Advisory Notes
This section highlights important issues you should be aware of before deploying various releases.
7.7
CentOS 8 throws errors if install directory is not default
Installing Luna Client software on CentOS 8 can result in error messages being logged for the pedclient service, if the chosen install directory is not the default /usr. This can be prevented by setting SELinux to permissive mode, before installing.
Lunash sysconf snmp trap set command now defaults to "inform"
Previously, the sysconf snmp trap set -traptype command defaulted to "trap". This changed with release 7.7, which adds the option "inform" and makes it the new default. If you have any scripts that relied on the previous default, adjust them to set -traptype explicitly.
Change in network routing default needs precautions when updating
A change to network routing when updating to Network HSM appliance version 7.7.0 or newer, from any prior 7.x version, can cause your appliance to become unreachable via network connection. Older appliance versions permitted the existence of multiple default routes. Beginning with appliance version 7.7.0, only one instance of the default route can exist.
Options for a successful update with minimal disruption are:
• Remove all but one instance of the ‘default route’, using the network route delete command, before upgrading from any pre-7.7.0 appliance software version.
OR
• Connect locally via serial cable to perform the update, so your access to the network appliance is not lost when the network connection becomes temporarily unavailable (pending proper network configuration).
Note also that if you reimage, going back to a pre-7.7.0 version, the routing table goes back to the old format and you must apply one of the above precautions again, to update.
Luna HSM Firmware 7.4.1 is No Longer Available
Luna HSM firmware 7.4.1 is no longer available for download from the Thales Customer Portal. Thales recommends that all customers using HSM firmware version 7.4.1 update to 7.4.2 or higher.
Luna HSM Client 7.5 is No Longer Available
Luna HSM Client 7.5 is no longer available for download from the Thales Customer Portal. Thales strongly recommends that all customers using version 7.5 update their client software to 10.1 or higher.
Older JAVA Versions No Longer Supported
The .jar files included with Luna HSM Client 10.1 and newer have been updated with a new certificate, signed by the Oracle JCE root certificate. This certificate validation requires a minimum Oracle JDK/JRE version. Also note that IBM JDK/JCE does not recognize/validate 3rd-party JCE root certificates, and IBM has confirmed that their JDK 6/7/8 will not load 3rd-party JCE provider .jar files.
>If your application relies on Oracle Java 7 or 8, you must update to the advanced version provided by Oracle. You require (at minimum) version 7u131 or 8u121. Please refer to Oracle's website for more information: https://www.oracle.com/technetwork/java/java-se-support-roadmap.html
>If your application relies on IBM Java 7 or 8, do not update to Luna HSM Client 10.1. If you want to update your client software, consider adopting OpenJDK or another supported Java version (see Advisory Notes).
"CKR_MECHANISM_INVALID" Messages in Mixed DPoD Implementations
When using DPoD with Luna HSM Client, you might encounter errors like "CKR_MECHANISM_INVALID" or "Error NCryptFinalizeKey" during some operations in Hybrid HA and FIPS mode (3DES Issue). This can occur if firmware versions differ between a Luna Network HSM partition and a DPoD service in an HA group when you invoke a mechanism that is supported on one but not the other. Similarly, if one member is in FIPS mode, while the other is not, a mechanism might be requested that is allowed for one member, but not the other. For example, the ms2luna tool can fail when 3DES operations are invoked.
<CKR_CONTAINER_OBJECT_STORAGE_FULL> Error When Backing Up Release 5.x or 6.x Partitions to a G7-based Backup HSM
When using the G7-based Backup HSM to back up objects from partitions hosted on HSMs running older firmware, differences in the size of the metadata associated with the objects may cause the backup partition to become full before all of the objects are backed up, resulting in the following error message:
<CKR_CONTAINER_OBJECT_STORAGE_FULL>
If you receive this message when backing up a user partition, you can use the LunaCM partition resize command to resize the backup partition so that it has enough space to accommodate the remaining objects, then use the partition archive backup command with the -append option to add the skipped objects to the backup.
Install Luna Network HSM BIOS/BMC Patch Before Updating to Luna 7.3.3
Thales recommends installing the Luna Network HSM BIOS/BMC Patch (KB0019562) before upgrading to Luna Network HSM appliance software 7.3.3.
Luna 7.3.x Appliance Software Does Not Support 10G Optical Ethernet
The Luna Network HSM with 10G optical ethernet capability is not supported by the Luna 7.3.x appliance software. If you have a 10G-ready appliance, update appliance software to version 7.4 or higher only.
CAUTION! Do not update the 10G appliance to Luna 7.3.x.
The port mapping will revert to the 1G configuration and you will lose 10G support. The appliance might require RMA to fix the port mapping.
Resolved Issue LUNA-7585: Java DERIVE and EXTRACT flag settings for keys injected into the HSM
Formerly, the DERIVE and EXTRACT flags were forced to "true" in the JNI, which overrode any values passed by applications via Java. This is resolved in the Luna 7.3 release.
As of release 7.3:
>The default values for the DERIVE and EXTRACT flags are set to "false" (were set to “true” in previous releases).
>JNI accepts and preserves values set by applications via the following Java calls:
LunaSlotManager.getInstance().setSecretKeysDerivable( true );
LunaSlotManager.getInstance().setPrivateKeysDerivable( true );
LunaSlotManager.getInstance().setSecretKeysExtractable( true );
LunaSlotManager.getInstance().setPrivateKeysExtractable( true );
NOTE If you have existing code that relies on the DERIVE and EXTRACT flags being automatically defined by the JNI for new keys, you will need to modify your application code to set the flag values correctly.
In cases where a derived key must be extractable, add the following line to the java.security file:
com.safenetinc.luna.provider.createExtractablePrivateKeys=true
NTP Server May Take Slightly Longer to Connect/Disconnect After Updating to Luna 7.3.x or later
If you are using NTP, then after you update to Luna 7.3.x you might find that the Luna Network HSM appliance takes longer to synchronize with the NTP server.
To reduce the synchronization time, specify the -iburst option when adding an NTP server:
lunash:> sysconf ntp addserver <hostname/IP> -iburst
This causes the server to more rapidly synchronize when first connecting/reconnecting.
Resolved Issue LKX-3338
Thales Group has identified an issue with asymmetric digest-and-sign and digest-and-verify mechanisms when the data length exceeds 64KB, for all SHAxxx_RSA_xxx, SHAxxx_DSA and SHAxxx_ECDSA mechanisms.
Please note:
>Simple (i.e. not combined with digest) RSA/ECDSA/DSA sign/verify operations are NOT affected, and work as expected for all HSM models.
>This issue only affects HSMs with standard- and enterprise-level performance (*700 and *750 models). Maximum-performance (*790) models are not affected.
This issue is resolved in both firmware 7.2.0 and 7.0.3.
Thales strongly recommends that you update to firmware 7.2.0 or later, or firmware 7.0.3, to avoid this issue in the future.
CKA_EXTRACTABLE=FALSE on New Private Keys
Using Luna HSM firmware 7.1.0 or newer, private keys now have their CKA_EXTRACTABLE attribute set to FALSE by default when they are created. Your applications must specify a value of 1 (TRUE) for this attribute on private keys you wish to wrap and export in Key Export mode.
A patch for the Luna Java Provider (LunaProvider) on 32-bit and 64-bit Linux client systems is available from the Thales Customer Support Portal (DOW0002629).
Resolved Issues LKX-2832/LUNA-956: CKA_EXTRACTABLE Default Setting
Formerly, the CKA_EXTRACTABLE attribute on new, unwrapped, and derived keys was incorrectly set to TRUE by default. This was resolved in Luna HSM firmware 7.0.2 and higher. In firmware 7.0.2 and higher, the CKA_EXTRACTABLE attribute on new, unwrapped, and derived keys is set to FALSE by default.
NOTE If you have existing code or applications that expect keys to be extractable by default, you must modify them to explicitly set the CKA_EXTRACTABLE attribute value to TRUE.
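An added check, not Thales code and not using the Luna SDK (the PKCS#11 types and constants are declared locally with their standard values), that computes the CKA_EXTRACTABLE a key would receive from a generation template under the pre-7.0.2 default (TRUE) and the 7.0.2/7.1.0-and-later default (FALSE), and flags templates that silently depend on that default:

```c
#include <stdbool.h>
#include <stddef.h>

/* Minimal PKCS#11 types and constants, declared here with their standard
 * values so the example compiles without pkcs11.h or the Luna SDK. */
typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_ATTRIBUTE_TYPE;
typedef unsigned char CK_BBOOL;
typedef struct { CK_ATTRIBUTE_TYPE type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
#define CK_TRUE  1
#define CK_FALSE 0
#define CKA_TOKEN       0x00000001UL
#define CKA_PRIVATE     0x00000002UL
#define CKA_DECRYPT     0x00000105UL
#define CKA_SIGN        0x00000108UL
#define CKA_EXTRACTABLE 0x00000162UL

/* Returns the CKA_EXTRACTABLE value a key created from this template gets:
 * the explicit value if the template carries one, otherwise the firmware
 * default (CK_TRUE before 7.0.2, CK_FALSE from 7.0.2 / 7.1.0 onward). */
CK_BBOOL effective_extractable(const CK_ATTRIBUTE *tmpl, CK_ULONG count, CK_BBOOL fw_default)
{
    for (CK_ULONG i = 0; i < count; i++) {
        if (tmpl[i].type == CKA_EXTRACTABLE && tmpl[i].ulValueLen == sizeof(CK_BBOOL))
            return *(const CK_BBOOL *)tmpl[i].pValue;
    }
    return fw_default;
}

/* A template that never states CKA_EXTRACTABLE produces keys whose
 * wrappability flips with the firmware default, so it must be migrated. */
bool template_needs_migration(const CK_ATTRIBUTE *tmpl, CK_ULONG count)
{
    return effective_extractable(tmpl, count, CK_TRUE) !=
           effective_extractable(tmpl, count, CK_FALSE);
}

/* Constructed sample: a private-key template for Key Export mode, where the
 * key must be wrappable, so CKA_EXTRACTABLE=TRUE is stated explicitly.
 * The first four attributes alone are the legacy form that relied on the
 * old default; pass (exportable_priv_tmpl_len - 1) to evaluate that form. */
static CK_BBOOL bTrue = CK_TRUE;
CK_ATTRIBUTE exportable_priv_tmpl[] = {
    { CKA_TOKEN,       &bTrue, sizeof(bTrue) },
    { CKA_PRIVATE,     &bTrue, sizeof(bTrue) },
    { CKA_SIGN,        &bTrue, sizeof(bTrue) },
    { CKA_DECRYPT,     &bTrue, sizeof(bTrue) },
    { CKA_EXTRACTABLE, &bTrue, sizeof(bTrue) },
};
CK_ULONG exportable_priv_tmpl_len = sizeof(exportable_priv_tmpl) / sizeof(exportable_priv_tmpl[0]);
```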
STC over IPv6 is Unavailable
STC client-partition links are not available over an IPv6 network.
PED Firmware Upgrade Needed for Luna 6 PEDs
If you have older PEDs that you intend to use with Luna HSM 7.0 or later, you must upgrade to firmware 2.7.1 (or newer). The upgrade and accompanying documentation (007-012337-003_PED_upgrade_2-7-1-5.pdf) are available from the Thales Support Portal.
New USB-powered PED
Thales is pleased to announce the availability of Luna HSM PIN Entry Device (PED) v2.8. The v2.8 PED contains new hardware that enables the PED to be USB-powered; there is no longer a requirement for an external DC power adapter. PED v2.8 is functionally equivalent to your existing (pre-generation) PEDs and is compatible with HSM versions 5.x, 6.x, and 7.x.
PED v2.8 ships with firmware 2.8.0. Note that you cannot upgrade older PEDs to the 2.8.0 version; they require a separate DC power adapter for remote PED and upgrade use. The model number on the manufacturer's label identifies the refreshed PED: PED-06-0001.
To use the new USB-powered PED
1. Ensure the Luna HSM Client software is installed on the Windows computer that will act as the PED Server to your Luna HSM. Installing the Remote PED component of the Luna HSM Client installs the required driver.
2. Connect the PED to the computer where you installed the Remote PED component of the Luna HSM Client, using the USB micro connector on the PED and a USB socket on your computer.
3. After you connect the PED to the host computer, it will take 30 to 60 seconds for initial boot-up, during which time a series of messages are displayed, as listed below:
BOOT V.1.1.0-1
CORE V.3.0.0-1
Loading PED...
Entering...
4. After the boot process is complete, the PED displays Local PED mode and the Awaiting command... prompt. Your new PED is now ready for use.
5. To enter Remote PED mode, if needed, exit Local PED mode with the < key, and from the Select Mode menu, select option 7 Remote PED.
Remote Backup Over IPv6 is Unavailable
Network connections from the Luna HSM Client to a Remote Backup Server must use IPv4.
NOTE Network connections from the client to the HSMs you want to backup using RBS can use IPv6. Only the connection from the client to the RBS server requires IPv4.
Luna Backup HSM Firmware Upgrade 6.26.0 Limitations
You can apply firmware upgrade 6.26.0 to your existing Luna Backup HSMs to increase their backup storage capacity from 15.5 MB to 32 MB. This allows you to fully back up a Luna HSM 7 partition that takes advantage of the increased key storage capacity offered in this release.
Before upgrading your Luna Backup HSMs to firmware 6.26.0, consider the following limitations:
>If you upgrade your Backup HSM to FW 6.26.0, it is no longer compatible with previous releases of Luna HSM.
>If you are migrating from previous releases to Luna HSM 7.7.0, we recommend that you do not upgrade to firmware 6.26.0. Note, however, that your backups will be limited to 15.5 MB. Therefore, if the objects in the partition you want to back up consume more than 15.5 MB, you will need to split the backup into two separate operations.
>If you are using only Luna HSM 7, we recommend that you upgrade your Luna Backup HSMs to firmware 6.26.0.
HSM Logs Sent to Messages Log
The hsm.log file is deprecated and has been removed from this release. The HSM logs are now sent to the messages log.
NOTE Although it is ignored, the hsm option appears in the syntax for some syslog commands (such as syslog tail -logfiles).
Deprecated and Discontinued Features
The following features are deprecated or discontinued in Luna 7. If you have been using any of these Luna 5/6 features, plan for a new configuration and workflow that does not make use of the feature:
>Host trust links (HTL)
>NTLS keys in hardware
>PKI bundle
>Small form factor (SFF) backup
>Watchdog, CPU Governor
>Time drift correction