Converting pre-7.7.0 partitions to V0, or V0 partitions to V1

CAUTION! Be sure to back up any important keys and objects.

If your application partition is a member of an HA group...

... there are some additional considerations. See Updating Luna Network HSM HA Group Members to Luna 7.7.0 or Newer.  

If your application partitions have been using STC...

...(secure trusted channel) to secure the client-to-network-HSM-partition connection, see Updating Luna Network HSM with STC Partitions to 7.7.0 or Newer.

Guidelines and Tips when partitions are part of an HA group

Refer to General guidelines for updating or converting of HA member partitions

To convert from pre-7.7.0 to V0

If you have application partitions on your pre-firmware 7.7.0 HSM that you wish to convert to V0, do the following:

1. Update at least one client computer to Luna HSM Client version 10.3.0 or newer. The newer client works with both current and older HSM firmware and Network HSM appliance software. To update an existing client installation, uninstall it and then install the newer version; the configuration and certificate files are preserved.

2. In the case of a Luna Network HSM appliance, update the appliance software to version 7.7.0 or newer, following the steps at Updating the Luna Network HSM Appliance Software.

3. Update the HSM firmware. Either update to the ready version that accompanied the HSM software, or acquire from the Support Portal and install the latest 7.7.0-or-newer firmware that has been FIPS-validated (whichever is desired); see Updating the Luna HSM Firmware.

4. As part of the firmware update process from pre-7.7.0 firmware to 7.7.0 (or newer), any existing partitions are converted to V0, which adds key attributes where appropriate and increases the HSM memory and the partition size to accommodate the new overhead requirements.

To convert from V0 to V1

1. Have the chosen partition visible in lunacm.

2. Select that partition with the lunacm command slot set -slot <slot number>

3. [Optional] Show the current partition policy values and verify that policy 41 is set to version 0, with partition showpolicies

4. Log into the partition as the Partition Security Officer with role login -name po

5. Change the value of policy 41 to version 1, with partition changepolicy -policy 41 -value 1

To convert from V1 to V0

1. Back up any valuable keys or objects.

CAUTION! This operation, going from V1 back to V0, is destructive. All objects on the partition are destroyed, as well as the SMK(s). If any valuable objects were created and archived from a version one (V1) partition, then they must have been SKS-stored off the HSM, and the SMK that encrypted those objects must be preserved on a Backup HSM or in another partition (that remains at V1), if those objects might ever be needed in future.

If no valuable SKS blobs have been encrypted by the partition's current SMK, then there is no need for backup.

2. Have the chosen partition visible in lunacm.

3. Select that partition with the lunacm command slot set -slot <slot number>

4. [Optional] Show the current partition policy values and verify that policy 41 is set to version 1, with partition showpolicies

5. Log into the partition as the Partition Security Officer with role login -name po

6. Change the value of policy 41 to version 0, with partition changepolicy -policy 41 -value 0
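
A pre-flight check for the V0 to V1 and V1 to V0 procedures above, added here as an example and not part of the Luna documentation or tooling. It reads policy 41 from saved partition showpolicies text and returns the lunacm commands to type, refusing the destructive V1 to V0 direction until data loss is acknowledged. The function names, the data_loss_acknowledged parameter and the "<id>: <description> : <value>" line layout are assumptions, and the sample listing is constructed.

```python
import re

# Assumed layout of one "partition showpolicies" line: "<id>: <description> : <value>".
POLICY_LINE = re.compile(r"^\s*(\d+)\s*:\s*(.*?)\s*:\s*(\d+)\s*$")
PARTITION_VERSION_POLICY = 41  # policy number given on this page


class DestructiveConversion(Exception):
    """V1 -> V0 requested without acknowledging loss of objects and SMK(s)."""


def partition_version(showpolicies_text):
    """Return the value of policy 41, or None if the listing has no policy 41."""
    for line in showpolicies_text.splitlines():
        m = POLICY_LINE.match(line)
        if m and int(m.group(1)) == PARTITION_VERSION_POLICY:
            return int(m.group(3))
    return None


def plan_conversion(showpolicies_text, slot, target, data_loss_acknowledged=False):
    """Return the lunacm commands for the conversion, in the order the page gives."""
    if target not in (0, 1):
        raise ValueError("partition version must be 0 or 1")
    current = partition_version(showpolicies_text)
    if current is None:
        # Pre-7.7.0 partitions become V0 during the firmware update, not via policy 41.
        raise ValueError("policy 41 not listed; update firmware to 7.7.0 or newer first")
    if current == target:
        return []  # already at the requested version, nothing to change
    if current == 1 and target == 0 and not data_loss_acknowledged:
        # Going back to V0 destroys all partition objects and the SMK(s).
        raise DestructiveConversion(
            "preserve the SMK (or confirm no valuable SKS blobs exist) before V1 -> V0")
    return [
        f"slot set -slot {slot}",
        "role login -name po",
        f"partition changepolicy -policy 41 -value {target}",
    ]


# Constructed sample listing, not captured from a real HSM.
SAMPLE_V1 = """\
    0: Allow private key cloning : 1
    41: Partition version : 1
"""
```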