Version Dependencies by Feature

Some of the Luna Network HSM functionality described in the documentation has been introduced in updates since the initial product release. For your own reasons, you may wish to apply some aspects of a product update and not others. For example:

>you may choose to update appliance or client software while keeping an earlier, FIPS-certified firmware version

>if you are maintaining a large number of client workstations, it may be cumbersome to apply software updates to all of them

The following table outlines the Luna Network HSM functions that depend on a certain software/firmware version, or have other requirements you must consider.

Function Minimum Version Requirements Notes

V0 and V1 partitions

>What are "pre-firmware 7.7.0", and V0, and V1 partitions?

Client: 10.3.0

Appliance: 7.7

Firmware: 7.7.0

This new cloning protocol is a necessary underpinning for some of the features that ensure eIDAS compatibility. It affects backup and restore operations, High Availability, Scalable Key Storage. Migration from earlier cloning-version HSMs is one-way V0/V1 HSMs/partitions can accept and decrypt older objects, but can encrypt and export only V0/V1 objects.

Scalable Key Storage

>Scalable Key Storage (SKS)

Client: 10.3.0

Appliance: 7.7

Firmware: 7.7.0

SKS allows off-boarding of objects and keys as encrypted blobs, for handling of much greater numbers of objects than can be contained within the HSM. With firmware 7.7.0, backup and restore and HA are implemented using SKS blobs, while the latest cloning protocol is used for replicating or archiving the SKS Master Key (that encrypts and decrypts the blobs).
Migration from the earlier version of SKS in firmware 6.xis supported, but the reverse direction is not.

Per-Key Authorization (PKA)

>Per-Key Authorization (PKA)

Client: 10.3.0

Appliance: 7.7

Firmware: 7.7.0

PKA meets a requirement of PP 419-221.5, and allows each key in a partition to have its own authorization and rules governing its use, including integration with a SAM. and sole control of keys. The resulting overhead increases the size of partition headers, affecting the size and number of objects that can be stored, which invokes new considerations for backup and restore.

Existing applications (with no PKA awareness) can still work if the new Client Cryptoki library is installed. Existing partitions become "backward compatible" when the HSM is upgraded to f/w 7.7.0. New partitions can be backward compatible or PP 419-221.5-compatible by setting an option at creation time.

Luna G7 Backup HSM Firmware 7.7.1

>Updating the Luna Backup HSM (G7) Firmware

>Rolling Back the Luna Backup HSM (G7) Firmware

Client: 10.3.0

Appliance: 7.7

The Luna G7 Backup HSM requires minimum firmware 7.7.1 to back up and restore Luna 7.7.x partitions, or to migrate keys from Luna HSMs using older firmware. You require, at minimum, Luna HSM Client 10.3.0 or Luna Network HSM appliance software 7.7.0 to upgrade the Luna G7 Backup HSM firmware. The Backup HSM firmware is included with the appliance software secure package, or it can be downloaded as a separate file from the Thales Customer Support Portal.

Appliance-Connected Luna G7 Backup HSM

>Initializing an Appliance-Connected Luna Backup HSM (G7)

>Backing Up to an Appliance-Connected Luna Backup HSM (G7)

>Restoring From an Appliance-Connected Luna Backup HSM (G7)

Appliance: 7.7 The Luna G7 Backup HSM can now be connected to one of the USB ports on the Luna Network HSM appliance and operated using LunaSH.

Updated Secure Trusted Channel

>Creating an STC Connection

>Converting Initialized NTLS Partitions to STC

Client: 10.3.0

Appliance: 7.7

Firmware: 7.7.0

Secure Trusted Channel (STC) connections have been updated for the Luna 7.7.0 release. Refer to Updating Luna Network HSM with STC Partitions to 7.7.0 or Newer for important instructions on updating your existing STC partitions.

Client and Appliance Certificates can be Signed by a Trusted Certificate Authority

>Creating an NTLS Connection Using Certificates Signed by a Trusted Certificate Authority

Client: 10.1.0

Appliance: 7.7

Prior to the release of appliance software version 7.7.0, only the client-side certificate could be signed by a third-party CA, using Luna HSM Client 10.1.0 or newer. See Creating an NTLS Connection Using a Self-Signed Appliance Certificate and a Client Certificate Signed by a Trusted Certificate Authority for that procedure.

Support for Multiple Trap Targets

>Configuring and Enabling Traps on Luna Network HSM

Appliance: 7.7

 

Support for 3GPP, SM2/SM4, and SHA-3 Cryptographic Algorithms

>3GPP Mechanisms for 5G Mobile Networks

>SM2/SM4 Mechanisms

>SHA-3 Mechanisms

Firmware: 7.4.2

Client: 10.2
(or patched 7.4)

Refer also to Firmware 7.4.2 Mechanisms for descriptions of the applicable mechanisms. Refer to the Luna HSM Firmware 7.4.2 Technical Note for installation instructions.

DPoD Luna Cloud HSM Support

>Adding a Luna Cloud HSM Service

Client: 10.1 Refer to Cloning Keys Between Luna 6, Luna 7, and Luna Cloud HSM for more information on using a Luna Cloud HSM service with Luna HSMs.

Remote PED Server Support on Linux Clients

>Remote PED Setup

Client: 10.1  

Client NTLS Certificates can be Signed by a Trusted Certificate Authority

>Creating an NTLS Connection Using a Self-Signed Appliance Certificate and a Client Certificate Signed by a Trusted Certificate Authority

Client: 10.1  

Luna Backup HSM (G7 model) Support

>Backup and Restore Using a Luna Backup HSM (G7)

Client: 10.1  

Functionality Modules

>Functionality Modules

>About the FM SDK Programming Guide

Hardware: FM-Ready

Firmware: 7.4.0

Appliance: 7.4

Client: 7.4

Refer to Preparing the Luna Network HSM to Use FMs for an overview of hardware/software/firmware requirements.

Manage Allowed Origin Domains for REST API

>webserver origin

Appliance: 7.4

 

Support for BIP32 Cryptographic Algorithms

>BIP32 Mechanism Support and Implementation

Firmware: 7.3.0

Client: 7.3.0

Refer also to Firmware 7.3.0 Mechanisms for descriptions of the applicable mechanisms.

Appliance Re-image

>Re-Imaging the Appliance to Factory Baseline

Firmware: 7.3.0

Appliance: 7.3

The Appliance Re-image feature is not supported on HSMs that use Functionality Modules. If you have ever enabled HSM policy 50: Allow Functionality Modules, even if the policy is currently disabled, you cannot re-image the HSM appliance. See FM Deployment Constraints for details.

Partition Utilization Metrics

>Partition Utilization Metrics

Firmware: 7.3.0

Appliance: 7.3

Client: 7.3

 

Improved Luna HSM Client

>Version-Compatible Luna HSM Client (Luna HSMs version 6.2.1 and higher)

>Cloning Keys Between Luna 6, Luna 7, and Luna Cloud HSM

>Modifying the Installed Windows Luna HSM Client Software

>User-Defined Luna HSM Client install paths

>Luna Minimal Client (for Linux)

Client: 7.2

>Luna HSM Client 10.1 or higher is required to use Luna partitions with DPoD Luna Cloud HSM services

>The PE1756Enabled setting on Luna 6.x HSMs is not supported for use with the Version-Compatible Luna HSM Client

>Minimum OS requirements for Luna HSM Client 7.2 must be met (Refer to the CRN for details)

>Minimal Client does not include tools, and is intended for customer application containers connecting to the Network HSM. A separate full Luna HSM Client installation and configuration must be performed on the container host (and the resulting config file and certificate folders saved on the host), to establish NTLS or STC connections for use by the containers.

Initialize the orange RPV key remotely

>Remote RPV Initialization

Appliance: 7.2

Client: 7.2

 

Configure Cipher Suites

>Setting TLS Ciphers

Appliance: 7.2

Client: 7.2

The Luna 7.2 appliance update includes the sysconf tls ciphers LunaSH commands, but you must update Luna HSM Client to use any of the newly-included ciphers. For older clients, the ciphers available for negotiation are those that are common to your client version and to the updated Network HSM.

Customize system logging by severity level

>Customizing Severity Levels

>Customizing Remote Logging Severity Levels

Appliance: 7.2

If you were using remote logging before you upgraded the appliance software to 7.2, you must delete any existing remote hosts (see syslog remotehost delete) and re-add them before you can customize severity levels.

Re-name/Re-label partitions

>partition rename

>partition changelabel

Firmware: 7.2.0

Appliance: 7.2

Client: 7.2

 
Crypto User can clone public objects Firmware: 7.2.0

The Crypto User (CU) role has always been able to create public objects, but not clone them. In HA mode, this would cause the replication and subsequent object creation operations to fail. Firmware 7.2.0 allows the CU to clone public objects, and therefore to perform operations on HA groups without Crypto Officer authentication.

Configure partition policies for export of private keys

>Configuring the Partition for Cloning or Export of Private Keys

Firmware: 7.1.0

You can configure partition policies for Cloning or Key Export Mode manually, as long as you have updated the HSM firmware. To set these modes using Policy Templates, you must meet the Policy Template requirements.

Policy Templates

>Setting HSM Policies Using a Template

>Setting Partition Policies Using a Template

Firmware: 7.1.0

Appliance: 7.1

Client: 7.1