Known and Resolved Issues

The following table lists known issues in all released versions of Luna 7 components. Workarounds are provided where available.

Issues listed in green have been resolved, and the component and version including the fix are provided.

Issue Labels Synopsis
LUNA-30881 fixed clusterpkg

Problem: If multiple members are disconnected from the cluster simultaneously, an incorrect authorization status may be reported. If this occurs, operations on keyrings may fail with CKR_DEVICE_ERROR.

Workaround: If you know which members were disconnected, restart the cluster service on those members. If you do not know which members were disconnected, restart the cluster service on each member one at a time.

Resolved: Fixed in cluster package version 1.0.4.

LUNA-30782 open clusterpkg

Problem: When entering an incorrect keyring PO password, the failed login counter that is displayed does not decrease. The failed login count for the CO role decreases by one.

Workaround: None. The actual counter does decrease as expected, and both the PO and CO roles are locked when the counter reaches zero.

LUNA-30449 fixed client clusterpkg

Problem: After deleting a cluster member, clients are unable to open a session to the cluster (C_OpenSession returns error CKR_FUNCTION_FAILED).

Workaround: Back up the cluster from the remaining member, then delete all keyrings from that member, and restore them from the backup. Clients should then be able to open sessions.

Resolved: Fixed in the lnh_cluster package version 1.0.4.

LUNA-30377 fixed clusterpkg

Problem: Read-only operations running while the primary cluster member is down fail when the primary is reconnected to the cluster and Read-Write status is restored. An error is returned (CKR_USER_NOT_LOGGED_IN).

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.7.2.

LUNA-30374 fixed clusterpkg

Problem: If the network connection to one or more members of a cluster is interrupted, the reported number of crypto operations done during the period of interruption can be inaccurate.

Workaround: None.

Resolved: Fixed in lnh_cluster package 1.0.4.

LUNA-30232 fixed client

Problem: When using Luna HSM Client 10.5.x or 10.6.0 to migrate a master key from a local keystore to a Luna HSM, the key is successfully migrated but operations fail with the log error Unknown Mechanism Type.

Workaround: Use Luna HSM Client 10.4.1 instead.

Resolved: Fixed in Luna HSM Client 10.7.0. You must add map_aes_cmac_general_old=1 to the Toggles section of the Cryptoki.conf/cryptoki.ini file.

LUNA-30115 fixed clusterpkg

Problem: Network configuration changes on a cluster member sometimes result in loss of member authorization, and this is not resolved by manual authorization.

Workaround: None.

Resolved: Fixed in the lnh_cluster package version 1.0.4.

LUNA-30050 open

Problem: If the clusteradmin service is stopped on the Luna Network HSM 7, attempting to join a cluster produces a confusing error:

Error: Precondition specified in the request is not satisfied.
    Synchronize the time between LNHs

Workaround: None. Ensure that the clusteradmin service is running on both the joining member and the member being joined before attempting cluster join (or any other cluster operations).

LUNA-28874 fixed client

Problem: When Luna HSM Client is configured with a receive timeout less than the default 20000 ms (LunaSA Client = {ReceiveTimeout = 1000}, for example), an unsuccessful NTLS handshake still waits 20000 ms to time out. If the NTLS handshake succeeds, the custom timeout setting is observed as expected.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.6.0. The ReceiveTimeout setting now applies to the NTLS handshake as well.

LUNA-28807 fixed client

Problem: When using lunacm.exe -f to run a list of scripted LunaCM commands, the script does not continue running after encountering an error.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.6.0.

LUNA-28230 open

Problem: When a remote PED server is configured using ped set in LunaCM or hsm ped set in LunaSH, a Partition SO login command (role login -n po) from a client will seek authentication from the configured remote PED, even if you did not first run ped connect, and ped get reports that HSM slot 1 listening to local PED (PED id=0). This does not occur when attempting to log in with a different role (the PED operation times out, or is sent to a local PED if there is one connected to the HSM, as expected).

Workaround: Always run ped connect before client commands that require authentication, if you wish to use remote PED.

LUNA-27183 fixed client

Problem: Using Luna HSM Client 10.5.1, drivers for Remote PED are not installed on Debian-based Linux (such as Ubuntu).

Workaround: None. Use Luna HSM Client 10.5.0 or older if you are setting up a Remote PED server.

Resolved: Fixed in Luna HSM Client 10.6.0.

LUNA-27110 fixed client

Problem: Using Luna HSM Client 10.5.1, ms2luna fails to migrate KSP keys to the Luna HSM. CSP keys are migrated successfully.

Workaround: Use the ms2luna utility from Luna HSM Client 10.5.0 instead.

Resolved: Fixed in Luna HSM Client 10.6.0.

LUNA-26981 fixed G7BU

Problem: A Luna Backup HSM 7 cannot restore objects to any partition on a Luna HSM with firmware 7.7.1 or newer and HSM policy 50: Allow Functionality Modules enabled, even if the source of the backup also had FMs enabled.

Workaround: None.

Resolved: Fixed in Luna Backup HSM firmware 7.7.2. Both the backup source partition and the target restore partition must have partition policy 42: Allow CPv1 disabled.

LUNA-26960 open client

Problem: On AIX, the LunaCM command partition domainlist returns an error:

lunacm:>partition domainlist
Error in execution: host memory error.
Command Result : 0x6 (Internal Error)

Workaround: None.

LUNA-26926 open client

Problem: On Linux, a non-root user in the hsmusers group is unable to start pedclient.

Workaround: None.

LUNA-26681 fixed applianceSW

Problem: When both bond0 and bond1 are configured on the appliance, both bonded interfaces are configured with a default route. Only the first-enabled bond interface should have the default route.

Workaround: None.

Resolved: Fixed in Luna Network HSM 7.8.1 appliance software.

LUNA-26488 fixed client

Problem: Using Luna HSM Client 10.4.x to 10.5.0, the Luna Client CSP partition password can no longer be decrypted via the Windows DPAPI.

Workaround: Re-register the partition with the Luna CSP.

Resolved: Fixed in Luna HSM Client 10.5.1 -- an option has been added (/password) to provide the partition password using the register utility.

LUNA-26370 fixed client

Problem: The Mutex lock file generated by Luna HSM Client is created with the wrong permissions (writable by everyone).

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.5.1.

LGX-4950 open firmware

Problem: It is possible to resize a Luna USB HSM 7 partition to 0 bytes using the LunaCM command partition resize.

Workaround: None; do not configure a partition this way.

LUNA-24800 fixed client

Problem: After a key is destroyed, C_Encrypt calls using the key's handle return CKR_TOKEN_NOT_PRESENT instead of CKR_KEY_HANDLE_INVALID. This can interfere with the operation of running applications.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.5.0.

LUNA-24462 fixed firmware

Problem: When the HSM hardware includes the new clock (a response to supply-chain parts shortages), the reimage operation fails. An HSM containing the new part can be recognized by the assembly number 808-000048-003 using the "hsm showinfo" command for a standalone PCIe HSM, or by the number 808-000073-002 using the "hsm show" command for an HSM inside a Luna Network HSM appliance. The problem does not occur for HSMs with firmware version 7.0.3 and earlier, or firmware later than version 7.7.2.

Workaround: Apply HSM firmware version 7.8.0 (or newer). That is a standalone firmware upgrade for Luna PCIe HSM, or is part of the .SPKG for appliance software release 7.8.0 (or newer) on Luna Network HSM.

LUNA-24019 fixed client

Problem: When using Luna HSM Client 10.4.x, integration with Microsoft NDES does not work (HTTP Error 500.0).

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.5.0.

LUNA-23945 fixed cloudHSM

Problem: Using Luna HSM Client 10.4.1, when a Luna Cloud HSM service is configured as an HA group member with multifactor quorum-authenticated Luna 7 partitions, operations do not fail over to Luna Cloud when Luna 7 partitions become unavailable.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.5.0.

LUNA-23764 fixed client

Problem: When cklogs are enabled on a Linux client, source ./setenv --addcloudhsm fails with ERROR: Failed to add cloud hsm configuration to 'Chrystoki.conf', failed to configure PluginsModuleDir in Misc section.

Workaround: Disable cklogs with vtl cklogsupport disable before running the setenv script.

Resolved: Fixed in Luna HSM Client 10.5.0.

LUNA-23695 fixed client

Problem: Using Luna HSM Client 10.3.0 or 10.4.0, LunaHAStatus returns CKR_DATA_INVALID for all members of an HA group after a period of time.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.5.0.

LGX-4942 open G7BU

Problem: Luna Backup HSM firmware 7.7.2 enforces minimum 8-character passwords. The previous limit was 7 characters. If you were using a 7-character password before updating to firmware 7.7.2, you can encounter problems with some operations. For example, soft initialization of the HSM will fail because the new firmware will not allow you to keep the old 7-character password.

Workaround: Change all passwords to use a minimum of 8 characters.

LUNA-22750 fixed client

Problem: The cryptoki library crashes when CKA_UNWRAP_TEMPLATE or CKA_DERIVE_TEMPLATE is called.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.4.0.

LUNA-22378 fixed client

Problem: cmu importkey fails to import encrypted keys.

Workaround: Follow these steps to import the EC key in encrypted form from ec.pfx:

>openssl pkcs12 -in ec.pfx -nocerts -nodes -out Temp.key
Enter Import Password:
>openssl pkcs8 -in Temp.key -topk8 -nocrypt -out PKCS8.key
>cmu importkey -in PKCS8.key -PKCS8 -keyalg ECDSA

Resolved: Fixed in Luna HSM Client 10.4.0.

LUNA-22289 fixed client

Problem: CK_MILENAGE_SIGN_PARAMS does not function correctly when the application is used with an HA group.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.4.0.

LKX-9286 fixed client

Problem: Two audit log entries can occasionally be recorded on the same line of the audit log file, corrupting the file and causing log verification to fail.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.4.0.

LGX-4240 fixed G7BU

Problem: Attempts to change the HSM SO credential on a multifactor-authenticated Luna Backup HSM with firmware 7.7.1 fail with CKR_INVALID_ENTRY_TYPE.

Workaround: None.

Resolved: Fixed in Luna Backup HSM firmware 7.7.2.

LUNA-16839 fixed client

Problem: When using HA, the poll function can fail with CKR_DEVICE_ERROR or CKR_TOKEN_NOT_PRESENT. HA logs show a failover followed by an immediate recovery.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.4.0.

LUNA-16125 fixed client

Problem: WRAP operations fail when the Luna HSM is integrated with Hortonworks in FIPS mode.

Workaround: None. Operations succeed when not in FIPS mode.

Resolved: Fixed in Luna HSM Client 10.4.0.

LUNA-14009 fixed client cloudHSM

Problem: When running cmu verifyhsm, the interactive mode does not prompt for a challenge string, and fails with "Parameters missing".

Workaround: Always specify a challenge string: cmu verifyhsm -challenge "string"

Resolved: Fixed in Luna HSM Client 10.4.0.

LUNA-10992 fixed client

Problem: When using an HA group made up of Luna partitions and a Luna Cloud HSM service in FIPS mode, if the Luna partition is unavailable, 3DES keygen fails with CKR_MECHANISM_INVALID error.

Workaround: Ensure that all HA group members are available before initiating 3DES keygen.

Resolved: Fixed in Luna HSM Client 10.4.0.

SH-4194 open cloudHSM

Problem: If you perform cmu getpkc on a Luna Cloud HSM service to confirm a public key, the operation can sometimes fail.

Workaround: To confirm your key pair's origins and security in an HSM, run CKDemo's DisplayObject (27) function. If the CKA_NEVER_EXTRACTABLE attribute is present, this confirms that the private key was created in the HSM and never extracted.