Luna Appliance Software 7.8.3
Luna Appliance Software 7.8.3 was released in August 2023.
>Download Luna Appliance Software 7.8.3
This version also includes Luna Backup HSM 7 Firmware 7.7.2 ready to install (see Updating the Appliance-Connected Luna Backup HSM 7 Firmware).
>Download the Cluster 1.0.3 Package
New Features and Enhancements
Luna Network HSM 7 7.8.3 includes the following new features and enhancements:
Cryptographic Traffic Control
Measure the egress traffic for clients using each of the Luna Network HSM 7 interfaces, to determine which might be high bandwidth users (noisy neighbors) at the expense of other clients. Create classes with minimum and maximum bandwidth entitlements, and assign clients to classes, to achieve fair access for all clients.
See Crypto Traffic Controller for QoS.
Configurable SSH Ciphers
Customize Luna Network HSM 7 SSH ciphers to meet security needs. Choose from the provided list, to include or exclude appliance-side ciphers that are available to be negotiated with a client.
CA-signed Client Certificates Can be Registered without being Copied to Luna Network HSM 7
When using CA-signed certificates, you can register a client for NTLS with the -nocert option, so the client's CA-signed certificate does not have to be copied to the Luna Network HSM 7 at registration time. This mirrors the existing ability of a client to register a Luna Network HSM 7 without first obtaining a CA-signed certificate from the appliance.
See Creating an NTLS Connection Using Certificates Signed by a Trusted Certificate Authority.
NTLS Client Certificates Can Be Updated Without Re-registration
You can now update an NTLS client certificate on the appliance without having to delete and re-register the client.
See new LunaSH command client update.
Configurable TLS Ciphers
Customize Luna Network HSM 7 TLS ciphers used by the appliance in:
>NTLS: Network Trust Link Service
>STC: Secure Trusted Channel
>CBS: Call Back Server (Used for audit logs, as well as the PED Client)
Choose from the provided list, to include or exclude appliance-side ciphers. Client and appliance support TLS 1.3.
This feature also requires minimum Luna HSM Client 10.6.0.
See sysconf tls ciphers.
Syslog Encryption
You can now encrypt syslog messages sent to a remote server, improving the security of your logs by preventing their interception during transit.
See Syslog Encryption.
Luna Cluster Package 1.0.3
lnh_cluster-1.0.3
CAUTION! TECHNICAL PREVIEW -- EVALUATION ENVIRONMENT ONLY
Clusters are presented as a technical preview, to give customers the opportunity to validate our new HSM management features, designed to reduce operation cost and maximize the return on investment of a fleet of HSMs. This release does not provide a migration path from standard Luna partitions or Luna Cloud HSM services to keyrings. Thales requires minimum Luna Appliance Software 7.8.5 with the lnh_cluster-1.0.4 package, Luna HSM Firmware 7.8.4, and Luna HSM Client 10.7.2 to use clusters in production environments.
DO NOT INSTALL THE CLUSTER PACKAGE ON A LUNA NETWORK HSM IN PRODUCTION
When the lnh_cluster package is installed, access to any existing partitions on the HSM is disabled, and this can only be reversed by re-imaging the Luna Network HSM 7 appliance (see Re-Imaging the Appliance to Baseline Software/Firmware Versions). Re-imaging is a destructive action; all roles, partitions, and keys are destroyed. The Luna Network HSM 7 must be completely reconfigured; all partitions must be recreated and their contents restored from backup. In particular, do not attempt to configure clustering on a Luna Network HSM 7 that already has V1 partitions created; either delete these partitions or re-image the appliance before configuring a cluster.
This release includes the following enhancements to the Clusters feature:
>Cluster Capacity Increased to 3500 Keyrings
Up to 3500 keyrings can be created on the cluster, and each keyring can contain up to 256 objects. Each Luna HSM Client can manage up to 3500 keyrings, which can be spread across multiple clusters.
>Scheduled Cluster Backups Now Continue Indefinitely
Scheduled weekly cluster backups will now continue indefinitely without the need to reschedule. After the specified number of backup files is saved, the oldest file will be deleted to make room for each new backup file. See Cluster Backup and Restore.
>Affinity Group Updates
You can now create up to 64 affinity groups within a cluster, and move members between them freely. It is no longer necessary to restart client applications after making changes to member affinity groups. See Moving a Member to a Different Affinity Group.
>Expanded PKCS#11 Support on Keyrings
Support for PKCS#11 on keyrings has been expanded to include many more standard calls (see PKCS#11 Compliance), and new custom calls have been provided by Thales (see Cluster Extensions).
>Clusters Now Supported on Multifactor Quorum-Authenticated Luna Network HSM 7
Multifactor Quorum-Authenticated Luna Network HSM 7 users can now create and use clusters.
Cluster REST API changes
>New resource added: SUPPORT
This new resource allows the admin user to enable or disable certificate authentication, allowing them to turn monitor access from that client on or off at will. The only error code it can return is 400: Bad Request.
See also Certificate-Based monitor Role Authentication.
This status is also returned by SUPPORT when "Accept: application/json" is specified, in a boolean parameter certificateAuthenticationEnabled.
>New resource added: SUPPORT
This new resource retrieves a list of all affinity groups registered on the cluster, even if no members are currently assigned to that group. It returns an array containing groupLabel and groupUUID for each group. The only error code it can return is 500: Internal Server Error.
>Affinity groups can accept any 1-32 character label
SUPPORT can now specify any 1-32 character label for affinity groups (previously only "group":"remote" was accepted).
Valid Update Paths
You can update the Luna Network HSM 7 appliance software to version 7.8.3 from the following previous versions:
>7.0.0, 7.1.0, 7.2.0, 7.2.2, 7.3.0, 7.3.1, 7.3.3, 7.3.4, 7.4.0, 7.4.1, 7.4.2, 7.7.0, 7.7.1, 7.8.0, 7.8.1
Advisory Notes
This section highlights important issues you should be aware of before deploying appliance software 7.8.3.
TLS 1.3 Ciphers Automatically Added to Approved List
When the Luna Network HSM 7 is updated to Luna Appliance Software 7.8.3 or newer from a version older than 7.8.3, the TLS 1.3 ciphers are automatically added to the top of the approved ciphers list, meaning they will be prioritized for use ahead of TLS 1.2 ciphers. Use lunash:> sysconf tls ciphers show to check the configuration.
Appliance System Clock Must Be Set Before Starting the Cluster Service
If the system clock is adjusted after the cluster certificate is created, the certificates might not be valid due to date/time. For example, if the certificate is generated while the system clock is ahead by a few minutes, and the clock is then corrected, the certificate will not be valid until the clock catches up to the time it was set to when the cert was created. If the current system time does not fall within the certificate's range of validity, the cluster service fails to start.
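The failure mode above comes down to one comparison: the appliance's current time against the certificate's notBefore/notAfter window. The following added example (not Thales code, not part of this page) makes that check explicit. It assumes the two dates are available in the format printed by `openssl x509 -noout -dates`; how you extract the cluster certificate from the appliance is not covered here, and the sample dates are constructed to reproduce the "clock was ahead, then corrected" case.

```python
"""Check a cluster certificate's validity window against the appliance clock.

Added example, not Thales code. Assumes the dates come from
`openssl x509 -noout -dates` (lines like "notBefore=Aug 15 10:05:00 2023 GMT").
"""
from datetime import datetime, timedelta, timezone

OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y %Z"


def parse_openssl_dates(text: str) -> tuple[datetime, datetime]:
    """Return (notBefore, notAfter) as timezone-aware UTC datetimes."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            found[key] = datetime.strptime(value.strip(), OPENSSL_DATE_FMT).replace(
                tzinfo=timezone.utc
            )
    if set(found) != {"notBefore", "notAfter"}:
        raise ValueError("expected both notBefore= and notAfter= lines")
    return found["notBefore"], found["notAfter"]


def validity_status(not_before: datetime, not_after: datetime, now: datetime):
    """Classify `now` against the window.

    Returns ("not_yet_valid", time until notBefore), ("valid", time left)
    or ("expired", time since notAfter). Only "valid" lets the cluster
    service start.
    """
    if now < not_before:
        return "not_yet_valid", not_before - now
    if now > not_after:
        return "expired", now - not_after
    return "valid", not_after - now


def check_at(openssl_dates: str, iso_utc: str):
    """Parse the date lines and classify the given UTC instant (ISO 8601, no offset)."""
    now = datetime.fromisoformat(iso_utc).replace(tzinfo=timezone.utc)
    nb, na = parse_openssl_dates(openssl_dates)
    return validity_status(nb, na, now)


# Constructed sample: the certificate was generated while the appliance clock
# read 10:05 UTC on 15 Aug 2023, but the true time was 10:00; the clock was
# then corrected. The window below is what that certificate carries.
SAMPLE_DATES = """\
notBefore=Aug 15 10:05:00 2023 GMT
notAfter=Aug 14 10:05:00 2024 GMT
"""

if __name__ == "__main__":
    status, delta = check_at(SAMPLE_DATES, "2023-08-15T10:00:00")
    print(status, delta)  # not_yet_valid 0:05:00 -> cluster service will not start yet
    print(check_at(SAMPLE_DATES, "2023-08-15T10:06:00")[0])  # valid
```

The "not_yet_valid" branch is the one this advisory note is about: once the clock is corrected backwards, the service stays down until the real time passes notBefore. Setting the clock (and NTP) before generating the certificate avoids the gap entirely.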
REST API Webserver Automatically Enabled
When upgrading to Luna Appliance Software 7.8.1 or newer, the REST API webserver is automatically enabled. If you have not already configured the webserver to accept REST API calls, this can cause a large volume of error messages to appear in logs. For example:
2022 Nov 22 16:39:29 10 daemon notice systemd: nginx.service: control process exited, code=exited status=1
2022 Nov 22 16:39:29 10 daemon err systemd: Failed to start nginx - high performance web server.
2022 Nov 22 16:39:29 10 daemon notice systemd: Unit nginx.service entered failed state.
2022 Nov 22 16:39:29 10 daemon warning systemd: nginx.service failed.
These error logs can be safely ignored, but you must explicitly disable the webserver service to stop them from accumulating (lunash:> webserver disable). If you plan to configure the webserver to accept REST API calls, you must regenerate the webserver certificate (lunash:> webserver certificate generate) and restart the webserver service (lunash:> service start webserver) to stop the error logs.
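If these messages are shipped to a central syslog server, it helps to recognise them as the benign "webserver enabled but unconfigured" pattern rather than a real service failure. The following added example (not Thales code) parses lines in the layout shown above and counts the systemd start failures per hour; the extra log lines beyond the four quoted above are constructed for the sample.

```python
"""Count nginx start-failure noise in Luna appliance syslog output.

Added example, not Thales code. The line layout
"YYYY Mon DD HH:MM:SS <host> <facility> <severity> <program>: <message>"
is taken from the sample in the advisory note; the sample lines below are
constructed.
"""
import re
from collections import Counter
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<facility>\w+) (?P<severity>\w+) (?P<program>[^:]+): (?P<msg>.*)$"
)
TS_FMT = "%Y %b %d %H:%M:%S"
FAILED_START = "Failed to start nginx"   # systemd's message for one failed attempt
NOISE_THRESHOLD = 3                      # failed attempts before we call it noise


def parse_line(line: str):
    """Split one syslog line into fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def nginx_failure_report(lines):
    """Count systemd 'Failed to start nginx' events and bucket them per hour."""
    per_hour = Counter()
    attempts = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["program"] != "systemd":
            continue
        if rec["severity"] == "err" and FAILED_START in rec["msg"]:
            attempts += 1
            per_hour[rec["ts"].strftime("%Y-%m-%d %H")] += 1
    return {
        "attempts": attempts,
        "per_hour": dict(per_hour),
        "noisy": attempts >= NOISE_THRESHOLD,
    }


# Constructed sample: the four lines quoted in the advisory note, one unrelated
# sshd line, then two more failed start attempts later in the day.
SAMPLE_LOG = """\
2022 Nov 22 16:39:29 10 daemon notice systemd: nginx.service: control process exited, code=exited status=1
2022 Nov 22 16:39:29 10 daemon err systemd: Failed to start nginx - high performance web server.
2022 Nov 22 16:39:29 10 daemon notice systemd: Unit nginx.service entered failed state.
2022 Nov 22 16:39:29 10 daemon warning systemd: nginx.service failed.
2022 Nov 22 16:45:03 10 auth info sshd: Accepted publickey for admin from 192.0.2.50 port 50122 ssh2
2022 Nov 22 16:59:31 10 daemon err systemd: Failed to start nginx - high performance web server.
2022 Nov 22 17:19:33 10 daemon err systemd: Failed to start nginx - high performance web server.
"""

if __name__ == "__main__":
    report = nginx_failure_report(SAMPLE_LOG.splitlines())
    print(report)
    if report["noisy"]:
        print("Recurring nginx start failures: run 'webserver disable', or "
              "regenerate the webserver certificate and start the service.")
```

Only the `err` line is counted, so one failed start cycle contributes one attempt even though systemd emits four lines for it; the notice and warning lines are deliberately ignored to avoid over-counting.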
Insecure SSH Ciphers Removed From Luna Appliance Software 7.8.0 and Newer
Thales has removed a number of less-secure SSH ciphers from Luna Appliance Software 7.8.0. As a consequence, older client versions may not be able to use SSH to access LunaSH. This affects SSH connections, pscp/scp file transfers, plink, and certain procedures that rely on these tools such as the One-Step NTLS Connection Procedure. To avoid connection problems, you must use the versions of pscp and plink from Luna HSM Client 10.4.0 or newer. If you use Linux-standard applications like scp or ssh, ensure that they are updated to the latest version.
The following ciphers have been removed:
MACS
>umac-64-etm@openssh.com
>umac-128-etm@openssh.com
>umac-64@openssh.com
>umac-128@openssh.com
Host-Based Accepted Key Types
>ssh-rsa-cert-v01@openssh.com
>ssh-dss-cert-v01@openssh.com
>ssh-rsa
>ssh-dss
Host Key Algorithms
>ssh-rsa-cert-v01@openssh.com
>ssh-dss-cert-v01@openssh.com
>ssh-rsa
>ssh-dss
Public Key Accepted Key Types
>ssh-rsa-cert-v01@openssh.com
>ssh-dss-cert-v01@openssh.com
>ssh-dss
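Whether a given client still connects after these removals follows from how SSH negotiates: for each category it takes the first name in the client's preference list that the server also offers (RFC 4253, section 7.1). The following added example (not Thales code) applies that rule to the removed MAC and host-key algorithm names listed above. The appliance-side lists it uses are an assumption (OpenSSH-style defaults minus the removed names), and the two client profiles are constructed; confirm the real appliance offer with `ssh -vv <appliance>`, which prints the server's KEXINIT proposal, rather than trusting the lists here.

```python
"""Predict SSH MAC / host-key negotiation against a Luna appliance at 7.8.0+.

Added example, not Thales code. The REMOVED_* lists come from the advisory
note; APPLIANCE_* lists are an assumption (OpenSSH-style defaults minus the
removed names). Only ssh-rsa (RSA with SHA-1 signatures) is listed as removed,
not rsa-sha2-256/512, so RSA host keys are assumed to remain usable through
the SHA-2 signature algorithms.
"""
REMOVED_MACS = [
    "umac-64-etm@openssh.com", "umac-128-etm@openssh.com",
    "umac-64@openssh.com", "umac-128@openssh.com",
]
REMOVED_HOSTKEY_ALGS = [
    "ssh-rsa-cert-v01@openssh.com", "ssh-dss-cert-v01@openssh.com",
    "ssh-rsa", "ssh-dss",
]

# Assumed appliance offer after the removals (not taken from the page).
APPLIANCE_MACS = [
    "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
    "hmac-sha2-256", "hmac-sha2-512",
]
APPLIANCE_HOSTKEY_ALGS = [
    "ssh-ed25519", "ecdsa-sha2-nistp256", "rsa-sha2-512", "rsa-sha2-256",
]


def negotiate(client_pref, server_offer):
    """First client-preferred algorithm that the server also offers, else None."""
    offered = set(server_offer)
    return next((name for name in client_pref if name in offered), None)


def assess_client(client_macs, client_hostkey_algs):
    """Negotiation outcome per category, plus any removed names the client still lists."""
    return {
        "mac": negotiate(client_macs, APPLIANCE_MACS),
        "hostkey": negotiate(client_hostkey_algs, APPLIANCE_HOSTKEY_ALGS),
        "uses_removed": sorted(
            (set(client_macs) & set(REMOVED_MACS))
            | (set(client_hostkey_algs) & set(REMOVED_HOSTKEY_ALGS))
        ),
    }


def can_connect(result):
    """Both categories must negotiate for the SSH session to be established."""
    return result["mac"] is not None and result["hostkey"] is not None


# Constructed client profiles; preference order matters.
LEGACY_CLIENT = {   # only SHA-1 MACs and SHA-1 RSA/DSA host-key signatures
    "client_macs": ["umac-64@openssh.com", "hmac-sha1"],
    "client_hostkey_algs": ["ssh-rsa", "ssh-dss"],
}
MODERN_CLIENT = {   # prefers a removed MAC but has a SHA-2 fallback
    "client_macs": ["umac-64-etm@openssh.com", "hmac-sha2-256-etm@openssh.com"],
    "client_hostkey_algs": ["ssh-ed25519", "rsa-sha2-512", "ssh-rsa"],
}

if __name__ == "__main__":
    for label, profile in (("legacy", LEGACY_CLIENT), ("modern", MODERN_CLIENT)):
        result = assess_client(**profile)
        print(label, "connects" if can_connect(result) else "FAILS", result)
```

The modern profile shows the usual outcome for an up-to-date client: the removal only changes which algorithm gets picked, not whether the connection succeeds. The legacy profile shows the failing case this note warns about, where every name the client can offer in a category is one the appliance no longer accepts.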
Change in Network Routing Default Requires Precaution Before Update
A change to network routing when updating to Luna Appliance Software 7.7.0 or newer, from any prior 7.x version, can cause your appliance to become unreachable via network connection. Older appliance versions permitted the existence of multiple default routes. Beginning with Luna Appliance Software 7.7.0, only one instance of the default route can exist.
Options for a successful update with minimal disruption are:
>Remove all but one instance of the ‘default route’, using the network route delete command, before upgrading from any appliance software version older than Luna Appliance Software 7.7.0.
>Connect locally via serial cable to perform the update, so your access to the network appliance is not lost when network connection becomes temporarily unavailable (pending proper network configuration).
Note also that if you re-image, going back to a version older than Luna Appliance Software 7.7.0, the routing table goes back to the old format and you must apply one of the above precautions again, to update.
If the above precautions are not taken and the appliance becomes unreachable, complete the following steps to restore connection to the appliance:
1. Connect locally via serial cable.
2. Delete all network interfaces. See network interface delete.
3. Configure a network interface to use a default route by doing one of the following:
• Configure the network interface to use a static IP configuration while specifying the -gateway option. See network interface static.
• Configure the network interface to use DHCP. See network interface dhcp.
After you complete the above steps, network connectivity to the appliance is restored and any remaining interfaces that are configured do not have a default route set.
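The first precaution above depends on knowing, before the update, how many default routes the appliance currently has. The following added example (not Thales code) audits a routing table for that condition and reports which default route to keep and which ones to delete. It parses Linux `ip route`-style lines; the exact output format of the LunaSH `network route show` command is not reproduced on this page, so that format is an assumption, and the sample tables are constructed.

```python
"""Pre-update audit for the one-default-route rule in Luna Appliance Software 7.7.0+.

Added example, not Thales code. Parses `ip route`-style lines such as
"default via 192.0.2.1 dev eth0 proto static metric 100"; the LunaSH route
listing format is assumed to be equivalent.
"""
KNOWN_ATTRS = {"via", "dev", "proto", "scope", "src", "metric", "table"}


def parse_routes(text):
    """Turn each non-empty line into a dict of destination plus key/value attributes."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        route = {"dest": tokens[0]}
        it = iter(tokens[1:])
        for tok in it:
            if tok in KNOWN_ATTRS:
                route[tok] = next(it, None)
            else:
                route.setdefault("flags", []).append(tok)  # onlink, linkdown, ...
        routes.append(route)
    return routes


def is_default(route):
    return route["dest"] in ("default", "0.0.0.0/0")


def audit_default_routes(text):
    """Report whether the table satisfies the 7.7.0+ rule and what to remove if not.

    The default route with the lowest metric is proposed as the one to keep;
    the operator may of course choose differently before running
    `network route delete` for the others.
    """
    defaults = [r for r in parse_routes(text) if is_default(r)]
    defaults.sort(key=lambda r: int(r.get("metric") or 0))
    return {
        "count": len(defaults),
        "ok": len(defaults) <= 1,
        "keep": defaults[0] if defaults else None,
        "delete": defaults[1:],
    }


# Constructed samples: a table that would lose network access after the
# update (two default routes) and a compliant one.
TWO_DEFAULTS = """\
default via 192.0.2.1 dev eth0 proto static metric 100
default via 198.51.100.1 dev eth1 proto static metric 101
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
198.51.100.0/24 dev eth1 proto kernel scope link src 198.51.100.10
"""
ONE_DEFAULT = """\
default via 192.0.2.1 dev eth0 proto static
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
"""

if __name__ == "__main__":
    for name, table in (("two_defaults", TWO_DEFAULTS), ("one_default", ONE_DEFAULT)):
        report = audit_default_routes(table)
        print(name, "OK" if report["ok"] else "FIX BEFORE UPDATE", report)
```

Run this against the appliance's route listing before starting the update; if `ok` is false and you cannot remove the extra routes first, fall back to the serial-console option so the temporary loss of network reachability does not lock you out.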
Luna Network HSM 7 Reboot Patch is a Prerequisite For Older Appliances
If your Luna Network HSM 7 was shipped to you before December 2019, and you currently have software older than Luna Appliance Software 7.7.0 installed, the software update will not proceed unless you first install the Luna Network HSM 7 Reboot Patch. Appliances shipped from the factory since December 2019 have this patch already installed. If you installed the patch to enable an earlier update (7.7.0 or newer), you do not need to install it again.
sysconf snmp trap set command now defaults to "inform"
Previously, the sysconf snmp trap set -traptype command defaulted to "trap". This changed in Luna Appliance Software 7.7.0, which added the option "inform" and made it the new default. If you have scripts that relied on the old default, adjust them to set -traptype explicitly.