Copying Files to and from the Appliance

Historically, file transfers between a Luna Network HSM 7 appliance and its clients, or between the appliance and other servers (certificate exchanges, log files, update packages, and so on), have used the SCP protocol via the scp command on Linux/Unix hosts and PSCP or other utilities on Windows hosts.

SCP has reached its limits and is being supplanted across the internet by the secure FTP (SFTP) protocol, which has scope for future adaptability, both for general improvements to functionality and for keeping up with advancing security requirements. On Luna Network HSM 7 appliances, the change is part of a larger refresh/update of the onboard base (hardened) operating system with Luna Appliance Software 7.9.0 and newer.

Many customers are using earlier versions, so for compatibility, any commands or operations that transfer files in and out of the appliance, and any instructions and examples that refer to such transfers, might still reference SCP. However, the default protocol that is actually called is SFTP. Whether the operation negotiates SFTP or needs to downgrade to SCP, this happens transparently to the user, and your scripts should continue to work.

NOTE   As cryptographic algorithms age and might eventually be deemed unsafe, the suite of ciphers available and selectable for securing SCP/SFTP operations is subject to change, and individual ciphers might be dropped in future, which could affect scripted automated tasks. In general, Thales will warn you via a mention in the CRN that a cipher is being discontinued for SSL, SSH, or SCP/SFTP.

Disallowed filepaths for SFTP

Using Luna Appliance Software 7.9.0 or newer, the following criteria apply to file transfers to the Luna Network HSM 7:

Filepath                                                Allowed/Disallowed
------------------------------------------------------  ------------------
Any file path with "../" in it                          Disallowed
server.pem                                              Only allowed to get (cannot be replaced on the Luna Network HSM 7 appliance)
client_syslog.pem                                       Only allowed to get (cannot be replaced on the Luna Network HSM 7 appliance)
File name shorter than 1 or longer than 64 characters   Disallowed
Any file name with "/" in it                            Disallowed
File name that ends with a space                        Disallowed
File name with "-" (dash)                               Allowed
File name that starts with a space                      Disallowed
File name containing characters other than letters,     Disallowed
  digits, underscores, periods, spaces, or hyphens
  (for example @, #, $, %, ^, &, *)
Empty file names                                        Disallowed

Files can be sent to/from only the current user's "my files".
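As an added example (not code from Thales or the Luna documentation), the following Python pre-flight check mirrors the rules in the table above so that a transfer script rejects a bad remote name with a clear reason before sftp is ever invoked. The batch-file text it emits uses the standard OpenSSH "sftp -b" command layout; the file names in the usage are constructed samples.

```python
import re
from typing import Optional

# Files the appliance will only serve (get); uploading (put) them is rejected.
GET_ONLY = {"server.pem", "client_syslog.pem"}
# The only characters the appliance accepts in a file name.
ALLOWED_CHARS = re.compile(r"^[A-Za-z0-9_. -]+$")


def check_appliance_filename(name: str, direction: str) -> Optional[str]:
    """Return None if the remote name passes the documented rules, otherwise the
    reason the appliance would refuse it. direction is "put" or "get"."""
    if name == "":
        return "empty file name"
    if "../" in name:
        return "'../' (path traversal) is not permitted"
    if "/" in name:
        return "'/' is not permitted; transfers are limited to the user's 'my files'"
    if len(name) > 64:
        return "file name longer than 64 characters"
    if name.startswith(" "):
        return "file name starts with a space"
    if name.endswith(" "):
        return "file name ends with a space"
    if not ALLOWED_CHARS.match(name):
        return "only letters, digits, '_', '.', spaces and '-' are permitted"
    if direction == "put" and name in GET_ONLY:
        return f"{name} can be retrieved but not replaced on the appliance"
    return None


def sftp_batch(transfers) -> str:
    """Check every (direction, local_path, remote_name) entry and return the text
    of an sftp batch file (for 'sftp -b batchfile user@appliance').
    Raises ValueError naming the first entry the appliance would refuse."""
    lines = []
    for direction, local_path, remote_name in transfers:
        reason = check_appliance_filename(remote_name, direction)
        if reason is not None:
            raise ValueError(f"{direction} {remote_name!r} rejected: {reason}")
        if direction == "put":
            lines.append(f"put {local_path} {remote_name}")
        else:
            lines.append(f"get {remote_name} {local_path}")
    lines.append("bye")
    return "\n".join(lines) + "\n"
```

For example, sftp_batch([("put", "/tmp/client.pem", "client.pem"), ("get", "/tmp/server.pem", "server.pem")]) yields a batch that uploads the client certificate and fetches server.pem, while an attempt to put server.pem is refused locally.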


TIP   SCP is deprecated, and SFTP is enabled by default for file transfer operations with Luna HSMs and clients. While you can continue using scp with Luna products for the time being, OpenSSL might eventually discontinue scp support, so we recommend that you "future-proof" your operations by updating scripts and procedures to call sftp by preference.