Version Dependencies by Feature
Some of the Luna Network HSM 7 functionality described in the documentation has been introduced in updates since the initial product release. For your own reasons, you might wish to apply some aspects of a product update and not others. For example:
>you could choose to update
>if you are maintaining a large number of client workstations, it might be cumbersome to apply software updates to all of them
The following table outlines the Luna Network HSM 7 functions that depend on a certain software/firmware version, or have other requirements you must consider.
Function | Minimum Version Requirements | Notes |
---|---|---|
Low-latency HA status |
Client: 10.7.0 |
Query the HA virtual slot to quickly get the status. |
Change password for all HA members |
Client: 10.7.0 |
A single lunacm command (invoked on the HA virtual partition slot) changes the CO password for all partitions in that HA group.. |
Mechanisms/operations blocked |
Firmware: 7.8.4 |
Beginning with Luna HSM Firmware 7.8.4, to align with FIPS 140-3 requirements, any forward operations using 3DES are no longer allowed in approved mode, even if a block/usage counter is in place (forward operation = encrypt, sign, wrap). |
ED448 and Curve448 support |
Firmware: 7.8.4 |
Beginning with Luna HSM Firmware 7.8.4, support for Edwards curve 448 and Curve448 is added. |
Package list output revised |
Appliance: 7.8.4 |
The package list output is filtered for compactness and relevance. |
Enhanced access control of Clients, using extended DN attribute validation |
Appliance: 7.8.4 |
Previously, validation of a client certificate was against the common name (CN) only. Using Luna Appliance Software 7.8.4 and newer, validation matches multiple fields of the distinguished name (DN). |
Configurable key size and type support for NTLS and SSH |
Appliance: 7.8.4 Client: 10.7.0 |
Key size can be specified for RSA, other key types can be specified, and curve can be specified for appropriate key type. |
Cryptographic traffic control |
Appliance: 7.8.3 |
Measure bandwidth usage per client, and manage "noisy neighbors". See Crypto Traffic Controller for QoS. |
CA-signed Client Certificates Can be Registered without being Copied to Luna Network HSM |
Appliance: 7.8.3 |
Specify a -nocert option to register a client for NTLS without immediate need for a CA-signed certificate from the client. |
Configurable SSH ciphers |
Appliance: 7.8.3 |
Customize Luna Network HSM 7 SSH ciphers used by the appliance. |
Configurable TLS ciphers |
Appliance: 7.8.3 Client: 10.6.0 |
Customize Luna Network HSM 7 TLS ciphers used by the appliance. |
Certificate rotation in HA Mode |
Client: 10.6.0 |
A new certificate is used immediately upon recovery of an HA member, rather than using a cached copy of the outgoing cert, as in previous releases. There is no need to launch a new client instance to invoke a new certificate. |
Key translation function for 5G |
Firmware: 7.8.2 |
Allows to securely import subscriber authentication keys into a 5G authentication platform (UDM). See Luna Key Translation. |
Choose whether a password change logs out all sessions |
Firmware: 7.8.2 Client: 10.5.1 |
You can now choose whether open sessions are allowed to continue under the previous authentication until overtly closed (such as during routine password rollover) or are immediately logged out when role changepw, role resetpw. |
HMAC accepts zero-byte input |
Firmware: 7.8.2 |
All cryptographic mechanisms with "HMAC" in the name now accept zero-byte input. |
Session memory management optimization |
Firmware: 7.8.2 |
Perform appropriate administration tasks, maintain the availability of your platform, and prevent a crash, when applications are lax in releasing resources. |
New Configuration File Entry Used to Refresh Partition Label Cache | Client: 10.5.1 | Refresh application partition and keyring labels without requiring an application restart. |
Support for AIX and RHEL 9 | Client: 10.5.1 | See Supported Operating Systems. |
Cluster and Keyring enhancements | Client: 10.5.1 | Improvements to the Cluster/Keyring evaluation Technical Preview. |
Partition Configuration Management in Luna Shell (lunash) |
Appliance: 7.8.1 Firmware: 7.8.1 |
New commands added. See partition for the full list of partition commands in LunaSH. |
Time management by HSM SO |
Appliance: 7.8.1 Firmware: 7.8.1 |
New commands added. See hsm time for the full list of partition commands in LunaSH. |
Clusters and Keyrings (technical preview) |
Appliance: 7.8.1 Firmware: 7.8.1 |
Appliance-mediated redundancy and high availability (contrast with client-mediated HA already in use), and a more granular alternative to the partition model for handling keys. Requires installing a secure package, and is made available for early evaluation only, at this time. |
Configurable mutex folder on Linux |
Client: 10.5.0 |
Can set a custom location for temporary files. See Configuration File Summary. |
Universal Cloning |
Firmware: 7.8.1 Client: 10.5.0 |
Includes: >Updated encryption >Enhanced cipher suite options >Multiple domains per partition >Session Key lifetime management See Universal Cloning. |
NOTE: Firmware 7.8.0 was replaced by firmware 7.8.1 so as to have the most robust candidate possible under FIPS evaluation. Any features that were originally attributed to 7.8.0 are listed in this table as belonging to firmware 7.8.1, and 7.8.0 is withdrawn. | ||
ECIES Hardware Acceleration using Curve25519 |
Firmware: 7.7.2 |
Adds enhanced performance for ECIES using Curve25519. |
ECIES AES-CTR ICB Derivation |
Firmware: 7.7.2 |
processing of Subscription Concealed Identifier (SUCI) de-concealment requests. See CKM_ECIES. |
Key Wrapping/Unwrapping with AES GCM |
Firmware: 7.7.2 |
Supports wrap/unwrap operations using the CKM_AES_GCM mechanism. |
Validate Integrity of Functionality Modules |
Firmware: 7.7.2 |
Assist the verification of FMs in compliance with industry and national standards. See FMSW_GetImage API to validate an FM. |
Clone Objects From Multifactor Quorum-Authenticated Luna HSMs to Luna Cloud HSM |
Client: 10.4.1 |
You can now use Luna Cloud HSM services to back up any Luna 7 HSM securely in the cloud. |
CMU allows Crypto User Login |
Client: 10.4.0 | Refer to cmu. |
Updates and Enhancements to High Availability Functionality |
Client: 10.4.0 |
>SimMultisign in JCPROV (requires minimum Luna HSM Firmware 7.7.0)
>ECIES structure CK_ECIES_PARAMS_EXT in JCPROV (requires minimum Luna HSM Firmware 7.7.0) >SHA-3 in JCPROV/JSP (requires minimum Luna HSM Firmware 7.4.2) >BIP32 Sample Java Application Extended to Demonstrate BIP44 Key Derivation (requires minimum Luna HSM Firmware 7.3.0) Refer to Luna HSM Client 10.4.0 and Luna HSM Client 10.4.0 for more information. |
Updates and Enhancements to Java Provider |
Client: 10.4.0 |
>OUID Methods GetObjectUID and GetObjectHandle Usable With HA Groups >CK_MILENAGE_SIGN_PARAMS can now be used in HA Groups (requires minimum Luna HSM Firmware 7.4.2) Refer to High-Availability Groups. |
Set CKA_EXTRACTABLE Using Luna KSP |
Client: 10.4.0 |
Now possible to set CKA_EXTRACTABLE when creating private keys using Luna KSP. |
Network HSM Admin can initialize partitions via Luna Shell |
Appliance: 7.7.1 |
Luna Shell (lunash) on the Network HSM appliance now includes partition init and partition initco commands to initialize a new partition. |
Allowlisting of permitted IP addresses for control of SSH access to the Network HSM appliance |
Appliance: 7.7.1 |
Optionally configure and manage SSH access control at the HSM appliance, by creating an allowlist of IP addresses that are permitted to connect to a given HSM appliance userid via SSH. |
REST API supports use of third-party certificates >see REST API 10.0.0 Reference in REST API References |
Appliance: 7.7.1 |
REST API 10 for Luna Network HSM now allows you to use client certificates signed by a trusted Certificate Authority (CA). |
REST API provides additional capabilities previously available only in Luna Shell >see REST API 10.0.0 Reference in REST API References |
Appliance: 7.7.1 |
REST API 10 for Luna Network HSM adds equivalents for lunash token backup commands, sysconf config commands, and any status commands and ntls commands not previously migrated. |
REST API enables CSR generation >see REST API 10.0.0 Reference in REST API References |
Appliance: 7.7.1 |
REST API 10 for Luna Network HSM adds equivalents for lunash token backup commands, sysconf config commands, and any status commands and ntls commands not previously migrated. |
SSH inactivity timeout |
Appliance: 7.7.1 |
SSH sessions now timeout after 30 minutes of inactivity. |
SHA1 ciphers are disabled for SSH |
Appliance: 7.7.1 |
For security, the appliance does not allow SHA1 ciphers when negotiating a connection. |
Mandatory password while creating a user >user |
Appliance: 7.7.1 |
The command prompts for a password, and proceeds when one is provided. |
V0 and V1 partitions |
Client: 10.3.0 Appliance: 7.7 Firmware: 7.7.0 |
This new cloning protocol is a necessary underpinning for some of the features that ensure eIDAS compatibility. It affects backup and restore operations, High Availability, Scalable Key Storage. Migration from earlier cloning-version HSMs is one-way V0/V1 HSMs/partitions can accept and decrypt older objects, but can encrypt and export only V0/V1 objects. |
Scalable Key Storage |
Client: 10.3.0 Appliance: 7.7 Firmware: 7.7.0 |
SKS allows off-boarding of objects and keys as encrypted blobs, for handling of much greater numbers of objects than can be contained within the HSM. With firmware 7.7.0, backup and restore and HA are implemented using SKS blobs, while the latest cloning protocol is used for replicating or archiving the SKS Master Key (that encrypts and decrypts the blobs). Migration from the earlier version of SKS in firmware 6.xis supported, but the reverse direction is not. |
Per-Key Authorization (PKA) |
Client: 10.3.0 Appliance: 7.7 Firmware: 7.7.0 |
PKA meets a requirement of PP 419-221.5, and allows each key in a partition to have its own authorization and rules governing its use, including integration with a SAM. and sole control of keys. The resulting overhead increases the size of partition headers, affecting the size and number of objects that can be stored, which invokes new considerations for backup and restore. Existing applications (with no PKA awareness) can still work if the new Client Cryptoki library is installed. Existing partitions become "backward compatible" when the HSM is upgraded to f/w 7.7.0. New partitions can be backward compatible or PP 419-221.5-compatible by setting an option at creation time. |
Luna Backup HSM 7 Firmware 7.7.1 |
Client: 10.3.0 Appliance: 7.7.0 |
The Luna Backup HSM 7 requires minimum firmware 7.7.1 to back up and restore Luna 7.7.x partitions, or to migrate keys from Luna HSMs using older firmware. You require, at minimum, Luna HSM Client 10.3.0 |
Appliance-Connected Luna Backup HSM 7 >Luna Backup HSM 7 Connected to Luna Network HSM 7 Using Remote Multifactor Quorum Authentication |
Appliance: 7.7.0 | The Luna Backup HSM 7 can now be connected to one of the USB ports on the Luna Network HSM 7 appliance and operated using LunaSH. |
Updated Secure Trusted Channel |
Client: 10.3.0 Appliance: 7.7.0 Firmware: 7.7.0 |
Secure Trusted Channel (STC) connections have been updated for the Luna 7.7.0 release. Refer to Migrating STC Connections to Luna HSM Firmware 7.7.0 or Newer for important instructions on updating your existing STC partitions. |
Client and Appliance Certificates can be Signed by a Trusted Certificate Authority >Creating an NTLS Connection Using Certificates Signed by a Trusted Certificate Authority |
Client: 10.1.0 Appliance: 7.7 |
Prior to the release of appliance software version 7.7.0, only the client-side certificate could be signed by a third-party CA, using Luna HSM Client 10.1.0 or newer. See Creating an NTLS Connection Using a Self-Signed Appliance Certificate and a Client Certificate Signed by a Trusted Certificate Authority for that procedure. |
Support for Multiple Trap Targets |
Appliance: 7.7.0 |
|
Support for 3GPP, SM2/SM4, and SHA-3 Cryptographic Algorithms |
Firmware: 7.4.2 Client: 10.2 |
Refer also to Firmware 7.4.2 Mechanisms for descriptions of the applicable mechanisms. Refer to the Luna HSM Firmware 7.4.2 Technical Note for installation instructions. |
DPoD Luna Cloud HSM Support |
Client: 10.1 | Refer to Cloning Keys Between Luna 6, Luna 7, and Luna Cloud HSM, Password or Multifactor Quorum for more information on using a Luna Cloud HSM service with Luna HSMs. |
Remote PED Server Support on Linux Clients |
Client: 10.1 | |
Client NTLS Certificates can be Signed by a Trusted Certificate Authority |
Client: 10.1 | |
Luna Backup HSM 7 Support >Luna Backup HSM 7 Connected to Luna HSM Client Using Remote Multifactor Quorum Authentication |
Client: 10.1 | |
Functionality Modules |
Hardware: FM-Ready Firmware: 7.4.0 Appliance: 7.4 Client: 7.4 |
Refer to Preparing the Luna Network HSM 7 to Use FMs for an overview of hardware/software/firmware requirements. |
Manage Allowed Origin Domains for REST API |
Appliance: 7.4 |
|
Support for BIP32 Cryptographic Algorithms |
Firmware: 7.3.0 Client: 7.3.0 |
Refer also to Firmware 7.3.0 Mechanisms for descriptions of the applicable mechanisms. |
Appliance Re-image >Re-Imaging the Appliance to Baseline Software/Firmware Versions |
Firmware: 7.3.0 Appliance: 7.3 |
The Appliance Re-image feature is not supported on HSMs that use Functionality Modules. If you have ever enabled HSM policy 50: Allow Functionality Modules, even if the policy is currently disabled, you cannot re-image the HSM appliance. See FM Deployment Constraints for details. |
Partition Utilization Metrics |
Firmware: 7.3.0 Appliance: 7.3 Client: 7.3 |
|
Improved Luna HSM Client >Version-Compatible Luna HSM Client (Luna HSMs version 6.2.1 and higher) >Cloning Keys Between Luna 6, Luna 7, and Luna Cloud HSM, Password or Multifactor Quorum >Modifying the Installed Windows Luna HSM Client Software >User-Defined Luna HSM Client install paths >Luna Minimal Client (for Linux) |
Client: 7.2 |
>Luna HSM Client 10.1 or higher is required to use Luna partitions with DPoD Luna Cloud HSM services >The PE1756Enabled setting on Luna 6.x HSMs is not supported for use with the Version-Compatible Luna HSM Client >Minimum OS requirements for Luna HSM Client 7.2 must be met (Refer to the CRN for details) >Minimal Client does not include tools, and is intended for customer application containers connecting to the Network HSM. A separate full Luna HSM Client installation and configuration must be performed on the container host (and the resulting config file and certificate folders saved on the host), to establish NTLS or STC connections for use by the containers (note, STC is replaced by STC2 in release 7.7.0 (and client 10.3) with a new database format and file locations. |
Initialize the orange RPV key remotely |
Appliance: 7.2 Client: 7.2 |
|
Configure Cipher Suites |
Appliance: 7.2 Client: 7.2 |
The Luna 7.2 appliance update includes the sysconf tls ciphers LunaSH commands, but you must update Luna HSM Client to use any of the newly-included ciphers. For older clients, the ciphers available for negotiation are those that are common to your client version and to the updated Network HSM. |
Customize system logging by severity level |
Appliance: 7.2 |
If you were using remote logging before you upgraded the appliance software to 7.2, you must delete any existing remote hosts (see syslog remotehost delete) and re-add them before you can customize severity levels. |
|
Firmware: 7.2.0 Appliance: 7.2 Client: 7.2 |
|
Crypto User can clone public objects | Firmware: 7.2.0 |
The Crypto User (CU) role has always been able to create public objects, but not clone them. In HA mode, this would cause the replication and subsequent object creation operations to fail. Firmware 7.2.0 allows the CU to clone public objects, and therefore to perform operations on HA groups without Crypto Officer authentication. |
Configure partition policies for export of private keys >Configuring the Partition for Cloning or Export of Private/Secret Keys |
Firmware: 7.1.0 |
You can configure partition policies for Cloning or Key Export Mode manually, as long as you have updated the HSM firmware. To set these modes using Policy Templates, you must meet the Policy Template requirements. |
Policy Templates |
Firmware: 7.1.0 Appliance: 7.1 Client: 7.1 |