Version Dependencies by Feature
Some of the Luna Network HSM functionality described in the documentation has been introduced in updates since the initial product release. For your own reasons, you may wish to apply some aspects of a product update and not others. For example:
- you may choose to update
- if you are maintaining a large number of client workstations, it may be cumbersome to apply software updates to all of them
The following table outlines the Luna Network HSM functions that depend on a certain software/firmware version, or have other requirements you must consider.
Function | Minimum Version Requirements | Notes |
---|---|---|
V0 and V1 partitions | Client: 10.3.0, Appliance: 7.7, Firmware: 7.7.0 | This new cloning protocol is a necessary underpinning for some of the features that ensure eIDAS compatibility. It affects backup and restore operations, High Availability, and Scalable Key Storage. Migration from earlier cloning-version HSMs is one-way: V0/V1 HSMs/partitions can accept and decrypt older objects, but can encrypt and export only V0/V1 objects. |
Scalable Key Storage | Client: 10.3.0, Appliance: 7.7, Firmware: 7.7.0 | SKS allows off-boarding of objects and keys as encrypted blobs, for handling of much greater numbers of objects than can be contained within the HSM. With firmware 7.7.0, backup and restore and HA are implemented using SKS blobs, while the latest cloning protocol is used for replicating or archiving the SKS Master Key (which encrypts and decrypts the blobs). Migration from the earlier version of SKS in firmware 6.x is supported, but the reverse direction is not. |
Per-Key Authorization (PKA) | Client: 10.3.0, Appliance: 7.7, Firmware: 7.7.0 | PKA meets a requirement of PP 419-221.5, and allows each key in a partition to have its own authorization and rules governing its use, including integration with a SAM and sole control of keys. The resulting overhead increases the size of partition headers, affecting the size and number of objects that can be stored, which invokes new considerations for backup and restore. Existing applications (with no PKA awareness) can still work if the new Client Cryptoki library is installed. Existing partitions become "backward compatible" when the HSM is upgraded to firmware 7.7.0. New partitions can be backward compatible or PP 419-221.5-compatible by setting an option at creation time. |
Luna G7 Backup HSM Firmware 7.7.1 | Client: 10.3.0, Appliance: 7.7 | The Luna G7 Backup HSM requires minimum firmware 7.7.1 to back up and restore Luna 7.7.x partitions, or to migrate keys from Luna HSMs using older firmware. You require, at minimum, Luna HSM Client 10.3.0. |
Appliance-Connected Luna G7 Backup HSM: Initializing an Appliance-Connected Luna Backup HSM (G7) | Appliance: 7.7 | The Luna G7 Backup HSM can now be connected to one of the USB ports on the Luna Network HSM appliance and operated using LunaSH. |
Updated Secure Trusted Channel | Client: 10.3.0, Appliance: 7.7, Firmware: 7.7.0 | Secure Trusted Channel (STC) connections have been updated for the Luna 7.7.0 release. Refer to Updating Luna Network HSM with STC Partitions to 7.7.0 or Newer for important instructions on updating your existing STC partitions. |
Client and Appliance Certificates can be Signed by a Trusted Certificate Authority: Creating an NTLS Connection Using Certificates Signed by a Trusted Certificate Authority | Client: 10.1.0, Appliance: 7.7 | Prior to the release of appliance software version 7.7.0, only the client-side certificate could be signed by a third-party CA, using Luna HSM Client 10.1.0 or newer. See Creating an NTLS Connection Using a Self-Signed Appliance Certificate and a Client Certificate Signed by a Trusted Certificate Authority for that procedure. |
Support for Multiple Trap Targets | Appliance: 7.7 | |
Support for 3GPP, SM2/SM4, and SHA-3 Cryptographic Algorithms | Firmware: 7.4.2, Client: 10.2 | Refer also to Firmware 7.4.2 Mechanisms for descriptions of the applicable mechanisms. Refer to the Luna HSM Firmware 7.4.2 Technical Note for installation instructions. |
DPoD Luna Cloud HSM Support | Client: 10.1 | Refer to Cloning Keys Between Luna 6, Luna 7, and Luna Cloud HSM for more information on using a Luna Cloud HSM service with Luna HSMs. |
Remote PED Server Support on Linux Clients | Client: 10.1 | |
Client NTLS Certificates can be Signed by a Trusted Certificate Authority | Client: 10.1 | |
Luna Backup HSM (G7 model) Support | Client: 10.1 | |
Functionality Modules | Hardware: FM-Ready, Firmware: 7.4.0, Appliance: 7.4, Client: 7.4 | Refer to Preparing the Luna Network HSM to Use FMs for an overview of hardware/software/firmware requirements. |
Manage Allowed Origin Domains for REST API | Appliance: 7.4 | |
Support for BIP32 Cryptographic Algorithms | Firmware: 7.3.0, Client: 7.3.0 | Refer also to Firmware 7.3.0 Mechanisms for descriptions of the applicable mechanisms. |
Appliance Re-image | Firmware: 7.3.0, Appliance: 7.3 | The Appliance Re-image feature is not supported on HSMs that use Functionality Modules. If you have ever enabled HSM policy 50: Allow Functionality Modules, even if the policy is currently disabled, you cannot re-image the HSM appliance. See FM Deployment Constraints for details. |
Partition Utilization Metrics | Firmware: 7.3.0, Appliance: 7.3, Client: 7.3 | |
Improved Luna HSM Client: Version-Compatible Luna HSM Client (Luna HSMs version 6.2.1 and higher); Cloning Keys Between Luna 6, Luna 7, and Luna Cloud HSM; Modifying the Installed Windows Luna HSM Client Software; User-Defined Luna HSM Client install paths; Luna Minimal Client (for Linux) | Client: 7.2 | Luna HSM Client 10.1 or higher is required to use Luna partitions with DPoD Luna Cloud HSM services. The PE1756Enabled setting on Luna 6.x HSMs is not supported for use with the Version-Compatible Luna HSM Client. Minimum OS requirements for Luna HSM Client 7.2 must be met (refer to the CRN for details). Minimal Client does not include tools, and is intended for customer application containers connecting to the Network HSM. A separate full Luna HSM Client installation and configuration must be performed on the container host (and the resulting config file and certificate folders saved on the host), to establish NTLS or STC connections for use by the containers. |
Initialize the orange RPV key remotely | Appliance: 7.2, Client: 7.2 | |
Configure Cipher Suites | Appliance: 7.2, Client: 7.2 | The Luna 7.2 appliance update includes the `sysconf tls ciphers` LunaSH commands, but you must update Luna HSM Client to use any of the newly included ciphers. For older clients, the ciphers available for negotiation are those that are common to your client version and to the updated Network HSM. |
Customize system logging by severity level | Appliance: 7.2 | If you were using remote logging before you upgraded the appliance software to 7.2, you must delete any existing remote hosts (see `syslog remotehost delete`) and re-add them before you can customize severity levels. |
 | Firmware: 7.2.0, Appliance: 7.2, Client: 7.2 | |
Crypto User can clone public objects | Firmware: 7.2.0 | The Crypto User (CU) role has always been able to create public objects, but not clone them. In HA mode, this would cause the replication and subsequent object creation operations to fail. Firmware 7.2.0 allows the CU to clone public objects, and therefore to perform operations on HA groups without Crypto Officer authentication. |
Configure partition policies for export of private keys: Configuring the Partition for Cloning or Export of Private Keys | Firmware: 7.1.0 | You can configure partition policies for Cloning or Key Export Mode manually, as long as you have updated the HSM firmware. To set these modes using Policy Templates, you must meet the Policy Template requirements. |
Policy Templates | Firmware: 7.1.0, Appliance: 7.1, Client: 7.1 |