Advanced Configuration Upgrades

This page describes advanced configuration upgrades: what they are, how they work, and how they interact.

For instructions to apply a Configuration Upgrade to your HSM, see "Applying SafeNet HSM Capability Upgrades" on page 1.

SafeNet offers advanced configuration upgrades for its HSM products, some examples of which are listed in the following tables.

SafeNet delivers advanced configuration upgrades for SafeNet Network HSM as a secure package update. Follow the steps of "Applying SafeNet HSM Capability Upgrades" on page 1 to apply the update. These upgrades are sometimes referred to as CUFs, but that term applies to the USB HSM and the PCIe HSM; for the Network HSM, CUFs must be packaged as secure packages for the appliance to recognize them and handle them properly.

For SafeNet PCIe HSM and SafeNet USB HSM, you receive a firmware update file (FUF) or a capability update file (CUF).

Note:  This is not necessarily a complete list; check with your sales representative for the full list.

Note:  Part numbers shown here are for field upgrades. The same upgrades are often available for factory installation when you purchase a new SafeNet HSM product. Those have different part numbers (ask your sales representative). Not all field upgrades have an equivalent factory-applied version, because we ship HSMs with the most recent FIPS-validated firmware version, and some newer upgrades might require more recent firmware, so they cannot be installed at the factory.

Table 1: SafeNet Network HSM configuration upgrades

   Configuration upgrade                           Part number
   ============================================    ==============
   Maximum memory                                  908-000086-001
   Korean algorithms                               908-000139-002
   ECIES acceleration                              908-000175-001
   5 partitions                                    908-000201-001
   10 partitions                                   908-000202-001
   15 partitions                                   908-000203-001
   20 partitions                                   908-000204-001
   35 partitions                                   908-000379-001
   50 partitions                                   908-000235-001
   75 partitions                                   908-000280-001
   100 partitions                                  908-000232-001
   Enable Small Form-factor Backup (SA)            908-000220-001
   Enable Per-Partition Security Officer (PPSO)    908-000263-001

Note:  Increasing the number of partitions is not destructive; it does not erase existing partitions and objects. However, simply increasing the number of partition licenses does not increase memory. Depending on the size of the original partitions (did you re-size them to use large amounts of memory, or "all available memory"?), you might need to resize the existing partitions to make room for the additional partitions. If a partition is occupied when it is to be resized, you might need to move some objects before resizing.

Note:  You can apply 100 partitions without also upgrading to Maximum Memory, but this leaves very little memory for each partition. Usefulness depends upon your application, and the sizes of keys and objects that you would store in each partition.

Also, if you are using STC, then that requires 2 KB of partition space for each STC client that is registered to a given partition.

Note:  If you are both
 - upgrading from an earlier firmware version to HSM firmware 6.22.0 (or newer)
AND
 - applying the Per-Partition SO (PPSO) capability update,
be aware that the PPSO capability update is destructive. Therefore, there is no need to re-size partitions.

Instead, to avoid unnecessary duplication of effort, you should
 - safeguard (archive) any existing partition contents,
 - then zeroize the HSM for a clean update,
 - then perform both the firmware AND capability updates,
 - and finally restore to new partitions.

Table 2: SafeNet PCIe HSM capability upgrades

   Configuration upgrade                           Part number
   ============================================    ==============
   Korean algorithms                               908-000138-002
   ECIES acceleration                              908-000177-001
   Enable Small Form-factor Backup (PCIe)          908-000223-001

 

Table 3: SafeNet USB HSM configuration upgrades

   Configuration upgrade                           Part number
   ============================================    ==============
   Korean algorithms                               908-000156-002
   ECIES acceleration                              908-000179-001

 

Table 4: SafeNet Backup HSM configuration upgrades

   Configuration upgrade                           Part number
   ============================================    ==============
   5 partitions                                    908-000083-001
   10 partitions                                   908-000287-001
   20 partitions                                   908-000085-001
   35 partitions                                   908-000281-001
   50 partitions                                   908-000282-001
   75 partitions                                   908-000283-001
   100 partitions                                  908-000284-001

NOTE: SafeNet Remote Backup HSM comes with maximum memory and does not require a separate memory upgrade for larger numbers of partitions.

ECIES Acceleration

SafeNet offers ECIES support via a client-library shim. With the shim, ECIES 386-bit performance is approximately 40 operations per second. The ECIES acceleration configuration upgrade provides an approximately 5x performance increase compared to using the shim. If you choose to apply and use the configuration upgrade, you must remove the shim from your system configuration for the upgrade to take effect: shim use overrides acceleration.

Applying the ECIES advanced configuration upgrade is a destructive operation: objects already created on the HSM are destroyed. Therefore, you should apply this update when you first configure your HSM, before putting it into production (alternatively, you can back up any important objects and restore them onto the HSM after the upgrade).

Note:  The full ECIES suite of mechanisms is not approved by NIST (that is, not all are FIPS 140-2 algorithms). Applying EITHER the ECIES shim OR this configuration upgrade option means that you can use all the available ECIES mechanisms when the HSM is not in the FIPS 140-2 mode of operation; however, if FIPS 140-2 mode is asserted, then some ECIES mechanisms are blocked.

Partition Licenses

Up to about the middle of 2013, SafeNet's business model was that appliances shipped from the factory supported 20 partitions but were licensed for two, with upgrades purchased as paper licenses. Thereafter, SafeNet made changes to make licensing of partitions software-enforced. New part numbers for software licenses permit factory-installed and field-applied upgrades to replace the part numbers for paper licenses.

To determine whether a SafeNet Network HSM appliance supports software-enforced licenses, log into LunaSH (lunash) and execute the hsm displayLicenses command.

If you see the "Maximum 20 partitions" line (620124-000, highlighted in the original listing) in output like the following, your appliance requires paper license upgrades:

   HSM CAPABILITY LICENSES
   License ID          Description 
   ================    ====================================== 
      621000002-000    K6 base configuration                   
      621000021-001    Performance level 15                    
         620127-000    Elliptic curve cryptography             
         620114-001    Key backup via cloning protocol         
         620124-000    Maximum 20 partitions                   
         620109-000    PIN entry device (PED) enabled          
      621010089-001    Enable remote PED capability            
      621010358-001    Enable a split of the master tamper key to be stored externally

 

In that case, ignore the remainder of this section.

The "Maximum 2 partitions" line (620121-000, highlighted in the original listing) in the following output indicates software-enforced licenses:

   HSM CAPABILITY LICENSES
   License ID          Description 
   ================    ====================================== 
      621000002-000    K6 base configuration                   
      621000021-001    Performance level 15                    
         620127-000    Elliptic curve cryptography             
         620114-001    Key backup via cloning protocol         
         620121-000    Maximum 2 partitions                    
         620109-000    PIN entry device (PED) enabled          
      621010089-001    Enable remote PED capability            
      621010358-001    Enable a split of the master tamper key to be stored externally

 

You can purchase license upgrades for 5, 10, 15, 20, 50, and 100 partitions. After you make your purchase, receive the secure package update, and apply it, the partition license appears at the bottom of the displayed set, as the following example illustrates:

   HSM CAPABILITY LICENSES
   License ID          Description 
   ================    ====================================== 
      621000002-000    K6 base configuration                   
      621000021-001    Performance level 15                    
         620127-000    Elliptic curve cryptography             
         620114-001    Key backup via cloning protocol         
         620121-000    Maximum 2 partitions                    
         620109-000    PIN entry device (PED) enabled          
      621010089-001    Enable remote PED capability            
      621010358-001    Enable a split of the master tamper key to be stored externally
      908000201-001    Maximum 5 partitions 

 

This last-listed, last-applied license supersedes the two-partition license applied at the factory. Licenses are for absolute numbers of partitions - they are not additive/cumulative; you cannot add a 5 to a 10 to get 15.

CAUTION:   Do not apply a lower partition license upgrade atop a higher one. For example, if you purchase a 5 partition license upgrade but do not apply it, later purchase a 20 partition license upgrade and apply it, and then apply the 5 partition license upgrade, the software will enforce a maximum of 5 partitions. You cannot apply the same license upgrade twice. In this scenario, you will need to obtain an RMA to have the appliance returned to the factory for re-manufacture to enable application of the 20 partition license again.

The following example shows the application of increasing license upgrades for some of the available tiers, with the last one (20 partitions) being in effect.

   HSM CAPABILITY LICENSES
   License ID          Description 
   ================    ====================================== 
      621000002-000    K6 base configuration                   
      621000021-001    Performance level 15                    
         620127-000    Elliptic curve cryptography             
         620114-001    Key backup via cloning protocol         
         620121-000    Maximum 2 partitions                    
         620109-000    PIN entry device (PED) enabled          
      621010089-001    Enable remote PED capability            
      621010358-001    Enable a split of the master tamper key to be stored externally
      908000201-001    Maximum 5 partitions                    
      908000202-001    Maximum 10 partitions                   
      908000203-001    Maximum 15 partitions                   
      908000204-001    Maximum 20 partitions                   
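
The supersede rule and the CAUTION above can be checked before a package is applied. The following Python sketch is an added example, not SafeNet code: it parses saved hsm displayLicenses output (the sample listing is constructed, modelled on the listings above), reports the partition limit in force, and rejects an upgrade that is lower than that limit or already applied. All function names are hypothetical.

```python
import re

# Constructed sample modelled on the listings above: factory 2-partition
# license, then the 20-partition upgrade applied (the CAUTION scenario).
SAMPLE = """\
   HSM CAPABILITY LICENSES
   License ID          Description
   ================    ======================================
      621000002-000    K6 base configuration
         620121-000    Maximum 2 partitions
         620109-000    PIN entry device (PED) enabled
      908000204-001    Maximum 20 partitions
"""

LICENSE_LINE = re.compile(r"^\s*(\d{6,9}-\d{3})\s+(.+?)\s*$")
PARTITION_DESC = re.compile(r"Maximum (\d+) partitions")


def partition_licenses(display_output):
    """Return [(license_id, max_partitions)] in the order listed."""
    found = []
    for line in display_output.splitlines():
        row = LICENSE_LINE.match(line)  # skips title, header and separator
        desc = PARTITION_DESC.fullmatch(row.group(2)) if row else None
        if desc:
            found.append((row.group(1), int(desc.group(1))))
    return found


def effective_limit(display_output):
    """The last-listed (last-applied) partition license is the one enforced."""
    licenses = partition_licenses(display_output)
    if not licenses:
        raise ValueError("no partition license line found")
    return licenses[-1][1]


def check_upgrade(display_output, new_limit):
    """Return (ok, reason) for applying a license of new_limit partitions."""
    applied = [limit for _, limit in partition_licenses(display_output)]
    current = effective_limit(display_output)
    if new_limit in applied:
        return False, f"a {new_limit}-partition license is already applied"
    if new_limit < current:
        return False, f"would lower the enforced maximum from {current} to {new_limit}"
    return True, f"raises the enforced maximum from {current} to {new_limit}"
```

Run check_upgrade against a fresh capture of the appliance's license listing immediately before applying a package, since the answer depends on what has already been applied.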

 

Rollback Behavior

When it became possible to roll HSM firmware updates back to an earlier version, some additional concerns became evident. The order in which you perform some activities becomes important.

An HSM that receives a firmware update arrives at that condition with any capabilities/features that were part of the HSM before the update was installed. The pre-update record of <firmware version+configuration> is set. If you roll back, you roll back to exactly the state that was recorded prior to the update. All the same capabilities/features would be available, because they were present before the firmware update.

Any capability that you added after a firmware update would be lost, if you then rolled back the firmware, because the pre-update record of <firmware version+configuration> did not include any capability that you added only post-update. In that case:

If the late-installed capability is not dependent on the newer firmware, then you can simply install it again, on the HSM at the rolled-back firmware version, and it will become part of the pre-update record the next time you update firmware.

If the late-installed capability is dependent on the newer firmware, then you must do without that feature/capability until you once more update to a firmware version that can support it. At that time, you will need to re-install that capability upgrade.

The following table summarizes the options comparatively.

   Start with this (all examples):   f/w X and Capabilities A, B, C

   Example 1
      If you do this...              Update to f/w Y
      Result is this                 f/w Y and Capabilities A, B, C
      If you next do this...         Roll back to f/w X
      Result is this                 f/w X and Capabilities A, B, C

   Example 2
      If you do this...              Add Capability D (no dependency)
      Result is this                 f/w X and Capabilities A, B, C, D
      If you next do this...         Update to f/w Y
      Result is this                 f/w Y and Capabilities A, B, C, D
      If you next do this...         Roll back to f/w X
      Result is this                 f/w X and Capabilities A, B, C, D

   Example 3
      If you do this...              Update to f/w Y
      Result is this                 f/w Y and Capabilities A, B, C
      If you next do this...         Add Capability D (no dependency)
      Result is this                 f/w Y and Capabilities A, B, C, D
      If you next do this...         Roll back to f/w X
      Result is this                 f/w X and Capabilities A, B, C

   Example 4
      If you do this...              Capability E depends on f/w Y; attempt to add Capability E fails
      Result is this                 f/w X and Capabilities A, B, C (unchanged)
      If you next do this...         Update to f/w Y
      Result is this                 f/w Y and Capabilities A, B, C
      If you next do this...         Add Capability E (depends on f/w Y)
      Result is this                 f/w Y and Capabilities A, B, C, E
      If you next do this...         Roll back to f/w X
      Result is this                 f/w X and Capabilities A, B, C
  In Example 1, above, no capabilities change; only the firmware version.  
  In Example 2, above, D is added before firmware update; therefore the pre-update record includes capability D, so D survives firmware update and firmware rollback.  
  In Example 3, above, D is added after firmware update, the pre-update record does not include capability D, so D does not survive firmware rollback.  
  In Example 4, above, the pre-update record does not include capability E, so E does not survive firmware rollback.  

We advise you to retain a copy of any in-field configuration upgrades.
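
The rollback rules above can be rehearsed before you change the order of operations on a real HSM. The following Python model is an added example, not SafeNet code: it keeps the <firmware version+configuration> record as the text describes it and previews which capabilities a rollback would drop. The class, method names, and the alphabetical comparison of the version labels X and Y are assumptions made for illustration.

```python
class HsmModel:
    """Added model of the <firmware version+configuration> record; not vendor code."""

    def __init__(self, firmware="X", capabilities=("A", "B", "C")):
        self.firmware = firmware
        self.capabilities = set(capabilities)
        self.record = None  # pre-update record, written by update_firmware()

    def add_capability(self, name, needs_firmware=None):
        # Version labels compare alphabetically here ("X" < "Y"): an assumption
        # standing in for real firmware version ordering.
        if needs_firmware is not None and self.firmware < needs_firmware:
            return False  # install attempt fails, configuration unchanged
        self.capabilities.add(name)
        return True

    def update_firmware(self, version):
        # The record captures the state as it was just before the update.
        self.record = (self.firmware, frozenset(self.capabilities))
        self.firmware = version

    def lost_on_rollback(self):
        """Capabilities installed after the update, which a rollback would drop."""
        if self.record is None:
            return []
        return sorted(self.capabilities - self.record[1])

    def rollback(self):
        if self.record is None:
            raise RuntimeError("no pre-update record to roll back to")
        self.firmware, recorded = self.record
        self.capabilities = set(recorded)

    def state(self):
        return self.firmware, sorted(self.capabilities)


def run(steps):
    """Apply (method_name, *args) steps to a fresh f/w X + A, B, C model."""
    hsm = HsmModel()
    for name, *args in steps:
        getattr(hsm, name)(*args)
    return hsm.state()


EXAMPLE_3 = [("update_firmware", "Y"), ("add_capability", "D"), ("rollback",)]
EXAMPLE_4 = [("add_capability", "E", "Y"), ("update_firmware", "Y"),
             ("add_capability", "E", "Y"), ("rollback",)]
```

Whatever lost_on_rollback() lists is what you would need to re-install from your retained copies after rolling back.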