Applying SafeNet HSM Capability Upgrades

SafeNet HSMs are shipped from the factory in specific configurations with specific sets of capabilities, to suit your requirements. It can happen that your requirements change over time. To future-proof your SafeNet HSM investment, you have the option to purchase Secure Capability Updates to enhance the performance or extend the capability of SafeNet systems already in your possession, as described in Advanced Configuration Upgrades. The Secure Capability Update accomplishes system upgrades while safeguarding the integrity of your sensitive key material and of the system software.

A Secure Capability Upgrade is delivered to you as a downloaded file set. The procedure to perform the update is very similar to the procedure for Appliance software updates or firmware updates.

Linux/AIX       cd /usr/safenet/lunaclient/bin
Solaris/HP-UX   cd /opt/safenet/lunaclient/bin
Windows         cd C:\Program Files\SafeNet\LunaClient

Linux/UNIX      ./scp /<path>/<spkg_patch_file.spkg>  admin@<LunaHostname>:
Windows         pscp \<path>\<spkg_patch_file.spkg>  admin@<LunaHostname>:

Preparing to Upgrade

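To ensure a trouble-free installation, you must prepare for the upgrade. A capability update can be destructive: the example session in this procedure warns that all contents of the HSM, all partition roles, and the domain will be destroyed, so complete the backup before you apply the update.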

To prepare for the upgrade

1. Back up the application partition by cloning its contents to another SafeNet USB HSM.

2. On the host computer, acquire the capability update software files.

a.  Follow the FTP instructions that are supplied in the e-mail from SafeNet Customer Support (support@safenet-inc.com).

b.  Unzip the files (as directed in the FTP instructions).

In some Windows configurations, you might not have authority to copy or unzip files directly into C:\Program Files\.... In that case, put the files in a known location that can be referenced in a lunacm command.

Installing the Upgrade Package

Once the files are unpacked and available on the host computer, open a command-prompt session.

To install the upgrade package

1. Go to the SafeNet Client directory and launch lunacm.

2. Log into the HSM:

For HSM with pre-6.22.0 firmware

lunacm:> hsm login

For HSM with version 6.22.0 or newer firmware

lunacm:> role login -name Administrator
            

3. Apply the new capability:

lunacm:>hsm updatecap -cuf \Users\me\Downloads\621-000099-001.CUF -authcode \Users\me\Downloads\621-000099-001_authcode.TXT

        You are about to apply a destructive update.
        All contents of the HSM will be destroyed.
        All partition roles will be destroyed.
        The domain will be destroyed.

        Are you sure you wish to continue?

        Type 'proceed' to continue, or 'quit' to quit now ->proceed

        Capability update passed.

Command Result : No Error

lunacm:>hsm 
  

4. Check that the new capability is in place:

lunacm:>hsm showpolicies
        HSM Capabilities
                 0: Enable PIN-based authentication : 0
                 1: Enable PED-based authentication : 1
                 2: Performance level : 15
                 4: Enable domestic mechanisms & key sizes : 1
                 6: Enable masking : 0
                 7: Enable cloning : 1
                 8: Enable special cloning certificate : 0
                 9: Enable full (non-backup) functionality : 1
                12: Enable non-FIPS algorithms : 1
                15: Enable SO reset of partition PIN : 1
                16: Enable network replication : 1
                17: Enable Korean Algorithms : 1
                18: FIPS evaluated : 0
                19: Manufacturing Token : 0
                20: Enable Remote Authentication : 1
                21: Enable forcing user PIN change : 1
                22: Enable offboard storage : 1
                23: Enable partition groups : 0
                25: Enable remote PED usage : 1
                26: Enable External Storage of MTK Split : 0
                27: HSM non-volatile storage space : 2097152
                28: Enable HA mode CGX : 0
                29: Enable Acceleration : 1
                30: Enable unmasking : 1
                31: Enable FW5 compatibility mode : 0
                33: Maximum number of partitions : 100
                34: Enable ECIES support : 0
                35: Enable Single Domain : 1
                36: Enable Unified PED Key : 1
                37: Enable MofN : 1
                38: Enable small form factor backup/restore : 0
                39: Enable Secure Trusted Channel : 1
                40: Enable decommission on tamper : 0
                41: Enable Per-Partition SO : 1             <<========
                42: Enable partition re-initialize : 1

        HSM Policies
                 0: PIN-based authentication : 0
                 1: PED-based authentication : 1
                 6: Allow masking : 0
                 7: Allow cloning : 1
                12: Allow non-FIPS algorithms : 1
                15: SO can reset partition PIN : 1
                16: Allow network replication : 1
                20: Allow Remote Authentication : 1
                21: Force user PIN change after set/reset : 0
                22: Allow offboard storage : 1
                23: Allow partition groups : 0
                25: Allow remote PED usage : 1
                26: Store MTK Split Externally : 0
                29: Allow Acceleration : 1
                30: Allow unmasking : 1
                31: Allow FW5 compatibility mode : 0
                33: Current maximum number of partitions : 100
                34: Allow ECIES support : 0
                35: Force Single Domain : 0
                36: Allow Unified PED Key : 0
                37: Allow MofN : 1
                38: Allow small form factor backup/restore : 0
                39: Allow Secure Trusted Channel : 0
                40: Allow decommission on tamper : 0
                42: Allow partition re-initialize : 0


Command Result : No Error

lunacm:>
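
The check in step 4 can be scripted against saved `hsm showpolicies` output instead of being read by eye. The following is an added example, not SafeNet code: it parses the listing format shown above, confirms that a given capability is present, and reports capabilities set to 1 whose matching policy is still 0. The function names and the shortened sample listing are constructed for illustration.

```python
import re

# Constructed, shortened excerpt in the `hsm showpolicies` format shown above.
SAMPLE = """\
        HSM Capabilities
                 7: Enable cloning : 1
                39: Enable Secure Trusted Channel : 1
                41: Enable Per-Partition SO : 1
                42: Enable partition re-initialize : 1

        HSM Policies
                 7: Allow cloning : 1
                39: Allow Secure Trusted Channel : 0
                42: Allow partition re-initialize : 0

Command Result : No Error
"""

# "<id>: <name> : <value>", tolerating a trailing "<<====" highlight marker.
ROW = re.compile(r"^\s*(\d+):\s*(.+?)\s*:\s*(\d+)\s*(?:<<=+)?\s*$")

def parse_showpolicies(text):
    """Return {'capabilities': {id: (name, value)}, 'policies': {...}}."""
    sections = {"capabilities": {}, "policies": {}}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "HSM Capabilities":
            current = "capabilities"
        elif stripped == "HSM Policies":
            current = "policies"
        elif current and (m := ROW.match(line)):
            sections[current][int(m.group(1))] = (m.group(2), int(m.group(3)))
    return sections

def capability_value(parsed, cap_id):
    """Value of a capability, or None if the HSM does not list it."""
    entry = parsed["capabilities"].get(cap_id)
    return entry[1] if entry else None

def enabled_but_not_allowed(parsed):
    """IDs where the capability is 1 but the matching policy is 0."""
    caps, pols = parsed["capabilities"], parsed["policies"]
    return sorted(i for i, (_, v) in caps.items()
                  if v == 1 and i in pols and pols[i][1] == 0)

if __name__ == "__main__":
    parsed = parse_showpolicies(SAMPLE)
    print("capability 41:", capability_value(parsed, 41))
    print("capability on, policy off:", enabled_but_not_allowed(parsed))
```

Comparing the parsed result captured before and after the update also shows whether any capability other than the one purchased has changed.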