HSM Capability and Partition Upgrades

SafeNet Luna PCIe HSMs are shipped from the factory in specific configurations with capabilities to suit your requirements, based on your selections at the time of purchase. Your requirements might change over time. You can purchase capability or partition upgrades to enhance your SafeNet Luna PCIe HSM.

A Secure Capability Upgrade for SafeNet Luna PCIe HSM is delivered to you as a downloaded file set. The procedure to perform the update is similar to the procedure for firmware updates.

Preparing to Upgrade

To ensure a trouble-free installation, you must prepare for the upgrade.

To prepare for the upgrade:

1. Back up application partitions to SafeNet Luna Backup HSM or Tokens (if you have the backup option).

2. On the host computer, acquire the capability update software package.

a. Follow the FTP instructions that are supplied in e-mail from Thales Group Technical Support.

b. Unzip the files (as directed in the FTP instructions).

In some Windows configurations, you might not have authority to copy or unzip files directly into C:\Program Files\.... In that case, put the files in a known location that can be referenced in a LunaCM command.

Installing the Upgrade Package

Once the files are unpacked and available on the host computer, open a command-prompt session.

To install the upgrade package:

1. Go to the SafeNet Luna HSM Client directory and launch LunaCM.

2. Log into the HSM:

role login -name so

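3. Apply the new capability. In the example below, LunaCM warns that the update is destructive and waits for you to type 'proceed', so confirm that the backup from the preparation steps is complete before you continue.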

hsm updatecap -cuf <update_file> -authcode <authcode_file>

lunacm:>hsm updatecap -cuf \Users\me\Downloads\621-000138-002.CUF -authcode \Users\me\Downloads\621-000138-002_authcode.TXT
 
        You are about to apply a destructive update.
        All contents of the HSM will be destroyed.
        All partition roles will be destroyed.
        The domain will be destroyed.
 
        Are you sure you wish to continue?
 
        Type 'proceed' to continue, or 'quit' to quit now ->proceed
 
        Capability update passed.
 
Command Result : No Error
 

4. Check that the new capability is in place:

hsm showpolicies

lunacm:>hsm showpolicies
        HSM Capabilities
                0: Enable PIN-based authentication : 1
                1: Enable PED-based authentication : 0
                2: Performance level : 15
                4: Enable domestic mechanisms & key sizes : 1
                6: Enable masking : 0
                7: Enable cloning : 1
                9: Enable full (non-backup) functionality : 1
               12: Enable non-FIPS algorithms : 1
               15: Enable SO reset of partition PIN : 1
               16: Enable network replication : 1
               17: Enable Korean Algorithms : 1
               18: FIPS evaluated : 0
               19: Manufacturing Token : 0
               21: Enable forcing user PIN change : 1
               22: Enable offboard storage : 1
               23: Enable partition groups : 0
               25: Enable remote PED usage : 0
               27: HSM non-volatile storage space : 33554432
               30: Enable unmasking : 1
               33: Maximum number of partitions : 100
               35: Enable Single Domain : 0
               36: Enable Unified PED Key : 0
               37: Enable MofN : 0
               38: Enable small form factor backup/restore : 0
               39: Enable Secure Trusted Channel : 1
               40: Enable decommission on tamper : 1
               42: Enable partition re-initialize : 0
               43: Enable low level math acceleration : 1
               45: Enable Fast-Path : 0
               46: Allow Disabling Decommission : 1
               47: Enable Tunnel Slot : 0
               48: Enable Controlled Tamper Recovery : 1
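
The check in step 4 can be scripted by comparing saved "hsm showpolicies" output from before and after the update. The following is an added example, not part of the original page and not a Thales tool. It assumes the output was captured to text, that entries are collected only under the "HSM Capabilities" heading, and that the purchased upgrade was a partition increase (ID 33); the "before" value of 20 is constructed.

```python
import re

# One capability line as printed by "hsm showpolicies": "<id>: <description> : <value>"
ENTRY = re.compile(r"^\s*(\d+):\s*(.+?)\s*:\s*(\d+)\s*$")

def parse_capabilities(output):
    """Return {id: (description, value)} for the 'HSM Capabilities' section."""
    caps, in_section = {}, False
    for line in output.splitlines():
        m = ENTRY.match(line)
        if m and in_section:
            caps[int(m.group(1))] = (m.group(2), int(m.group(3)))
        elif line.strip() and not m:
            # Any other non-blank line is a heading or prompt; only entries
            # under "HSM Capabilities" are collected (assumption of this example).
            in_section = line.strip() == "HSM Capabilities"
    return caps

def diff_capabilities(before, after):
    """Return {id: (description, old, new)}; old or new is None if absent."""
    changes = {}
    for cap_id in sorted(set(before) | set(after)):
        old = before.get(cap_id, (None, None))
        new = after.get(cap_id, (None, None))
        if old[1] != new[1]:
            changes[cap_id] = (new[0] or old[0], old[1], new[1])
    return changes

def unexpected_changes(before, after, expected_ids):
    """Changes outside the capability IDs the purchased upgrade should touch."""
    return {i: c for i, c in diff_capabilities(before, after).items()
            if i not in expected_ids}

# Constructed sample: AFTER uses lines from the output above; BEFORE is invented
# (partition limit 20) to stand in for a capture taken before the update.
AFTER = """lunacm:>hsm showpolicies
        HSM Capabilities
                7: Enable cloning : 1
               12: Enable non-FIPS algorithms : 1
               33: Maximum number of partitions : 100
               39: Enable Secure Trusted Channel : 1
"""
BEFORE = AFTER.replace("partitions : 100", "partitions : 20")

if __name__ == "__main__":
    b, a = parse_capabilities(BEFORE), parse_capabilities(AFTER)
    for cap_id, (desc, old, new) in diff_capabilities(b, a).items():
        print(f"{cap_id}: {desc}: {old} -> {new}")
    print("unexpected:", unexpected_changes(b, a, expected_ids={33}))
```

A non-empty result from unexpected_changes means a capability other than the one you purchased differs between the two captures and should be reviewed before the HSM returns to service.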