Updating the Luna HSM Firmware

A new Luna Network HSM is delivered with the current FIPS-validated firmware installed on the HSM card, and the most recently released firmware version saved on the Luna Network HSM hard drive as an optional update. When you install an appliance software update, this optional update is replaced with the latest firmware version. If you wish to use a different HSM firmware version, you can download it from the Thales Support Portal.

To update the firmware on a Luna Backup HSM (G5), see Updating the Luna Backup HSM (G5) Firmware.

CAUTION!   Use an uninterruptible power supply (UPS) to power your HSM. There is a small chance that a power failure during an update could leave your HSM in an unrecoverable condition.

Updating the HSM Firmware After an Appliance Software Update

After an appliance software update, the latest firmware version is saved on the appliance and ready to install.

Required for 7.7.0 update!  

CAUTION!   Before updating to appliance 7.7, you must first install lunasa-reboot-patch-3.spkg. The package is bundled with the Luna Network HSM 7.7 update package, and prevents an intermittent appliance boot issue that could have serious consequences if it occurred during a firmware update procedure. See Network HSM Appliance BIOS and BMC Firmware Update Patch.

NOTE   If the package lunasa-reboot-patch-3.spkg is not installed before you begin the Luna Network Appliance 7.7 update, the software update process halts with a message directing you to install the reboot fix.  

NOTE   If you are updating the firmware to version 7.7.x or newer, objects and partitions must be re-sized to include additional object overhead associated with the new V1 partitions. This re-sizing is part of the update process and requires no additional action from you (see What are "pre-firmware 7.7.0", and V0, and V1 partitions?). This conversion can take much longer than previous firmware updates, depending on the number of objects stored on the HSM (a few minutes to several hours). Ensure that you can leave the update operation uninterrupted for this amount of time. Do not interrupt the procedure even if the operation appears to have stalled.

To update the HSM firmware after an appliance software update

1. Log in to LunaSH on the appliance as admin.

2. At the LunaSH prompt, log in as HSM SO.

lunash:> hsm login

3. [Optional Step] Check that the desired firmware version is ready to install.

lunash:> hsm firmware show

CAUTION!   If you are using STC on the HSM Admin channel, disable it by running lunash:> hsm stc disable before you update the HSM firmware.

4. Update the firmware to the version currently stored on the appliance.

lunash:> hsm firmware upgrade

Updating the HSM Firmware to a Different Version

If you are not installing the firmware update provided in the appliance software update, download your desired HSM firmware from the Thales Support Portal. You require:

>Luna Network HSM firmware update package file (<filename>.spkg)

>the secure package authentication code, provided in a text file accompanying the update package

NOTE   If HSM firmware is updated to version 7.7 or newer, from a pre-7.7 version, the sizes of existing partitions are adjusted to accommodate new overhead due to new features. Firmware rollback is destructive; the HSM is zeroized and application partitions destroyed.

To update the HSM firmware to a version downloaded from the Support Portal

1. Transfer the secure package update file to the Luna Network HSM using pscp or scp.

pscp <filepath>/<packagename>.spkg admin@<appliance_host_or_IP>:

2. Stop all client applications to the Luna Network HSM appliance.

3. Using a serial or SSH connection, log in to the appliance as admin.

4. At the LunaSH prompt, log in as HSM SO.

lunash:> hsm login

5. [Optional Step] Verify that the secure package file is present on the Luna Network HSM.

lunash:> package listfile

6. [Optional Step] Verify the package file, specifying the authorization code you received from Thales.

lunash:> package verify <filename>.spkg -authcode <code_string>

7. Install the firmware update package, specifying the authorization code you received from Thales.

lunash:> package update <filename>.spkg -authcode <code_string>

NOTE   If you are using a service provider model, you can use the -useevp option to specify the OpenSSL EVP (Digital EnVeloPe library) API to validate the update package, rather than invoking the HSM. This allows you to install the update package without logging in as HSM SO (see package update).

The package update process takes a few seconds. The firmware package is now stored on the appliance, waiting to be applied to the HSM.

8. [Optional Step] Check that the desired firmware version is ready to apply.

lunash:> hsm firmware show

CAUTION!   If you are using STC on the HSM Admin channel, disable it by running lunash:> hsm stc disable before you update the HSM firmware.

9. Update the firmware to the version currently stored on the appliance.

lunash:> hsm firmware upgrade
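
The ordering rules in the two procedures above can be checked against a saved LunaSH session transcript during change review. The following is an added example, not Thales code: the function names, the two flags and the transcript contents are assumptions made for illustration, and only the lunash:> prompt and the commands themselves come from this page.

```python
PROMPT = "lunash:>"  # prompt as it appears in this page's command lines

def commands(transcript):
    """Commands typed at the LunaSH prompt, in order, as token lists."""
    lines = (ln.strip() for ln in transcript.splitlines())
    return [ln[len(PROMPT):].split() for ln in lines if ln.startswith(PROMPT)]

def check_firmware_session(transcript, stc_admin_channel=False, downloaded=False):
    """Check command ORDER only (command output is not parsed).
    stc_admin_channel: STC is used on the HSM Admin channel.
    downloaded: firmware came from the Support Portal, not an appliance update.
    Returns a list of findings; an empty list means the order matches the page."""
    findings = []
    logged_in = stc_off = staged = False
    for tok in commands(transcript):
        text = " ".join(tok)
        if text.startswith("hsm login"):
            logged_in = True
        elif text.startswith("hsm stc disable"):
            stc_off = True
        elif text.startswith("package update"):
            staged = True
            if "-authcode" not in tok:
                findings.append("package update without -authcode")
            if not logged_in and "-useevp" not in tok:
                findings.append("package update before hsm login, no -useevp")
        elif text.startswith("hsm firmware upgrade"):
            if not logged_in:
                findings.append("firmware upgrade before hsm login")
            if stc_admin_channel and not stc_off:
                findings.append("firmware upgrade with admin-channel STC enabled")
            if downloaded and not staged:
                findings.append("firmware upgrade before package update")
    return findings

# Constructed transcripts; the file name and code string are placeholders.
GOOD = """\
lunash:> hsm login
lunash:> package update fw-example.spkg -authcode EXAMPLECODE
lunash:> hsm firmware show
lunash:> hsm stc disable
lunash:> hsm firmware upgrade
"""
BAD = """\
lunash:> package update fw-example.spkg -authcode EXAMPLECODE
lunash:> hsm login
lunash:> hsm firmware upgrade
"""
if __name__ == "__main__":
    print(check_firmware_session(BAD, stc_admin_channel=True, downloaded=True))
```

Real transcripts contain the secure package authentication code, so store and share them with the same care as the code itself.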