Luna Appliance Software 7.8.4
Luna Appliance Software 7.8.4 was released in December 2023.
>Download Luna Appliance Software 7.8.4
This version also includes Luna Backup HSM 7 Firmware 7.7.2 ready to install (see Updating the Appliance-Connected Luna Backup HSM 7 Firmware).
New Features and Enhancements
Luna Appliance Software 7.8.4 includes the following new features and enhancements:
HSM communication CIA (confidentiality integrity and availability) updates
Configurable Key Size and Type Support for NTLS and SSH
The Luna Network HSM 7 adds a -keysize option to support RSA key sizes of 2048, 3072, and 4096, along with a -keytype option to support Ed25519 and select ECC curves, as well as a -curve option to specify which of the supported ECC curves you wish to use. At the same time, the vtl createCert command in the vtl utility on the client is updated to match. Requires Luna Appliance Software 7.8.4 or newer, and Luna HSM Client 10.7.0 or newer.
See Configure NTLS and SSH Key Size and Type.
Added Broadcast mode option to network interface bonding
Adding load balancing to the fault tolerance of the previous "active-only" bonding mode, network configuration now includes the option to specify "broadcast" bonding mode. Requires Luna Appliance Software 7.8.4 or newer.
Enhanced Access Control of Clients, using Extended DN Attribute Validation
The ability to select/restrict PKI client certificates is enhanced -- the Luna Network HSM 7 can now use a DN attribute filter to inspect and verify against X509 RDN OIDs of a client certificate, where previously only the Common Name (CN) was verified. Requires Luna Appliance Software 7.8.4 or newer.
See Client certificates.
Appliance-Connected Luna Backup HSM 7 v2 Direct Multifactor Quorum Authentication Support
When a Luna Backup HSM 7 is connected directly to the Luna Network HSM 7 with Luna Appliance Software 7.8.4, PED keys can now be connected directly to the Luna Backup HSM 7 for authentication. It is no longer necessary to set up a Remote PED server.
See Luna Backup HSM 7 Connected to Luna Network HSM 7 Using Direct Multifactor Quorum Authentication.
Valid Update Paths
You can update the Luna Network HSM 7 appliance software to version 7.8.4 from the following previous versions:
>7.0.0, 7.1.0, 7.2.0, 7.2.2, 7.3.0, 7.3.1, 7.3.3, 7.3.4, 7.4.0, 7.4.1, 7.4.2, 7.7.0, 7.7.1, 7.8.0, 7.8.1, 7.8.3
Advisory Notes
This section highlights important issues you should be aware of before deploying appliance software 7.8.4.
Package List Output Revised
The output of the command to list software packages installed on the Luna Network HSM 7 has been trimmed from the previous "everything" list, to a more useful list of product-level packages that include all installed product options in which you would have an interest, as well as external interface packages and application packages needed by our support and engineering teams to perform troubleshooting analysis. Requires Luna Appliance Software 7.8.4 or newer.
See package list.
Appliance System Clock Must Be Set Before Starting the Cluster Service
If the system clock is adjusted after the cluster certificate is created, the certificates might not be valid due to date/time. For example, if the certificate is generated while the system clock is ahead by a few minutes, and the clock is then corrected, the certificate will not be valid until the clock catches up to the time it was set to when the cert was created. If the current system time does not fall within the certificate's range of validity, the cluster service fails to start.
REST API Webserver Automatically Enabled
When upgrading to Luna Appliance Software 7.8.1 or newer, the REST API webserver is automatically enabled. If you have not already configured the webserver to accept REST API calls, this can cause a large volume of error messages to appear in logs. For example:
2022 Nov 22 16:39:29 10 daemon notice systemd: nginx.service: control process exited, code=exited status=1 2022 Nov 22 16:39:29 10 daemon err systemd: Failed to start nginx - high performance web server. 2022 Nov 22 16:39:29 10 daemon notice systemd: Unit nginx.service entered failed state. 2022 Nov 22 16:39:29 10 daemon warning systemd: nginx.service failed.
These error logs can be safely ignored, but you must explicitly disable the webserver service to stop them from accumulating (lunash:> webserver disable). If you plan to configure the webserver to accept REST API calls, you must regenerate the webserver certificate (lunash:> webserver certificate generate) and restart the webserver service (lunash:> service start webserver) to stop the error logs.
Insecure SSH Ciphers Removed From Luna Appliance Software 7.8.0 and Newer
Thales has removed a number of less-secure SSH ciphers from Luna Appliance Software 7.8.0. As a consequence, older client versions may not be able to use SSH to access LunaSH. This affects SSH connections, pscp/scp file transfers, plink, and certain procedures that rely on these tools such as the One-Step NTLS Connection Procedure. To avoid connection problems, you must use the versions of pscp and plink from Luna HSM Client 10.4.0 or newer. If you use Linux-standard applications like scp or ssh, ensure that they are updated to the latest version.
The following ciphers have been removed:
MACS
>umac-64-etm@openssh.com
>umac-128-etm@openssh.com
>umac-64@openssh.com
>umac-128@openssh.com
Host-Based Accepted Key Types
>ssh-rsa-cert-v01@openssh.com
>ssh-dss-cert-v01@openssh.com
>ssh-rsa
>ssh-dss
Host Key Algorithms
>ssh-rsa-cert-v01@openssh.com
>ssh-dss-cert-v01@openssh.com
>ssh-rsa
>ssh-dss
Public Key Accepted Key Types
>ssh-rsa-cert-v01@openssh.com
>ssh-dss-cert-v01@openssh.com
>ssh-dss
Luna Network HSM 7 Reboot Patch is a Prerequisite For Older Appliances
If your Luna Network HSM 7 was shipped to you before December 2019, and you currently have software older than Luna Appliance Software 7.7.0 installed, the software update will not proceed unless you first install the Luna Network HSM 7 Reboot Patch. Appliances shipped from the factory since December 2019 have this patch already installed. If you installed the patch to enable an earlier update (7.7.0 or newer), you do not need to install it again.
sysconf snmp trap set command now defaults to "inform"
Previously, sysconf snmp trap set -traptype command would default to "trap". This has changed with Luna Appliance Software 7.7.0; which adds the option "inform", the new default. If you had any scripts that relied on the default setting, they should now be adjusted to explicitly set the -traptype.