Luna HSM Client 10.8.0
Luna HSM Client 10.8.0 was released in March 2025. It includes bug fixes and security updates.
>Download Luna HSM Client 10.8.0 for Windows
>Download Luna HSM Client 10.8.0 for Linux
>Download Luna HSM Client 10.8.0 for AIX
>Download Minimal Luna HSM Client 10.8.0 for Linux
>Download Minimal Luna HSM Client 10.8.0 for ARM64 (see ARM64 Architecture Minimal Client Support)
NOTE This version of Luna HSM Client is compatible with Luna HSMs with firmware 6.2.1 and newer. Features that do not have client version dependencies will function without issue.
New Features and Enhancements
Luna HSM Client 10.8.0 includes the following new features and enhancements:
LMS and HSS Mechanisms for Post Quantum Computing
This release adds support for post-quantum algorithm HSS/LMS (Hierarchical Signature System (HSS) / Leighton-Micali Signature (LMS) hash-based signature algorithm) to Luna Network HSM 7. You should be familiar with the relevant section of the PKCS#11 crypto API. LMS is not specified directly, but is supported by specifying HSS level 1 only. Refer to:
>New PKCS extension descriptions: LMS and HSS
>New cryptographic mechanisms:
This feature also requires Luna HSM Firmware 7.8.9 or newer.
New Wrapping Mechanism in SCP03
CKM_AES_CBC_CMAC_WRAP is added to Secure Channel Protocol 03 (SCP03). Refer to:
>New cryptographic mechanism: CKM_AES_CBC_CMAC_WRAP
This feature also requires Luna HSM Firmware 7.8.9 or newer.
Audit Log Improvement
Ability to track individual sessions and client activity is improved.
>Audit logs show C_Initialize()/C_Finalize() markers with partition serial number for NTLS and STC.
>Audit logs show partition label.
>Multiple threads from an application generate the same access ID.
See Audit Logging Enhancement.
This feature also requires
Consistent Allowed Characters for HSM and Partition Role Passwords and Challenge Secrets
This release enforces the set of allowed characters for all HSM and partition role passwords/
The following characters are allowed:
!#$%'()*+,-./0123456789:=?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_abcdefghijklmnopqrstuvwxyz{}~
This character set is enforced when using
List of Resolved Issues
| Issue | Severity | Synopsis |
|---|---|---|
| LCH-2347 | M |
Problem: When running cmu verifyhsm it will fail with client 10.7.2. Other client versions can successfully run this command. Resolution: Fixed in HSM Client 10.8.0. |
Supported Operating Systems
You can install Luna HSM Client 10.8.0 on the following operating systems:
| Operating System | Version |
|---|---|
| Windows | 10, 11 |
| Windows Server Standard | 2025 |
| 2022 | |
| 2019 | |
| 2016 | |
| Windows Server Core | 2022 |
| 2019 | |
| 2016 | |
| Red Hat Enterprise Linux (RHEL) | 8.8, 8.9, 9.0, 9.1, 9.2, 9.3, 9.5** |
| Red Hat Universal Base Image (UBI) | 8.8, 8.9, 9.0, 9.1, 9.2, 9.3 |
| AIX | 7.2, 7.3 |
| SUSE Linux Enterprise Server (minimal client only) | 15 |
| 12.4 | |
| 11.4 | |
|
Ubuntu * |
24.04.1 |
| 22.04 | |
| 20.04 | |
| Debian | 12 |
| 11 | |
| 10 |
* The Linux installer for Luna HSM Client software is compiled as .rpm packages. To install on a Debian-based distribution, such as Ubuntu, alien is used to convert the packages. We used build-essential:
apt-get install build-essential alien
If you are using a Docker container or another such microservice to install the Luna Minimal Client on Ubuntu, and your initial client installation was on another supported Linux distribution as listed above, you do not require alien. Refer to the product documentation for instructions. You might need to account for your particular system and any pre-existing dependencies for your other applications.
** RHEL and CentOS 8.0-9.0 with their original kernels.
Secure Boot Support
Luna HSM Client can be used on all supported OS platforms in the table above, with Secure Boot enabled. If you are using Luna HSM Client to access partitions on a Luna Network HSM 7 only, no drivers are required. On Windows, the drivers for all other Luna HSM variants and components (Luna PCIe HSM 7, Luna USB HSM 7, Luna Backup HSM 7, Luna Backup HSM G5, Luna PED) are signed by Thales for use with Windows Secure Boot. In both these cases, you can proceed with the standard Luna HSM Client Software Installation
On Linux, these drivers are compiled for the host OS during Luna HSM Client installation. If Secure Boot is enabled on the host system, these drivers must be signed as directed by the host OS provider:
>Secure Boot on Red Hat Enterprise Linux
On AIX, no hardware drivers are included; only Luna Network HSM 7 partition access is supported.
ARM64 Architecture Minimal Client Support
Not included in this release -- conditioned Note
You can install the minimal Luna HSM Client 10.8.0 on ARM64 computers with the following operating systems:
| Operating System | Version | Secure Boot Supported |
|---|---|---|
| Red Hat Enterprise Linux (RHEL) | 9.2 | No |
| Debian | 12 | No |
| 11 | No | |
| Ubuntu | 18.04 | No |
Supported Cryptographic APIs
Applications can perform cryptographic operations using the following APIs:
>PKCS#11 2.20
>OpenSSL
>Microsoft CAPI
>Microsoft CNG
>Supported Java versions:
•Open JDK 7 up to Open JDK 21
•Oracle Java 7 up to JDK 21
•IBM Java 7, 8 and 11
Advisory Notes
This section highlights important issues you should be aware of before deploying Luna HSM Client 10.8.0.
PED-Initiated Remote PED Connection with Self-signed Certificates only
Luna Appliance Software 7.8.1 or newer with Luna HSM Client 10.5.1 or newer uses self-signed certificates for PED-initiated Remote PED connections and does not support using 3rd-party (trusted Certificate Authority) certificates for that purpose at this time.
Luna HSM Client 10.5.x on AIX Has Dependencies
Before installing Luna HSM Client 10.5.x for AIX, download and install libgcc10 from the IBM portal:
The LNHClientRegistration script will not work properly with the AIX-standard version of the sed utility. If you will use the LNHClientRegistration script to register your clients, download and install the GNU version of sed.
>https://www.ibm.com/support/pages/node/883796
Backup/USB/PCIe Drivers Not Installed on Windows 10 or Windows Server 2022 Unless Device is Connected
Due to changes in Windows 10 and Server 2022, device drivers are not installed unless the USB or PCIe device is connected to the client workstation. If you plan to use a Luna Backup HSM 7, Luna Backup HSM G5, Luna USB HSM 7, or Luna PCIe HSM 7 with these operating systems, use one of the following workarounds:
>Connect the Luna device to the workstation (or install the Luna PCIe HSM 7 card) before installing the Luna HSM Client software
>After installing the Luna HSM Client software:
a.Connect the Luna device(s) to the workstation (or install the Luna PCIe HSM 7 card)
b.Run LunaHSMClient.exe.
c.Select the devices you want to install drivers for.
d.Click Modify.
Insecure SSH Ciphers Removed From Luna Appliance Software 7.8.0 and Newer
Thales has removed a number of less-secure SSH ciphers from Luna Appliance Software 7.8.0. As a consequence, older client versions may not be able to use SSH to access LunaSH. This affects SSH connections, pscp/scp file transfers, plink, and certain procedures that rely on these tools such as the One-Step NTLS Connection Procedure. To avoid connection problems, you must use the versions of pscp and plink from Luna HSM Client 10.4.0 or newer. If you use Linux-standard applications like scp or ssh, ensure that they are updated to the latest version.
The following ciphers have been removed:
MACS
>umac-64-etm@openssh.com
>umac-128-etm@openssh.com
>umac-64@openssh.com
>umac-128@openssh.com
Host-Based Accepted Key Types
>ssh-rsa-cert-v01@openssh.com
>ssh-dss-cert-v01@openssh.com
>ssh-rsa
>ssh-dss
Host Key Algorithms
>ssh-rsa-cert-v01@openssh.com
>ssh-dss-cert-v01@openssh.com
>ssh-rsa
>ssh-dss
Public Key Accepted Key Types
>ssh-rsa-cert-v01@openssh.com
>ssh-dss-cert-v01@openssh.com
>ssh-dss
CentOS 8.4 Missing Dependency
Due to a missing dependency on CentOS 8.4 [specifically the symlink (libnsl.so.1) to libnsl was removed], when installing Luna HSM Client 10.5.0 or newer, you must install an additional rpm package first:
Run yum install libnsl before invoking the install.sh script.
CSP/KSP Registrations Can Fail if Windows Update Missing
CSP or KSP registration includes a step that verifies the DLLs are signed by our certificate that chains back to the DigiCert root of trust G4 (in compliance with industry security standards).
This step can fail if your Windows operating system does not have the required certificate. If you have been keeping your Windows OS updated, you should already have that certificate.
If your Luna HSM Client host is connected to the internet, use the following commands to update the certificate manually:
certutil -urlcache -f http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
certutil -addstore -f root DigiCertTrustedRootG4.crt
To manually update a non-connected host
1. Download the DigiCert Trusted Root G4 (http://cacerts.digicert.com/DigiCertTrustedRootG4.crt) to a separate internet-connected computer.
2.Transport the certificate, using your approved means, to the Luna HSM Client host into a <downloaded cert path> location of your choice
3.Add the certificate to the certificate store using the command:
certutil -addstore -f root <downloaded cert path>
One-Step NTLS Fails on SUSE 11 Linux
Incompatibility of new Luna HSM Client components with older ones on SUSE 11 cause the one-step NTLS procedure to fail. Instead, use the multi-step procedure to establish an NTLS connection manually.
Refer to Multi-Step NTLS Connection Procedure.
Luna HSM Client No Longer Supports Luna PCIe HSM 6 on any platform
Luna HSM Client 10.5.0 and newer cannot be used with a Luna PCIe HSM 6 that might be present in the host. If you need to use a version 6.x HSM card with your application, install Luna HSM Client 10.3.0 or older for Windows, or Luna HSM Client 10.4.1 or older for Linux.
Luna HSM Client No Longer Supports Luna PCIe HSM 6 on Windows
Luna HSM Client 10.4.0 and newer cannot be used with an installed Luna PCIe HSM 6.
Support for Windows Server 2012 R2 is Ended
Luna HSM Client 10.3.0 is the last version that will support Windows Server 2012 R2.
Red Hat Enterprise Linux / CentOS 6 Support is Ended
Luna HSM Client 10.2.0 is the last version that will support RHEL 6 and related operating systems. If you plan to install future client updates, consider updating your clients to RHEL 7 or 8.
Support for 32-bit OS Platforms is Ended
Starting with Luna HSM Client 10.2.0, 32-bit libraries are no longer provided. If you have a 32-bit application or integration, remain with a previous client release
Older JAVA Versions Require Patch/Update
The .jar files included with Luna HSM Client 10.x have been updated with a new certificate, signed by the Oracle JCE root certificate. This certificate validation requires a minimum Oracle JDK/JRE version.
>If your application relies on Oracle Java 7 or 8, you must update to the advanced version provided by Oracle. You require (at minimum) version 7u131 or 8u121. Please refer to Oracle's website for more information: https://www.oracle.com/technetwork/java/java-se-support-roadmap.html
>If your application relies on IBM Java 7 or 8, you must install a patch from IBM before updating to Luna HSM Client 10.x (see APAR IJ25459 for details).
CKR_MECHANISM_INVALID Messages in Mixed Luna Cloud HSM Implementations
When using a Luna Cloud HSM service with Luna HSM Client, you might encounter errors like "CKR_MECHANISM_INVALID" or "Error NCryptFinalizeKey" during some operations in Hybrid HA and FIPS mode (3DES Issue). This can occur if firmware versions differ between a Luna HSM partition and a Luna Cloud HSM service in an HA group when you invoke a mechanism that is supported on one but not the other. Similarly, if one member is in FIPS mode, while the other is not, a mechanism might be requested that is allowed for one member, but not the other. For example, the ms2luna tool can fail when 3DES operations are invoked.
Resolved Issue LUNA-7585: Java DERIVE and EXTRACT flag settings for keys injected into the HSM
Formerly, the DERIVE and EXTRACT flags were forced to "true" in the JNI, which overrode any values passed by applications via Java. This was resolved in Luna HSM Client 7.3.0.
As of Luna HSM Client 7.3.0:
>The default values for the DERIVE and EXTRACT flags are set to "false" (were set to “true” in previous releases).
>JNI accepts and preserves values set by applications via the following Java calls:
LunaSlotManager.getInstance().setSecretKeysDerivable( true );
LunaSlotManager.getInstance().setPrivateKeysDerivable( true );
LunaSlotManager.getInstance().setSecretKeysExtractable( true );
LunaSlotManager.getInstance().setPrivateKeysExtractable( true );
NOTE If you have existing code that relies on the DERIVE and EXTRACT flags being automatically defined by the JNI for new keys, you will need to modify your application code to set the flag values correctly.
In cases where a derived key must be extractable, add the following line to the java.security file:
com.safenetinc.luna.provider.createExtractablePrivateKeys=true
