Home > |
---|
SafeNet HSMs are shipped from the factory in specific configurations with specific sets of capabilities, to suit your requirements. It can happen that your requirements change over time. To future-proof your SafeNet HSM investment, you have the option to purchase Secure Capability Updates to enhance the performance or extend the capability of SafeNet systems already in your possession, as described in Advanced Configuration Upgrades. The Secure Capability Update accomplishes system upgrades while safeguarding the integrity of your sensitive key material and of the system software.
A Secure Capability Upgrade is delivered to you as a downloaded file set. The procedure to perform the update is very similar to the procedure for Appliance software updates or firmware updates.
Linux/AIX | cd /usr/safenet/lunaclient/bin |
Solaris/HP-UX | cd /opt/safenet/lunaclient/bin |
Windows | cd C:\Program Files\SafeNet\LunaClient |
Linux/UNIX |
./scp /<path>/<spkg_patch_file.spkg> admin@<LunaHostname>: |
Windows | pscp \<path>\<spkg_patch_file.spkg> admin@<LunaHostname>: |
To ensure a trouble-free installation, you must prepare for the upgrade.
1.Backup the application partition by cloning the contents to another SafeNet USB HSM.
2.On the host computer, acquire the capability update software files.
a. Follow the FTP instructions that are supplied in e-mail from SafeNet Customer Support (support@safenet-inc.com).
b. Unzip the files (as directed in the ftp instructions).
In some Windows configurations, you might not have authority to copy or unzip files directly into C:\Program Files\.... In that case, put the files in a known location that can be referenced in a lunacm command.
Once the files are unpacked and available on the host computer, open a command-prompt session.
1.Go to the SafeNet Client directory and launch lunacm.
2.Log into the HSM:
For HSM with pre-6.22.0 firmware
lunacm:> hsm login
For HSM with version 6.22.0 or newer firmware
lunacm:> role login -name Administrator
3.Apply the new capability:
lunacm:>hsm updatecap -cuf \Users\me\Downloads\621-000099-001.CUF -authcode \Users\me\Downloads\621-000099-001_authcode.TXT You are about to apply a destructive update. All contents of the HSM will be destroyed. All partition roles will be destroyed. The domain will be destroyed. Are you sure you wish to continue? Type 'proceed' to continue, or 'quit' to quit now ->proceed Capability update passed. Command Result : No Error lunacm:>hsm
4.Check that the new capability is in place:
lunacm:>hsm showpolicies HSM Capabilities 0: Enable PIN-based authentication : 0 1: Enable PED-based authentication : 1 2: Performance level : 15 4: Enable domestic mechanisms & key sizes : 1 6: Enable masking : 0 7: Enable cloning : 1 8: Enable special cloning certificate : 0 9: Enable full (non-backup) functionality : 1 12: Enable non-FIPS algorithms : 1 15: Enable SO reset of partition PIN : 1 16: Enable network replication : 1 17: Enable Korean Algorithms : 1 18: FIPS evaluated : 0 19: Manufacturing Token : 0 20: Enable Remote Authentication : 1 21: Enable forcing user PIN change : 1 22: Enable offboard storage : 1 23: Enable partition groups : 0 25: Enable remote PED usage : 1 26: Enable External Storage of MTK Split : 0 27: HSM non-volatile storage space : 2097152 28: Enable HA mode CGX : 0 29: Enable Acceleration : 1 30: Enable unmasking : 1 31: Enable FW5 compatibility mode : 0 33: Maximum number of partitions : 100 34: Enable ECIES support : 0 35: Enable Single Domain : 1 36: Enable Unified PED Key : 1 37: Enable MofN : 1 38: Enable small form factor backup/restore : 0 39: Enable Secure Trusted Channel : 1 40: Enable decommission on tamper : 0 41: Enable Per-Partition SO : 1 <<======== 42: Enable partition re-initialize : 1 HSM Policies 0: PIN-based authentication : 0 1: PED-based authentication : 1 6: Allow masking : 0 7: Allow cloning : 1 12: Allow non-FIPS algorithms : 1 15: SO can reset partition PIN : 1 16: Allow network replication : 1 20: Allow Remote Authentication : 1 21: Force user PIN change after set/reset : 0 22: Allow offboard storage : 1 23: Allow partition groups : 0 25: Allow remote PED usage : 1 26: Store MTK Split Externally : 0 29: Allow Acceleration : 1 30: Allow unmasking : 1 31: Allow FW5 compatibility mode : 0 33: Current maximum number of partitions : 100 34: Allow ECIES support : 0 35: Force Single Domain : 0 36: Allow Unified PED Key : 0 37: Allow MofN : 1 38: Allow small form factor backup/restore : 0 39: Allow Secure Trusted Channel : 0 40: Allow decommission on tamper : 0 42: Allow partition re-initialize : 0 Command Result : No Error lunacm:>