Luna HSM Client 10.3.0

Luna HSM Client 10.3.0 was released in October 2020.

>Download Luna HSM Client 10.3.0 for Windows

>Download Luna HSM Client 10.3.0 for Linux

>Download Minimal Luna HSM Client 10.3.0 for Linux

NOTE   This version of Luna HSM Client is compatible with Luna HSMs with firmware 6.2.1 and newer. Features that do not have client version dependencies will function without issue. However, Thales has some recommendations when using certain firmware versions. See General Version Compatibility Recommendations.

New Features and Enhancements

Luna HSM Client 10.3.0 includes the following new features and enhancements:

Scalable Key Storage

Scalable Key Storage is an optional feature that allows off-board storage of keys and objects in quantities greater than the capacity of a cryptographic module (HSM) - virtually unlimited storage, for use with your RSS (Remote Signing and Sealing) and other applications that require thousands or millions of keys. An SKS Master Key (SMK, which never leaves the crypto module) securely encrypts extracted keys and objects, such that they remain within the cryptographic module's security perimeter, and can be reinserted (decrypted inside the crypto module) for immediate use by your application.

Preserves key attributes through the life-cycle of a key.

Provides the option of new SKS function, or classic Luna "keys always in hardware" operation, on a partition-by-partition basis.

This feature also requires Luna HSM Firmware 7.7.0 or newer.

Per-Key Authorization

Per-Key Authorization allows granular control of key material for applications requiring high assurance by providing authorization on a per-key basis.

This feature also requires Luna HSM Firmware 7.7.0 or newer.

Initialize the Orange RPV Key Remotely

You can now initialize the Luna PCIe HSM 7's Remote PED Vector (orange key) using a Luna PED connected to a remote workstation running PEDserver. A one-time numeric password is used to authenticate the Remote PED to the HSM before initializing the RPV. This optional method is useful if the HSM SO only has remote SSH access to the HSM host. The HSM must be in a zeroized state (uninitialized), for security. Your firewall settings must allow an HSM-initiated Remote PED connection.

See Initializing the Remote PED Vector and Creating an Orange Remote PED key.

This feature also requires Luna HSM Firmware 7.7.0.

Supported Operating Systems

You can install Luna HSM Client 10.3.0 on the following 64-bit operating systems:

Operating System Version
Windows 10
Windows Server Standard 2019
2016
2012 R2
Windows Server Core 2019
2016
Redhat-based Linux (including variants like CentOS) 8.0, 8.1, 8.2 (†)
7
OpenSuse Linux (minimal client only) 13
12.4
11.4
Ubuntu * 18
14.04

* The Linux installer for Luna HSM Client software is compiled as .rpm packages. To install on a Debian-based distribution, such as Ubuntu, alien is used to convert the packages. We used build-essential:

apt-get install build-essential alien

If you are using a Docker container or another such microservice to install the Luna Minimal Client on Ubuntu, and your initial client installation was on another supported Linux distribution as listed above, you do not require alien. Refer to the product documentation for instructions. You might need to account for your particular system and any pre-existing dependencies for your other applications.

RHEL and CentOS 8.0 and 8.1 with their original kernels. For 8.2 and newer, if your current Linux kernel does not include the file dma_remapping.h, acquire it (from RHEL or CentOS 8.1 kernel version 4.18.0-147 or earlier ) and copy it into “/usr/src/kernels/4.18.0.193.28.1.el8_2.x86_64/include/linux/” in your current Client installation target. See also Red Hat Enterprise Linux 8 in FIPS Mode Requires Minimal Luna HSM Client.

Secure Boot Support

Luna HSM Client can be used on all supported OS platforms in the table above, with Secure Boot enabled. If you are using Luna HSM Client to access partitions on a Luna Network HSM 7 only, no drivers are required. On Windows, the drivers for all other Luna HSM variants and components (Luna PCIe HSM 7, Luna USB HSM 7, Luna Backup HSM 7, Luna Backup HSM G5, Luna PED) are signed by Thales for use with Windows Secure Boot. In both these cases, you can proceed with the standard Luna HSM Client Software Installation procedure.

On Linux, these drivers are compiled for the host OS during Luna HSM Client installation. If Secure Boot is enabled on the host system, these drivers must be signed as directed by the host OS provider:

>Secure Boot on Red Hat Enterprise Linux

>Secure Boot on Ubuntu

>Secure Boot on Debian

Supported Cryptographic APIs

Applications can perform cryptographic operations using the following APIs:

>PKCS#11 2.20

>JCA within Oracle Java 7*/8*/9/10/11

*Luna HSM Client 10.1.0 and newer requires the advanced version of Oracle Java 7/8.

>JCA within OpenJDK 7/8/9/10/11

>OpenSSL

>Microsoft CAPI

>Microsoft CNG

Advisory Notes

This section highlights important issues you should be aware of before deploying Luna HSM Client 10.3.0.

Older Clients Can Fail to Complete One-Step NTLS with Newer Appliance Software

Red Hat Enterprise Linux 8 in FIPS Mode Requires Minimal Luna HSM Client

RHEL 8.x introduced system-wide cryptographic modes. The full Luna HSM Client installer is supported only when RHEL 8.x is in DEFAULT mode. If your RHEL 8.x OS is in FIPS mode, use the minimal Luna HSM Client.

Support for Windows Server 2012 R2 is Ended

Luna HSM Client 10.3.0 is the last version that will support Windows Server 2012 R2.

Support for 32-bit OS Platforms is Ended

Starting with Luna HSM Client 10.2.0, 32-bit libraries are no longer provided. If you have a 32-bit application or integration, remain with a previous client release (such as 7.2, 7.3, or 7.4), or migrate to 64-bit platform.

Three STC configuration commands are removed

With the STC improvements, new cipher suites, AES-GCM and AES-CTR + HMAC, replace those previously used, and these commands are removed as of client version UC 10.3.0, network appliance software version 7.7.0, and HSM firmware version 7.7.0:

>stcconfig ciphershow

>stcconfig cipherdisable

>stcconfig cipherenable

CentOS 8 throws errors if install directory is not default

Installing Luna HSM Client software on CentOS 8 can result in error messages being logged for the PEDclient service, if the chosen install directory is not the default /usr. This can be prevented by setting SELinux to permissive mode, before installing.

Red Hat Enterprise Linux / CentOS 6 Support is Ended

Luna HSM Client 10.2.0 is the last version that will support RHEL 6 and related operating systems. If you plan to install future client updates, consider updating your clients to RHEL 7 or 8.

Older JAVA Versions Require Patch/Update

The .jar files included with Luna HSM Client 10.x have been updated with a new certificate, signed by the Oracle JCE root certificate. This certificate validation requires a minimum Oracle JDK/JRE version.

>If your application relies on Oracle Java 7 or 8, you must update to the advanced version provided by Oracle. You require (at minimum) version 7u131 or 8u121. Please refer to Oracle's website for more information: https://www.oracle.com/technetwork/java/java-se-support-roadmap.html

>If your application relies on IBM Java 7 or 8, you must install a patch from IBM before updating to Luna HSM Client 10.x (see APAR IJ25459 for details).

CKR_MECHANISM_INVALID Messages in Mixed Luna Cloud HSM Implementations

When using a Luna Cloud HSM service with Luna HSM Client, you might encounter errors like "CKR_MECHANISM_INVALID" or "Error NCryptFinalizeKey" during some operations in Hybrid HA and FIPS mode (3DES Issue). This can occur if firmware versions differ between a Luna HSM partition and a Luna Cloud HSM service in an HA group when you invoke a mechanism that is supported on one but not the other. Similarly, if one member is in FIPS mode, while the other is not, a mechanism might be requested that is allowed for one member, but not the other. For example, the ms2luna tool can fail when 3DES operations are invoked.

Resolved Issue LUNA-7585: Java DERIVE and EXTRACT flag settings for keys injected into the HSM

Formerly, the DERIVE and EXTRACT flags were forced to "true" in the JNI, which overrode any values passed by applications via Java. This was resolved in Luna HSM Client 7.3.0.

As of Luna HSM Client 7.3.0:

>The default values for the DERIVE and EXTRACT flags are set to "false" (were set to “true” in previous releases).

>JNI accepts and preserves values set by applications via the following Java calls:

LunaSlotManager.getInstance().setSecretKeysDerivable( true ); 
LunaSlotManager.getInstance().setPrivateKeysDerivable( true );
LunaSlotManager.getInstance().setSecretKeysExtractable( true );
LunaSlotManager.getInstance().setPrivateKeysExtractable( true );

NOTE   If you have existing code that relies on the DERIVE and EXTRACT flags being automatically defined by the JNI for new keys, you will need to modify your application code to set the flag values correctly.

In cases where a derived key must be extractable, add the following line to the java.security file:

com.safenetinc.luna.provider.createExtractablePrivateKeys=true