Known and Resolved Issues

Problem: If multiple members are disconnected from the cluster simultaneously, an incorrect authorization status may be reported. If this occurs, operations on keyrings may fail with CKR_DEVICE_ERROR.

Workaround: If you know which members were disconnected, restart the cluster service on those members. If you do not know which members were disconnected, restart the cluster service on each member one at a time.

Resolved: Fixed in cluster package version 1.0.4.

Problem: When entering an incorrect keyring PO password, the failed login counter that is displayed does not decrease. The failed login count for the CO role decreases by one.

Workaround: None. The actual counter does decrease as expected, and both the PO and CO roles are locked when the counter reaches zero.

Problem: When using a Luna HSM with firmware 7.8.1 or newer installed to wrap RSA CRT using KM_CUSTOM_FORMAT or RSA_CRT and DSA private key using KM_GEMPLUS_GPK4000_FORMAT, the wrap command fails with log error Mechanism Param Invalid.

Workaround: None. Use a firmware version older than 7.8.1.

Resolved: Fixed in Luna HSM firmware 7.8.7.

Problem: Using Luna HSM Firmware 7.8.4 in FIPS mode, migration of keys from a Microsoft provider to Luna provider using the ms2luna utility fails with error CKR_MECHANISM_INVALID.

Workaround: None. Key migration to Luna HSM Firmware 7.8.4 is only possible in non-FIPS mode.

Resolved: Fixed in Luna HSM Client 10.7.1.

Problem: After deleting an HA group, ActiveEnhanced mode is turned off and the client returns to ActiveBasic mode.

Workaround: Turn ActiveEnhanced mode back on manually using LunaCM (hagroup recoverymode -mode activeEnhanced).

Resolved: Fixed in Luna HSM Client 10.7.2.

Problem: After deleting a cluster member, clients are unable to open a session to the cluster (C_OpenSession returns error CKR_FUNCTION_FAILED.

Workaround: Back up the cluster from the remaining member, then delete all keyrings from that member, and restore them from the backup. Clients should then be able to open sessions.

Resolved: Fixed in the lnh_cluster package version 1.0.4.

Problem: Read-only operations running while the primary cluster member is down fail when the primary is reconnected to the cluster and Read-Write status is restored. An error is returned (CKR_USER_NOT_LOGGED_IN).

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.7.2.

Problem: If the network connection to one or more members of a cluster is interrupted, the reported number of crypto operations done during the period of interruption can be inaccurate.

Workaround: None.

Resolved: Fixed in lnh_cluster package 1.0.4.

Problem: When using Luna HSM Client 10.5.x or 10.6.0 to migrate a master key from a local keystore to a Luna HSM, the key is successfully migrated but operations fail with the log error Unknown Mechanism Type.

Workaround: Use Luna HSM Client 10.4.1 instead.

Resolved: Fixed in Luna HSM Client 10.7.0. You must add map_aes_cmac_general_old=1 to the Toggles section of the Cryptoki.conf/cryptoki.ini file.

Problem: Network configuration changes on a cluster member sometimes result in loss of member authorization, and this is not resolved by manual authorization.

Workaround: None.

Resolved: Fixed in the lnh_cluster package version 1.0.4.

Problem: If the clusteradmin service is stopped on the Luna Network HSM 7, attempting to join a cluster produces a confusing error:

Error: Precondition specified in the request is not satisfied.
    Synchronize the time between LNHs

Workaround: None. Ensure that the clusteradmin service is running on both the joining member and the member being joined before attempting cluster join (or any other cluster operations).

Problem: When Luna HSM Client is configured with a receive timeout less than the default 20000 ms (LunaSA Client = {ReceiveTimeout = 1000}, for example), an unsuccessful NTLS handshake still waits 20000 ms to time out. If the NTLS handshake succeeds, the custom timeout setting is observed as expected.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.6.0. The ReceiveTimeout setting now applies to the NTLS handshake as well.

Problem: When using lunacm.exe -f to run a list of scripted LunaCM commands, the script does not continue running after encountering an error.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.6.0.

Problem: When a remote PED server is configured using ped set in LunaCM or hsm ped set in LunaSH, a Partition SO login command (role login -n po) from a client will seek authentication from the configured remote PED, even if you did not first run ped connect, and ped get reports that HSM slot 1 listening to local PED (PED id=0). This does not occur when attempting to log in with a different role (the PED operation times out, or is sent to a local PED if there is one connected to the HSM, as expected).

Workaround: Always run ped connect before client commands that require authentication, if you wish to use remote PED.

Problem: Using Luna HSM Client 10.5.1, drivers for Remote PED are not installed on Debian-based Linux (such as Ubuntu).

Workaround: None. Use Luna HSM Client 10.5.0 or older if you are setting up a Remote PED server.

Resolved: Fixed in Luna HSM Client 10.6.0.

Problem: Using Luna HSM Client 10.5.1, ms2luna fails to migrate KSP keys to the Luna HSM. CSP keys are migrated successfully.

Workaround: Use the ms2luna utility from Luna HSM Client 10.5.0 instead.

Resolved: Fixed in Luna HSM Client 10.6.0.

Problem: A Luna Backup HSM 7 cannot restore objects to any partition on a Luna HSM with firmware 7.7.1 or newer and HSM policy 50: Allow Functionality Modules enabled, even if the source of the backup also had FMs enabled.

Workaround: None.

Resolved Fixed in Luna Backup HSM firmware 7.7.2. Both the backup source partition and the target restore partition must have partition policy 42: Allow CPv1 disabled.

Problem: On AIX, the LunaCM command partition domainlist returns an error:

lunacm:>partition domainlist
Error in execution: host memory error.
Command Result : 0x6 (Internal Error)

Workaround: None.

Problem: On Linux, a non-root user in the hsmusers group is unable to start pedclient.

Workaround: None.

Problem:When both bond0 and bond1 are configured on the appliance, both bonded interfaces are configured with a default route. Only the first-enabled bond interface should have the default route.

Workaround:None.

Resolved: Fixed in Luna Network HSM 7.8.1 appliance software.

Problem: Using Luna HSM Client 10.4.x to 10.5.0, the Luna Client CSP partition password can no longer be decrypted via the Windows DPAPI.

Workaround: Re-register the partition with the Luna CSP.

Resolved: Fixed in Luna HSM Client 10.5.1 -- an option has been added (/password) to provide the partition password using the register utility.

Problem: The Mutex lock file generated by Luna HSM Client is created with the wrong permissions (writable by everyone).

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.5.1.

Problem: PEDclient crashes when more than 10 network interfaces are configured.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.5.1.

Problem: After a key is destroyed, C_Encrypt calls using the key's handle return CKR_TOKEN_NOT_PRESENT instead of CKR_KEY_HANDLE_INVALID. This can interfere with the operation of running applications.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.5.0.

Problem: When the HSM hardware includes the new clock (a response to supply-chain parts shortages), the reimage operation fails. An HSM containing the new part can be recognized by the assembly number 808-000048-003 using "hsm showinfo" command for standalone PCIe HSM, or number 808-000073-002 using "hsm show" command for an HSM inside a Luna Network HSM appliance. The problem does not occur for HSMs with firmware version 7.0.3 and earlier, or firmware later than version 7.7.2.

Workaround: Apply HSM firmware version 7.8.0 (or newer). That is a standalone firmware upgrade for Luna PCIe HSM, or is part of the .SPKG for appliance software release 7.8.0 (or newer) on Luna Network HSM.

Problem: When using Luna HSM Client 10.4.x, integration with Microsoft NDES does not work (HTTP Error 500.0).

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.5.0.

Problem: Using Luna HSM Client 10.4.1, when a Luna Cloud HSM service is configured as an HA group member with multifactor quorum-authenticated Luna 7 partitions, operations do not fail over to Luna Cloud when Luna 7 partitions become unavailable.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.5.0.

Problem: When cklogs are enabled on a Linux client, source ./setenv --addcloudhsm fails with ERROR: Failed to add cloud hsm configuration to 'Chrystoki.conf', failed to configure PluginsModuleDir in Misc section.

Workaround: Disable cklogs with vtl cklogsupport disable before running the setenv script.

Resolved: Fixed in Luna HSM Client 10.5.0.

Problem:Using Luna HSM Client 10.3.0 or 10.4.0, LunaHAStatus returns CKR_DATA_INVALID for all members of an HA group after a period of time.

Workaround:None.

Resolved: Fixed in Luna HSM Client 10.5.0.

Problem: Luna Backup HSM firmware 7.7.2 enforces minimum 8-character passwords. The previous limit was 7 characters. If you were using a 7-character password before updating to firmware 7.7.2, you can encounter problems with some operations. For example, soft initialization of the HSM will fail because the new firmware will not allow you to keep the old 7-character password.

Workaround: Change all passwords to use a minimum of 8 characters.

Problem: The cryptoki library crashes when CKA_UNWRAP_TEMPLATE or CKA_DERIVE_TEMPLATE is called.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.4.0.

Problem: The Milenage mechanism generates an incorrect authentication verification quintet.

Workaround: None.

Resolved: Fixed in Luna HSM firmware 7.7.2.

Problem: cmu importkey fails to import encrypted keys.

Workaround: Follow these steps to import the EC key in encrypted form from ec.pfx :

>openssl pkcs12 -in ec.pfx -nocerts -nodes -out Temp.key
Enter Import Password:
>openssl pkcs8 -in Temp.key -topk8 -nocrypt -out PKCS8.key
>cmu importkey -in PKCS8.key -PKCS8 -keyalg ECDSA

Resolved: Fixed in Luna HSM Client 10.4.0.

Problem: CK_MILENAGE_SIGN_PARAMS does not function correctly when the application is used with an HA group.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.4.0.

Problem: When auto-activation is enabled on PED-authenticated HSM partitions using firmware 7.7.0 or 7.7.1, the verification string generated by entering Secure Transport Mode will differ from the one received during STM recovery.

Workaround: Deactivate all roles on all partitions before entering STM on the HSM.

Resolved: Fixed in Luna HSM firmware 7.7.2.

Problem: Two audit log entries can occasionally be recorded on the same line of the audit log file, corrupting the file and causing log verification to fail.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.4.0.

Problem: Attempts to change the HSM SO credential on a multifactor-authenticated Luna Backup HSM with firmware 7.7.1 fail with CKR_INVALID_ENTRY_TYPE.

Workaround: None.

Resolved: Fixed in Luna Backup HSM firmware 7.7.2.

Problem: When using HA, the poll function can fail with CKR_DEVICE_ERROR or CKR_TOKEN_NOT_PRESENT. HA logs show a failover followed by an immediate recovery.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.4.0.

Problem: WRAP operations fail when the Luna HSM is integrated with Hortonworks in FIPS mode.

Workaround: None. Operations succeed when not in FIPS mode.

Resolved: Fixed in Luna HSM Client 10.4.0.

Problem: Luna HSM Client fails to re-init partition with partition policy template on FW7.7

Resolved: Fixed in Luna HSM Client 10.3.0 and newer.

Problem: Memory leak issue in Luna HSM Client 10.1 with SUSE Linux.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.3.0.

Problem: When running cmu verifyhsm, the interactive mode does not prompt for a challenge string, and fails with "Parameters missing".

Workaround: Always specify a challenge string: cmu verifyhsm -challenge "string"

Resolved: Fixed in Luna HSM Client 10.4.0.

Problem: When partition policy 34: Allow CBC-PAD (un)wrap keys of any size is set to 0, the AES_KWP mechanism is blocked, although it does not have the same vulnerabilities as the other blocked mechanisms.

Workaround: None.

Resolved: Fixed in Luna HSM firmware 7.7.0.

Problem: If the client fails to resolve the Luna Cloud service's DNS hostname, other client slots fail to load in LunaCM.

Workaround: Ensure that your DNS network is stable before deploying a Luna Cloud HSM in an HA group. Ideally, configure multiple DNS nameservers for failover.

Resolved: Fixed in Luna HSM Client 10.2.0.

Problem: If an application running against an HA group fails over to the Luna Cloud HSM member and the DNS hostname does not resolve, a segmentation fault can occur.

Workaround: Ensure that your DNS network is stable before deploying the Luna Cloud HSM service in an HA group. Ideally, configure multiple DNS nameservers for failover.

Resolved: Fixed in Luna HSM Client 10.2.0.

Problem: Luna Backup HSM 7 does not appear as a slot in LunaCM if ShowAdminTokens = no in the Luna HSM Client configuration file (Chrystoki.conf/crystoki.ini).

Workaround: Edit the configuration file to set ShowAdminTokens = yes.

Resolved: Fixed in Luna HSM Client 10.3.0.

Problem: When using an HA group made up of Luna partitions and a Luna Cloud HSM service in FIPS mode, if the Luna partition is unavailable, 3DES keygen fails with CKR_MECHANISM_INVALID error.

Workaround: Ensure that all HA group members are available before initiating 3DES keygen.

Resolved: Fixed in Luna HSM Client 10.4.0.

Problem: If you perform cmu getpkc on a Luna Cloud HSM service to confirm a public key, the operation can sometimes fail.

Workaround: To confirm your key pair's origins and security in an HSM, run CKDemo's DisplayObject (27) function. If the CKA_NEVER_EXTRACTABLE attribute is present, this confirms that the private key was created in the HSM and never extracted.

Problem: When using a one-time password to initialize the Luna Backup HSM 7's RPV (orange PED key), including the -pwd option before -ip or -hostname causes the command to fail.

Workaround: Specify the -ip or hostname before the -pwd option in the command:

lunacm:>ped connect -ip <IP_address> -pwd

Resolved: Fixed in Luna HSM Client 10.2.0.

Problem: Running slot list after disconnecting and reconnecting the Luna Backup HSM 7 may cause LunaCM to exit. For example:

1.Connect the Luna Backup HSM 7 and let it complete the boot sequence.

2.Disconnect it after it has completed the boot sequence and run slot list. The backup HSM is not listed.

3.Reconnect the backup HSM and let it complete the boot sequence.

4.Run slot list. LunaCM exits.

Workaround: Do not disconnect the Luna Backup HSM 7 during a LunaCM session, unless you are finished using it.

Resolved: Fixed in Luna HSM Client 10.2.0.

Problem: Application cannot change CKA_EXTRACTABLE default value via JSP.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.1.0.

Problem: Minimal Luna HSM Client 7.4.0 tar file has an additional character that could affect customer scripts.

Workaround: Change filename from LunaClient-Minimal-v7.4.0-226.x86_64.tar to LunaClient-Minimal-7.4.0-226.x86_64.tar before running scripts.

Resolved: Fixed in Luna HSM Client 10.1.0.

Problem: Command output of vtl examineCert and vtl fingerprint are reversed.

Workaround: None. Use each command to view the other's output.

Resolved: Fixed in Luna HSM Client 10.1.0.

Problem: When backing up objects to a Luna Backup HSM 7 from user partitions hosted on HSMs running older firmware, differences in the size of the metadata associated with the objects may cause the backup partition to become full before all of the objects are backed up, resulting in the following error message before all of the objects have been backed up: CKR_CONTAINER_OBJECT_STORAGE_FULL

Workaround: If you receive this message when backing up a user partition to a Luna Backup HSM 7, use the LunaCM partition resize command to resize the backup partition so that it has enough space to accommodate the remaining objects, then use the partition archive backup command with the -append option to add the skipped objects to the backup.

Resolved: Fixed in Luna HSM Client 10.3.0.

Problem: When creating an RSA key using CKDEMO, the user is mistakenly prompted for the Derive attribute (RSA key derivation is not allowed).

Workaround: None. The value entered is dropped and can be safely ignored.

Resolved: Fixed in Luna HSM Client 10.1.0.

Problem: Partition utilization metrics reports a different serial number (hardware SN) for the admin partition than other LunaCM commands.

Workaround: This information can be safely ignored.

Resolved: Fixed in Luna HSM Client 10.3.0.

Problem: When partition policy 29: Perform RSA signing without confirmation is set to 0 (OFF), all RSA sign operations fail with an error (CKR_DATE_LEN_RANGE).

Workaround: If you use RSA signing, do not turn off partition policy 29.

Resolved: Fixed in Luna HSM firmware 7.7.0.

Problem: Java DERIVE and EXTRACT flag settings for keys injected into the HSM were forced to "true" in the JNI, which overrode any values passed by applications via Java.

Workaround: Refer to the CRN Advisory Notes.

Resolved: Fixed in Luna HSM firmware 7.3.0 and Luna HSM Client 7.3.0.

Problem: Private BIP32 Key Injection (combination of private key encryption and unwrapping operations) was not implemented in Luna 7.3.

Resolved: The call has been included; requires Luna HSM firmware 7.4.0 and Luna HSM Client 7.4.0.

Problem: When using CKdemo to perform a multipart sign/verify operation with a key that has exceeded its specified usage count, an expected error is returned (CKR_KEY_NOT_ACTIVE). The next sign/verify operation with an active key fails with an unexpected error (CKR_OPERATION_ACTIVE).

Workaround: Restart CKdemo and attempt the operation again.

Resolved: Fixed in Luna HSM Client 10.3.0.

Problem: Encrypt operations using DES3_CBC_PAD and specifying a NULL buffer fail (CKR_BUFFER_TOO_SMALL).

Workaround: Manually specify a buffer size for these operations.

Resolved: Fixed in Luna HSM Client 10.3.0.

Problem: When running commands in some Luna utilities on Windows 10, password characters are duplicated.

Workaround: Contact Thales Customer Support.

Resolved: Fixed in Luna HSM Client 7.4.0.

Problem: When you delete a key from a Luna Cloud HSM service, CKlog displays an incorrect object handle.

Resolved: Fixed in Luna HSM Client 10.1.0.

Problem: After a firmware update, duplicate entries are produced in the audit logs. These duplicate entries cause log verification to fail with an error (CKR_LOG_BAD_RECORD_HMAC).

Workaround: There is no way to avoid the duplicate entries. However, the other entries in the log file can be verified without error. When verifying the logs, specify a range that excludes the duplicate entries:

LunaSH: audit log verify -file [log_file] -start [first_entry] -end [last_entry]

LunaCM: audit verify file <log_file> start [first_entry] end [last_entry]

Resolved: Fixed in Luna HSM firmware 7.4.0.

Problem: When running cmu commands on Windows 10, password characters are duplicated.

Resolved: Fixed in Luna HSM Client 7.3.0.

Problem: When installing PCIe HSM drivers from Luna HSM Client software on a host machine with a fresh, non-upgraded version of Windows 10, Windows reports an error with the driver signatures.

Workaround: Disable Windows 10 driver signature enforcement before installing Luna HSM Client.

Resolved: Fixed in Luna HSM Client 10.1.0.

Problem: In LunaCM, when switching the active slot between partitions on different HSMs, ped connect and ped get sometimes report an active Remote PED connection, even though the connection is broken. Authentication commands fail.

Workaround: Use ped disconnect on the active slot before switching to a different slot and running ped connect.

Resolved: Fixed in Luna HSM Client 7.4.0.

Problem: CA_DeriveKeyAndWrap does not handle AES_KW, AES_KWP, or AES_CTR mechanisms.

Workaround: None.

Resolved: Fixed in Luna HSM firmware 7.7.0 and Luna HSM Client 10.3.0.

Problem: When resetting the HSM to factory conditions with audit logging enabled and an existing audit log file, new events are not logged after the Auditor role is re-initialized.

Workaround: None.

Resolved: Fixed in Luna HSM Client 7.4.0.

Problem: On Linux clients, when a non-root user attempts to uninstall the Luna HSM Client software, the process fails and the client software remains installed, but Uninstall of the Luna HSM Client 7.3.0-165 completed is displayed in the command output.

Workaround: Ignore this message and log in as the root user to uninstall the Luna HSM Client software.

Resolved: Fixed in Luna HSM Client 7.4.0.

Problem: When installing Backup HSM and Luna PED drivers from Luna HSM Client software on a host machine with a fresh, non-upgraded version of Windows 10, Windows reports an error with the driver signatures.

Workaround:

>Luna Network HSM: Download and install Luna HSM Client patch 7.2.1 from the Thales Customer Support Portal (DOW0003077). Alternatively, disable Windows 10 driver signature enforcement before installing the Luna HSM Client.

>Luna PCIe HSM: Disable Windows 10 driver signature enforcement before installing the Luna HSM Client.

Resolved: Fixed in Luna HSM Client 7.3.0.

Problem: When using CKdemo to query an application partition, the Crypto Officer password is entered in visible plaintext.

Workaround: None.

Resolved: Fixed in Luna HSM Client 7.3.0.

Problem: On Luna HSM *700 and *750 models, asymmetric digest-and-sign or digest-and-verify mechanisms produce the wrong result when the data length exceeds 64 kB.

Resolved: Fixed in Luna HSM firmware 7.2.0 and 7.0.3.

Problem: Cannot migrate keys using ms2Luna.exe for CSP.

Workaround: Copy a version of ms2Luna.exe from an older client package (6.2 or older).

Resolved: Fixed in Luna Client HSM 7.3.0.

Problem: When LunaCM is launched in Luna Minimal Client, an unexpected error is displayed (Error: Failed to initialize remote PED support).

Workaround: Edit Chrystoki.conf/crystoki.ini and remove Toolsdir from the Misc section.

Resolved: Fixed in Luna HSM Client 7.3.0.

Problem: CMU Export Public Key - Incorrect formatting of exported key. A public key, exported with command cmu export -handle [handle#] -outputfile [filename] -key has incorrect header and footer text.

Workaround: Edit the exported public key file, replacing
----- BEGIN CERTIFICATE ----- and ----- END CERTIFICATE -----
with
----- BEGIN PUBLIC KEY ----- and ----- END PUBLIC KEY ----- respectively.

Resolved: Fixed in Luna HSM Client 7.3.0.

Problem: Unable to change CKA_EXTRACTABLE key attribute via Java (LunaProvider/JSP).

Workaround: Download and apply the Luna HSM 7.1 Java Patch from the Thales Customer Support Portal. Follow the README instructions to ensure that your Java application sets the appropriate key attributes.

Resolved: Fixed in Luna HSM Client 7.2.0.

Problem: Connecting a Luna Backup HSM 7 to a USB 3.0 (SuperSpeed) port may result in error messages being displayed by the host operating system. This behavior occurs in both Windows and Linux.

For example, on Windows, you may see a USB device not recognized error.

On Linux, you may see messages like the following (visible using dmesg or in /var/log/messages):

usb 1-4: device descriptor read/64, error -71
usb 1-4: Device not responding to setup address.
usb 1-4: device not accepting address 32, error -71

Workaround: You can ignore these messages, as they have no effect on the normal operation of the device.

Resolved: Resolved in Luna Backup HSM with firmware 7.7.x installed from the factory. Backup HSMs upgraded to firmware 7.7.x still display the messages.

Problem: Value for HSM policy 46 (Disable Decommission) cannot be changed. Attempting to change it returns an error (CKR_CONFIG_FAILS_DEPENDENCIES).

Workaround: None.

Resolved: Fixed in Luna HSM firmware 7.2.0.

Problem: Incorrect options displayed in LunaCM when running hsm init on Luna PCIe HSM slot.

Workaround: Ignore. The options to "Initialize a Backup Device with PED-Auth" and "Initialize a Backup Device with PWD-Auth" should appear only for a slot corresponding to a Luna Backup HSM that is in un-initialized state.

Resolved: Fixed in Luna HSM Client 7.2.0.

Problem: When you initialize an STC partition by applying a partition policy template, a confusing error (CKR_TOKEN_NOT_PRESENT) is returned.

Workaround: None.

Resolved: Fixed in Luna Network HSM appliance software 7.7.1.

Problem: When you use an older client, and query partition-level capabilities and policies, the HSM returns incorrect policy numbers

Workaround: Refer to the documentation for the correct policy numbers.

Resolved: Fixed in Luna HSM firmware 7.2.0.

Problem: In LunaCM, hsm information monitor incorrectly reports HSM utilization.

Workaround: None.

Resolved: Fixed in Luna HSM firmware 7.2.0.

Problem: Multipart AES_KW operations on non-block-sized-data returns incorrect error code CKR_DEVICE_ERROR.

Workaround: None.

Resolved: Fixed in Luna HSM Client 7.2.0 onward.

Problem: When partition policy 39: Allow start/end date attributes is enabled, all start dates must be later than January 01, 1970.

Workaround: Ensure that start date attribute is later than January 01, 1970.

Resolved: Fixed in Luna HSM firmware 7.2.0.

Problem: C_DeriveKey does not reject templates that contain CKA_VALUE, and uses the CKA_VALUE that is provided in the external template.

Workaround: None.

Resolved: Fixed in Luna HSM firmware 7.0.2 and 7.1.0.

Problem: The HSM reports 3072-bit as the maximum allowed key size for the RSA 186-3 mechanisms (CKM_RSA_FIPS_186_3_AUX_PRIME_KEY_PAIR_GEN and CKM_RSA_FIPS_186_3_PRIME_KEY_PAIR_GEN), when it should report 4096-bit.

C_GetMechanismInfo will report 3072 as the maximum size for these mechanisms. If your application uses C_GetMechanismInfo to query the maximum key size, it may prevent 4096 operations from working.

Workaround: Ignore the reported limit. 4096-length keys will generate successfully.

Resolved: Fixed in Luna HSM firmware 7.0.2.

Problem: On Linux, the Luna HSM Client software fails to install to a directory with spaces in its name.

Workaround: Remove spaces from the directory name before installing the client.

Resolved: Fixed in Luna HSM Client 7.1.0.

Problem: On Linux, non-root users cannot initialize the STC token or create an STC client identity.

Workaround: Start LunaCM as root with sudo ./lunacm.

Resolved: Fixed in Luna HSM Client 7.1.0.

Problem: On Linux, non-root users cannot configure the RBS server.

Workaround: As root, run the following commands:

1.chown -R root:hsmusers /usr/safenet/lunaclient/rbs/

2.chmod g+w -R usr/safenet/lunaclient/rbs/

Resolved: Fixed in Luna HSM Client 7.1.0.

Problem: On Linux, non-root users receive error (CKR_DATA_INVALID) when creating an HA group.

Workaround: Before installing the Luna HSM Client software, adjust the ownership of the Chrystoki.conf rpmsave with the command chown root:hsmusers /etc/Chrystoki.conf

Resolved: Fixed in Luna HSM Client 7.1.0.

Problem: In LunaCM, clientconfig deleteserver deregisters the HSM server on the Client, but does not delete the HSM server certificate file from the [LunaClient_dir]/cert/server directory. Attempts to re-register the same server with a regenerated certificate fail.

Workaround: Manually delete the certificate from the cert/server directory.

Resolved: Fixed in Luna HSM Client 7.1.0.

Problem: On Windows, a system crash can occur when you disconnect a Luna Backup HSM from the computer while the PEDclient service is running.

Resolved: Fixed in Luna HSM Client 7.1.0.