Updates and Upgrades

Thales releases periodic updates to the SafeNet Luna Network HSM appliance software and the HSM firmware, as well as updated versions of the SafeNet Luna HSM Client software. If you have recently purchased a new SafeNet Luna Network HSM and your organization requires FIPS certification, you can download and install a FIPS-validated version of the HSM firmware. You can download these updates as they become available from the Thales Customer Support Portal: https://supportportal.gemalto.com.

Depending on the model of SafeNet Luna Network HSM you selected at time of purchase, you may also be able to purchase upgrades to the HSM's capabilities, or increase the number of partitions you can create. These upgrades are provided through the Thales Licensing Portal (GLP).

The following chapter provides tested update paths and procedures for installing update packages, as well as a list of the version dependencies for certain features. It contains the following sections:

>Update Considerations

>Version Dependencies by Feature

>Updating the SafeNet Luna HSM Client

>Updating the SafeNet Luna Network HSM Appliance Software

>Updating the SafeNet Luna HSM Firmware

>Updating the SafeNet Luna Backup HSM Firmware

>Rolling Back the SafeNet Luna HSM Firmware

>Upgrading HSM Capabilities and Partition Licenses

Update Considerations

Before you install any of the updates, consider the following guidelines:

>Back up all important cryptographic material.

>Stop all client applications running cryptographic operations on the HSM.

>If you are using STC on the HSM Admin channel, disable it by running lunash:>hsm stc disable before you update the HSM firmware.

>Use an uninterruptible power supply (UPS) to power your HSM. There is a small chance that a power failure during an update could leave your HSM in an unrecoverable condition.

Valid Update Paths

The following table provides tested paths for updating to the current software/firmware versions.

Component Directly from version To version
SafeNet Luna HSM Client software Any 7.3
SafeNet Luna Network HSM appliance software 7.0, 7.1 7.2
7.2 7.3
SafeNet Luna HSM firmware 7.0.1, 7.0.2 7.0.3, 7.2.0
7.1.0 7.2.0
7.0.3, 7.2.0 7.3.0
SafeNet Backup HSM firmware 6.10.9, 6.26.0 6.27.0
SafeNet Luna PED firmware 2.7.1 N/A
2.8.0 N/A

FIPS-Validated Firmware Versions

The following firmware versions are all FIPS-140-2 Level 3 certified per certificate #3205:

https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/3205

>Luna firmware v. 7.0.3 (recommended)

>Luna firmware v. 7.0.2 (see F5 note, below)

>Luna firmware v. 7.0.1

Recommended Minimum Versions

Generally, Thales recommends that you always keep your HSM firmware, appliance software, and client software up to date, to benefit from the latest features and bug fixes. If regular updates are not possible or convenient, the following table lists the recommended minimum firmware and software versions for use with SafeNet Luna 7 HSMs. If you are running an earlier version, Thales advises upgrading to the version(s) below (or later) to ensure that you have critical bug fixes and security updates.

  Luna HSM Client Appliance Software Luna HSM Firmware
SafeNet Luna Network HSM 7 Minimum Recommended Configuration 7.2 7.2 7.2.0
7.0.3

NOTE   Customers who wish to use Luna 7 HSMs with F5 Network BIG-IP 13.1 appliances should follow F5 guidelines for Supported SafeNet client and HSM versions (https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/f5-safenet-hsm-version-interoperability-matrix.html). At the time of this release, F5’s supported versions for Luna 7 are Luna HSM Client 7.1 with appliance software 7.1 and firmware 7.0.2.