This page describes configuration upgrades, how they work and interact, etc.
For instructions to apply a Configuration Upgrade to your HSM, see "Applying SafeNet HSM Capability Upgrades" on page 1.
SafeNet offers advanced configuration upgrades for its HSM products, some examples of which are listed in the following tables.
SafeNet delivers advanced configuration upgrades for SafeNet Network HSM as a secure package update. Follow the steps of "Applying SafeNet HSM Capability Upgrades" on page 1 to apply the update. These are sometimes referred to as CUFs, but those refer to the USB HSM and the PCIe HSM; for the Network HSM, CUFs must be packaged as secure packages in order for the appliance to recognize them and handle them properly.
For SafeNet PCIe HSM and SafeNet USB HSM, you receive a firmware update file (FUF) or a capability update file (CUF).
Note: This is not necessarily a complete list; please check with your sales representative for the full list.
Note: Part numbers shown here are for field upgrades. The same upgrades are often available for factory installation when you purchase a new SafeNet HSM product. Those have different part numbers (ask your sales representative). Not all field upgrades have an equivalent factory-applied version, because we ship HSMs with the most recent FIPS-validated firmware version, and some newer upgrades might require more recent firmware, so they cannot be installed at the factory.
Configuration upgrade | Part number |
---|---|
Maximum memory | 908-000086-001 |
Korean algorithms | 908-000139-002 |
ECIES acceleration | 908-000175-001 |
5 partitions | 908-000201-001 |
10 partitions | 908-000202-001 |
15 partitions | 908-000203-001 |
20 partitions | 908-000204-001 |
35 partitions | 908-000379-001 |
50 partitions | 908-000235-001 |
75 partitions | 908-000280-001 |
100 partitions | 908-000232-001 |
Enable Small Form-factor Backup (SA) | 908-000220-001 |
Enable Per-Partition Security Officer (PPSO) | 908-000263-001 |
Note: Increasing the number of partitions is not destructive; it does not erase existing partitions and objects. However, simply increasing the number of partition licenses does not increase memory. Depending on the size of the original partitions (did you re-size them to use large amounts of memory, or "all available memory"?), you might need to resize the existing partitions to make room for the additional partitions. If a partition is occupied when it is to be resized, you might need to move some objects before resizing.
Note: You can apply 100 partitions without also upgrading to Maximum Memory, but this leaves very little memory for each partition. Usefulness depends upon your application, and the sizes of keys and objects that you would store in each partition.
Also, if you are using STC, then that requires 2 KB of partition space for each STC client that is registered to a given partition.
Note: If you are both
- upgrading from an earlier firmware version to HSM firmware 6.22.0 (or newer)
AND
- applying the Per-Partition SO (PPSO) capability update,
be aware that the PPSO capability update is destructive. Therefore, there is no need to re-size partitions.
Instead, to avoid unnecessary duplication of effort, you should
- safeguard (archive) any existing partition contents,
- then zeroize the HSM for a clean update,
- then perform both the firmware AND capability updates,
- and finally restore to new partitions.
Configuration upgrade | Part number |
---|---|
Korean algorithms | 908-000138-002 |
ECIES acceleration | 908-000177-001 |
Enable Small Form-factor Backup (PCIe) | 908-000223-001 |
Configuration upgrade | Part number |
---|---|
Korean algorithms | 908-000156-002 |
ECIES acceleration | 908-000179-001 |
Configuration upgrade | Part number |
---|---|
5 partitions | 908-000083-001 |
10 partitions | 908-000287-001 |
20 partitions | 908-000085-001 |
35 partitions | 908-000281-001 |
50 partitions | 908-000282-001 |
75 partitions | 908-000283-001 |
100 partitions | 908-000284-001 |
NOTE: SafeNet Remote Backup HSM comes with maximum memory and does not require a separate memory upgrade for larger numbers of partitions. |
SafeNet offers ECIES support via a client-library shim. With the shim, ECIES 386-bit performance is approximately 40 operations per second. The ECIES acceleration configuration upgrade improves performance. This upgrade provides an approximately 5x performance increase compared to using the shim. If you choose to apply and use the configuration upgrade, you must remove the shim from your system configuration for the upgrade to have effect: shim use overrides acceleration.
Applying the ECIES advanced configuration upgrade is a destructive operation: objects already created on the HSM are destroyed. Therefore, you should apply this update when you first configure your HSM, before putting it into production (alternatively, you can back up any important objects and restore them onto the HSM after the upgrade).
Note: The full ECIES suite of mechanisms is not approved by NIST (that is, not all are FIPS 140-2 algorithms). Applying EITHER the ECIES shim OR this configuration upgrade option means that you can use all the available ECIES mechanisms when the HSM is not in the FIPS 140-2 mode of operation; however if FIPS 140-2 mode is asserted then some ECIES mechanisms are blocked.
Up to about the middle of 2013, SafeNet’s business model was that appliances shipped from the factory supported 20 partitions, licensed for two with the purchase of paper licenses for upgrades. Thereafter, SafeNet made changes to make licensing of partitions software-enforced. New part numbers for software licenses permit factory-installed and field-applied upgrades to replace the part numbers for paper licenses.
To determine whether a SafeNet Network HSM appliance supports software-enforced licenses, log into LunaSH (lunash) and execute the hsm displayLicenses command.
If the output includes a "Maximum 20 partitions" line, as in the following example, your appliance requires paper license upgrades:
HSM CAPABILITY LICENSES
License ID Description
================ ======================================
621000002-000 K6 base configuration
621000021-001 Performance level 15
620127-000 Elliptic curve cryptography
620114-001 Key backup via cloning protocol
620124-000 Maximum 20 partitions
620109-000 PIN entry device (PED) enabled
621010089-001 Enable remote PED capability
621010358-001 Enable a split of the master tamper key to be stored externally
Ignore the remainder of this section.
A "Maximum 2 partitions" line in the output, as in the following example, indicates software-enforced licenses:
HSM CAPABILITY LICENSES
License ID Description
================ ======================================
621000002-000 K6 base configuration
621000021-001 Performance level 15
620127-000 Elliptic curve cryptography
620114-001 Key backup via cloning protocol
620121-000 Maximum 2 partitions
620109-000 PIN entry device (PED) enabled
621010089-001 Enable remote PED capability
621010358-001 Enable a split of the master tamper key to be stored externally
You can purchase license upgrades for 5, 10, 15, 20, 50, and 100 partitions. After you make your purchase, receive the secure package update, and apply it, the new partition license appears at the bottom of the displayed list, as the following example illustrates:
HSM CAPABILITY LICENSES
License ID Description
================ ======================================
621000002-000 K6 base configuration
621000021-001 Performance level 15
620127-000 Elliptic curve cryptography
620114-001 Key backup via cloning protocol
620121-000 Maximum 2 partitions
620109-000 PIN entry device (PED) enabled
621010089-001 Enable remote PED capability
621010358-001 Enable a split of the master tamper key to be stored externally
908000201-001 Maximum 5 partitions
This last-listed, last-applied license supersedes the two-partition license applied at the factory. Licenses are for absolute numbers of partitions - they are not additive/cumulative; you cannot add a 5 to a 10 to get 15.
CAUTION: Do not apply a lower partition license upgrade atop a higher one. For example, if you purchase a 5 partition license upgrade but do not apply it, later purchase a 20 partition license upgrade and apply it, then apply the 5 partition license upgrade, the software will enforce a maximum of 5 partitions. You cannot apply the same license upgrades twice. In this scenario, you will need to obtain an RMA to have the appliance returned to the factory for re-manufacture to enable application of the 20 partition license again.
The following example shows the application of increasing license upgrades for some of the tiers available with the last one being in effect (20 partitions).
HSM CAPABILITY LICENSES
License ID Description
================ ======================================
621000002-000 K6 base configuration
621000021-001 Performance level 15
620127-000 Elliptic curve cryptography
620114-001 Key backup via cloning protocol
620121-000 Maximum 2 partitions
620109-000 PIN entry device (PED) enabled
621010089-001 Enable remote PED capability
621010358-001 Enable a split of the master tamper key to be stored externally
908000201-001 Maximum 5 partitions
908000202-001 Maximum 10 partitions
908000203-001 Maximum 15 partitions
908000204-001 Maximum 20 partitions
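A pre-apply check for the rules above (the last-listed partition license is the one enforced, a lower license must not go atop a higher one, and a license cannot be applied twice). This is an added example, not SafeNet code; the sample output is constructed in the layout shown on this page, and the function names are hypothetical. It assumes a part number and its license ID differ only in hyphenation, as the 5-partition license on this page does.

```python
import re

# Constructed sample: `hsm displayLicenses` output after a 20-partition upgrade.
SAMPLE = """\
HSM CAPABILITY LICENSES
License ID       Description
================ ======================================
621000002-000    K6 base configuration
620121-000       Maximum 2 partitions
620109-000       PIN entry device (PED) enabled
908000204-001    Maximum 20 partitions
"""

LICENSE_LINE = re.compile(r"^\s*(\d+-\d+)\s+(.+?)\s*$")
PARTITIONS = re.compile(r"^Maximum (\d+) partitions$")


def normalize(license_id):
    # Assumption: 908-000204-001 (part number) and 908000204-001 (license ID) match.
    return license_id.replace("-", "")


def parse_licenses(output):
    """Return [(license_id, description)] in the order the HSM lists them."""
    return [m.groups() for m in map(LICENSE_LINE.match, output.splitlines()) if m]


def effective_partition_limit(licenses):
    """The last-listed partition license is in effect, not the largest one."""
    limits = [int(m.group(1)) for _, d in licenses if (m := PARTITIONS.match(d))]
    return limits[-1] if limits else None


def check_upgrade(output, new_id, new_limit):
    """Return reasons not to apply a partition license; an empty list means OK."""
    licenses = parse_licenses(output)
    current = effective_partition_limit(licenses)
    problems = []
    if any(normalize(lid) == normalize(new_id) for lid, _ in licenses):
        problems.append(f"{new_id} is already applied and cannot be applied twice")
    if current is not None and new_limit < current:
        problems.append(
            f"would lower the enforced maximum from {current} to {new_limit} partitions"
        )
    return problems
```

Run the check against saved `hsm displayLicenses` output before applying a partition upgrade; a non-empty result corresponds to the situations the CAUTION above describes.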
When it became possible to roll HSM firmware updates back to an earlier version, some additional concerns became evident. The order in which you perform some activities becomes important.
An HSM that receives a firmware update arrives at that condition with any capabilities/features that were part of the HSM before the update was installed. The pre-update record of <firmware version+configuration> is set. If you roll back, you roll back to exactly the state that was recorded prior to the update. All the same capabilities/features would be available, because they were present before the firmware update.
Any capability that you added after a firmware update would be lost, if you then rolled back the firmware, because the pre-update record of <firmware version+configuration> did not include any capability that you added only post-update. In that case:
• If the late-installed capability is not dependent on the newer firmware, then you can simply install it again, on the HSM at the rolled-back firmware version, and it will become part of the pre-update record the next time you update firmware.
• If the late-installed capability is dependent on the newer firmware, then you must do without that feature/capability until you once more update to a firmware version that can support it. At that time, you will need to re-install that capability upgrade.
The following table summarizes the options comparatively.
Example | Start with this | If you do this... | Result is this | If you next do this... | Result is this | If you next do this... | Result is this | If you next do this... | Result is this |
---|---|---|---|---|---|---|---|---|---|
Example 1 (Read across ==>) | f/w X and Capabilities | Update to f/w Y | f/w Y and Capabilities | Roll back to f/w X | f/w X and Capabilities | | | | |
Example 2 (Read across ==>) | f/w X and Capabilities | Add Capability D (no dependency) | f/w X and Capabilities | Update to f/w Y | f/w Y and Capabilities | Roll back to f/w X | f/w X and Capabilities | | |
Example 3 (Read across ==>) | f/w X and Capabilities | Update to f/w Y | f/w Y and Capabilities | Add Capability D (no dependency) | f/w Y and Capabilities | Roll back to f/w X | f/w X and Capabilities | | |
Example 4 (Read across ==>) | f/w X and Capabilities | Capability E depends on f/w Y; Attempt to add Capability E fails | f/w X and Capabilities | Update to f/w Y | f/w Y and Capabilities | Add Capability E (depends on f/w Y) | f/w Y and Capabilities | Roll back to f/w X | f/w X and Capabilities |

In Example 1, above, no capabilities change; only the firmware version.
In Example 2, above, D is added before firmware update; therefore the pre-update record includes capability D, so D survives firmware update and firmware rollback.
In Example 3, above, D is added after firmware update; the pre-update record does not include capability D, so D does not survive firmware rollback.
In Example 4, above, the pre-update record does not include capability E, so E does not survive firmware rollback.
We advise you to retain a copy of any in-field configuration upgrades.
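The rollback examples above, replayed against a small model of the pre-update record. This is an added illustration, not SafeNet code: the class and function names are hypothetical, the starting capabilities A, B and C are assumed, and a firmware dependency is simplified to an exact match between the two versions X and Y.

```python
class HsmModel:
    """Toy model of the update/rollback rules described above (not vendor code)."""

    def __init__(self, firmware, capabilities):
        self.firmware = firmware
        self.capabilities = set(capabilities)
        self.record = None  # pre-update record of <firmware version+configuration>

    def add_capability(self, name, requires=None):
        """Install a capability; fails if it depends on firmware not installed."""
        if requires is not None and requires != self.firmware:
            return False
        self.capabilities.add(name)
        return True

    def update_firmware(self, new_firmware):
        """Record the current firmware and capabilities, then update."""
        self.record = (self.firmware, frozenset(self.capabilities))
        self.firmware = new_firmware

    def rollback(self):
        """Return to exactly the recorded state; report capabilities lost."""
        if self.record is None:
            raise RuntimeError("no pre-update record to roll back to")
        lost = self.capabilities - self.record[1]
        self.firmware, self.capabilities = self.record[0], set(self.record[1])
        return lost


def run_example(steps):
    """Replay (action, *args) steps on an HSM at f/w X with assumed A, B, C."""
    hsm = HsmModel("X", {"A", "B", "C"})
    lost = set()
    for action, *args in steps:
        result = getattr(hsm, action)(*args)
        if action == "rollback":
            lost = result
    return hsm.firmware, sorted(hsm.capabilities), sorted(lost)


# The step sequences of Examples 2, 3 and 4 in the table above.
EXAMPLE_2 = [("add_capability", "D"), ("update_firmware", "Y"), ("rollback",)]
EXAMPLE_3 = [("update_firmware", "Y"), ("add_capability", "D"), ("rollback",)]
EXAMPLE_4 = [("add_capability", "E", "Y"), ("update_firmware", "Y"),
             ("add_capability", "E", "Y"), ("rollback",)]
```

The third element returned by `run_example` lists the capability upgrades that would have to be re-applied after the rollback, which is why keeping a copy of each in-field upgrade matters.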