Update Considerations

Before you install any of the updates, consider the following guidelines:

>Back up all important cryptographic material.

>Stop all client applications running cryptographic operations on the HSM.

>If you are using STC on the HSM Admin channel, disable it by running lunash:> hsm stc disable before you update the HSM firmware.

>Use an uninterruptible power supply (UPS) to power your HSM. There is a small chance that a power failure during an update could leave your HSM in an unrecoverable condition.

FIPS-Validated Firmware Versions

The following firmware versions are all FIPS-140-2 Level 3 certified per certificate #3205:

https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/3205

>Luna firmware v. 7.3.3 (recommended)

>Luna firmware v. 7.0.3 (factory-shipped version)

>Luna firmware v. 7.0.2 (see F5 note, below)

Valid Update Paths

The following table provides tested paths for updating to the current software/firmware versions.

| Component | Directly from version | To version |
|---|---|---|
| Luna HSM Client software | Any | 10.3.0 |
| Luna Network HSM appliance software | 7.0, 7.1, 7.2, 7.3, 7.4 | 7.7.0 |
| Luna HSM firmware | 7.0.1, 7.0.2, 7.0.3, 7.1.0, 7.2.0, 7.3.0, 7.3.3, 7.4.0, 7.4.1, 7.4.2 | 7.7.0 |
| Luna Backup HSM (G5) firmware | 6.10.9, 6.26.0, 6.27.0 | 6.28.0** |
| Luna Backup HSM (G7) firmware | 7.3.2 | N/A |
| Luna PED firmware | 2.6.0 (pre-Luna 7) | 2.7.1, 2.7.4 |
| | 2.7.1, 2.7.2, 2.7.3 | 2.7.4 |
| | 2.8.0 | 2.9.0 |

* Refer to Special Considerations for PED-Authenticated Luna HSMs before updating to firmware 7.3.3 or 7.4.2.

** Firmware 6.24.7 is the latest FIPS-validated version for the Luna Backup HSM (G5). FIPS validation might not be strictly necessary for a Backup HSM because it does not perform cryptographic operations with contained objects, but some audit checklists might not make that distinction.

Special Considerations for Updating to Firmware 7.7.0

The update to firmware 7.7.0 takes longer than a usual firmware update, because all existing application partitions are converted to V0, additional attributes are applied to existing keys, and memory and partition sizes are increased to accommodate the other changes. If you have a small number of keys, expect the firmware update to take at least 15 minutes. For large numbers of keys, the update and conversion could take as much as a few hours. Use independent uninterruptible power supplies and do not stop or restart the HSM during the update process.

Special Considerations for PED-Authenticated Luna HSMs

Refer to the following table for special firmware 7.3.3 and 7.4.2 update procedures for PED-authenticated HSMs. These procedures apply depending on what firmware version was used to create the application partitions. The install paths described in Valid Update Paths apply.

Luna HSM Client 10.2.0 or newer, or a patched version of Luna HSM Client 7.4.0, is required to make full use of firmware 7.4.2 capabilities. Refer to the Luna Network HSM Firmware 7.4.2 Luna HSM Client 7.4.0 Patch technical note for full patch installation instructions.

| Partition created in HSM at firmware version | Procedure |
|---|---|
| 7.0.3, 7.3.3 | Normal firmware update procedure (refer to HSM documentation) |
| 7.1.0, 7.2.0, 7.3.0, or 7.4.0 with HSM Policy 15 set to ON* | Normal firmware update procedure (refer to HSM documentation) - EXCEPT the Partition SO must reset the challenge secret(s) after the firmware update, so that partition objects become accessible again. |
| 7.1.0, 7.2.0, 7.3.0, 7.4.0, or 7.4.1 with HSM Policy 15 set to OFF* | 1. Before updating firmware, back up your partition contents. 2. Update your HSM to firmware version 7.3.3 or 7.4.2 (refer to Valid Update Paths). 3. Your existing partition is no longer accessible; re-initialize the existing partition. 4. Restore your partition objects from backup. |

* By default, HSM Policy 15 is OFF. Turning Policy 15 ON is destructive.
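
The decision table above, written out as a pre-update check that flags which partitions will be inaccessible after the update. This is an added example, not Thales code: the function names, partition labels and inventory tuples are assumptions for illustration, and only rules stated on this page are encoded.

```python
# Added example: encodes only rules stated on this page; all names are hypothetical.
DIRECT_TO_770 = {"7.0.1", "7.0.2", "7.0.3", "7.1.0", "7.2.0", "7.3.0",
                 "7.3.3", "7.4.0", "7.4.1", "7.4.2"}  # tested direct firmware paths
PED_TARGETS = {"7.3.3", "7.4.2"}   # targets that have PED special procedures
POLICY15_ON = {"7.1.0", "7.2.0", "7.3.0", "7.4.0"}
POLICY15_OFF = POLICY15_ON | {"7.4.1"}

def ped_partition_outcome(created_fw, policy15_on):
    """Classify one partition on a PED-authenticated HSM by the table above."""
    if created_fw in {"7.0.3", "7.3.3"}:
        return "normal", []
    if policy15_on and created_fw in POLICY15_ON:
        return "reset-challenge", ["Partition SO resets the challenge secret(s)"]
    if not policy15_on and created_fw in POLICY15_OFF:
        return "reinitialize", ["re-initialize the partition",
                                "restore partition objects from backup"]
    # e.g. 7.4.1 with Policy 15 ON is not listed: do not guess a procedure
    return "not-covered", []

def plan_update(current_fw, target_fw, ped_auth, partitions, stc_admin=False):
    """partitions: iterable of (label, created_fw, policy15_on) tuples."""
    plan = {"blockers": [],
            "pre": ["back up all important cryptographic material",
                    "stop client applications using the HSM"],
            "post": []}
    if stc_admin:
        plan["pre"].append("lunash:> hsm stc disable")
    if target_fw == "7.7.0" and current_fw not in DIRECT_TO_770:
        plan["blockers"].append(f"no tested direct path {current_fw} -> 7.7.0")
    if ped_auth and target_fw in PED_TARGETS:
        for label, created_fw, policy15_on in partitions:
            outcome, actions = ped_partition_outcome(created_fw, policy15_on)
            if outcome == "not-covered":
                plan["blockers"].append(f"{label}: combination not in the table")
            elif outcome == "reinitialize":
                plan["pre"].append(f"{label}: back up partition contents")
            plan["post"] += [f"{label}: {a}" for a in actions]
    return plan

if __name__ == "__main__":
    # Constructed inventory: three partitions on one PED-authenticated HSM.
    inventory = [("par-a", "7.0.3", False), ("par-b", "7.2.0", True),
                 ("par-c", "7.4.1", False)]
    for key, items in plan_update("7.3.0", "7.4.2", True, inventory, True).items():
        print(key, items)
```

Any entry under `blockers` means the update should not start until that item is resolved against the HSM documentation.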

Recommended Minimum Versions

Generally, Thales recommends that you always keep your HSM firmware, appliance software, and client software up to date, to benefit from the latest features and bug fixes. If regular updates are not possible or convenient, the following table lists the recommended minimum firmware and software versions for use with Luna 7 HSMs. If you are running an earlier version, Thales advises upgrading to the version(s) below (or later) to ensure that you have critical bug fixes and security updates.

  Luna HSM Client Appliance Software Luna HSM Firmware
Luna Network HSM 7 Minimum Recommended Configuration 7.2 7.2 7.2.0
7.0.3

NOTE   Customers who wish to use Luna 7 HSMs with F5 Network BIG-IP 13.1 appliances should follow F5 guidelines for Supported Luna client and HSM versions (https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/f5-safenet-hsm-version-interoperability-matrix.html). At the time of this release, F5’s supported versions for Luna 7 are Luna HSM Client 7.1 with appliance software 7.1 and firmware 7.0.2.