Luna 6/7 Mixed-Version HA Groups

HA groups containing both SafeNet Luna Network HSM 6 and 7 partitions are supported. This mixed-version configuration is useful for migrating keys to a new SafeNet Luna Network HSM 7, or to gradually upgrade your production environment from Luna 6 to Luna 7. Mixed-version HA groups have all the same requirements of standard HA groups (see Planning Your HA Group Deployment). Additional guidelines and considerations are described below:

>Supported Software/Firmware Versions

>Mismatched Partition Policies and FIPS Mode

>Mismatched Cryptographic Mechanisms

>Minimum Key Sizes

>SafeXcel 1746 Co-Processor

>RSA-186 Key Remapping for FIPS Compliance

>Performance Optimization

Supported Software/Firmware Versions

Thales supports HA groups made up of Luna 6 and 7 partitions using combinations of appliance software/firmware as outlined in the table below.

SafeNet Luna HSM Client Software Appliance Software HSM Firmware
7.2 or higher 7.0 or higher 7.0.1 or higher
6.2.1 or higher 6.10.9 or higher

Mismatched Partition Policies and FIPS Mode

Partitions in an HA group, and the HSMs on which they reside, must be configured with the same policy settings (see HSM and Partition Prerequisites). Luna 6 HSMs have certain policies that have been removed from Luna 7, and Luna 7 introduces some new policies.

Ensure that policies common to Luna 6/7 member partitions have the same settings, according to your deployment requirements (partition showpolicies).

lunacm:>partition showpolicies

CAUTION!   In particular, FIPS mode must be consistent across all HA member partitions.

Mismatched Cryptographic Mechanisms

Mixed-version HA groups are limited to functions that are common to all member partitions. Mechanisms are added to/removed from new SafeNet Luna Network HSM software/firmware releases, to provide new functionality and fix vulnerabilities. Operations assigned by load-balancing to a partition without the correct mechanism will fail. Keys created on one partition may fail to replicate to the other partitions in the group.

Ensure that your applications only use mechanisms that are available on all members of the mixed-version HA group. Use LunaCM to see a list of mechanisms available on each partition (partition showmechanism).

lunacm:>partitions showmechanism

Minimum Key Sizes

On both Luna 6 and Luna 7, minimum key sizes are enforced when using certain cryptographic algorithms. These minimum sizes may differ between versions. If a Luna 6 partition creates a key that is smaller than the minimum size required by Luna 7, the key will not be replicated to the Luna 7 partitions in the HA group. To avoid this, always generate keys according to the Luna 7 minimum size requirements.

NOTE   Minimum key sizes for many mechanisms are larger in FIPS mode.

Use LunaCM to check a mechanism's minimum key size (partition showmechanism). Always use the minimum for the newest firmware version in your HA group.

lunacm:>partition showmechanism -m <mechanism_ID>

SafeXcel 1746 Co-Processor

Luna 6 HSMs include the SafeXcel 1746 security co-processor, which is used to offload packet processing and cryptographic computations from the host processor. Applications using this co-processor are not compatible with mixed-version HA groups.

The co-processor is not enabled by default. If you have previously enabled it on your Luna 6 HSMs, you can disable it by editing the Chrystoki.conf/crystoki.ini configuration file as follows:

[Misc]
PE1746Enabled=0

RSA-186 Key Remapping for FIPS Compliance

Under FIPS 186-3/4, the only RSA methods permitted for generating keys are 186-3 with primes and 186-3 with aux primes. RSA PKCS and X9.31 key generation is not approved in a FIPS-compliant HSM. While Luna 6.10.9 firmware allows these older mechanisms, later firmware does not (and keys created using these mechanisms cannot be replicated to Luna 7 HSMs).

If you have older applications that use RSA PKCS and X9.31 key generation, you can remap these calls to use the newer, secure mechanisms. Add a line to the Chrystoki.conf/crystoki.ini configuration file as follows:

[Misc]
RSAKeyGenMechRemap=1

NOTE   This setting is intended for older applications that call outdated mechanisms, to redirect calls to FIPS-approved mechanisms. The ideal solution is to update your applications to call the approved mechanisms.

Performance Optimization

SafeNet Luna Network HSM 7 provides significant (10x) performance improvements over Luna 6 HSMs. In a mixed-version HA group, operations assigned to Luna 6 member partitions will take longer than those assigned to Luna 7 members. The HA logic does not compensate for these performance differences, and schedules operations on the partition with the shortest queue. Since Luna 7 partitions complete operations more quickly, they will naturally be assigned more operations, but a mixed-version HA group generally does not perform as well as an HA group made up entirely of Luna 7 partitions.

Thales recommends that you set a Luna 7 partition as the primary HA member (the first member specified when creating the HA group). All key generation takes place on the primary HA member, so this allows you to take advantage of the SafeNet Luna Network HSM's vastly improved performance for:

>key generation

>random number generation

The load-balancing logic is determined by the SafeNet Luna HSM Client software, so the Luna 7 behavior applies to mixed-version HA (see Load Balancing).

NOTE   The primary HA member may not remain the same over time. If the primary member fails, another member takes over all key generation operations. If you notice a significant drop in performance for key generation operations, it could mean that a Luna 6 partition has become the primary member.