Luna Appliance Software 7.9.0

Luna Appliance Software 7.9.0 was released in March 2025.

>Download Luna Appliance Software 7.9.0 (includes firmware update to Luna HSM Firmware 7.8.9)

This package also includes Luna Backup HSM 7 Firmware 7.7.2 ready to install (see Updating the Appliance-Connected Luna Backup HSM 7 Firmware).

New Features and Enhancements

Luna Appliance Software 7.9.0 includes the following new features and enhancements:

Appliance Account Password Management

Luna Appliance Software 7.9.0 and newer includes enhanced password management and configuration for administrative roles on the Luna Network HSM 7 appliance. You can now configure:

>password length constraints

>the number of previous passwords that are remembered and not permitted to re-use (password history)

>the lifetime of a user password (expiry)

> handling of bad login attempts

CAUTION!   This feature is not supported for use with Clusters; do not enable it on any Luna Network HSM 7 that is a member of a cluster.

Refer to:

>New procedures: Manage Appliance User Passwords

>New LunaSH commands:

•lunash:> sysconf user login

•lunash:> sysconf user password expire

•lunash:> sysconf user password history

•lunash:> sysconf user password length

•lunash:> sysconf user show

Access Partition Utilization Metrics without HSM SO Login

You can now choose whether Partition Utilization Metrics can be viewed/exported and reset without needing login to the HSM. For continuity, the option defaults to requiring SO login, but that can be changed with a single command, to suit your security and auditing regimes. The existing QoS commands function as previously; only access to them is affected. This option is set using HSM Policy 58: Allow Unrestricted Metrics Access.

See Setting HSM Policies Manually. This feature also requires Luna HSM Firmware 7.8.9 or newer.

Consistent Allowed Characters for HSM and Partition Role Passwords and Challenge Secrets

This release enforces the set of allowed characters for all HSM and partition role passwords/challenge secrets, entered using LunaSH or LunaCM. Passwords and activation challenge secrets must be 8-255 characters in length. Spaces are allowed; to specify a password with spaces using command-line options, enclose the password in double quotation marks. The space character may not be used as the first character in a password.

The following characters are allowed:

!#$%'()*+,-./0123456789:=?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_abcdefghijklmnopqrstuvwxyz{}~

This character set is enforced when using Luna Appliance Software 7.9.0 or Luna HSM Client 10.8.0 or newer, and recommended for all previous versions. Previously-set passwords and challenge secrets are unaffected, but the new character set is enforced when these passwords are changed.

SFTP for File Transfers

SFTP is available to Luna shell commands that transfer files (logs, certificates, secure packages, etc.). Your clients and other servers should move from scp to sftp, where possible. Denied operations (see Disallowed filepaths for SFTP) can be viewed using the following command in Luna Shell (lunash):

lunash:> syslog tail -logname secure

By default, scp is still enabled on the appliance, for compatibility. You can, however, disable it to ensure that sftp is used for all file transfers. Refer to:

>New LunaSH commands:

•lunash:> sysconf scp disable

•lunash:> sysconf scp enable

•lunash:> sysconf scp show

Network Time Security Secures Network Time Protocol

You can continue to use NTP without NTS. New certificate exchanges will be necessary when you start using NTS servers. Refer to:

>New feature description: Network Time Security

>New LunaSH commands:

•lunash:> sysconf ntp ntsAuth cert add

•lunash:> sysconf ntp ntsAuth cert clear

•lunash:> sysconf ntp ntsAuth cert delete

•lunash:> sysconf ntp ntsAuth cert list

Audit Log Improvement

Ability to track individual sessions and client activity is improved. A single client with connections to multiple Luna Network HSM 7 appliances can track each individual session.

>Audit logs show C_Initialize()/C_Finalize() markers with partition serial number for NTLS and STC.

>Audit logs show partition label.

>Multiple threads from an application generate the same access ID.

See Audit Logging Enhancement.

This feature also requires Luna HSM Firmware 7.8.9 and Luna HSM Client 10.8.0.

Additional Changes

Luna Appliance Software 7.9.0 also includes the following changes:

>LunaSH command removed

The deprecated command lunash:> sysconf ntp log tail has been removed in this release. To display the NTP logs, use lunash:> syslog tail -logname ntp instead.

>New command output: lunash:> network interface bonding show

>New command output: lunash:> network route show

>Appliance reimage operation now deletes bonded interface configuration

Refer to Appliance Re-Image Now Deletes Bonded Interfaces.

Luna REST API 16

This release includes Luna REST API 16.0.0, which has the following new features and enhancements:

Access Partition Utilization Metrics without HSM SO Login

You can now choose whether Partition Utilization Metrics can be viewed/exported and reset without needing login to the HSM. For continuity, the option defaults to requiring SO login, but that can be changed with a single command, to suit your security and auditing regimes. The existing QoS commands function as previously; only access to them is affected. This option is set using HSM Policy 58: Allow Unrestricted Metrics Access.

See PATCH /api/lunasa/hsms/{hsmid}/policies/{policyid}. This feature also requires Luna HSM Firmware 7.8.9 or newer.

Network Time Security Secures Network Time Protocol

You can continue to use NTP without NTS. New certificate exchanges will be necessary when you start using NTS servers. Refer to:

>New REST request parameters:

•POST /api/lunasa/ntp/servers "nts": <true/false>, "port": <port>

•PUT /api/lunasa/ntp/servers/{serverid} "nts": <true/false>, "port": <port>

•PATCH /api/lunasa/ntp/servers/{serverid} "nts": <true/false>, "port": <port>

•POST /api/lunasa/ntp/actions/{actionid} "nts": <true/false>

>New REST response: GET /api/lunasa/ntp/status {"lastOffset": "<offset>", "ntpTime": "<time>", "rootDelay": "<delay>", "rootDispersion": "<dispersion>"}

Users Service Synchronized Between LunaSH and REST API

Changes to the Luna Network HSM 7 users service are now synchronized between LunaSH and REST API; the following operations performed using LunaSH are now reflected in the REST API database:

>lunash:> sysconf config backup -service users

>lunash:> sysconf config restore -service users

>lunash:> sysconf config factoryReset -service users

TLS 1.3 Ciphers Enabled by Default

TLS 1.3 ciphers are now enabled by default for use with the REST API webserver, and some less-secure ciphers have been removed in this release. Refer to:

>New available ciphers listed:

•PUT /api/lunasa/webServer

•PATCH /api/lunasa/webServer

Additional Changes in REST API 16

Luna REST API 16.0.0 also includes the following changes:

>Appliance hostnames can no longer contain the underscore character (_). Refer to Hostname requirements are tightened for details. The following resources are affected:

•PUT /api/lunasa/network

•PATCH /api/lunasa/network

Valid Update Paths

You can update the Luna Network HSM 7 appliance software to version 7.9.0 from the following previous versions:

>7.8.3, 7.8.4, 7.8.5

Advisory Notes

This section highlights important issues you should be aware of before deploying Luna Appliance Software 7.9.0.

Appliance Re-Image Now Deletes Bonded Interfaces

Using Luna Appliance Software 7.9.0 or newer, the appliance re-image operation deletes all bonded interfaces and supporting network configurations. Those must be reconfigured, if they are needed, after the re-image operation is complete. If you are using bonded interfaces, run lunash:> sysconf reimage start via a serial connection or a physical network interface (eth0/eth1/eth2/eth3) to avoid losing contact with the Luna Network HSM 7.

Refer to Re-Imaging the Appliance to Baseline Software/Firmware Versions.

Disallowed filepaths for SFTP

Using Luna Appliance Software 7.9.0 or newer, the following criteria apply to file transfers to the Luna Network HSM 7:

Filepath	Allowed/Disallowed
Any file path with "../" in it	Disallowed
server.pem	Only allowed to get. Cannot replace server.pem on the Luna Network HSM 7 appliance.
client_syslog.pem	Only allowed to get. Cannot replace client_syslog.pem on the Luna Network HSM 7 appliance.
File name with a length less than 1 or greater than 64	Disallowed
Any file name with "/" in it	Disallowed
File name that ends with a space	Disallowed
File name with "-" (dash)	Allowed
File name that starts with a space	Disallowed
File name with special characters other than letters, digits, underscores, periods, spaces, or hyphens. Such as @,#,$,%,^,&,*	Disallowed
Empty file names	Disallowed

Files can be sent to/from only the current user's "my files".

Hostname requirements are tightened

Requirements for hostnames are tightened using Luna Appliance Software 7.9.0 or newer, to be more compliant with internet standards. If you have hostnames with embedded underscore characters "_", those will have that disallowed character removed during upgrade; so, for example, my_hostname becomes myhostname. Additionally, you may not start or end a hostname with a period "." character or a dash "-" character, but they are suitable to use within a hostname if you wish (example "host-name" or "my.host.name" are acceptable, but not ".hostname" or "hostname-"). Be sure to update scripts and any working notes or instructions.

Appliance system-level user password policy is changed

Using Luna Appliance Software 7.9.0 or newer, the password policy mandates that passwords must contain characters from all four categories, in accordance with updated Linux standards. Previous releases required characters from only three of the four categories. Existing passwords continue to work until a password change is requested.

Package List Output Revised

The output of the command to list software packages installed on the Luna Network HSM 7 has been trimmed from the previous "everything" list, to a more useful list of product-level packages that include all installed product options in which you would have an interest, as well as external interface packages and application packages needed by our support and engineering teams to perform troubleshooting analysis. Requires Luna Appliance Software 7.8.4 or newer.

See package list.

One-Step NTLS Connections Require Update to Luna HSM Client 10.7.0 Components

Luna Appliance Software 7.9.0 and newer includes changes that require an update to the pscp and plink utilities. If you plan to use the One-Step NTLS Connection Procedure to establish client connections to your appliance, either update the client software to Luna HSM Client 10.7.0 or newer, or replace the pscp and plink utilities in your older client installation with the versions included with Luna HSM Client 10.7.0 or newer.

Appliance System Clock Must Be Set Before Starting the Cluster Service

If the system clock is adjusted after the cluster certificate is created, the certificates might not be valid due to date/time. For example, if the certificate is generated while the system clock is ahead by a few minutes, and the clock is then corrected, the certificate will not be valid until the clock catches up to the time it was set to when the cert was created. If the current system time does not fall within the certificate's range of validity, the cluster service fails to start.

REST API Webserver Automatically Enabled

When upgrading to Luna Appliance Software 7.8.1 or newer, the REST API webserver is automatically enabled. If you have not already configured the webserver to accept REST API calls, this can cause a large volume of error messages to appear in logs. For example:

2022 Nov 22 16:39:29 10  daemon notice  systemd: nginx.service: control process exited, code=exited status=1
2022 Nov 22 16:39:29 10  daemon err  systemd: Failed to start nginx - high performance web server.
2022 Nov 22 16:39:29 10  daemon notice  systemd: Unit nginx.service entered failed state.
2022 Nov 22 16:39:29 10  daemon warning  systemd: nginx.service failed.

These error logs can be safely ignored, but you must explicitly disable the webserver service to stop them from accumulating (lunash:> webserver disable). If you plan to configure the webserver to accept REST API calls, you must regenerate the webserver certificate (lunash:> webserver certificate generate) and restart the webserver service (lunash:> service start webserver) to stop the error logs.

Insecure SSH Ciphers Removed From Luna Appliance Software 7.8.0 and Newer

Thales has removed a number of less-secure SSH ciphers from Luna Appliance Software 7.8.0. As a consequence, older client versions may not be able to use SSH to access LunaSH. This affects SSH connections, pscp/scp file transfers, plink, and certain procedures that rely on these tools such as the One-Step NTLS Connection Procedure. To avoid connection problems, you must use the versions of pscp and plink from Luna HSM Client 10.4.0 or newer. If you use Linux-standard applications like scp or ssh, ensure that they are updated to the latest version.

The following ciphers have been removed:

MACS

>umac-64-etm@openssh.com

>umac-128-etm@openssh.com

>umac-64@openssh.com

>umac-128@openssh.com

Host-Based Accepted Key Types

>ssh-rsa-cert-v01@openssh.com

>ssh-dss-cert-v01@openssh.com

>ssh-rsa

>ssh-dss

Host Key Algorithms

>ssh-rsa-cert-v01@openssh.com

>ssh-dss-cert-v01@openssh.com

>ssh-rsa

>ssh-dss

Public Key Accepted Key Types

>ssh-rsa-cert-v01@openssh.com

>ssh-dss-cert-v01@openssh.com

>ssh-dss

Luna Network HSM 7 Reboot Patch is a Prerequisite For Older Appliances

If your Luna Network HSM 7 was shipped to you before December 2019, and you currently have software older than Luna Appliance Software 7.7.0 installed, the software update will not proceed unless you first install the Luna Network HSM 7 Reboot Patch. Appliances shipped from the factory since December 2019 have this patch already installed. If you installed the patch to enable an earlier update (7.7.0 or newer), you do not need to install it again.

sysconf snmp trap set command now defaults to "inform"

Previously, sysconf snmp trap set -traptype command would default to "trap". This has changed with Luna Appliance Software 7.7.0; which adds the option "inform", the new default. If you had any scripts that relied on the default setting, they should now be adjusted to explicitly set the -traptype.