Updating Luna Network HSM HA Group Members to Luna 7.7.0 or Newer
Luna HSM firmware 7.7.0 and newer includes changes to the Luna cloning protocol that HA groups use to duplicate cryptographic objects among their individual members. These changes make it impossible to support HA groups combining 7.7.0+ and older firmware versions (see Cloning Keys Between Luna 6, Luna 7, and Luna Cloud HSM). Therefore, all HSMs containing HA group members must be updated to firmware 7.7.0+ at the same time to allow the HA group to continue functioning normally. You can use the following procedures to update your Luna 7 HA group members with minimal service disruption.
CAUTION! If your HA group uses STC connections, refer to Updating Luna Network HSM with STC Partitions to 7.7.0 or Newer before continuing. The upgrade process for STC partitions is destructive of existing key material; you must back up your partitions and then restore them to the updated HA group as described in that procedure.
This procedure differs depending on whether you plan to upgrade your HA group to full eIDAS compliance using V1 partitions, or use V0 partitions to simply gain new features and bug fixes (see What are "pre-firmware 7.7.0", and V0, and V1 partitions?).
>Updating Luna Network HSM HA Group Members to Luna 7.7.0 + V1 Partitions
>Updating Luna Network HSM HA Group Members to Luna 7.7+ V0 partitions
Guidelines and Tips when partitions are part of an HA group
Refer to General guidelines for updating or converting of HA member partitions
Updating Luna Network HSM HA Group Members to Luna 7.7.0 + V1 Partitions
To convert your HA group members to V1 partitions, use the following procedure to ensure a minimal amount of application downtime. This procedure is performed by the HSM SO for each Luna Network HSM, the Partition SO and Crypto Officer for the HA group members, and requires admin-level access to the Luna Network HSM appliance.
To update Luna Network HSM HA group members to V1 partitions
1.[Optional] Back up the contents of the HA group members to a Luna Backup HSM capable of restoring objects to V1 partitions. Backup/restore should not be necessary as part of this procedure, but it is good practice in case of equipment failure.
•Backing Up to a Client-Connected Luna Backup HSM (G7)
•Backing Up to an Appliance-Connected Luna Backup HSM (G7)
•Backup/Restore Using a Client-Connected Luna Backup HSM (G5)
•Backup/Restore Using an Appliance-Connected Luna Backup HSM (G5)
NOTE Once you update the Luna HSM firmware to 7.7.0 or newer, you will require a Luna Backup HSM with minimum firmware version 7.7.1 (G7) or 6.28.0 (G5) to back up and restore partitions. You can use earlier firmware versions to migrate keys to 7.7.0+ partitions.
2.Using an SSH or serial connection, log in to one of the Luna Network HSM appliances containing an HA group member partition as admin (see Logging In to LunaSH) and turn off the NTLS service on the appliance.
lunash:> service stop ntls
3.Update the Luna Network HSM appliance software to 7.7.0 or newer (see Updating the Luna Network HSM Appliance Software).
4.Update the Luna Network HSM firmware (see Updating the Luna HSM Firmware).
5.Confirm that the NTLS service has resumed running on the appliance.
lunash:> service status ntls
6.Repeat steps 2-5 for each Luna Network HSM containing an HA group member.
7.On the client workstation that administers the HA group, stop all client applications.
8.Update the Luna HSM Client software to version 10.3.0 or newer (see Updating the Luna HSM Client Software).
9.[Optional] You may now restart your client applications, or wait until the end of the procedure.
10.Launch LunaCM and use the following procedure to convert each HA member partition to V1. To prevent the HA group serial number from changing and disrupting your client applications, the member originally used to create the group must be the last member still remaining in the group:
NOTE The member partition that has the same serial number as the HA group, minus the leading 1, is the original member.
a.Remove a member partition from the HA group (see Adding/Removing an HA Group Member).
lunacm:> hagroup removemember -group <label> {-slot <slotnum> | -serial <serialnum>}
b.Log in as Partition SO.
lunacm:> role login -name po
c.Convert the partition to V1 by changing partition policy 41: Partition Version.
lunacm:> partition changepolicy -policy 41 -value 1
d.Repeat steps a-c until only the original member remains in the HA group.
e.When only the original member remains in the group, log in as Partition SO and convert it to V1. This member's SMK will be the one used for the entire HA group (see Scalable Key Storage (SKS) for more information).
lunacm:> role login -name po
lunacm:> partition changepolicy -policy 41 -value 1
f.Add each V1 partition back to the HA group (see Adding/Removing an HA Group Member). The primary member's SMK is automatically cloned to each new member added to the HA group.
lunacm:> hagroup addmember -group <label> {-slot <slotnum> | -serial <serialnum>}
Updating Luna Network HSM HA Group Members to Luna 7.7+ V0 partitions
To update your HA group members to V0 partitions in Luna 7.7.0 or newer, use the following procedure to ensure a minimal amount of application downtime. This procedure is performed by the HSM SO for each Luna Network HSM, the Crypto Officer for the HA group members, and requires admin-level access to the Luna Network HSM appliance.
To update Luna Network HSM HA group members to V0 partitions
1.[Optional] Back up the contents of the HA group members to a Luna Backup HSM capable of restoring objects to Luna 7.7+ partitions.
•Backing Up to a Client-Connected Luna Backup HSM (G7)
•Backing Up to an Appliance-Connected Luna Backup HSM (G7)
•Backup/Restore Using a Client-Connected Luna Backup HSM (G5)
•Backup/Restore Using an Appliance-Connected Luna Backup HSM (G5)
NOTE Once you update the Luna HSM firmware to 7.7.0 or newer, you will require a Luna Backup HSM with minimum firmware version 7.7.1 (G7) or 6.28.0 (G5) to back up and restore partitions. You can use earlier firmware versions to migrate keys to 7.7.0+ partitions.
2.Using an SSH or serial connection, log in to one of the Luna Network HSM appliances containing an HA group member partition as admin (see Logging In to LunaSH) and turn off the NTLS service on the appliance.
lunash:> service stop ntls
3.Update the Luna Network HSM appliance software to 7.7.0 or newer (see Updating the Luna Network HSM Appliance Software).
4.Update the Luna Network HSM firmware (see Updating the Luna HSM Firmware).
5.Confirm that the NTLS service has resumed running on the appliance.
lunash:> service status ntls
6.Repeat steps 2-5 for each Luna Network HSM containing an HA group member.
7.[Optional] On the client workstation that administers the HA group, stop all client applications.
8.[Optional] Update the Luna HSM Client software to version 10.3.0 or newer (see Updating the Luna HSM Client Software).
9.[Optional] You may now restart your client applications.