Home > |
---|
Your SafeNet HSM system consists of components that might, from time to time, require updating to newer versions. The newer version might have fixes or functional improvements that are useful or important for your application. The components that might be affected are:
•Client software
•SafeNet HSM firmware
•SafeNet Backup HSM firmware
Some new features are implemented entirely in the Lunaclient software, and have no dependency on HSM firmware. Some new features are implemented entirely in the HSM firmware, and are independent of the associated client software.
Some new features require that both the HSM firmware and the client software be updated, to take full advantage of the feature.
The instructions that accompany the update detail the dependencies.
In addition, you might wish to add purchased capability upgrades, which is a separate procedure; see Apply a Capability Upgrade/Update to HSM.
In the case of FIPS 140, cryptographic devices are evaluated as a combination of hardware and firmware. Therefore, if either of those elements changes, the device is no longer covered by the current validation certificate. If you require that equipment used in your application be FIPS 140-2 level 3 validated (for example), you can use the most recent of our relevant HSM products that has been validated - which applies to a specific hardware and firmware combination. If we release a newer version of firmware, your own security or compliance policies would not permit you to install that update until we have submitted the updated HSM for [re-] evaluation, and a new validation certificate has been issued.
As a general rule (exceptions are possible) we submit HSMs with new firmware versions. If the changes are small or do not affect areas that concern the FIPS evaluators, then the re-evaluation is performed on a delta basis and therefore occurs relatively quickly. For a completely new product or major revision, the evaluators require a complete re-submission and the process takes roughly a year from submission to certificate. Therefore, when a FIPS-candidate firmware version exists, our practice is to ship the respective HSM product with the most recent FIPS-validated firmware version installed, and with the candidate version as a standby update file ( ready to install, but not yet installed). This ensures that customers who require validated systems continue to get them, and that customers who do not require validated systems are able to easily and quickly apply the update if they choose to do so.
The obvious trade-off is that customers who elect to remain with the as-shipped installed firmware version are maintaining the FIPS compliance at the cost of any upgraded capabilities or any security or functional fixes that are part of the firmware update. Similarly, customers who choose to perform the update benefit from the improved capabilities and any security or functional fixes, but at the cost of moving out of FIPS compliance.
To update the software on a Client, you simply remove the older version and Install the newer, using the same procedure (for your operating system) that you used for the original software installation. That applies to SafeNet Network HSM Client software itself, as well as to the SDK material.
SafeNet HSM Lunaclient installers attempt to preserve existing configuration files, but also edit a version if updated settings are required by the options that you choose to install.
To upgrade the firmware on a SafeNet PCIe HSM or SafeNet USB HSM/SafeNet Backup HSM, run a LunaCM command on a SafeNet HSM client computer
•that contains a copy of the firmware upgrade (.fuf) file with its associated firmware authentication code (.txt) file, and
•contains the SafeNet PCIe HSM, or
•is connected to the SafeNet USB HSM/SafeNet Backup HSM that you want to upgrade.
1.Copy the firmware file (<fw_filename>.fuf) from the firmware folder on the media (usually a downloaded archive) to the client root directory:
–Windows: C:\Program Files\SafeNet\LunaClient
–Linux/AIX: /usr/safenet/lunaclient/bin
–Solaris/HP-UX: /opt/safenet/lunaclient/bin
2.Obtain the firmware authorization code:
a.Contact Gemalto Customer Support (support@safenet-inc.com). The firmware authorization code is provided as a .txt file.
b.Copy the <fw_auth_code>.txt file to the SafeNet HSM client root directory:
–Windows: C:\Program Files\SafeNet\LunaClient
–Linux/AIX: /usr/safenet/lunaclient/bin
–Solaris/HP-UX: /opt/safenet/lunaclient/bin
3.Launch the LunaCM utility:
Windows
a.Open a Command Prompt window
(Start > Programs > Accessories > Command Prompt).
b.Change to the SafeNet HSM client root directory:
cd C:\Program Files\SafeNet\LunaClient
c.Enter the following command
Lunacm
Linux/AIX
a.Open a terminal window and change to the SafeNet HSM client root directory:
/usr/safenet/lunaclient/bin
b.Enter the following command:
./lunacm
HP-UX/Solaris
a.Open a terminal window and change to the SafeNet HSM client root directory:
/opt/safenet/lunaclient/bin
b.Enter the following command:
./lunacm
4.If morer than one HSM is installed, note which slot is assigned to that HSM and select it.
slot set -slot <number>
5.Enter the following command, to log in to the HSM. (For a PED-authenticated HSM, omit the password; you are prompted to respond to the Luna PED):
For legacy systems
hsm login [-password <password>]
For current systems (firmware 6.22.0 or newer)
role login -name <name of role> -password <password>
6.Enter the following command to upgrade the firmware on the HSM:
hsm –updateFirmware –fuf <fw_filename>.fuf –authcode <fw_authcode_filename>.txt