: Enable non-FIPS algorithms : 1
15: Enable SO reset of partition PIN : 1
16: Enable network replication : 1
17: Enable Korean Algorithms : 1
18: FIPS evaluated : 0
19: Manufacturing Token : 0
20: Enable Remote Authentication : 1
21: Enable forcing user PIN change : 1
22: Enable offboard storage : 1
23: Enable partition groups : 0
25: Enable remote PED usage : 1
26: Enable External Storage of MTK Split : 0
27: HSM non-volatile storage space : 2097152
28: Enable HA mode CGX : 0
29: Enable Acceleration : 1
30: Enable unmasking : 1
31: Enable FW5 compatibility mode : 0
33: Maximum number of partitions : 100
34: Enable ECIES support : 0
35: Enable Single Domain : 1
36: Enable Unified PED Key : 1
37: Enable MofN : 1
38: Enable small form factor backup/restore : 0
39: Enable Secure Trusted Channel : 1
40: Enable decommission on tamper : 0
41: Enable Per-Partition SO : 1 <<========
42: Enable partition re-initialize : 1
HSM Policies
0: PIN-based authentication : 0
1: PED-based authentication : 1
6: Allow masking : 0
7: Allow cloning : 1
12: Allow non-FIPS algorithms : 1
15: SO can reset partition PIN : 1
16: Allow network replication : 1
20: Allow Remote Authentication : 1
21: Force user PIN change after set/reset : 0
22: Allow offboard storage : 1
23: Allow partition groups : 0
25: Allow remote PED usage : 1
26: Store MTK Split Externally : 0
29: Allow Acceleration : 1
30: Allow unmasking : 1
31: Allow FW5 compatibility mode : 0
33: Current maximum number of partitions : 100
34: Allow ECIES support : 0
35: Force Single Domain : 0
36: Allow Unified PED Key : 0
37: Allow MofN : 1
38: Allow small form factor backup/restore : 0
39: Allow Secure Trusted Channel : 0
40: Allow decommission on tamper : 0
42: Allow partition re-initialize : 0
Command Result : No Error
lunacm:>