New Features and Enhancements

SafeNet Luna Network HSM 7.2 introduces the following new features and enhancements:

SafeNet Luna Network HSM 7.2 Optical Ethernet Release

Thales is pleased to announce the availability of the 10 Gbps optical NIC SafeNet Luna Network HSM. This product variant provides two 10G optical network interfaces and two 1G copper network interfaces, as opposed to the standard 1G model which provides four 1G copper network interfaces.

The 10G SafeNet Luna Network HSM provides two 10G SFP optical Ethernet network interfaces (labeled 2-3), and two 1G copper RJ45 network interfaces (labeled 0-1), as illustrated below. You can optionally bond eth0 and eth1 to bond1, or eth2 and eth3 to bond0, to provide a redundant active/standby virtual interface.

The 10G model is functionally equivalent to the standard 1G model, except on the following five points:

>Two of the Ethernet ports (see the middle, upper portion of the diagram, just above the ventilation grid) have 10Gbps Optical Ethernet SFP+ connectors, while the other two Ethernet ports (stacked vertically beside the HSM slot) retain 1Gbps copper RJ-45 sockets.

>The small form-factor pluggable (SFP) transceiver modules are packed separately to protect them from damage and dust during shipping and handling. Insert them into the SFP+ connectors on the appliance during appliance installation. (See the Installation Guide in the main product documentation.)

>The logical Ethernet port assignments are different from the standard appliance, such that the 10Gbps optical ports are designated Eth0 and Eth1, while the 1Gbps copper ports are designated Eth2 and Eth3.

>The output of the Luna Shell (lunash:>) command network show -verbose displays "FIBRE" and the 10000baseT/Full option, when the appliance has optical Ethernet ports.

>Port bonding is allowed only between Ethernet ports of the same type and speed.

Appliance Software Updates

The 10G SafeNet Luna Network HSM model ships with Luna 7.2 appliance software and Luna 7.0.3 HSM firmware installed. You can use the 10G optical Ethernet ports with the installed software, or update to Luna 7.4 or higher.

CAUTION!   Do not update the 10G appliance to Luna 7.3.x.

The port mapping will revert to the 1G configuration and you will lose 10G support. The appliance might require RMA to fix the port mapping.

See Installing the SafeNet Luna Network HSM Hardware for more information.

Improved Luna HSM Client

Release 7.2 adds improvements to the Luna HSM Client software:

>Enhanced Version Compatibility for Luna HSM Client — Version 7.2 and newer Luna HSM Client can be used with HSMs running Luna 6.2.1 or higher, or any Luna 7 version, without conflict. Luna HSM Client 7.2 and newer versions can coexist in large deployments. You can schedule client roll-outs at your convenience, without need to match versions across your organization. Future HSM features that do not have client-version dependencies will function without issue.

>Mixed-Version HA Groups — HA groups containing both SafeNet Luna Network HSM 6 and 7 partitions are now supported using SafeNet Luna HSM Client 7.2 or newer. This mixed-version configuration is useful for migrating keys to a new SafeNet Luna Network HSM 7, or to gradually upgrade your production environment from Luna 6 to Luna 7.

See Luna 6/7 Mixed-Version HA Groups in the Administration Guide.

>Improved Client Installer with User-Defined Install Paths (Windows) — Luna HSM Client can be installed at user-selected locations (file paths with sufficient space), and installed Client software can be modified without uninstalling and reinstalling.

See Windows SafeNet Luna HSM Client Installation in the Installation Guide.

>User-Defined Client Install Paths (Linux) — Linux root-level users can install the Luna HSM Client software to an installation directory of their choice.

See Linux SafeNet Luna HSM Client Software Installation in the Installation Guide.

>Minimal Client (Linux) — The SafeNet Luna Minimal Client for Linux provides only the files needed to use an application with a partition on a SafeNet Luna Network HSM for deployment in Docker containers and similar microservice environments. The Luna Minimal Client can be installed on a workstation without root access.

See Linux Minimal Luna Client Install - Overview in the Installation Guide.

Configurable Cipher Suites

You can now configure the TLS cipher suites used by NTLS, STC, and PEDserver on the SafeNet Luna Network HSM. This new capability allows administrators to select and configure cipher strength to meet their internal security objectives and compliance requirements.

The cipher suites are configured using the new sysconf tls ciphers LunaSH commands. The available set of ciphers is displayed in default order. Users can choose which ciphers from the set to use, as well as the order of preference for TLS cipher-suite negotiation. The modified cipher list and order can also be exported as a template; the template can then be used to configure TLS cipher suites on multiple HSMs.

See sysconf tls ciphers in the LunaSH Command Reference Guide.
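
Added example (not from the Thales documentation): a Python check that audits a cipher preference list against a written policy before the list is applied or copied to other HSMs. The suite names follow OpenSSL TLS 1.2 naming; the sample list, the ranking policy and all function names are assumptions, since the page does not show the appliance's cipher list or template format.

```python
# Example policy (an assumption, not a vendor recommendation): reject broken
# primitives, prefer forward secrecy (ECDHE/DHE) first, then AEAD modes.
WEAK_TOKENS = {"RC4", "DES", "CBC3", "NULL", "MD5", "EXP", "ADH", "AECDH"}

# Constructed sample preference list, most preferred first (OpenSSL names).
SAMPLE_ORDER = [
    "AES256-SHA",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES128-GCM-SHA256",
    "DES-CBC3-SHA",
]

def rank(suite):
    """Lower is stronger: 0 FS+AEAD, 1 FS only, 2 AEAD only, 3 neither, 4 weak."""
    parts = set(suite.upper().split("-"))
    if WEAK_TOKENS & parts:
        return 4
    fs = bool({"ECDHE", "DHE"} & parts)          # ephemeral key exchange
    aead = bool({"GCM", "CCM", "CHACHA20"} & parts)
    return {(True, True): 0, (True, False): 1,
            (False, True): 2, (False, False): 3}[(fs, aead)]

def audit(order):
    """Return (suite, finding) pairs for a preference list."""
    findings = []
    ranks = [rank(s) for s in order]
    for i, (suite, r) in enumerate(zip(order, ranks)):
        if r == 4:
            findings.append((suite, "weak primitive"))
        elif r >= 2:
            findings.append((suite, "no forward secrecy"))
        # Order matters in negotiation: flag a suite listed ahead of a stronger one.
        if r < 4 and any(later < r for later in ranks[i + 1:]):
            findings.append((suite, "preferred over a stronger suite"))
    return findings

def recommend(order, require_fs=False):
    """Drop weak suites (and non-FS ones if required); stable-sort strongest first."""
    limit = 1 if require_fs else 3
    kept = [s for s in order if rank(s) <= limit]
    return sorted(kept, key=rank)  # sorted() is stable, so ties keep input order

if __name__ == "__main__":
    for suite, finding in audit(SAMPLE_ORDER):
        print(f"{suite}: {finding}")
    print("proposed order:", recommend(SAMPLE_ORDER))
```

Running the same check against the list exported from each HSM makes drift between appliances visible after the template has been rolled out.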

Customizable System Logging

You can now customize local and remote system logging according to message severity. There is no limit on the number of remote logging servers you can add, and you can configure the severity level for each server and log type independently. For example, you could send all log entries produced by the appliance to one remote server, and only entries marked critical or higher to another. Storing only the most severe (infrequent) entries locally on the appliance can prevent the syslog directory from filling up over time.

See Customizing Severity Levels or Customizing Remote Logging Severity Levels in the Appliance Administration Guide.

Rename/Relabel Partitions

The HSM SO can now change the name assigned to a partition on creation. The partition name is visible only in LunaSH, and changing it does not affect the label set by the Partition SO during initialization. This allows partitions to be created ahead of time and renamed to something more suitable later, when they are allocated for a particular purpose (Requires firmware 7.2.0).

See partition rename in the LunaSH Command Reference Guide.

The Partition SO can now change the label of an initialized partition (Requires firmware 7.2.0).

See partition changelabel in the LunaCM Command Reference Guide.

Initialize the Orange RPV Key Remotely

You can now initialize the Remote PED Vector (orange key) using a Luna PED connected to a remote workstation running PEDserver. A one-time numeric password is used to authenticate the Remote PED to the HSM before initializing the RPV. This optional method is useful if the HSM SO only has remote SSH access to the appliance. The HSM must be in a zeroized state (uninitialized) and your firewall settings must allow an HSM-initiated Remote PED connection (Requires firmware 7.2.0).

See Remote RPV Initialization in the Administration Guide.

Crypto User Can Clone Public Objects

The Crypto User (CU) role has always been able to create public objects, but not clone them. In HA mode, this would cause the replication and subsequent object creation operations to fail. Firmware 7.2.0 allows the CU to clone public objects, and therefore to perform operations on HA groups without Crypto Officer authentication (Requires firmware 7.2.0).

Auto-Enabled HA Logging

Luna HSM Client now automatically enables HA logging, either when you create the first HA group, or when you update the Luna HSM Client to 7.2 and it detects a previously-configured HA group. If you manually turn HA logging off, logging is not auto-enabled for new HA groups.

See HA Logging in the Administration Guide.

SCP03 Encoding

The SCP03 encoding scheme, as defined in NIST SP 800-108, is now supported for Global Platform.

REST API 6.0

REST API 6.0 is included with the SafeNet Luna Network HSM 7.2 release. Customers who update their appliance software to version 7.2 will automatically receive the REST API 6.0 update. REST API 6.0 contains the following new features:

>Appliance Upgrade Management — Manage Thales Licensing Portal partition upgrade packs using REST API.

>Package and Firmware Update Management — Update, verify, list, and delete secure packages with REST API, including firmware updates.

>Multi-Part Upload Requests — Upgrade your HSMs via a single REST API call, improving performance and efficiency.

>Configurable REST API Users and Roles — Manage REST API users and roles (add, remove, modify, show, list) using REST API.

>Configurable REST API Access Control List -- Modify role access using REST API, by importing and exporting lists of available resources.

See About the REST API User Guide and the REST API Reference Guide.