Known and Resolved Issues

The following table lists known issues in all released versions of Luna 7 components. Workarounds are provided where available. Use the buttons below to display issues related to specific Luna software/firmware components.

Issues listed in green have been resolved and the component and version including the fix is provided.

Issue	Synopsis
RAPI-4135	Problem Using REST API to upgrade the Luna Appliance Software from version 7.8.4/7.8.5, the operation fails with message `"We failed to parse your request."` This error affects CCC users. Workaround: Use LunaSH to update the Luna Appliance Software. Resolved: Fixed in the following software patches: >Luna Network HSM 7.8.5-20 Appliance REST API Patch >Luna Network HSM 7.8.4-350 Appliance REST API Patch
LUNA-30881	Problem: If multiple members are disconnected from the cluster simultaneously, an incorrect authorization status may be reported. If this occurs, operations on keyrings may fail with `CKR_DEVICE_ERROR`. Workaround: If you know which members were disconnected, restart the cluster service on those members. If you do not know which members were disconnected, restart the cluster service on each member one at a time. Resolved: Fixed in cluster package version 1.0.4.
LUNA-30782	Problem: When entering an incorrect keyring PO password, the failed login counter that is displayed does not decrease. The failed login count for the CO role decreases by one. Workaround: None. The actual counter does decrease as expected, and both the PO and CO roles are locked when the counter reaches zero.
LUNA-30449	Problem: After deleting a cluster member, clients are unable to open a session to the cluster (C_OpenSession returns error `CKR_FUNCTION_FAILED`. Workaround: Back up the cluster from the remaining member, then delete all keyrings from that member, and restore them from the backup. Clients should then be able to open sessions. Resolved: Fixed in the lnh_cluster package version 1.0.4.
LUNA-30377	Problem: Read-only operations running while the primary cluster member is down fail when the primary is reconnected to the cluster and Read-Write status is restored. An error is returned (`CKR_USER_NOT_LOGGED_IN`). Workaround: None. Resolved: Fixed in Luna HSM Client 10.7.2.
LUNA-30374	Problem: If the network connection to one or more members of a cluster is interrupted, the reported number of crypto operations done during the period of interruption can be inaccurate. Workaround: None. Resolved: Fixed in lnh_cluster package 1.0.4.
LUNA-30232	Problem: When using Luna HSM Client 10.5.x or 10.6.0 to migrate a master key from a local keystore to a Luna HSM, the key is successfully migrated but operations fail with the log error `Unknown Mechanism Type`. Workaround: Use Luna HSM Client 10.4.1 instead. Resolved: Fixed in Luna HSM Client 10.7.0. You must add `map_aes_cmac_general_old=1` to the Toggles section of the Cryptoki.conf/cryptoki.ini file.
LUNA-30115	Problem: Network configuration changes on a cluster member sometimes result in loss of member authorization, and this is not resolved by manual authorization. Workaround: None. Resolved: Fixed in the lnh_cluster package version 1.0.4.
LUNA-30050	Problem: If the clusteradmin service is stopped on the Luna Network HSM 7, attempting to join a cluster produces a confusing error: Error: Precondition specified in the request is not satisfied. Synchronize the time between LNHs Workaround: None. Ensure that the clusteradmin service is running on both the joining member and the member being joined before attempting cluster join (or any other cluster operations).
LUNA-28874	Problem: When Luna HSM Client is configured with a receive timeout less than the default 20000 ms (`LunaSA Client = {ReceiveTimeout = 1000}`, for example), an unsuccessful NTLS handshake still waits 20000 ms to time out. If the NTLS handshake succeeds, the custom timeout setting is observed as expected. Workaround: None. Resolved: Fixed in Luna HSM Client 10.6.0. The `ReceiveTimeout` setting now applies to the NTLS handshake as well.
LUNA-28807	Problem: When using lunacm.exe -f to run a list of scripted LunaCM commands, the script does not continue running after encountering an error. Workaround: None. Resolved: Fixed in Luna HSM Client 10.6.0.
LUNA-28230	Problem: When a remote PED server is configured using ped set in LunaCM or hsm ped set in LunaSH, a Partition SO login command (role login -n po) from a client will seek authentication from the configured remote PED, even if you did not first run ped connect, and ped get reports that `HSM slot 1 listening to local PED (PED id=0)`. This does not occur when attempting to log in with a different role (the PED operation times out, or is sent to a local PED if there is one connected to the HSM, as expected). Workaround: Always run ped connect before client commands that require authentication, if you wish to use remote PED.
LUNA-27183	Problem: Using Luna HSM Client 10.5.1, drivers for Remote PED are not installed on Debian-based Linux (such as Ubuntu). Workaround: None. Use Luna HSM Client 10.5.0 or older if you are setting up a Remote PED server. Resolved: Fixed in Luna HSM Client 10.6.0.
LUNA-27110	Problem: Using Luna HSM Client 10.5.1, ms2luna fails to migrate KSP keys to the Luna HSM. CSP keys are migrated successfully. Workaround: Use the ms2luna utility from Luna HSM Client 10.5.0 instead. Resolved: Fixed in Luna HSM Client 10.6.0.
LUNA-26981	Problem: A Luna Backup HSM 7 cannot restore objects to any partition on a Luna HSM with firmware 7.7.1 or newer and HSM policy 50: Allow Functionality Modules enabled, even if the source of the backup also had FMs enabled. Workaround: None. Resolved Fixed in Luna Backup HSM firmware 7.7.2. Both the backup source partition and the target restore partition must have partition policy 42: Allow CPv1 disabled.
LUNA-26960	Problem: On AIX, the LunaCM command partition domainlist returns an error: lunacm:>partition domainlist Error in execution: host memory error. Command Result : 0x6 (Internal Error) Workaround: None.
LUNA-26926	Problem: On Linux, a non-root user in the hsmusers group is unable to start pedclient. Workaround: None.
LUNA-26681	Problem:When both bond0 and bond1 are configured on the appliance, both bonded interfaces are configured with a default route. Only the first-enabled bond interface should have the default route. Workaround:None. Resolved: Fixed in Luna Network HSM 7.8.1 appliance software.
LUNA-26488	Problem: Using Luna HSM Client 10.4.x to 10.5.0, the Luna Client CSP partition password can no longer be decrypted via the Windows DPAPI. Workaround: Re-register the partition with the Luna CSP. Resolved: Fixed in Luna HSM Client 10.5.1 -- an option has been added (/password) to provide the partition password using the register utility.
LUNA-26370	Problem: The Mutex lock file generated by Luna HSM Client is created with the wrong permissions (writable by everyone). Workaround: None. Resolved: Fixed in Luna HSM Client 10.5.1.
LGX-4950	Problem: It is possible to resize a Luna USB HSM 7 partition to 0 bytes using the LunaCM command partition resize. Workaround: None; do not configure a partition this way.
LUNA-24800	Problem: After a key is destroyed, C_Encrypt calls using the key's handle return CKR_TOKEN_NOT_PRESENT instead of CKR_KEY_HANDLE_INVALID. This can interfere with the operation of running applications. Workaround: None. Resolved: Fixed in Luna HSM Client 10.5.0.
LUNA-24462	Problem: When the HSM hardware includes the new clock (a response to supply-chain parts shortages), the reimage operation fails. An HSM containing the new part can be recognized by the assembly number 808-000048-003 using "hsm showinfo" command for standalone PCIe HSM, or number 808-000073-002 using "hsm show" command for an HSM inside a Luna Network HSM appliance. The problem does not occur for HSMs with firmware version 7.0.3 and earlier, or firmware later than version 7.7.2. Workaround: Apply HSM firmware version 7.8.0 (or newer). That is a standalone firmware upgrade for Luna PCIe HSM, or is part of the .SPKG for appliance software release 7.8.0 (or newer) on Luna Network HSM.
LUNA-24019	Problem: When using Luna HSM Client 10.4.x, integration with Microsoft NDES does not work (HTTP Error 500.0). Workaround: None. Resolved: Fixed in Luna HSM Client 10.5.0.
LUNA-23945	Problem: Using Luna HSM Client 10.4.1, when a Luna Cloud HSM service is configured as an HA group member with multifactor quorum-authenticated Luna 7 partitions, operations do not fail over to Luna Cloud when Luna 7 partitions become unavailable. Workaround: None. Resolved: Fixed in Luna HSM Client 10.5.0.
LUNA-23764	Problem: When cklogs are enabled on a Linux client, source ./setenv --addcloudhsm fails with `ERROR: Failed to add cloud hsm configuration to 'Chrystoki.conf', failed to configure PluginsModuleDir in Misc section`. Workaround: Disable cklogs with vtl cklogsupport disable before running the setenv script. Resolved: Fixed in Luna HSM Client 10.5.0.
LUNA-23695	Problem:Using Luna HSM Client 10.3.0 or 10.4.0, LunaHAStatus returns CKR_DATA_INVALID for all members of an HA group after a period of time. Workaround:None. Resolved: Fixed in Luna HSM Client 10.5.0.
LGX-4942	Problem: Luna Backup HSM firmware 7.7.2 enforces minimum 8-character passwords. The previous limit was 7 characters. If you were using a 7-character password before updating to firmware 7.7.2, you can encounter problems with some operations. For example, soft initialization of the HSM will fail because the new firmware will not allow you to keep the old 7-character password. Workaround: Change all passwords to use a minimum of 8 characters.
LUNA-22750	Problem: The cryptoki library crashes when CKA_UNWRAP_TEMPLATE or CKA_DERIVE_TEMPLATE is called. Workaround: None. Resolved: Fixed in Luna HSM Client 10.4.0.
LUNA-22378	Problem: cmu importkey fails to import encrypted keys. Workaround: Follow these steps to import the EC key in encrypted form from ec.pfx : >openssl pkcs12 -in ec.pfx -nocerts -nodes -out Temp.key Enter Import Password: >openssl pkcs8 -in Temp.key -topk8 -nocrypt -out PKCS8.key >cmu importkey -in PKCS8.key -PKCS8 -keyalg ECDSA Resolved: Fixed in Luna HSM Client 10.4.0.
LUNA-22289	Problem: `CK_MILENAGE_SIGN_PARAMS` does not function correctly when the application is used with an HA group. Workaround: None. Resolved: Fixed in Luna HSM Client 10.4.0.
LKX-9286	Problem: Two audit log entries can occasionally be recorded on the same line of the audit log file, corrupting the file and causing log verification to fail. Workaround: None. Resolved: Fixed in Luna HSM Client 10.4.0.
LGX-4240	Problem: Attempts to change the HSM SO credential on a multifactor-authenticated Luna Backup HSM with firmware 7.7.1 fail with `CKR_INVALID_ENTRY_TYPE`. Workaround: None. Resolved: Fixed in Luna Backup HSM firmware 7.7.2.
LUNA-16839	Problem: When using HA, the poll function can fail with `CKR_DEVICE_ERROR` or `CKR_TOKEN_NOT_PRESENT`. HA logs show a failover followed by an immediate recovery. Workaround: None. Resolved: Fixed in Luna HSM Client 10.4.0.
LUNA-16125	Problem: WRAP operations fail when the Luna HSM is integrated with Hortonworks in FIPS mode. Workaround: None. Operations succeed when not in FIPS mode. Resolved: Fixed in Luna HSM Client 10.4.0.
LUNA-14009	Problem: When running cmu verifyhsm, the interactive mode does not prompt for a challenge string, and fails with "Parameters missing". Workaround: Always specify a challenge string: cmu verifyhsm -challenge "string" Resolved: Fixed in Luna HSM Client 10.4.0.
LUNA-10992	Problem: When using an HA group made up of Luna partitions and a Luna Cloud HSM service in FIPS mode, if the Luna partition is unavailable, 3DES keygen fails with CKR_MECHANISM_INVALID error. Workaround: Ensure that all HA group members are available before initiating 3DES keygen. Resolved: Fixed in Luna HSM Client 10.4.0.
SH-4194	Problem: If you perform cmu getpkc on a Luna Cloud HSM service to confirm a public key, the operation can sometimes fail. Workaround: To confirm your key pair's origins and security in an HSM, run CKDemo's DisplayObject (27) function. If the CKA_NEVER_EXTRACTABLE attribute is present, this confirms that the private key was created in the HSM and never extracted.

Showing 1 to 38 of 38 entries



	SUPPORT	LEGAL
Luna USB HSM 7 Documentation © Copyright 2001-2025, Thales Group Last Updated: 2025-02-14 18:51:21 GMT-05:00	Customer Release Notes Customer Support Portal Support Contacts	End User License Agreement Third Party Software Licenses Document Information