Advisory Notes
This section highlights important issues you should be aware of before deploying various releases.
7.7.0
Multi-factor (PED)-Authenticated HSMs with Firmware 7.7.0 (and newer)
HSM 7.7.0 and associated PEDs introduce new communications security protocols for compliance with evolving standards.
Updated HSMs need updated PEDs
An HSM at firmware 7.7.0 or newer requires connection with a PED that has f/w 2.7.4 (old PED series with power block) or f/w 2.9.0 (newer PED series with USB power).
Two PED-firmware update packages are available. Old-series PEDs (f/w 2.6.x through 2.7.2) have an upgrade path to PED f/w version 2.7.4.
New-series PEDs (f/w 2.8.x) have an upgrade path to PED f/w version 2.9.0.
When an HSM is at f/w version 7.7.0 or newer, it verifies that any connecting PED is at PED f/w 2.7.4 or 2.9.0, respectively, or the HSM refuses the connection and issues an error (LUNA_RET_PED_UNSUPPORTED_PROTOCOL).
Earlier version HSMs function with updated PEDs
A PED at f/w version 2.7.4 (older-series powered by power-block) or 2.9.0 (newer-series USB-powered) is able to work with updated HSMs and with older HSMs.
The result is that an updated PED can function with older HSMs (HSM f/w 5.x and 6.x) that will not be updated with the new PED communication protocols, or with earlier f/w 7.x HSMs that have yet to be updated for compliance with current eIDAS/Common Criteria and NIST standards.
This means that, if you have PED-authenticated HSMs at a pre-7.7.0 firmware version that are to be updated to f/w 7.7.0 (or newer), you must update at least one PED first, so that you can continue to authenticate to roles on the HSM while updating.
CentOS 8 throws errors if install directory is not default
Installing Luna Client software on CentOS 8 can result in error messages being logged for the pedclient service, if the chosen install directory is not the default /usr. This can be prevented by setting SELinux to permissive mode, before installing.
LunaSH sysconf snmp trap set command now defaults to "inform"
Previously, the sysconf snmp trap set -traptype command defaulted to "trap". Release 7.7 adds the option "inform", which is now the default. If you have scripts that relied on the old default, adjust them to set -traptype explicitly.
Change in network routing default needs precautions when updating
A change to network routing when updating to Network HSM appliance version 7.7.0 or newer, from any prior 7.x version, can cause your appliance to become unreachable via network connection. Older appliance versions permitted the existence of multiple default routes. Beginning with appliance version 7.7.0, only one instance of the default route can exist.
Options for a successful update with minimal disruption are:
• Remove all but one instance of the ‘default route’, using the network route delete command, before upgrading from any pre-7.7.0 appliance software version.
OR
• Connect locally via serial cable to perform the update, so your access to the network appliance is not lost when the network connection becomes temporarily unavailable (pending proper network configuration).
Note also that if you reimage, going back to a pre-7.7.0 version, the routing table goes back to the old format and you must apply one of the above precautions again, to update.
Luna HSM Firmware 7.4.1 is No Longer Available
Luna HSM firmware 7.4.1 is no longer available for download from the Thales Customer Portal. Thales recommends that all customers using HSM firmware version 7.4.1 update to 7.4.2 or higher.
Luna HSM Client 7.5 is No Longer Available
Luna HSM Client 7.5 is no longer available for download from the Thales Customer Portal. Thales strongly recommends that all customers using version 7.5 update their client software to 10.1 or higher.
Older JAVA Versions Require Patch/Update
The .jar files included with Luna HSM Client 10.x have been updated with a new certificate, signed by the Oracle JCE root certificate. This certificate validation requires a minimum Oracle JDK/JRE version.
>If your application relies on Oracle Java 7 or 8, you must update to the advanced version provided by Oracle. You require (at minimum) version 7u131 or 8u121. Please refer to Oracle's website for more information: https://www.oracle.com/technetwork/java/java-se-support-roadmap.html
>If your application relies on IBM Java 7 or 8, you must install a patch from IBM before updating to Luna HSM Client 10.x (see APAR IJ25459 for details).
"CKR_MECHANISM_INVALID" Messages in Mixed Luna Cloud HSM Implementations
When using a DPoD Luna Cloud HSM service with Luna HSM Client, you might encounter errors like "CKR_MECHANISM_INVALID" or "Error NCryptFinalizeKey" during some operations in Hybrid HA and FIPS mode (3DES Issue). This can occur if firmware versions differ between a Luna Network HSM partition and a DPoD Luna Cloud HSM service in an HA group when you invoke a mechanism that is supported on one but not the other. Similarly, if one member is in FIPS mode, while the other is not, a mechanism might be requested that is allowed for one member, but not the other. For example, the ms2luna tool can fail when 3DES operations are invoked.
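The mechanism mismatch described above can be caught before an application hits it at runtime: query each HA member's mechanism list (C_GetMechanismList in PKCS#11) and only use mechanisms that every member reports. The following is an added example, not Thales code. The CKM_ and CKR_ values mirror the PKCS#11 header, and the two member mechanism lists are constructed sample data (a non-FIPS Network HSM partition that still offers 3DES CBC, a FIPS-mode Cloud HSM service that does not) standing in for real C_GetMechanismList results.

```c
/* Added example (not Thales code): pre-flight check that a mechanism is
 * available on every member of an HA group before an application uses it.
 * Types and CKM_/CKR_ values mirror the PKCS#11 header (pkcs11t.h); the
 * member mechanism lists are constructed sample data standing in for what
 * C_GetMechanismList would return for each member slot. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_MECHANISM_TYPE;
typedef CK_ULONG CK_RV;

#define CKR_OK                0x00UL
#define CKR_MECHANISM_INVALID 0x70UL

#define CKM_RSA_PKCS        0x0001UL
#define CKM_SHA256_RSA_PKCS 0x0040UL
#define CKM_DES3_CBC        0x0133UL
#define CKM_AES_CBC         0x1082UL

/* One HA member as seen by the client. */
struct ha_member {
    const char *name;
    int fips_mode;                  /* 1 if the member runs in FIPS mode (informational) */
    const CK_MECHANISM_TYPE *mechs; /* what C_GetMechanismList returned for this member */
    CK_ULONG count;
};

static int member_supports(const struct ha_member *m, CK_MECHANISM_TYPE mech)
{
    for (CK_ULONG i = 0; i < m->count; i++)
        if (m->mechs[i] == mech)
            return 1;
    return 0;
}

/* Returns CKR_OK only if every member supports `mech`; otherwise
 * CKR_MECHANISM_INVALID, which is what the application would see at runtime
 * when the operation lands on a member that lacks the mechanism.
 * `missing` (optional) receives the name of the first member without it. */
CK_RV ha_check_mechanism(const struct ha_member *members, size_t n,
                         CK_MECHANISM_TYPE mech, const char **missing)
{
    for (size_t i = 0; i < n; i++) {
        if (!member_supports(&members[i], mech)) {
            if (missing)
                *missing = members[i].name;
            return CKR_MECHANISM_INVALID;
        }
    }
    if (missing)
        *missing = NULL;
    return CKR_OK;
}

/* Constructed sample data (not real HSM output). */
static const CK_MECHANISM_TYPE network_mechs[] = {
    CKM_RSA_PKCS, CKM_SHA256_RSA_PKCS, CKM_DES3_CBC, CKM_AES_CBC
};
static const CK_MECHANISM_TYPE cloud_mechs[] = {
    CKM_RSA_PKCS, CKM_SHA256_RSA_PKCS, CKM_AES_CBC
};
static const struct ha_member sample_group[] = {
    { "network-hsm-partition", 0, network_mechs, 4 },
    { "cloud-hsm-service",     1, cloud_mechs,   3 },
};

/* Wrappers over the constructed group: the return value of the check, and
 * the name of the first member that lacks the mechanism (NULL if none). */
CK_RV sample_check(CK_MECHANISM_TYPE mech)
{
    return ha_check_mechanism(sample_group, 2, mech, NULL);
}

const char *sample_missing_member(CK_MECHANISM_TYPE mech)
{
    const char *who = NULL;
    ha_check_mechanism(sample_group, 2, mech, &who);
    return who;
}

int main(void)
{
    const CK_MECHANISM_TYPE to_check[] = { CKM_AES_CBC, CKM_DES3_CBC };
    for (size_t i = 0; i < 2; i++) {
        const char *who = sample_missing_member(to_check[i]);
        if (who == NULL)
            printf("mechanism 0x%lx: usable on all HA members\n", to_check[i]);
        else
            printf("mechanism 0x%lx: not supported on %s (would fail with CKR_MECHANISM_INVALID)\n",
                   to_check[i], who);
    }
    return 0;
}
```

Run against real members, the same check would take the mechanism arrays returned by C_GetMechanismList for each slot in the group; a mechanism that fails this check is one to remove from the application's configuration (or to reconcile by aligning firmware versions and FIPS settings across members) rather than one to retry.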
<CKR_CONTAINER_OBJECT_STORAGE_FULL> Error When Backing Up Release 5.x or 6.x Partitions to a G7-based Backup HSM
When using the G7-based Backup HSM to back up objects from partitions hosted on HSMs running older firmware, differences in the size of the metadata associated with the objects may cause the backup partition to become full before all of the objects have been backed up, resulting in the following error message:
<CKR_CONTAINER_OBJECT_STORAGE_FULL>
If you receive this message when backing up a user partition, you can use the LunaCM partition resize command to resize the backup partition so that it has enough space to accommodate the remaining objects, then use the partition archive backup command with the -append option to add the skipped objects to the backup.
Install Luna PCIe HSM BIOS/BMC Patch Before Updating to Luna 7.3.3
Thales recommends installing the Luna PCIe HSM BIOS/BMC Patch (KB0019562) before upgrading to Luna PCIe HSM appliance software 7.3.3.
Resolved Issue LUNA-7585: Java DERIVE and EXTRACT flag settings for keys injected into the HSM
Formerly, the DERIVE and EXTRACT flags were forced to "true" in the JNI, which overrode any values passed by applications via Java. This is resolved in Luna 7.3 release.
As of release 7.3:
>The default values for the DERIVE and EXTRACT flags are set to "false" (were set to “true” in previous releases).
>JNI accepts and preserves values set by applications via the following Java calls:
LunaSlotManager.getInstance().setSecretKeysDerivable( true );
LunaSlotManager.getInstance().setPrivateKeysDerivable( true );
LunaSlotManager.getInstance().setSecretKeysExtractable( true );
LunaSlotManager.getInstance().setPrivateKeysExtractable( true );
NOTE If you have existing code that relies on the DERIVE and EXTRACT flags being automatically defined by the JNI for new keys, you will need to modify your application code to set the flag values correctly.
In cases where a derived key must be extractable, add the following line to the java.security file:
com.safenetinc.luna.provider.createExtractablePrivateKeys=true
Resolved Issue LKX-3338
Thales Group has identified an issue with asymmetric digest-and-sign, or digest-and-verify mechanisms when the data length exceeds 64KB, for all SHAxxx_RSA_xxx, SHAxxx_DSA and SHAxxx_ECDSA mechanisms.
Please note:
>Simple (i.e. not combined with digest) RSA/ECDSA/DSA sign/verify operations are NOT affected, and work as expected for all HSM models.
>This issue only affects HSMs with standard- and enterprise-level performance (*700 and *750 models). Maximum-performance (*790) models are not affected.
This issue is resolved in both firmware 7.2.0 and 7.0.3.
Thales strongly recommends that you update to firmware 7.2.0 or later, or firmware 7.0.3, to avoid this issue in the future.
CKA_EXTRACTABLE=FALSE on New Private Keys
Using Luna HSM firmware 7.1.0 or newer, private keys now have their CKA_EXTRACTABLE attribute set to FALSE by default when they are created. Your applications must specify a value of 1 (TRUE) for this attribute on private keys you wish to wrap and export in Key Export mode.
A patch for the Luna Java Provider (LunaProvider) on 32-bit and 64-bit Linux client systems is available from the Thales Customer Support Portal (DOW0002629).
Resolved Issues LKX-2832/LUNA-956: CKA_EXTRACTABLE Default Setting
Formerly, the CKA_EXTRACTABLE attribute on new, unwrapped, and derived keys was incorrectly set to TRUE by default. This was resolved in Luna HSM firmware 7.0.2 and higher. In firmware 7.0.2 and higher, the CKA_EXTRACTABLE attribute on new, unwrapped, and derived keys is set to FALSE by default.
NOTE If you have existing code or applications that expect keys to be extractable by default, you must modify them to explicitly set the CKA_EXTRACTABLE attribute value to TRUE.
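Because the firmware default for CKA_EXTRACTABLE changed from TRUE to FALSE (in firmware 7.0.2 for new, unwrapped and derived keys, and in 7.1.0 for private keys), a template that never mentions the attribute produces a key whose extractability depends on which firmware created it. The following is an added example, not Thales code: it models that default resolution (explicit template value wins, otherwise the firmware-generation default) and contrasts a template that omits CKA_EXTRACTABLE with one that sets it explicitly, as this note and the 7.1.0 note above require for keys meant to be wrapped and exported. CKA_/CKO_/CKK_ values mirror the PKCS#11 header; the `fw_generation` enum, `effective_bool`, and both templates are constructed for illustration. The same explicit-wins rule applies to CKA_DERIVE, which is the underlying attribute behind the DERIVE flag discussed in the LUNA-7585 note.

```c
/* Added example (not Thales code): how a PKCS#11 key template interacts with
 * the firmware-side default for CKA_EXTRACTABLE. Types and CKA_/CKO_/CKK_
 * values mirror pkcs11t.h; the default-resolution logic is a model of the
 * behaviour described in the advisory (FALSE from firmware 7.0.2, TRUE
 * before), not Thales code. */
#include <stddef.h>
#include <stdio.h>

typedef unsigned long CK_ULONG;
typedef unsigned char CK_BBOOL;
typedef CK_ULONG CK_ATTRIBUTE_TYPE;
typedef CK_ULONG CK_OBJECT_CLASS;
typedef CK_ULONG CK_KEY_TYPE;

#define CK_TRUE  1
#define CK_FALSE 0

#define CKA_CLASS       0x000UL
#define CKA_TOKEN       0x001UL
#define CKA_LABEL       0x003UL
#define CKA_KEY_TYPE    0x100UL
#define CKA_SENSITIVE   0x103UL
#define CKA_SIGN        0x108UL
#define CKA_DERIVE      0x10CUL
#define CKA_EXTRACTABLE 0x162UL
#define CKO_PRIVATE_KEY 0x3UL
#define CKK_RSA         0x0UL

typedef struct CK_ATTRIBUTE {
    CK_ATTRIBUTE_TYPE type;
    void *pValue;
    CK_ULONG ulValueLen;
} CK_ATTRIBUTE;

/* Firmware generations modelled here (constructed for the example). */
enum fw_generation { FW_PRE_7_0_2, FW_7_0_2_OR_LATER };

/* Effective value of a boolean attribute for a key created with `tmpl`:
 * an explicit template value wins; an absent attribute falls back to the
 * firmware default, which for CKA_EXTRACTABLE flipped from TRUE to FALSE
 * in firmware 7.0.2. Other booleans are assumed to default to FALSE. */
CK_BBOOL effective_bool(const CK_ATTRIBUTE *tmpl, CK_ULONG n,
                        CK_ATTRIBUTE_TYPE attr, enum fw_generation fw)
{
    for (CK_ULONG i = 0; i < n; i++)
        if (tmpl[i].type == attr && tmpl[i].ulValueLen == sizeof(CK_BBOOL))
            return *(const CK_BBOOL *)tmpl[i].pValue;
    if (attr == CKA_EXTRACTABLE)
        return fw == FW_PRE_7_0_2 ? CK_TRUE : CK_FALSE;
    return CK_FALSE;
}

/* Constructed RSA private-key templates. */
static CK_OBJECT_CLASS cls = CKO_PRIVATE_KEY;
static CK_KEY_TYPE ktype = CKK_RSA;
static CK_BBOOL yes = CK_TRUE;
static char label[] = "example-rsa-priv";

/* Template that does NOT mention CKA_EXTRACTABLE: on 7.0.2+ the key silently
 * becomes non-extractable and a later wrap-and-export of it fails. */
static CK_ATTRIBUTE implicit_tmpl[] = {
    { CKA_CLASS,     &cls,   sizeof(cls) },
    { CKA_KEY_TYPE,  &ktype, sizeof(ktype) },
    { CKA_TOKEN,     &yes,   sizeof(yes) },
    { CKA_SENSITIVE, &yes,   sizeof(yes) },
    { CKA_SIGN,      &yes,   sizeof(yes) },
    { CKA_LABEL,     label,  sizeof(label) - 1 },
};

/* Same template with CKA_EXTRACTABLE set explicitly, as the advisory requires
 * for keys that are meant to be wrapped and exported in Key Export mode. */
static CK_ATTRIBUTE explicit_tmpl[] = {
    { CKA_CLASS,       &cls,   sizeof(cls) },
    { CKA_KEY_TYPE,    &ktype, sizeof(ktype) },
    { CKA_TOKEN,       &yes,   sizeof(yes) },
    { CKA_SENSITIVE,   &yes,   sizeof(yes) },
    { CKA_SIGN,        &yes,   sizeof(yes) },
    { CKA_EXTRACTABLE, &yes,   sizeof(yes) },
    { CKA_LABEL,       label,  sizeof(label) - 1 },
};

#define NELEMS(a) (sizeof(a) / sizeof((a)[0]))

CK_BBOOL implicit_extractable(enum fw_generation fw)
{
    return effective_bool(implicit_tmpl, NELEMS(implicit_tmpl), CKA_EXTRACTABLE, fw);
}

CK_BBOOL explicit_extractable(enum fw_generation fw)
{
    return effective_bool(explicit_tmpl, NELEMS(explicit_tmpl), CKA_EXTRACTABLE, fw);
}

int main(void)
{
    printf("template without CKA_EXTRACTABLE: pre-7.0.2=%d, 7.0.2+=%d\n",
           implicit_extractable(FW_PRE_7_0_2), implicit_extractable(FW_7_0_2_OR_LATER));
    printf("template with CKA_EXTRACTABLE=TRUE: pre-7.0.2=%d, 7.0.2+=%d\n",
           explicit_extractable(FW_PRE_7_0_2), explicit_extractable(FW_7_0_2_OR_LATER));
    return 0;
}
```

The practical takeaway matches the note: an application that relies on the old TRUE default gets different keys on different firmware, so the attribute should always be stated in the template, and stated as TRUE only for the keys that genuinely need to leave the HSM.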
PED Firmware Upgrade Needed for Luna 6 PEDs
If you have older PEDs that you intend to use with Luna HSM 7.0 or later, you must upgrade to firmware 2.7.1 (or newer). The upgrade and accompanying documentation (007-012337-003_PED_upgrade_2-7-1-5.pdf) are available from the Thales Support Portal.
New USB-powered PED
Thales is pleased to announce the availability of Luna HSM PIN Entry Device (PED) v2.8. The v2.8 PED contains new hardware that enables the PED to be USB-powered; there is no longer a requirement for an external DC power adapter. PED v2.8 is functionally equivalent to your existing (pre-generation) PEDs and is compatible with HSM versions 5.x, 6.x, and 7.x.
PED v2.8 ships with firmware 2.8.0. Note that you cannot upgrade older PEDs to the 2.8.0 version; they require a separate DC power adapter for remote PED and upgrade use. The model number on the manufacturer's label identifies the refreshed PED: PED-06-0001.
To use the new USB-powered PED
1. Ensure the Luna HSM Client software is installed on the Windows computer that will act as the PED Server to your Luna HSM. Installing the Remote PED component of the Luna HSM Client installs the required driver.
2. Connect the PED to the computer where you installed the Remote PED component of the Luna HSM Client, using the USB micro connector on the PED and a USB socket on your computer.
3. After you connect the PED to the host computer, it will take 30 to 60 seconds for initial boot-up, during which time a series of messages are displayed, as listed below:
BOOT V.1.1.0-1
CORE V.3.0.0-1
Loading PED...
Entering...
4. After the boot process is complete, the PED displays Local PED mode and the Awaiting command... prompt. Your new PED is now ready for use.
5. To enter Remote PED mode, if needed, exit Local PED mode with the < key, and from the Select Mode menu, select option 7 Remote PED.
Remote Backup Over IPv6 is Unavailable
Network connections from the Luna HSM Client to a Remote Backup Server must use IPv4.
NOTE Network connections from the client to the HSMs you want to backup using RBS can use IPv6. Only the connection from the client to the RBS server requires IPv4.
Luna Backup HSM Firmware Upgrade 6.26.0 Limitations
You can apply firmware upgrade 6.26.0 to your existing Luna Backup HSMs to increase their backup storage capacity from 15.5 MB to 32 MB. This allows you to fully back up a Luna 7 HSM that takes advantage of the increased key storage capacity offered in this release.
Before upgrading your Luna Backup HSMs to firmware 6.26.0, consider the following limitations:
>If you upgrade your Backup HSM to FW 6.26.0, it is no longer compatible with previous releases of Luna HSM.
>If you are migrating from previous releases to Luna HSM 7.x, we recommend that you do not upgrade to firmware 6.26.0. Note, however, that your backups will be limited to 15.5 MB. Therefore, if the objects in the partition you want to back up consume more than 15.5 MB, you will need to split the backup into two separate operations.
>If you are using only Luna HSM 7, we recommend that you upgrade your Luna Backup HSMs to firmware 6.26.0.
Deprecated and Discontinued Features
The following features are deprecated or discontinued in Luna 7. If you have been using any of these Luna 5/6 features, plan for a new configuration and workflow that does not make use of the feature:
>Small form factor (SFF) backup