Luna HSM Client 7.3.0

Luna HSM Client 7.3.0 was released in September 2018.

>Download Luna HSM Client 7.3.0

NOTE   This version of Luna HSM Client is compatible with Luna HSMs with firmware 6.2.1 and newer. Features that do not have client version dependencies will function without issue. However, Thales has some recommendations when using certain firmware versions. See General Version Compatibility Recommendations.

New Features and Enhancements

Luna HSM Client 7.3.0 includes the following new features and enhancements:

JavaSP support for ECC Curve 25519

The Luna Java Provider now includes support for mechanisms using ECC Curve 25519.

Supported Operating Systems

You can install the Luna HSM Client 7.3.0 on the following operating systems:

Operating System Version 64-bit applications on 64-bit OS 32-bit applications on 64-bit OS 32-bit applications on 32-bit OS
Windows 10 Yes Yes No
Windows Server 2016 Yes Yes No
2012 R2 Yes Yes No
Redhat-based Linux (including variants like CentOS and Oracle Enterprise Linux) 7 Yes Yes Yes
6 Yes Yes Yes
AIX ** 7.1 Yes No No
Solaris (SPARC/x86) ** 11

Yes No No
Ubuntu * 14.04 Yes No Yes

* The Linux installer for Luna HSM Client software is compiled as .rpm packages. To install on a Debian-based distribution, such as Ubuntu, alien is used to convert the packages. We used build-essential:

apt-get install build-essential alien

If you are using a Docker container or another such microservice to install the Luna Minimal Client on Ubuntu, and your initial client installation was on another supported Linux distribution as listed above, you do not require alien. Refer to the product documentation for instructions. You might need to account for your particular system and any pre-existing dependencies for your other applications.

** Although the AIX and Solaris installers display the options, Luna PCIe HSM 7 and Luna USB HSM 7 are not supported in this release. Select only Luna Network HSM during installation.

Supported Cryptographic APIs

Applications can perform cryptographic operations using the following APIs:

>PKCS#11 2.20

>Java 7/8/9

>OpenSSL

>Microsoft CAPI

>Microsoft CNG

Advisory Notes

This section highlights important issues you should be aware of before deploying Luna HSM Client 7.3.0.

Older Clients Can Fail to Complete One-Step NTLS with Newer Appliance Software

Newer Luna Network HSM 7 can have outdated (weaker) ciphers removed from file transfer protocols, as a security measure. If you have Luna HSM Client 7.3.0 or older installed, it might not be possible to negotiate a common cipher for a secure link. You might see an error similar to: FATAL ERROR: Couldn't agree a host key algorithm (available: ecdsa-sha2-nistp256,ssh-ed25519).

To resolve this issue, you can download a new version of PuTTY from PuTTY.org at: https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

Copy pscp.exe and plink.exe to C:\Program Files\SafeNet\LunaClient and retry One-Step NTLS.

Alternatively, install Luna HSM Client 10.4.0 or newer, which includes plink and pscp 0.76 or newer.

Resolved Issue LUNA-7585: Java DERIVE and EXTRACT flag settings for keys injected into the HSM

Formerly, the DERIVE and EXTRACT flags were forced to "true" in the JNI, which overrode any values passed by applications via Java. This was resolved in Luna HSM Client 7.3.0.

As of Luna HSM Client 7.3.0:

>The default values for the DERIVE and EXTRACT flags are set to "false" (were set to “true” in previous releases).

>JNI accepts and preserves values set by applications via the following Java calls:

LunaSlotManager.getInstance().setSecretKeysDerivable( true ); 
LunaSlotManager.getInstance().setPrivateKeysDerivable( true );
LunaSlotManager.getInstance().setSecretKeysExtractable( true );
LunaSlotManager.getInstance().setPrivateKeysExtractable( true );

NOTE   If you have existing code that relies on the DERIVE and EXTRACT flags being automatically defined by the JNI for new keys, you will need to modify your application code to set the flag values correctly.

In cases where a derived key must be extractable, add the following line to the java.security file:

com.safenetinc.luna.provider.createExtractablePrivateKeys=true

STC over IPv6 is Unavailable

STC client-partition links are not available over an IPv6 network.