Your SafeNet HSM might, from time to time, require updating to newer versions. The newer version might have fixes, security updates, or functional improvements that are useful or important for your application. The components that can be affected are:
• Client software
• SafeNet Network HSM appliance software
• SafeNet HSM keycard firmware
Some new features are implemented entirely in the Lunaclient software, and have no dependency on HSM firmware.
Some new features are implemented entirely in the network HSM appliance software, and have no dependency on HSM firmware.
Some new features are implemented entirely in the HSM firmware, and are independent of the associated client software or the network HSM appliance software.
Some new features require that both the HSM firmware and the client software be updated, or both the appliance software and the HSM firmware, or all three, to take full advantage of the feature.
The instructions that accompany the update detail the dependencies.
In addition, you might wish to add purchased capability upgrades, which is a separate procedure; see Apply a Capability Upgrade or Update to Network HSM.
In the case of FIPS 140, cryptographic devices are evaluated as a combination of hardware and firmware. Therefore, if either of those elements changes, the device is no longer covered by the current validation certificate. If you require that equipment used in your application be (for example) FIPS 140-2 level 3 validated, you can use the most recent of our relevant HSM products that has been validated - which applies to a specific hardware and firmware combination. If we release a newer version of firmware, your own security or compliance policies would not permit you to install that update until we have submitted the updated HSM for [re-] evaluation, and a new validation certificate has been issued.
As a general rule (exceptions are possible) we submit HSMs with new firmware versions. If the changes are small or do not affect areas that concern the FIPS evaluators, then the re-evaluation is performed on a delta basis and therefore occurs relatively quickly. For a completely new product or major revision, the evaluators require a complete re-submission and the process takes roughly a year from submission to certificate. Therefore, when a FIPS-candidate firmware version exists, our practice is to ship the respective HSM product with the most recent FIPS-validated firmware version installed, and with the candidate version as a standby update file (on the appliance, ready to install, but not yet installed). This ensures that customers who require validated systems continue to get them, and that customers who do not require validated systems are able to easily and quickly apply the update if they choose to do so.
The obvious trade-off is that customers who elect to remain with the as-shipped installed firmware version are maintaining the FIPS compliance at the cost of any upgraded capabilities or any security or functional fixes that are part of the firmware update. Similarly, customers who choose to perform the update benefit from the improved capabilities and any security or functional fixes, but at the cost of moving out of FIPS compliance.
To update the software on a Client, you simply remove the older version and install the newer, using the same procedure (for your operating system) that you used for the original software installation. That applies to SafeNet Network HSM Client software itself, as well as to the SDK material.
As an example, the Client uninstall, when invoked on Windows, removes libraries, utilities and other material related to the client, but does not remove configuration files and certificates. This allows you to install the newer version and be able to resume operation without need to manually restore configuration settings.
Note: Appliance software upgrade is a one-way operation. There is currently no way to downgrade the appliance software once a new version is applied. This contrasts with the SafeNet HSM client software, which can be replaced with any version by uninstalling the current version and installing a desired version, and the SafeNet HSM firmware, which can be rolled back to the version that was installed before the currently-installed version (applies only to versions since firmware rollback was enabled).
To update system software and firmware, you must move the updates, in the form of update package files, to SafeNet Network HSM and apply them. Updates are accompanied by detailed instructions for each component. System and firmware updates require an authentication code, which is provided in a text file accompanying the update package.
1. Copy the SafeNet Network HSM appliance package file from the ftp directory to the SafeNet Network HSM, as follows:
scp \<path>\lunasa_update-6.x.y-z.spkg admin@<LunaSAhostname>:
where x.y-z is the version and build number (in Windows, use the supplied PSCP utility).
2. Stop all client applications connected to the SafeNet Network HSM appliance.
3. At the shell prompt, log in to the SafeNet Network HSM appliance as admin.
4. Log in to the SafeNet Network HSM as HSM Admin or SO.
lunash:>hsm login
For SafeNet Network HSM with PED Authentication, the blue PED Key is required.
For SafeNet Network HSM with Password Authentication, you are prompted for the HSM Admin (SO) password.
5. [Optional Step] Verify that the file that you copied is present on the SafeNet Network HSM:
lunash:>package listfile
6. [Optional Step] Verify the package on the SafeNet Network HSM:
lunash:>package verify lunasa_update-6.x.y-z.spkg -authcode <authorization_code>
where <authorization_code> is the code found in the file lunasa_update-6.x.y-z.auth.
The verification process requires approximately one and a half minutes.
7. Install the software upgrade package on SafeNet Network HSM:
lunash:>package update lunasa_update-6.x.y-z.spkg -authcode <authorization_code>
where <authorization_code> is the code from the file lunasa_update-6.x.y-z.auth.
The installation/update process requires approximately one and a half minutes. During that time, a series of messages shows the progress of the update.
8. At the end of this process, a message “Software update completed!” appears. The software version is now 6.x.y-z. If the software update also included a firmware update, then the firmware 6.v.w package is now on the appliance, waiting to be installed in the HSM.
Perform a reboot of the SafeNet Network HSM appliance before you update the firmware.
lunash:> sysconf appliance reboot
In general, a new SafeNet Network HSM is delivered with the current FIPS-validated firmware installed on the internal HSM card, and with the most recent firmware version (typically in the process of being FIPS validated) included - waiting, but not yet installed - on the SafeNet Network HSM hard drive as an optional update. Similarly, when you install a software update package that includes a firmware component, the software is changed and the accompanying new firmware goes into the waiting area on the appliance hard disk, replacing any previous optional firmware.
Regardless of whether the optional firmware update is one that was originally loaded (as an option) or one that was supplied later with a software update (as an option), it is always a separate step if you wish to install that waiting (optional) firmware into the HSM.
CAUTION: It is strongly recommended that your HSM host be connected to an uninterruptible power supply (UPS) when you perform a firmware update. There is a small chance that a power failure during the update command could leave your HSM in an unrecoverable condition.
For PED-authenticated Luna HSMs, ensure that SRK (the use of the purple PED Key) is disabled, that is, bring the external portion of the MTK back into the HSM, before you begin the firmware update operation. This requires that you present the currently valid purple PED Key when you issue the hsm srk disable command. If you run hsm update firmware while SRK is enabled (a portion of the MTK is outside the HSM, on a purple PED Key), you can expect an error like:
Error: 'hsm update firmware' failed. (10A0B : LUNA_RET_OPERATION_RESTRICTED)
If you have had SRK enabled and a valid purple PED Key, you can always perform hsm srk enable again after the firmware update operation, and resume with a new external secure recovery vector (SRV) imprinted onto a new purple PED Key (SRK).
Note: On a multi-partition HSM, when updating from older firmware to version 6.22.0 firmware or later, you might need to re-size partitions. This is due to infrastructure that supports the Per-Partition SO (PPSO) capability, which imposes increased overhead for each partition. For additional information, see Sizes of Partitions.
Following update of appliance software, and the required restart for a PED-authenticated Network HSM, the HSM SO is logged out, and Remote PED service is disconnected.
1. For PED-authenticated HSMs, restart Remote PED with:
lunash:> hsm ped disconnect
lunash:> hsm ped connect -ip <ip-address-of-pedserver> -port <1503-or-other>
2. Log in to the HSM with:
lunash:> hsm login
3. Run the firmware update command:
lunash:> hsm firmware upgrade
4. Log in to the HSM with:
lunash:> hsm login
5. Verify that the change has taken place (should show version 6.v.w):
lunash:> hsm show
A capability update or a firmware update is meant to be applied just one time to an HSM. If you attempt to re-apply a capability update to an HSM that already has the capability installed, the system throws an error like " C0000002 : RC_GENERAL_ERROR ". A similar result occurs if you attempt to install a particular firmware update more than once on one HSM. This is expected behavior.
For information and instructions regarding purchased Capability Updates, see "Apply a Capability Upgrade/Update to HSM".
On occasion you might need to update HSM firmware on a standalone basis - that is, where the activity is not part of appliance software update. The process is similar, except that the package transferred to the SafeNet Network HSM appliance is just a wrapper around the firmware update, and does not contain other appliance software. This can occur when you are performing evaluations and might be testing several firmware versions, or when, for whatever reason, the firmware version that you wish to install is not currently the standby firmware version on the appliance, in which case SafeNet supplies a standalone firmware update secure package.
Note: If the Secure Recovery Key (SRK) on the HSM is enabled, it must be disabled before you can upgrade the HSM firmware. The SRK is an external split of the HSM's Master Tamper Key (MTK) that is imprinted on the purple PED key. When you disable the SRK, the SRV (Secure Recovery Vector) portion of the MTK is returned to the HSM, so that the SRV is no longer external to the HSM. It is only in this state that you can upgrade the HSM firmware. After you upgrade the firmware, you can re-enable SRK, if desired, to re-imprint a purple PED key with the SRV.
Note: If you intend to re-size partitions, or to perform a firmware update (for example, from pre-6.22.0 to version 6.22.0 or newer) that alters the available space in partitions, be sure to back up the contents of your HSM first. It might be required to remove some objects from partitions that are at or near capacity. They can be restored after all re-sizing and new-partition creation has finished.
1. Obtain the firmware update secure package from SafeNet. Use scp/pscp to upload the package to the SafeNet Network HSM appliance.
Linux/UNIX | scp /<path>/<packagename>.spkg admin@<LunaSAhostname>: |
Windows | pscp \<path>\<packagename>.spkg admin@<LunaSAhostname>: |
2. Stop all client applications connected to the SafeNet Network HSM appliance.
3. At the shell prompt, log in to the SafeNet Network HSM appliance as admin.
4. Log in to the SafeNet Network HSM as HSM Admin or SO. Use:
lunash:>hsm login
For SafeNet Network HSM with PED Authentication, the blue PED Key is required.
For SafeNet Network HSM with Password Authentication, you are prompted for the HSM Admin (SO) password.
5. [Optional Step] Verify that the file that you copied is present on the SafeNet Network HSM:
lunash:>package listfile
6. [Optional Step] Verify the package on the SafeNet Network HSM
lunash:>package verify <packagename>.spkg -authcode <authorization_code>
where <authorization_code> is the code from the file <packagename>.auth.
7. Install the firmware upgrade secure package on SafeNet Network HSM:
lunash:>package update <packagename>.spkg -authcode <authorization_code>
where <authorization_code> is the code from the file <packagename>.auth.
The package update process completes in seconds. The firmware package is now on the appliance, waiting to be installed in the HSM.
CAUTION: It is strongly recommended that your SafeNet HSM be powered from an uninterruptible power supply (UPS) when you perform the firmware update.
8. Run the firmware update command:
lunash:> hsm firmware upgrade
9. Log in to the HSM with:
lunash:> hsm login
10. Verify that the change has taken place (should show the desired target version):
lunash:> hsm show
Previously, updating or applying a patch to SafeNet HSM appliance software required that you log into the HSM as SO, in order to validate the upgrade package for installation. In the Service Provider context, you might be the owner and manager of an HSM appliance, but you have given control of the HSM to your customer, who is renting the HSM as a service and who probably changed the HSM credentials.
Beginning with release 6.2.1, the package update lunash command interface is updated to include the -useevp option. This allows you to specify use of OpenSSL EVP (Digital EnVeloPe library) API to validate the update package, rather than invoking the HSM to do so (which would require HSM SO login).
This change allows you to perform appliance-side management tasks without encroaching on the autonomy and security of your HSM-as-a-service customers. See revised command syntax at package update.
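The upload, verify and update steps of both procedures above, and the -useevp path just described, can be prepared before you touch the appliance. The following shell script is an added example, not SafeNet tooling: it checks the package name and its paired .auth file, then prints the scp and lunash commands in the order this page gives. It assumes the .auth file carries the code as the first field of its first non-empty line; the host name, file names and code in the demo are constructed.

```shell
# Added example: pre-flight for the package update procedure on this page.
# Assumptions: .auth format as described in the lead-in; demo values constructed.

# Accept only a bare, single-extension name (rejects "x.spkg.spkg" and spaces).
valid_pkg_name() {
    case "$1" in
        *.spkg.spkg|*" "*) return 1 ;;
        ?*.spkg) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the authorization code from the .auth file paired with package $1.
read_authcode() {
    auth="${1%.spkg}.auth"
    [ -r "$auth" ] || { echo "missing auth file: $auth" >&2; return 1; }
    # Strip CR so a file edited on Windows does not leak "\r" into the command.
    code=$(tr -d '\r' < "$auth" | awk 'NF { print $1; exit }')
    [ -n "$code" ] || { echo "no code in: $auth" >&2; return 1; }
    printf '%s\n' "$code"
}

# Print the upload command and the lunash commands in the order the page gives.
# $1 = package path, $2 = appliance host, $3 = "evp" for the no-SO-login path.
update_runbook() {
    pkg=$(basename "$1")
    valid_pkg_name "$pkg" || { echo "bad package name: $pkg" >&2; return 1; }
    code=$(read_authcode "$1") || return 1
    echo "scp $1 admin@$2:"
    echo "# stop client applications, then log in to the appliance as admin"
    if [ "${3:-}" = "evp" ]; then
        # Page documents -useevp for "package update" only; position assumed.
        echo "package listfile"
        echo "package update $pkg -authcode $code -useevp"
    else
        echo "hsm login"
        echo "package listfile"
        echo "package verify $pkg -authcode $code"
        echo "package update $pkg -authcode $code"
    fi
}

# Demo on constructed files: an empty package and a made-up code.
d=$(mktemp -d)
: > "$d/lunasa_update-6.0.0-1.spkg"
printf 'CONSTRUCTED-CODE\r\n' > "$d/lunasa_update-6.0.0-1.auth"
update_runbook "$d/lunasa_update-6.0.0-1.spkg" hsm.example.internal
rm -rf "$d"
```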