Luna HSM Client 10.4.0
Luna HSM Client 10.4.0 was released in October 2021. It includes bug fixes and security updates.
New Features and Enhancements
Luna HSM Client 10.4.0 includes the following new features and enhancements:
CMU allows Crypto User Login
CMU now includes a command line option to allow login by the Crypto User (CU) on a partition. It should be noted that the CU role is limited to read-only access and can not be used to manage objects.
Updates and Enhancements to Java Provider
>SimMultisign in JCPROV (requires minimum Luna HSM Firmware 7.7.0)
>ECIES structure CK_ECIES_PARAMS_EXT in JCPROV (requires minimum Luna HSM Firmware 7.7.0)
>New HA Login API in JCPROV (requires minimum Luna HSM Firmware 7.7.0). Includes a new sample, HALogin_v2.java.
>SHA-3 in JCPROV/JSP (requires minimum Luna HSM Firmware 7.4.2)
>BIP32 Sample Java Application Extended to Demonstrate BIP44 Key Derivation (requires minimum Luna HSM Firmware 7.3.0)
Updates and Enhancements to High Availability Functionality
Luna HSM Client 10.4.0 includes some improvements to HA functionality (see High-Availability Groups).
>OUID Methods GetObjectUID and GetObjectHandle Usable With HA Groups
>CK_MILENAGE_SIGN_PARAMS can now be used in HA Groups (requires minimum Luna HSM Firmware 7.4.2)
Set CKA_EXTRACTABLE Using Luna KSP
It is now possible to set CKA_EXTRACTABLE when creating private keys using Luna KSP.
Release 10.4.0 Advisory Notes
This section highlights important issues you should be aware of before deploying Luna HSM Client 10.4.0.
RHEL 8.x introduced system-wide cryptographic modes. The full Luna HSM Client installer is supported only when RHEL 8.x is in DEFAULT mode. If your RHEL 8.x OS is in FIPS mode, use the minimal Luna HSM Client.
One-Step NTLS Fails on SUSE 11 Linux
Incompatibility of new Luna HSM Client components with older ones on SUSE 11 cause the one-step NTLS procedure to fail. Instead, use the multi-step procedure to establish an NTLS connection manually.
Refer to Multi-Step NTLS Connection Procedure.
Luna HSM Client No Longer Supports Luna PCIe HSM 6 on Windows
Luna HSM Client 10.4.0 and newer cannot be used with an installed Luna PCIe HSM 6.
Support for Windows Server 2012 R2 is Ended
Luna HSM Client 10.3.0 is the last version that will support Windows Server 2012 R2.
Red Hat Enterprise Linux / CentOS 6 Support is Ended
Luna HSM Client 10.2.0 is the last version that will support RHEL 6 and related operating systems. If you plan to install future client updates, consider updating your clients to RHEL 7 or 8.
Support for 32-bit OS Platforms is Ended
Starting with Luna HSM Client 10.2.0, 32-bit libraries are no longer provided. If you have a 32-bit application or integration, remain with a previous client release
Older JAVA Versions Require Patch/Update
The .jar files included with Luna HSM Client 10.x have been updated with a new certificate, signed by the Oracle JCE root certificate. This certificate validation requires a minimum Oracle JDK/JRE version.
>If your application relies on Oracle Java 7 or 8, you must update to the advanced version provided by Oracle. You require (at minimum) version 7u131 or 8u121. Please refer to Oracle's website for more information: https://www.oracle.com/technetwork/java/java-se-support-roadmap.html
>If your application relies on IBM Java 7 or 8, you must install a patch from IBM before updating to Luna HSM Client 10.x (see APAR IJ25459 for details).
"CKR_MECHANISM_INVALID" Messages in Mixed Luna Cloud HSM Implementations
When using a DPoD Luna Cloud HSM service with Luna HSM Client, you might encounter errors like "CKR_MECHANISM_INVALID" or "Error NCryptFinalizeKey" during some operations in Hybrid HA and FIPS mode (3DES Issue). This can occur if firmware versions differ between a Luna HSM partition and a DPoD Luna Cloud HSM service in an HA group when you invoke a mechanism that is supported on one but not the other. Similarly, if one member is in FIPS mode, while the other is not, a mechanism might be requested that is allowed for one member, but not the other. For example, the ms2luna tool can fail when 3DES operations are invoked.
Resolved Issue LUNA-7585: Java DERIVE and EXTRACT flag settings for keys injected into the HSM
Formerly, the DERIVE and EXTRACT flags were forced to "true" in the JNI, which overrode any values passed by applications via Java. This was resolved in Luna 7.3 release.
As of release 7.3:
>The default values for the DERIVE and EXTRACT flags are set to "false" (were set to “true” in previous releases).
>JNI accepts and preserves values set by applications via the following Java calls:
LunaSlotManager.getInstance().setSecretKeysDerivable( true );
LunaSlotManager.getInstance().setPrivateKeysDerivable( true );
LunaSlotManager.getInstance().setSecretKeysExtractable( true );
LunaSlotManager.getInstance().setPrivateKeysExtractable( true );
NOTE If you have existing code that relies on the DERIVE and EXTRACT flags being automatically defined by the JNI for new keys, you will need to modify your application code to set the flag values correctly.
In cases where a derived key must be extractable, add the following line to the java.security file:
Supported Luna HSM Client 10.4.0 Operating Systems
You can install Luna HSM Client 10.4.0 on the following operating systems:
|Operating System||Version||Secure Boot Supported|
|Windows Server Standard||2022||Yes|
|Windows Server Core||2022||Yes|
|Redhat-based Linux (including variants like CentOS and Oracle Enterprise Linux)||8.0, 8.1, 8.2, 8.3, 8.4 (†)||No|
|OpenSuse Linux (minimal client only)||15||No|
* The Linux installer for Luna HSM Client software is compiled as .rpm packages. To install on a Debian-based distribution, such as Ubuntu, alien is used to convert the packages. We used build-essential:
apt-get install build-essential alien
If you are using a Docker container or another such microservice to install the Luna Minimal Client on Ubuntu, and your initial client installation was on another supported Linux distribution as listed above, you do not require alien. Refer to the product documentation for instructions. You might need to account for your particular system and any pre-existing dependencies for your other applications.
† RHEL and CentOS 8.0 and 8.1 with their original kernels. For 8.2 and newer, if your current Linux kernel does not include the file dma_remapping.h, acquire it (from RHEL or CentOS 8.1 kernel version 4.18.0-147 or earlier ) and copy it into “/usr/src/kernels/22.214.171.124.28.1.el8_2.x86_64/include/linux/” in your current Client installation target.
Supported Cryptographic APIs
Applications can perform cryptographic operations using the following APIs:
>JCA within Oracle Java 7*/8*/9/10/11
*Luna HSM Client 10.1 and newer requires the advanced version of Oracle Java 7/8.
>JCA within OpenJDK 7/8/9/10/11