Updating the SafeNet Luna HSM Firmware
A new SafeNet Luna Network HSM is delivered with the current FIPS- validated firmware installed on the HSM card, and the most recently released firmware version saved on the SafeNet Luna Network HSM hard drive as an optional update. When you install an appliance software update, this optional update is replaced with the latest firmware version.
When you install a software appliance update, the latest firmware version is saved on the appliance as an optional update, replacing any firmware version previously held in reserve. If you wish to use a different HSM firmware version, you can download it from the Thales Support Portal.
To update the firmware on a SafeNet Luna Backup HSM, see Updating the SafeNet Luna Backup HSM Firmware.
CAUTION! Use an uninterruptible power supply (UPS) to power your HSM. There is a small chance that a power failure during an update could leave your HSM in an unrecoverable condition.
Updating the HSM Firmware After an Appliance Software Update
After an appliance software update, the latest firmware version is saved on the appliance and ready to install.
To update the HSM firmware after a software appliance update
1.Log in to LunaSH on the appliance as admin.
2.At the LunaSH prompt, login as HSM SO (hsm login).
lunash:>hsm login
3.[Optional Step] Check that the desired firmware version is ready to install (hsm firmware show).
lunash:>hsm firmware show
CAUTION! If you are using STC on the HSM Admin channel, disable it by running lunash:>hsm stc disable before you update the HSM firmware.
4.Update the firmware to the version currently stored on the appliance (hsm firmware upgrade).
lunash:>hsm firmware upgrade
Updating the HSM Firmware to a Different Version
If you are not installing the firmware update provided in the appliance software update, download your desired HSM firmware from the Thales Support Portal. You require:
>SafeNet Luna Network HSM firmware update package file (<filename>.spkg)
>the secure package authentication code, provided in a text file accompanying the update package
To update the HSM firmware to a version downloaded from the Support Portal
1.Transfer the secure package update file to the SafeNet Luna Network HSM using scp or pscp (see SCP and PSCP in the Utilities Guide).
Linux/UNIX | scp <path>/<packagename>.spkg admin@<appliance_host_or_IP>: |
Windows | pscp <path>\<packagename>.spkg admin@<appliance_host_or_IP>: |
2.Stop all client applications to the SafeNet Luna Network HSM appliance.
3.Using a serial or SSH connection, log in to the appliance as admin.
4.At the LunaSH prompt, login as HSM SO (hsm login).
lunash:>hsm login
5.[Optional Step] Verify that the secure package file is present on the SafeNet Luna Network HSM (package listfile).
lunash:>package listfile
6. [Optional Step] Verify the package file, specifying the authorization code you received from Thales (package verify).
lunash:>package verify <filename>.spkg -authcode <code_string>
7.Install the firmware update package, specifying the authorization code you received from Thales (package update).
lunash:>package update <filename>.spkg -authcode <code_string>
NOTE If you are using a service provider model, you can use the -useevp option to specify the OpenSSL EVP (Digital EnVeloPe library) API to validate the update package, rather than invoking the HSM. This allows you to install the update package without logging in as HSM SO. See package update in the LunaSH Command Reference Guide.
The package update process takes a few seconds. The firmware package is now stored on the appliance, waiting to be applied to the HSM.
8.[Optional Step] Check that the desired firmware version is ready to apply (hsm firmware show).
lunash:>hsm firmware show
CAUTION! If you are using STC on the HSM Admin channel, disable it by running lunash:>hsm stc disable before you update the HSM firmware.
9.Update the firmware to the version currently stored on the appliance (hsm firmware upgrade).
lunash:>hsm firmware upgrade