Updating the Luna PCIe HSM 7 Firmware

To update the firmware on a Luna PCIe HSM 7, download the desired firmware version from the Thales Support Portal. Use LunaCM on the host workstation to apply the update. You require:

>Luna PCIe HSM 7 firmware update file (<filename>.fuf) and

>the firmware update authentication code file (<filename>.txt)

CAUTION!   Use an uninterruptible power supply (UPS) to power your HSM. There is a small chance that a power failure during an update could leave your HSM in an unrecoverable condition.

NOTE   If you are updating to Luna HSM Firmware 7.7.0 or newer, refer to Special Considerations for Luna HSM Firmware 7.7.0 and Newer before proceeding with the firmware update.

To update the Luna PCIe HSM 7 firmware

1.Copy the firmware file (<filename>.fuf) and the authentication code file (<filename>.txt) to the Luna HSM Client root directory.

Windows: C:\Program Files\SafeNet\LunaClient

Linux/AIX: /usr/safenet/lunaclient/bin

Solaris: /opt/safenet/lunaclient/bin

NOTE   On some Windows configurations, you might not have authority to copy or unzip files directly into C:\Program Files\.... If this is the case, put the files in a known location that you can reference in a LunaCM command.

2.Launch LunaCM.

3.If more than one HSM is installed, set the active slot to the Admin partition of the HSM you wish to update.

lunacm:> slot set -slot <slot_number>

4.Log in as HSM SO.

lunacm:> role login -name so

5.Apply the new firmware update by specifying the update file and the authentication code file. If the files are not located in the Luna HSM Client root directory, specify the full filepaths.

lunacm:> hsm updatefw -fuf <filename>.fuf -authcode <filename>.txt

Changing the Firmware Upgrade Permissions (Linux only)

By default, the root user and any user who is part of the hsmusers group can perform a firmware update. You can use this procedure to restrict firmware update operations to root only (that is, disable firmware update for members of the hsmusers group).

To restrict firmware update operations to the root user only

1.Open the the /etc/modprobe.d/k7.conf file for editing:

sudoedit /etc/modprobe.d/k7.conf

2.Change the k7_rootonly_reset option from 0 to 1. Save the file and exit the editor.

3.Stop any processes that are using the K7 driver. Typically this means stopping the pedclient service, and the luna-snmp service, if you are using SNMP.

sudo systemctl stop pedclient_service

sudo systemctl stop luna-snmp

4.Reload the driver:

sudo systemctl reload k7