Valid Update Paths

The following table provides tested paths for updating to the current software/firmware versions.

Component	Directly from version	To version
SafeNet Luna HSM Client software	Any	7.2
SafeNet Luna Network HSM appliance software	7.0, 7.1	7.2
SafeNet Luna HSM firmware	7.0.1, 7.0.2, 7.1.0	7.2.0
SafeNet Luna HSM firmware	7.0.1, 7.0.2	7.0.3
SafeNet Backup HSM firmware	6.10.9, 6.26.0	6.27.0
SafeNet Luna PED firmware	2.7.1	N/A
SafeNet Luna PED firmware	2.8.0	N/A

FIPS-Certification Firmware Candidates

Thales has three (3) versions of the SafeNet Luna Network HSM firmware currently undergoing FIPS certification review. The following firmware versions are all pending FIPS certification:

>Luna firmware v. 7.0.3 (recommended)

>Luna firmware v. 7.0.2

>Luna firmware v. 7.0.1

Recommended Minimum Versions

Generally, Thales recommends that you always keep your HSM firmware, appliance software, and client software up to date, to benefit from the latest SafeNet features and bug fixes. If regular updates are not possible or convenient, the following table lists the recommended minimum firmware and software versions for use with SafeNet Luna 7 HSMs. If you are running an earlier version, Thales advises upgrading to the version(s) below to ensure that you have critical bug fixes and security updates.

SafeNet Luna Network HSM 7 Minimum Recommended Configuration	Luna HSM Client	Appliance Software	Luna HSM Firmware
	7.2	7.2	7.2.0
	7.2	7.2	7.0.3

NOTE Customers who wish to use Luna 7 HSMs with F5 Network BIG-IP 13.1 appliances should follow F5 guidelines for Supported SafeNet client and HSM versions (https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/f5-safenet-hsm-version-interoperability-matrix.html). At the time of this release, F5’s supported versions for Luna 7 are Luna HSM Client 7.1 with appliance software 7.1 and firmware 7.0.2.

Special Instructions for Installing Firmware 7.0.3 if Your Current Firmware Version is 7.1.0

Firmware 7.0.3 is Thales's latest candidate for FIPS certification. If you are using firmware 7.0.1 or 7.0.2, you can proceed with the standard update procedure. If you previously updated to firmware 7.1.0, and you wish to use firmware 7.0.3, follow this procedure to ensure a successful update.

SafeNet Luna Network HSM does not allow you to update the firmware from a higher-numbered to a lower-numbered version. Therefore, if you are currently running firmware 7.1.0, you must first perform a firmware rollback.

CAUTION! Firmware rollback is destructive; earlier firmware versions might have older mechanisms and security vulnerabilities that a new version does not. Back up any important materials before rolling back the firmware. This procedure zeroizes the HSM and all cryptographic objects are erased.

If you are using STC, or have ever enabled HSM policy 39, you may encounter a known issue (refer to the CRN entry for LKX-3194). If this is the case, do not roll back the HSM firmware.

To install firmware 7.0.3 on an HSM running firmware 7.1.0:

1.Check the previous firmware version that is available on the HSM. The firmware available for rollback must be 7.0.1 or 7.0.2.

lunash:>hsm firmware show

2.Back up any important cryptographic objects currently stored on the HSM (see Backup and Restore HSMs and Partitions).

3.Log in as HSM SO.

lunash:>hsm login

4.Perform a firmware rollback.

lunash:>hsm firmware rollback

5.Initialize the HSM and log in as HSM SO.

6.Install the SafeNet Luna Network HSM 7.2 update that includes firmware 7.0.3, as described in Updating the SafeNet Luna Network HSM Appliance Software.

7.Update the firmware to version 7.0.3, which is now stored on the appliance.

lunash:>hsm firmware upgrade

8.Recreate your application partition(s) and restore the contents from backup (see Backup and Restore HSMs and Partitions).