HSM Client 10.2.0

HSM Client 10.2.0 was released in March 2020.

>Download HSM Client 10.2.0 for Windows

>Download HSM Client 10.2.0 for Linux

>Download Minimal HSM Client 10.2.0 for Linux

>Download HSM Client 10.2.0 for Solaris SPARC

>Download HSM Client 10.2.0 for Solaris x86

>Download HSM Client 10.2.0 for AIX

New Features and Enhancements

HSM Client 10.2.0 includes the following new features and enhancements:

HSM Client 10.2.0 Supports Both Luna HSMs and Luna Cloud HSM Services From Data Protection on Demand

HSM Client can now be used with Luna Cloud HSM services provided by Thales Data Protection on Demand. This allows you to migrate keys from a password-authenticated Luna HSM partition to a Luna Cloud HSM service or vice-versa, set up High-Availability (HA) groups that include both password-authenticated Luna partitions and Luna Cloud HSM services, and operate your local (Luna PCIe HSM and Luna USB HSM 7), remote (Luna Network HSM), and cloud HSM solutions on the same client workstation.

New HSM Client Operating System Support

HSM Client 10.2.0 can be installed on the following new operating systems:

>Windows Server Core 2016/2019

>Red Hat Enterprise Linux 8 (including variants like CentOS 8)

>AIX 7.2

3GPP Cryptography for 5G Mobile Networks

The new 3GPP crypto functions support the authentication and re-synchronization of a mobile device to the back-end authentication center (AUC). Milenage, Tuak and Comp128 algorithms are available and are relevant to 2/2.5G, 3G, 4G(LTE) and newer 5G mobile networks. The primary benefit of using the Luna HSM ensures that the subscribers key (Ki) is never exposed in the clear outside the security perimeter of a hardware security device. Optionally the Operators Variant string (OP) may also be encrypted under a storage key only found inside the HSM. See 3GPP Mechanisms for 5G Mobile Networks.

SM2/SM4 Support

SM2 is comparable to Elliptic Curve (EC) in terms of key structure though the signing algorithm is different. SM2 is required for sign/verify. There is a new key type CKK_SM2. SM4 is comparable to Advanced Encryption Standard (AES-128) in terms of key size though the encryption algorithm is different. SM4 is required for encrypt/decrypt (modes ECB, CBC, CBC-PAD). There is a new key type CKK_SM4. See SM2/SM4 Mechanisms.

SHA-3 Function Support

This provides a guide to using the SHA-3 crypto functions in the Luna HSM. The SHA-3 implementation conforms to the NIST publication FIPS PUB 202. The SHA-3 hash algorithm has been implemented in the K7 FW. This provides the ability to send message data to the Luna HSM in order to receive the SHA-3 digest of the data. The algorithm is implemented for digest bit lengths of 224, 256, 384 and 512 similar to the SHA-2 family of hash algorithms. Other mechanisms that make use of a digest include support for SHA-3 by either specifying the mechanism type or specifying mechanism parameters. See SHA-3 Mechanisms.

Supported Operating Systems

You can install the HSM Client 10.2.0 on the following 64-bit operating systems:

Operating System Version Secure Boot Supported
Windows 10 Yes
Windows Server Standard 2019 Yes
2016 Yes
2012 R2 No
Windows Server Core 2019 Yes
2016 Yes
Red Hat Enterprise Linux (including variants like CentOS) 8.0 No
7 No
6 No
Ubuntu * 14.04 No
18 No
AIX ** 7.2 No
7.1 No
Solaris (SPARC/x86) ** 11

* The Linux installer for HSM Client software is compiled as .rpm packages. To install on a Debian-based distribution, such as Ubuntu, alien is used to convert the packages. We used build-essential:

apt-get install build-essential alien

If you are using a Docker container or another such microservice to install the Luna Minimal Client on Ubuntu, and your initial client installation was on another supported Linux distribution as listed above, you do not require alien. Refer to the product documentation for instructions. You might need to account for your particular system and any pre-existing dependencies for your other applications.

** Although the AIX and Solaris installers display the options, Luna PCIe HSM and Luna USB HSM 7 are not supported in this release. Select only Luna Network HSM during installation.

Supported Cryptographic APIs

Applications can perform cryptographic operations using the following APIs:

>PKCS#11 2.20

>JCA within Oracle Java 7*/8*/9/10/11

*HSM Client 10.1.0 and newer requires the advanced version of Oracle Java 7/8.

>JCA within OpenJDK 7/8/9/10/11


>Microsoft CAPI

>Microsoft CNG

Advisory Notes

This section highlights important issues you should be aware of before deploying HSM Client 10.2.0.

Older Clients Can Fail to Complete One-Step NTLS with Newer Appliance Software

Newer Luna Network HSM can have outdated (weaker) ciphers removed from file transfer protocols, as a security measure. If you have HSM Client 7.3.0 or older installed, it might not be possible to negotiate a common cipher for a secure link. You might see an error similar to: FATAL ERROR: Couldn't agree a host key algorithm (available: ecdsa-sha2-nistp256,ssh-ed25519).

To resolve this issue, you can download a new version of PuTTY from PuTTY.org at: https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

Copy pscp.exe and plink.exe to C:\Program Files\SafeNet\LunaClient and retry One-Step NTLS.

Alternatively, install HSM Client 10.4.0 or newer, which includes plink and pscp 0.76 or newer.

Red Hat Enterprise Linux 8 in FIPS Mode Requires Minimal HSM Client

RHEL 8.x introduced system-wide cryptographic modes. The full HSM Client installer is supported only when RHEL 8.x is in DEFAULT mode. If your RHEL 8.x OS is in FIPS mode, use the minimal HSM Client.

Red Hat Enterprise Linux / CentOS 6 Support is Ended

HSM Client 10.2.0 is the last version that will support RHEL 6 and related operating systems. If you plan to install future client updates, consider updating your clients to RHEL 7 or 8.

Support for 32-bit OS Platforms is Ended

Starting with HSM Client 10.2.0, 32-bit libraries are no longer provided. If you have a 32-bit application or integration, remain with a previous client release or migrate to 64-bit platform.

Older JAVA Versions Require Patch/Update

The .jar files included with HSM Client 10.x have been updated with a new certificate, signed by the Oracle JCE root certificate. This certificate validation requires a minimum Oracle JDK/JRE version.

>If your application relies on Oracle Java 7 or 8, you must update to the advanced version provided by Oracle. You require (at minimum) version 7u131 or 8u121. Please refer to Oracle's website for more information: https://www.oracle.com/technetwork/java/java-se-support-roadmap.html

>If your application relies on IBM Java 7 or 8, you must install a patch from IBM before updating to HSM Client 10.x (see APAR IJ25459 for details).

CKR_MECHANISM_INVALID Messages in Mixed Luna Cloud HSM Implementations

When using a Luna Cloud HSM service with HSM Client, you might encounter errors like "CKR_MECHANISM_INVALID" or "Error NCryptFinalizeKey" during some operations in Hybrid HA and FIPS mode (3DES Issue). This can occur if firmware versions differ between a Luna HSM partition and a Luna Cloud HSM service in an HA group when you invoke a mechanism that is supported on one but not the other. Similarly, if one member is in FIPS mode, while the other is not, a mechanism might be requested that is allowed for one member, but not the other. For example, the ms2luna tool can fail when 3DES operations are invoked.