Converting Partitions from V0 to V1 or V1 to V0

CAUTION!   Back up any important keys and objects before proceeding.

This section describes how to convert partitions from V0 to V1 and from V1 to V0. It assumes that you have updated your Luna HSMs to Luna HSM Firmware 7.7.0 or newer, with all pre-existing partitions automatically converted to V0. For more information about V0 and V1 partitions, refer to Compare Behavior of Pre-Firmware 7.7, and V0, and V1 Partitions.

Converting a Partition From V0 to V1

To convert a partition from V0 to V1, the procedure differs, depending on whether the partition is a member partition of an HA group or a non-member partition.

Converting a non-member partition from V0 to V1

To convert your non-member partitions to V1 partitions with minimum application downtime, use the following procedure.

To convert a non-member partition from V0 to V1

1. Have the chosen partition visible in lunaCM.

2. Select that partition with the lunaCM command slot set -slot <slot number>.

3. [Optional] Show the current partition policy values and verify that policy 41 is set to version 0, with partition showpolicies.

4. Log in to the partition as the Partition Security Officer with role login -name po.

5. Change the value of Partition Policy 41: Enable Partition Version to version 1, with partition changepolicy -policy 41 -value 1.

Converting an HA group member partition from V0 to V1

To convert your HA group member partitions to V1 partitions with minimum application downtime, use the following procedure. This procedure is performed by the HSM SO for each Luna Network HSM 7, the Partition SO and Crypto Officer for the HA group members.

Prerequisites

> You must be aware of the guidelines for upgrading an HA member partition to any firmware version and adhere to them carefully. For more information, read Guidelines and Recommendations For Updating or Converting HA Member Partitions.

NOTE   You must update/convert secondary partitions first and the primary partition last. If you do not adhere to this guideline, you may experience issues while updating/converting.

> You require admin-level access to the Luna Network HSM 7.

To convert an HA group member partition from V0 to V1

1. Migrate the HA group to V0 by completing the procedures described in Special Considerations for Luna HSM Firmware 7.7.0 and Newer for every member partition.

2. On the client workstation that administers the HA group, stop all client applications.

3. Update the Luna HSM Client software to Luna HSM Client 10.3.0 or newer (see Updating the Luna HSM Client Software).

4. [Optional] You may now restart your client applications, or wait until the end of the procedure.

5. Launch LunaCM and use the following procedure to convert each HA member partition to V1. To prevent the HA group serial number from changing and disrupting your client applications, the member originally used to create the group must be the last member still remaining in the group:

NOTE   The member partition that has the same serial number as the HA group, minus the leading 1, is the original member.

a. Remove a member partition from the HA group (see Adding/Removing an HA Group Member).

lunacm:> hagroup removemember -group <label> {-slot <slotnum> | -serial <serialnum>}

b. Log in as Partition SO.

lunacm:> role login -name po

c. Convert the partition to V1 by changing partition policy 41: Partition Version.

lunacm:> partition changepolicy -policy 41 -value 1

d. Repeat steps a-c until only the original member remains in the HA group.

e. When only the original member remains in the group, log in as Partition SO and convert it to V1. This member's SMK will be the one used for the entire HA group (see Scalable Key Storage for more information).

lunacm:> role login -name po

lunacm:> partition changepolicy -policy 41 -value 1

f. Add each V1 partition back to the HA group (see Adding/Removing an HA Group Member). The primary member's SMK is automatically cloned to each new member added to the HA group.

lunacm:> hagroup addmember -group <label> {-slot <slotnum> | -serial <serialnum>}
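The ordering rule in steps a-f is easy to get wrong by hand, so the following added example (not Thales or Luna code) plans the member conversion sequence: it identifies the original member from the HA group serial (group serial minus the leading 1, per the NOTE above), refuses to proceed if that member is missing or ambiguous, and emits the lunacm commands with the original member converted last and re-added members listed at the end. The group label and all serial numbers are constructed placeholders; selecting each partition's slot before role login is assumed and not emitted.

```python
"""Plan the V0-to-V1 conversion order for HA group members (added example)."""


def original_member(group_serial: str, member_serials: list[str]) -> str:
    """Return the member whose serial equals the HA group serial without its leading '1'.

    Raises ValueError if the group serial is malformed or no single member matches,
    because converting without the original member last changes the group serial.
    """
    if not group_serial.startswith("1"):
        raise ValueError(f"HA group serial {group_serial!r} does not start with '1'")
    wanted = group_serial[1:]
    matches = [s for s in member_serials if s == wanted]
    if len(matches) != 1:
        raise ValueError(
            f"expected exactly one member with serial {wanted!r}, found {len(matches)}"
        )
    return matches[0]


def conversion_order(group_serial: str, member_serials: list[str]) -> list[str]:
    """Secondary members first (in the order given), original member last."""
    orig = original_member(group_serial, member_serials)
    return [s for s in member_serials if s != orig] + [orig]


def lunacm_plan(group_label: str, group_serial: str, member_serials: list[str]) -> list[str]:
    """Emit the lunacm command sequence of steps a-f for every member.

    Each secondary member is removed, then (after selecting its slot, not shown)
    converted by policy 41; the original member is converted in place; finally
    the converted secondaries are added back so the primary SMK is cloned to them.
    """
    order = conversion_order(group_serial, member_serials)
    orig = order[-1]
    plan: list[str] = []
    for serial in order:
        if serial != orig:
            plan.append(f"hagroup removemember -group {group_label} -serial {serial}")
        plan.append("role login -name po")
        plan.append("partition changepolicy -policy 41 -value 1")
    for serial in order[:-1]:
        plan.append(f"hagroup addmember -group {group_label} -serial {serial}")
    return plan


if __name__ == "__main__":
    # Constructed placeholders: group serial is '1' + the original member's serial.
    for line in lunacm_plan("myHA", "11234567890123", ["1234567890124", "1234567890123"]):
        print("lunacm:>", line)
```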

Converting a Partition From V1 to V0

1. Back up any valuable keys or objects.

CAUTION!   This operation, going from V1 back to V0, is destructive. All objects on the partition are destroyed, as well as the SMK(s). If any valuable objects were created and archived from a version one (V1) partition, then they must have been SKS-stored off the HSM, and the SMK that encrypted those objects must be preserved on a Backup HSM or in another partition (that remains at V1), if those objects might ever be needed in future.

If no valuable SKS blobs have been encrypted by the partition's current SMK, then there is no need for backup.

2. Have the chosen partition visible in lunaCM.

3. Select that partition with the lunaCM command slot set -slot <slot number>.

4. [Optional] Show the current partition policy values and verify that policy 41 is set to version 1, with partition showpolicies.

5. Log in to the partition as the Partition Security Officer with role login -name po.

6. Change the value of policy 41 to version 0, with partition changepolicy -policy 41 -value 0.