Moving from Pre-7.7.0 to Firmware 7.7.0 or Newer

One of the major changes with firmware 7.7.0 (or newer) and V1 partitions is PP 419-221.5 compliance and the addition of key object attributes that support Per-Key Authentication.

Any relevant key objects created in a V1 partition are automatically assigned the CKA_AUTH_DATA attribute. However:

>the default partition format at partition creation time, in firmware 7.7.0 (or newer) HSMs is V0, which does not immediately provide per-key authentication data or attributes;   

>V0 is also the partition version to which any pre-firmware-7.7.0 partitions are automatically converted when HSM firmware is updated to version 7.7;

>V0 partitions can receive key objects from partitions on other HSMs (7.x-pre-7.7.0 HSMs, as well as 5.x and 6.x HSMs), and these come into the partition without auth data.

In a historic Luna HSM context, no auth data is needed, and non-visible auth-data (after firmware update or migration of keys) is irrelevant to the existing application or end user. The only noticeable changes, when remaining in the Luna context, for firmware 7.7.0 (or newer) partitions are:

>the increased size of objects to allow for authentication data, and

>the increased memory allotted to allow any objects that fit an earlier HSM/partition to likewise fit an updated partition.


In the eIDAS use case (such as Remote Signing and Sealing), specific authentication data is required; therefore, an explicit call to CA_SetAuthorizationData() should be made for such key objects, so that keys can be assigned.

Various paths are possible to get existing objects from a partition on another HSM to a firmware 7.7.0 (or newer) partition.

If you have no need for PP 419-221.5 or eIDAS compliance or for SKS or PKA functionality, yet still have use for another aspect of firmware 7.7.0 (or newer), then:

>existing 7.x HSMs can have their firmware updated, and existing partitions become V0 partitions with all that implies (see What are "pre-firmware 7.7.0", and V0, and V1 partitions?)

>key objects on existing 6.x and 5.x HSM partitions can be transferred to partitions on 7.x HSMs at pre-7.7.0 firmware

NOTE: If you are attempting to migrate an SKS Master Key (SMK) from a 5.x or 6.x partition to Luna 7.7.0+ via a backup/restore procedure, Thales recommends one of the following:

>Back up your SMK(s) to a Luna Backup HSM (G5) with firmware 6.25.0 to 6.25.9, to ensure compatibility with your older (6.x) client version.

>If you have already updated the Backup HSM to a firmware version newer than 6.25.9, update Luna HSM Client to minimum version 10.3.0 before attempting the backup.

Once you have migrated your keys to Luna 7.7.0+ partitions, you require minimum Luna Backup HSM firmware 6.28.0 (G5) or 7.7.1 (G7) to do future backup/restore operations.

If you do require PP 419-221.5 or eIDAS compliance, then you will need to use V1 partitions on firmware 7.7.0 (or newer) HSMs.

Your objects from older partitions or HSMs can be:

>already existing in a firmware 7.x (less than version 7.7) HSM that you update, causing the containing partition to become V0, and then you convert that partition, with your objects, to V1, or

>imported from a pre-7.x HSM (5.x or 6.x) into a version zero (V0) partition on the firmware 7.7.0 (or newer) HSM, just as you would any object, and the V0 partition with the imported objects is then converted to a V1 partition (a one-way operation), or

>cloned, unwrapped, or legacy-SKS-inserted, directly to a V1 partition (i.e., SIMinsert) - note that cloning in such a case is a one-way operation; V1 partitions perform outbound cloning only for SMKs
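
The path choice and the Backup HSM version requirements above can be checked before any keys are moved. The following Python is an added example, not Thales code: the function names `plan_path` and `smk_backup_problems` are hypothetical, versions are assumed to be plain dotted numbers typed in by the operator, and only the update/import-then-convert paths are modelled (not direct cloning, unwrapping or SIMinsert to V1).

```python
# Added example (not Thales code): pre-flight checks built from this page's rules.
# Versions are operator-supplied dotted numbers; no HSM is queried.

def ver(s):
    """'7.7' -> (7, 7, 0): pad to three parts so versions compare numerically."""
    parts = [int(p) for p in s.split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def plan_path(source_fw, need_v1):
    """Ordered steps the page gives for moving objects off a pre-7.7.0 source."""
    v = ver(source_fw)
    if v >= (7, 7, 0) or v[0] not in (5, 6, 7):
        raise ValueError("page covers 5.x, 6.x and pre-7.7.0 7.x sources only")
    if v[0] == 7:
        steps = ["update HSM firmware to 7.7.0+ (partitions become V0)"]
    elif need_v1:
        steps = ["import objects into a V0 partition on a 7.7.0+ HSM"]
    else:
        return ["transfer objects to a partition on a 7.x HSM at pre-7.7.0 firmware"]
    if need_v1:
        steps.append("convert the V0 partition to V1 (one-way)")
    return steps

def smk_backup_problems(model, backup_fw, client_ver, migrated):
    """Problems with a Backup HSM / client pairing; an empty list means it fits.
    migrated=False: SMK is still being moved off a 5.x/6.x partition.
    migrated=True: keys already live on Luna 7.7.0+ partitions."""
    fw, client = ver(backup_fw), ver(client_ver)
    if migrated:
        minimum = {"G5": (6, 28, 0), "G7": (7, 7, 1)}.get(model)
        if minimum is None:
            return [f"unknown Backup HSM model {model!r}"]
        need = ".".join(map(str, minimum))
        return [] if fw >= minimum else [f"{model} Backup HSM needs firmware {need}+"]
    if model != "G5":
        return ["the NOTE covers SMK migration through a Backup HSM (G5) only"]
    if fw < (6, 25, 0):
        return ["Backup HSM firmware below 6.25.0 is not covered by the NOTE"]
    if fw > (6, 25, 9) and client < (10, 3, 0):
        return ["firmware newer than 6.25.9: update Luna HSM Client to 10.3.0+"]
    return []

if __name__ == "__main__":
    # Constructed sample: 6.x source, V1 required, G5 already past 6.25.9.
    print(plan_path("6.24.7", need_v1=True))
    print(smk_backup_problems("G5", "6.27.0", "10.2.0", migrated=False))
```
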

Guidelines and Tips when partitions are part of an HA group

Refer to General guidelines for updating or converting of HA member partitions