Updating the SafeNet Luna PCIe HSM or SafeNet Luna Backup HSM Firmware

To update the firmware on a SafeNet Luna PCIe HSM or SafeNet Luna Backup HSM, download the desired firmware version from the Thales Support Portal. Use LunaCM on the host workstation to apply the update. You require:

- SafeNet Luna HSM firmware update file (<filename>.fuf) and/or

- SafeNet Luna Backup HSM firmware update file (<filename>.fuf)

- the firmware update authentication code file(s) (<filename>.txt)

CAUTION! Use an uninterruptible power supply (UPS) to power your HSM. There is a small chance that a power failure during an update could leave your HSM in an unrecoverable condition.

To update the SafeNet Luna PCIe HSM or SafeNet Luna Backup HSM firmware:

1. Copy the firmware file (<filename>.fuf) and the authentication code file (<filename>.txt) to the SafeNet Luna HSM Client root directory.

Windows: C:\Program Files\SafeNet\LunaClient

Linux: /usr/safenet/lunaclient/bin

Solaris: /opt/safenet/lunaclient/bin

NOTE: On some Windows configurations, you might not have authority to copy or unzip files directly into C:\Program Files\.... If this is the case, put the files in a known location that you can reference in a LunaCM command.

2. Launch LunaCM.

3. If more than one HSM is installed, set the active slot to the Admin partition of the HSM you wish to update.

lunacm:>slot set -slot <slot_number>

4. Log in as HSM SO.

lunacm:>role login -name so

5. Apply the new firmware update by specifying the update file and the file containing the authorization code. If the files are not located in the SafeNet Luna Network HSM Client directory, specify the file paths.

lunacm:>hsm updatefw -fuf <filename>.fuf -authcode <filename>.txt

Changing the Firmware Upgrade Permissions (Linux only)

By default, the root user and any user who is part of the hsmusers group can perform a firmware update. You can use this procedure to restrict firmware update operations to root only (that is, disable firmware update for members of the hsmusers group).

To restrict firmware update operations to the root user only:

1. Open the /etc/modprobe.d/k7.conf file for editing:

sudoedit /etc/modprobe.d/k7.conf

2. Change the k7_rootonly_reset option from 0 to 1. Save the file and exit the editor.

3. Stop any processes that are using the K7 driver. Typically this means stopping the pedclient service, and the luna-snmp service, if you are using SNMP.

sudo systemctl stop pedclient_service

sudo systemctl stop luna-snmp

4. Reload the driver:

sudo systemctl reload k7
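
The following check is an added example, not part of the vendor documentation: it audits whether the k7_rootonly_reset restriction from the procedure above is set in the configuration file and whether that file can be altered by non-root users. It assumes the option is written in standard modprobe.d syntax (options <module> k7_rootonly_reset=<value>); the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not vendor code). Assumes standard modprobe.d syntax:
#   options <module> k7_rootonly_reset=<0|1>

# Print the last uncommented k7_rootonly_reset value in a modprobe.d file,
# or "unset" / "unreadable".
k7_rootonly_value() {
    [ -r "$1" ] || { echo "unreadable"; return 0; }
    awk '
        $1 == "options" {
            for (i = 3; i <= NF; i++) {
                if ($i ~ /^#/) break              # trailing comment
                if (split($i, kv, "=") == 2 && kv[1] == "k7_rootonly_reset")
                    val = kv[2]
            }
        }
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

# Succeed only if the option is 1 and the file is not group- or
# world-writable (otherwise a user with write access could flip it back).
k7_rootonly_enforced() {
    [ "$(k7_rootonly_value "$1")" = "1" ] || return 1
    case "$(ls -ld "$1" | cut -c1-10)" in
        ?????w*|????????w*) return 1 ;;
    esac
    return 0
}

# Demo on a constructed sample file; pass a real path to audit it instead.
k7_audit_demo() {
    sample=$(mktemp)
    printf '%s\n' '# constructed sample' 'options k7 k7_rootonly_reset=1' > "$sample"
    chmod 644 "$sample"
    target="${1:-$sample}"
    if k7_rootonly_enforced "$target"; then
        echo "PASS: firmware update restricted to root in $target"
    else
        echo "FAIL: k7_rootonly_reset=$(k7_rootonly_value "$target") or file writable by non-root"
    fi
    rm -f "$sample"
}
k7_audit_demo "$@"
```

The check reads the configuration file only; the running driver uses the new value after the reload in step 4.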