Luna Appliance Software 7.8.4

Luna Appliance Software 7.8.4 was released in December 2023.

>Download Luna Appliance Software 7.8.4

This version also includes Luna Backup HSM 7 Firmware 7.7.2 ready to install (see Updating the Appliance-Connected Luna Backup HSM 7 Firmware).

New Features and Enhancements

Luna Appliance Software 7.8.4 includes the following new features and enhancements:

HSM Communication Confidentiality, Integrity and Availability Updates

Configurable Key Size and Type Support for NTLS and SSH

The lunash:> sysconf regenCert command now includes a -keysize option to support RSA key sizes of 2048, 3072, and 4096, along with a -keytype option to support Ed25519 and select ECC curves, as well as a -curve option to specify which of the supported ECC curves you wish to use. This also requires Luna HSM Client 10.7.0 or newer. Refer to:

>New procedure: Configure NTLS and SSH Key Size and Type

>New command options: lunash:> sysconf regenCert [-keytype <keytype>] [-keysize <keysize>] [-curve <curve>]

Added IPv6 Support and Broadcast Mode Option to Bonded Interfaces

Network interface bonding now supports IPv6 addressing, and you can now specify the "broadcast" bonding mode, which adds load balancing to the fault tolerance provided by the previous "active-only" bonding mode. Refer to:

>New command options: lunash:> network interface bonding config [-mode broadcast] [-ipv6]

Enhanced Access Control of Clients, using Extended DN Attribute Validation

The ability to select/restrict PKI client certificates is enhanced -- the Luna Network HSM 7 can now use a DN attribute filter to inspect and verify against X509 RDN OIDs of a client certificate, where previously only the Common Name (CN) was verified. Refer to:

>New feature description: Client certificates

>New commands:

lunash:> client dn assign

lunash:> client dn delete

lunash:> client dn show

Appliance-Connected Luna Backup HSM 7 v2 Direct Multifactor Quorum Authentication Support

When a Luna Backup HSM 7 v2 is connected directly to the Luna Network HSM 7 with Luna Appliance Software 7.8.4, PED keys can now be connected directly to the Luna Backup HSM 7 for authentication. It is no longer necessary to set up a Remote PED server. Refer to:

>New procedure: Luna Backup HSM 7 Connected to Luna Network HSM 7 Using Direct Multifactor Quorum Authentication.

Configurable TLS 1.3 Ciphers for REST API Webserver

You can now configure the Luna REST API webserver to use TLS 1.3 ciphers. Refer to:

>New command options: lunash:> webserver ciphers set [-tls1_2] [-tls1_3]

>New command: lunash:> webserver ciphers reset

The newly-available ciphers can be displayed using the existing command:

lunash:> webserver ciphers show

Luna REST API 14

This release includes Luna REST API 14.0.0, which has the following new features and enhancements:

Export an HSM or Partition Policy Template File

You can now use the REST API to export an HSM or partition policy template file to the logged-in user's files. Refer to:

>New REST resources:

Export an HSM policy template: POST /api/lunasa/hsms/{hsmid}/policies

Export a partition policy template: POST /api/lunasa/hsms/{hsmid}/partitions/{partitionid}/policies

Support For clusteradmin Service Management

Luna REST API 14 includes updated resources for managing the clusteradmin service, which was introduced in lnh_cluster-1.0.4, released with Luna Appliance Software 7.8.5. Refer to:

>Luna Appliance Software 7.8.5: New clusteradmin Service Manages the Cluster REST API Webserver

>New response object: GET /api/lunasa/services "services": [{"id": "clusteradmin", "url": "/api/lunasa/services/clusteradmin"}]

>New valid value clusteradmin for {serviceid}:

GET /api/lunasa/services/{serviceid}

PUT /api/lunasa/services/{serviceid}

PATCH /api/lunasa/services/{serviceid}

GET /api/lunasa/services/{serviceid}/actions

POST /api/lunasa/services/{serviceid}/actions/{actionid}

Configure SSH Ciphers Using REST API

Luna REST API 14 allows you to configure SSH ciphers for Luna Network HSM 7 communications. This feature was introduced in LunaSH in Luna Appliance Software 7.8.3. Refer to:

>Updated REST resources:

New response parameter: GET /api/lunasa/ssh "cipherList": "<list_of_configured_ciphers>"

New request parameter: PUT /api/lunasa/ssh "cipherList": "<list_of_configured_ciphers>"

New request parameter: PATCH /api/lunasa/ssh "cipherList": "<list_of_configured_ciphers>"

New response parameter: GET /api/lunasa/ssh/actions "actions": [{"id": "resetCiphers", "url": "/api/lunasa/ssh/actions/resetCiphers"}]

New valid value resetCiphers for {actionid}: POST /api/lunasa/ssh/actions/{actionid}

Configurable TLS 1.3 Ciphers for REST API Webserver

You can now configure the Luna REST API webserver to use TLS 1.3 ciphers. The newly-available ciphers can be managed using the following existing resources:

>Get a list of available ciphers: GET /api/lunasa/webServer

>Set the cipher suite for webserver communication: PUT /api/lunasa/webServer

>Change the cipher suite for webserver communication: PATCH /api/lunasa/webServer

Valid Update Paths

You can update the Luna Network HSM 7 appliance software to version 7.8.4 from the following previous versions:

>7.0.0, 7.1.0, 7.2.0, 7.2.2, 7.3.0, 7.3.1, 7.3.3, 7.3.4, 7.4.0, 7.4.1, 7.4.2, 7.7.0, 7.7.1, 7.8.0, 7.8.1, 7.8.3

Advisory Notes

This section highlights important issues you should be aware of before deploying appliance software 7.8.4.

REST API Webserver Has TLS 1.3 Ciphers Disabled by Default

Using Luna Appliance Software 7.8.4, TLS 1.3 ciphers are disabled by default. If you had TLS 1.3 ciphers enabled, and updated from Luna Appliance Software 7.8.3, you must re-enable them after the update. Otherwise, your webserver traffic could default to less-secure TLS 1.2 ciphers (if you had all ciphers enabled), or stop entirely (if you had TLS 1.2 disabled).

lunash:> webserver ciphers set -list all -tls1_3

REST API Patch Fixes Performance and Update Issues in This Version

Luna REST API 14.0.0, included with Luna Appliance Software 7.8.4, has issues affecting performance and the ability to update the appliance software from this version using REST API (refer to fixed issue RAPI-4135). A patch was released to address these issues, and Thales recommends that you install it if you are using Crypto Command Center or the Luna REST API:

>Luna Network HSM 7.8.4-350 Appliance REST API Patch

Package List Output Revised

The output of the command that lists the software packages installed on the Luna Network HSM 7 has been trimmed from the previous "everything" list to a more useful list of product-level packages. It now covers the installed product options you are likely to be interested in, plus the external interface packages and application packages that Thales support and engineering teams need for troubleshooting analysis. Requires Luna Appliance Software 7.8.4 or newer.

See package list.

TLS 1.3 Ciphers Automatically Added to Approved List

When the Luna Network HSM 7 is updated to Luna Appliance Software 7.8.4 or newer from a version older than 7.8.3, the TLS 1.3 ciphers are automatically added to the top of the approved ciphers list, meaning they will be prioritized for use ahead of TLS 1.2 ciphers. Use lunash:> sysconf tls ciphers show to check the configuration.
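Both advisory notes about TLS 1.3 (the REST API webserver having TLS 1.3 ciphers disabled by default after an update from 7.8.3, and the TLS 1.3 ciphers being added to the top of the approved list when updating from a version older than 7.8.3) come down to two checks on an ordered cipher list: are the TLS 1.3 suites present at all, and do they precede the TLS 1.2 suites? The following is an added example, not code from Thales or the Luna documentation. It assumes a simple one-cipher-per-line text format for the cipher list (the real output of `sysconf tls ciphers show` or `webserver ciphers show` may differ, so adapt `parse_cipher_list()` accordingly), uses the three TLS 1.3 suite names from RFC 8446, and includes an optional live probe whose default port 8443 is an assumption.

```python
"""Audit an ordered TLS cipher list after an appliance software update.

Checks: (1) TLS 1.3 suites are still enabled, (2) they are ordered ahead of
the TLS 1.2 suites. The cipher-list text format is constructed for this
example; adapt parse_cipher_list() to the real command output.
"""
import socket
import ssl

# The three TLS 1.3 suites from RFC 8446 that OpenSSL enables by default.
TLS13_SUITES = {
    "TLS_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
    "TLS_CHACHA20_POLY1305_SHA256",
}

# Constructed sample outputs (assumed format) before and after an update.
BEFORE_UPDATE = """\
Approved ciphers:
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
"""
AFTER_UPDATE = """\
Approved ciphers:
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
"""


def parse_cipher_list(text):
    """Extract one cipher name per line; skip blank lines and 'key:' headers."""
    ciphers = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" in line:
            continue
        ciphers.append(line)
    return ciphers


def audit_ciphers(ciphers):
    """Classify the ordered list and flag the two post-update risks."""
    tls13 = [c for c in ciphers if c in TLS13_SUITES]
    tls12 = [c for c in ciphers if c not in TLS13_SUITES]
    # Prioritised means every TLS 1.3 suite sits before the first TLS 1.2 suite.
    first_tls12 = min((ciphers.index(c) for c in tls12), default=len(ciphers))
    last_tls13 = max((ciphers.index(c) for c in tls13), default=-1)
    return {
        "tls13_enabled": bool(tls13),
        "tls12_enabled": bool(tls12),
        "tls13_prioritised": bool(tls13) and last_tls13 < first_tls12,
        "no_ciphers": not ciphers,
    }


def probe_tls13(host, port=8443, cafile=None):
    """Live check (assumed port): negotiate TLS 1.3 only and return
    (protocol version, cipher name), or None if the handshake fails."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
    except (OSError, ssl.SSLError):
        return None


if __name__ == "__main__":
    for label, text in (("before update", BEFORE_UPDATE), ("after update", AFTER_UPDATE)):
        print(label, audit_ciphers(parse_cipher_list(text)))
```

Run the audit against the saved pre-update list and the post-update list; a result with `tls13_enabled` false after an update from 7.8.3 is the case the advisory describes, and `no_ciphers` true is the "stop entirely" case where TLS 1.2 had already been disabled. The live probe is only meaningful once the webserver is reachable and its certificate is trusted via `cafile`.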

Appliance System Clock Must Be Set Before Starting the Cluster Service

If the system clock is adjusted after the cluster certificate is created, the certificates might not be valid due to date/time. For example, if the certificate is generated while the system clock is ahead by a few minutes, and the clock is then corrected, the certificate will not be valid until the clock catches up to the time it was set to when the cert was created. If the current system time does not fall within the certificate's range of validity, the cluster service fails to start.
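To make the clock-skew scenario above concrete, here is an added example (not code from Thales or the Luna documentation) that reads a certificate's validity window in the format printed by `openssl x509 -noout -dates` and classifies the appliance's current time against it, returning how many seconds remain until the certificate becomes valid. The sample dates are constructed to match the scenario: the certificate was issued while the clock was five minutes ahead, then the clock was corrected.

```python
"""Check whether a certificate is valid at the appliance's current time.

Models the skew scenario: the cluster certificate was generated while the
clock ran ahead, then the clock was corrected, so notBefore is still in the
future and the service refuses to start until real time catches up.
"""
from datetime import datetime, timezone

# ASSUMPTION: constructed `openssl x509 -noout -dates` output for a certificate
# issued while the clock was 5 minutes ahead of the true time (10:00:00).
SAMPLE_DATES = """\
notBefore=Dec  5 10:05:00 2023 GMT
notAfter=Dec  4 10:05:00 2024 GMT
"""

# OpenSSL prints e.g. "Dec  5 10:05:00 2023 GMT"; strptime tolerates the
# double space before a single-digit day.
OPENSSL_DATE_FORMAT = "%b %d %H:%M:%S %Y %Z"


def parse_openssl_dates(text):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    fields = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        parsed = datetime.strptime(value.strip(), OPENSSL_DATE_FORMAT)
        fields[key.strip()] = parsed.replace(tzinfo=timezone.utc)
    return fields["notBefore"], fields["notAfter"]


def validity_status(not_before, not_after, now):
    """Classify `now` against the window.

    Returns (status, seconds): seconds until the certificate becomes valid
    when "not_yet_valid", seconds since expiry when "expired", else 0.
    """
    if now < not_before:
        return "not_yet_valid", int((not_before - now).total_seconds())
    if now > not_after:
        return "expired", int((now - not_after).total_seconds())
    return "valid", 0


def cluster_service_can_start(dates_text, now=None):
    """Mirror the startup check: only a currently valid certificate passes."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = parse_openssl_dates(dates_text)
    return validity_status(not_before, not_after, now)[0] == "valid"


if __name__ == "__main__":
    corrected_clock = datetime(2023, 12, 5, 10, 0, 0, tzinfo=timezone.utc)
    nb, na = parse_openssl_dates(SAMPLE_DATES)
    print(validity_status(nb, na, corrected_clock))  # not yet valid for 300 s
    print(cluster_service_can_start(SAMPLE_DATES, corrected_clock))
```

The practical takeaway is the order of operations: set the clock (and NTP) first, then generate the cluster certificate, so that `notBefore` is never ahead of the corrected time.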

REST API Webserver Automatically Enabled

When upgrading to Luna Appliance Software 7.8.1 or newer, the REST API webserver is automatically enabled. If you have not already configured the webserver to accept REST API calls, this can cause a large volume of error messages to appear in logs. For example:

2022 Nov 22 16:39:29 10  daemon notice  systemd: nginx.service: control process exited, code=exited status=1
2022 Nov 22 16:39:29 10  daemon err  systemd: Failed to start nginx - high performance web server.
2022 Nov 22 16:39:29 10  daemon notice  systemd: Unit nginx.service entered failed state.
2022 Nov 22 16:39:29 10  daemon warning  systemd: nginx.service failed.

These error logs can be safely ignored, but you must explicitly disable the webserver service to stop them from accumulating (lunash:> webserver disable). If you plan to configure the webserver to accept REST API calls, you must regenerate the webserver certificate (lunash:> webserver certificate generate) and restart the webserver service (lunash:> service start webserver) to stop the error logs.

Insecure SSH Ciphers Removed From Luna Appliance Software 7.8.0 and Newer

Thales has removed a number of less-secure SSH ciphers from Luna Appliance Software 7.8.0. As a consequence, older client versions may not be able to use SSH to access LunaSH. This affects SSH connections, pscp/scp file transfers, plink, and certain procedures that rely on these tools such as the One-Step NTLS Connection Procedure. To avoid connection problems, you must use the versions of pscp and plink from Luna HSM Client 10.4.0 or newer. If you use Linux-standard applications like scp or ssh, ensure that they are updated to the latest version.

The following ciphers have been removed:

MACs

>umac-64-etm@openssh.com

>umac-128-etm@openssh.com

>umac-64@openssh.com

>umac-128@openssh.com

Host-Based Accepted Key Types

>ssh-rsa-cert-v01@openssh.com

>ssh-dss-cert-v01@openssh.com

>ssh-rsa

>ssh-dss

Host Key Algorithms

>ssh-rsa-cert-v01@openssh.com

>ssh-dss-cert-v01@openssh.com

>ssh-rsa

>ssh-dss

Public Key Accepted Key Types

>ssh-rsa-cert-v01@openssh.com

>ssh-dss-cert-v01@openssh.com

>ssh-dss
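Whether an older client can still reach LunaSH after these removals is decided by the standard SSH negotiation rule (RFC 4253 section 7.1): for each algorithm category, the first entry on the client's preference list that the server also supports is chosen, and no common entry means the connection fails. The following added example (not code from Thales or the Luna documentation) applies that rule to the removed lists above. The pre-removal server lists and the two client profiles are constructed assumptions for the demonstration, not the appliance's actual configuration; use it by substituting the algorithm lists your own clients offer (for example from `ssh -Q` or the client's verbose connection log).

```python
"""Predict SSH connectivity after weak algorithms are removed from a server.

Implements the RFC 4253 section 7.1 rule: the chosen algorithm is the first
entry in the client's preference list that also appears in the server's list;
no common entry means the connection fails for that category.
"""

# Algorithms the release notes list as removed in Luna Appliance Software 7.8.0+.
REMOVED = {
    "macs": [
        "umac-64-etm@openssh.com", "umac-128-etm@openssh.com",
        "umac-64@openssh.com", "umac-128@openssh.com",
    ],
    "host_key_algorithms": [
        "ssh-rsa-cert-v01@openssh.com", "ssh-dss-cert-v01@openssh.com",
        "ssh-rsa", "ssh-dss",
    ],
    "pubkey_accepted_key_types": [
        "ssh-rsa-cert-v01@openssh.com", "ssh-dss-cert-v01@openssh.com",
        "ssh-dss",
    ],
}

# ASSUMPTION: a plausible pre-7.8.0 server configuration, constructed for the
# demo. It is not the appliance's real list.
ASSUMED_OLD_SERVER = {
    "macs": [
        "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
        "umac-64-etm@openssh.com", "umac-128-etm@openssh.com",
        "hmac-sha2-256", "hmac-sha2-512",
        "umac-64@openssh.com", "umac-128@openssh.com",
    ],
    "host_key_algorithms": [
        "ssh-ed25519", "ecdsa-sha2-nistp256", "rsa-sha2-512", "rsa-sha2-256",
        "ssh-rsa-cert-v01@openssh.com", "ssh-dss-cert-v01@openssh.com",
        "ssh-rsa", "ssh-dss",
    ],
    "pubkey_accepted_key_types": [
        "ssh-ed25519", "ecdsa-sha2-nistp256", "rsa-sha2-512", "rsa-sha2-256",
        "ssh-rsa-cert-v01@openssh.com", "ssh-dss-cert-v01@openssh.com",
        "ssh-dss",
    ],
}

# Constructed client profiles: an old client that offers only algorithms that
# were removed, and a current client with modern preferences first.
OLD_CLIENT = {
    "macs": ["umac-64@openssh.com", "umac-128@openssh.com"],
    "host_key_algorithms": ["ssh-rsa", "ssh-dss"],
    "pubkey_accepted_key_types": ["ssh-dss"],
}
NEW_CLIENT = {
    "macs": ["hmac-sha2-256-etm@openssh.com", "umac-64-etm@openssh.com"],
    "host_key_algorithms": ["ssh-ed25519", "rsa-sha2-512", "ssh-rsa"],
    "pubkey_accepted_key_types": ["ssh-ed25519", "rsa-sha2-256"],
}


def apply_removal(server, removed):
    """Return a copy of the server lists with the removed algorithms dropped,
    preserving the server's original preference order."""
    return {
        category: [alg for alg in algs if alg not in set(removed.get(category, []))]
        for category, algs in server.items()
    }


def negotiate(client_prefs, server_algs):
    """RFC 4253 7.1: first client-preferred algorithm the server supports."""
    server_set = set(server_algs)
    for alg in client_prefs:
        if alg in server_set:
            return alg
    return None


def check_client(client, server):
    """Negotiate every category; a None value means that category fails."""
    return {category: negotiate(client.get(category, []), algs)
            for category, algs in server.items()}


def can_connect(client, server):
    """True only if every category negotiates an algorithm."""
    return all(alg is not None for alg in check_client(client, server).values())


NEW_SERVER = apply_removal(ASSUMED_OLD_SERVER, REMOVED)

if __name__ == "__main__":
    for name, client in (("old client", OLD_CLIENT), ("new client", NEW_CLIENT)):
        for label, server in (("pre-7.8.0", ASSUMED_OLD_SERVER), ("7.8.0+", NEW_SERVER)):
            print(f"{name} vs {label}: {check_client(client, server)}")
```

The old client negotiates fine against the pre-removal server but fails every category against the 7.8.0+ server, which is the symptom the advisory describes for outdated pscp, plink, scp and ssh binaries; the current client still succeeds because its preference lists lead with algorithms the server kept.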

Luna Network HSM 7 Reboot Patch is a Prerequisite For Older Appliances

If your Luna Network HSM 7 was shipped to you before December 2019, and you currently have software older than Luna Appliance Software 7.7.0 installed, the software update will not proceed unless you first install the Luna Network HSM 7 Reboot Patch. Appliances shipped from the factory since December 2019 have this patch already installed. If you installed the patch to enable an earlier update (7.7.0 or newer), you do not need to install it again.

sysconf snmp trap set command now defaults to "inform"

Previously, the sysconf snmp trap set -traptype command defaulted to "trap". This changed with Luna Appliance Software 7.7.0, which added the "inform" option and made it the new default. If you have any scripts that relied on the previous default, adjust them to set -traptype explicitly.