Thales UC 10.5.1
CRYPTOVISOR CUSTOMER RELEASE NOTEs
Issue Date: 18 May 2023
Product Description
Thales Luna Cloud HSM is a specialized HSM (hardware security module) allowing for cloud deployment, combining high assurance key protection with cloud service advantages such as scalability, elasticity and durability. A pool of Thales Luna Cloud HSM HSMs provides on demand cryptographic services for tenant customer applications. Thales Luna Cloud HSM HSM integrates with existing service provider infrastructure for identity management and storage.
As with all Thales HSMs, the end-user keys never leave a Thales Luna Cloud HSM HSM in plaintext. End-user keys are protected with a strong encryption and authentication scheme outside the HSM, and are only able to be decrypted inside an authorized HSM.
Release Description
Release UC 10.5.1 is available as a new client package, which includes bug fixes and performance improvements.
New Features and Enhancements
Universal Cloning
Cloning (or migration) of keys and objects between Thales HSMs, has been enhanced as follows.
Updated encryption
Cloning encryption is now ECC-based (formerly RSA) and separates session-key negotiation from the use of session keys for migrating/transfering keys and objects within the security envelope with the following advantages:
>Consolidate HSM resources with secure and transparent exchanges of cryptographic material among mixed authentication modes:
•multifactor quorum-authenticated and
•password-authenticated partitions.
>Transfer keys to an entirely new domain, providing full interoperability between on-premises Luna Cloud HSM partitions and Luna Cloud HSM services.
Enhanced cipher suite options
Multiple cipher suites are available for cloning.
>Ciphers can be individually enabled or disabled by command.
>The protocol negotiates the strongest common suite enabled on source and target.
Multiple domains
Extended Domain Management widens the scope of key-migration/key-cloning operations, while maintaining the HSM security envelope.
>Up to three domains can be associated with a partition.
>Domains can be labeled for ease of management, and the labels can be changed for convenience.
>Password-authenticated cloning domains (text string) and multifactor quorum-authenticated domains (PED key secret) can be mixed on a single partition.
>Keys and objects can be shifted from one domain to another.
Session Key Lifetime Management
>Negotiated sessions have a finite lifetime (minimizing possibility of abuse), while being renegotiated with no burden to your applications.
>Multiple keys/objects can be transferred at one time, from one partition to another without requiring key-negotiation for each transfer (compare with prior behavior).
See Universal Cloning.
UC Dynamic UserID Loading
As of UC 10.5, the configuration of multiple users will be supported which allows multiple partition slots to be accessed from a single client instance. This allows customers to add multiple UserID's (a combination of unique AuthTokenClientID, AuthTokenClientSecret, AuthTokenConfigURI) without the need to restart the application after the addition of a new UserID. This will enable a service provider to configure multiple UserID's without impacting the service any of the other users in the same UC instance.
The ability to load multiple partitions to the same UserID without impacting service to other users will also be supported. If an attempt is made to add the same partition ID to a different user that will be ignored and a Warning log will be generated.
More info can be found here: Dynamic Partition Loading for Luna Cloud HSM Services
Capture IP Address and Time Format into Audit Logs
There is a new field in the audit log called "clientip" which is found in the "meta" sub-section. This captures the valid IPv4 or IPv6 address. If there is no valid IP address to capture then the "clientip" field will remain blank.
This field will be populated by the use of a new pard environment variable called "ClientIPHTTPHeader". The default for this variable is "X-Real-IP". "The default field "X-Real-IP" can be modified using the pard environment variable (ClientIPHTTPHeader). The string from the header will be passed through boost::asio::ip::make_address, which will only return valid IPv4 and IPv6 addresses."
As we are changing utctime to "time" and changing the format to include microseconds, the time in the audit logs will be expressed as:
2022-03-16T08:10:12.737123-04:00
Advisory Notes
Luna Cloud HSM Partition Cloning Fails with the 10.5 Client
Cloning keys between two Luna Cloud HSM partitions fails when using the 10.5 client. There are currently two possible workaround scenarios.
-> Workaround #1 - If there is a Luna SA7 (or any other separate device to use as an intermediary for the cloning) then clone to and from that device.
-> Workaround #2 - If there is no separate device then completely uninstall the 10.5 client and install the 10.4 client from scratch. For this option please raise a support ticket to the Thales Customer Support portal to request to join the 2 partitions together as the 10.4 client does not support dynamic partition loading.
You can make the request by following this link:
https://thalesdocs.com/dpod/resources/client_resources/client_connect_to_multiple_services/index.html
UC 10.5 Still Shows a Slot Number After its Luna Cloud HSM Service Has Been Deleted
Lunacm in UC 10.5 now shows a slot number of 3 even after the corresponding Luna Cloud HSM service has been deleted. Previous versions of the client would show no Slot ID once the service was deleted.
Failure to Register LunaClientEventProvider.dll Will Affect Logging in Windows
UCLogger is a statically linked logging library used by the plugin (currently) and in the future will be used by UC. There is currently no issue in Linux, however for Windows there is a LunaClientEventProvider.dll which is generated when UCLogger is built. This dll contains the definitions for the logging events such as event ids and log levels. The dll needs to be registered within the windows registry in order for the logging to work. If it is not registered and console logs are turned off, logging will fall back to the default console logging.
i.If dll is already registered, it will simply continue to use it. (admin or non-admin)
ii.If dll is not registered, it will try to register. If user is admin then it will register.
iii.If user is non-admin then it will not be registered and an admin will be required to add the dll to the registry.
iv.In case of any failure, code will fall back to the default console logging.
The following is the error received:
[WARN] RegisterEventProvider failed. Falling back to console logging
NOTE If you have the CurlLogsEnabled = true in your "crystoki.ini", the console could be flushed with a lot of information and you may not see this warning at the beginning
Steps required to add the dll to the registry:
-
Open windows registry (regedit.exe)
-
Add a new key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Eventlog\Application\LunaClientEventProvider -
Add the following values to the new key:
CategoryCount
Type : REG_DWORD
Data : 3
CategoryMessageFile
Type : REG_SZ
Data : <full path to dll, including the dll>
EventMessageFile
Type : REG_SZ
Data : < full path to dll, including the dll>
TypesSupported
Type : REG_DWORD
Data : 7
-
Log level (For example set via existing configuration parameter “AppLogLevel=info”)
info
warning
error
-
New Config parameters
AppConsoleLogsEnabled (Under REST section - false by default)
(Set to true will enable console logs)
WindowsEventProvider
Full path to LunaClientEventProvider.dll (under Misc section)
Logging
Application Error Logs
Additional logs are displayed by default in the application console output. If you wish to see more or less of these logs change the maximum severity level to be displayed by adding the environment variable AppLogLevel=<value>, or adding the following entry to the REST section of the Chyrstoki.conf/crystoki.ini configuration file:
The following are valid value settings for the AppLogLevel:
-
info
-
warning
-
error
If Application Error Logs are enabled, then the output of the LunaCM command will begin with the following:
lunacm.exe (64-bit) v10.3.0-275. Copyright (c) 2020 SafeNet. All rights reserved.
2021-Jun-15 12:53:56.358949: trace: Thrd=8588, HTTP response code: 200
2021-Jun-15 12:53:56.372949: debug: Thrd=8588, Multipart=N/A, SessionId=N/A, ReqID=00218c-000002, COMMAND=LUNA_XTC_OPEN_REQ_V1
2021-Jun-15 12:53:56.415949: debug: Thrd=8588, Multipart=N/A, SessionId=N/A, ReqID=00218c-000003, COMMAND=LUNA_GEN_APPID
Curl Logs
Curl logs can be added to the console by adding the environment variable CurlLogsEnabled=True to the Rest section of the Chrystoki.conf/crystoki.ini configuration file:
If Curl Logs are enabled the output of the LunaCM command will begin with the following:
lunacm.exe (64-bit) v10.3.0-275. Copyright (c) 2020 SafeNet. All rights reserved.
* Uses proxy env variable no_proxy == '<proxy_environment_variable>'
* Trying <IP_Address>...
* TCP_NODELAY set
* Connected to <tenant_URL> (<IP_Address>) port 443 (#0)
> POST /.well-known/openid-configuration HTTP/1.1
Host: <tenant_URL>
Content-Type: application/x-www-form-urlencoded
Accept: application/json
User-Agent: curl/7.35.0
Content-Length: 46
To disable Curl logs, update the environment variable or Chrystoki.conf/crystoki.ini configuration file to use CurlLogsEnabled=False.
Exceeding Partition Space Limits Impacts Performance
If the number of actively exercised partitions exceeds the total MaxPartitionCount limits of your pard instances, and pard is deleting and importing partitions frequently, cryptographic performance is severely degraded. As a general practice, make sure your data center has enough HSMs to service demand and to avoid pard deleting partitions.
PKCS#11 Cryptographic Limitations
The following limitations apply to clients accessing a Thales Cloud partition:
-
Enforcing restriction of 100 token objects (or 50 RSA-2048 key pairs) per partition.
-
100 session objects (or 50 RSA-2048 key pairs) per application.
-
Enforcing restriction of 100 simultaneous sessions per application.
Clients can no longer exceed the token object limits. The session limit is now enforced, and the client receives the error CKR_MAX_SESSION_COUNT when the application reaches the limit.
Usage Count Attribute is Not Supported for Universal Client
The usage count attribute present on private objects does not increment accurately and is therefore not supported.
Whitelist of Algorithms That are Not Supported
Whitelist of modified algorithms and the expected results:
| Modified alg | log message in pard |
|---|---|
| None | invalid alg 'none' |
| RS384 | ClientAuthTokenValidator::validateSignature(): invalid algorithm |
| RS512 | ClientAuthTokenValidator::validateSignature(): invalid algorithm |
| ES256 | ClientAuthTokenValidator::validateSignature(): invalid algorithm |
| ES384 | ClientAuthTokenValidator::validateSignature(): invalid algorithm |
| ES512 | ClientAuthTokenValidator::validateSignature(): invalid algorithm |
| PS256 | ClientAuthTokenValidator::validateSignature(): invalid algorithm |
| PS384 | ClientAuthTokenValidator::validateSignature(): invalid algorithm |
| PS512 | ClientAuthTokenValidator::validateSignature(): invalid algorithm |
If the algorithm is not part of the whitelist, the request will get rejected before the signature is validated. If the algorithm is part of the whitelist but not of the original token, it will fail in the validation process.
Password Recommendations
We recommend that you always use strong passwords when configuring Cloud HSMs and partitions, even if the passwords are temporary. A strong password has at least 16 random characters. Please see these guidelines from the National Institute of Standards and Technology (NIST).
Compatibility Information
Compatible Host Operating Systems
Thales Universal Client 10.4 Client is supported on Red Hat based Linux 64-bit, version 7 and above, including variants like CentOS. Tools and services rely on python 2 or 3.
Compatible Client Operating Systems
| Operating System | Version |
|---|---|
| Windows |
10 |
| Windows Server Standard |
2019 |
| 2016 | |
| Windows Server Core |
2019 |
| 2016 | |
| Redhat-based Linux (including variants like CentOS and Oracle Enterprise Linux) | 8.0, 8.1, 8.2, 8.3, 8.4 |
| 7 | |
| Ubuntu | 21.04 |
| 20.04.2 | |
| 18.05.5 |
HSM ClientReleases
The HSM Client software is installed on any computer that runs applications that use Luna HSM(s). It includes utilities for accessing and configuring HSM partitions, and for performing cryptographic operations. The client includes the Luna Software Development Kit for developing your applications, and the Luna FM Development Kit for developing Functionality Modules. Since the release of HSM Client 10.2.0 (Luna Universal Client), all versions of the client software allow you to manage and access Luna Cloud HSM services alongside your on-premises Luna HSMs. See Updating the HSM Client Software and HSM Client Software Installation for installation instructions, and refer to the OS compatibility for your desired client version below:
This section also provides information about HSM Client known and resolved issues:
Supported Cryptographic APIs
The following APIs are supported:
>PKCS#11 2.20
>JCA within Oracle Java 8, 9
>JCA within OpenJDK 7, 8, 9
>OpenSSL
>Microsoft CAPI
>Microsoft CNG
Known Issues
This section lists the issues known to exist in the product at the time of release. The following table defines the severity of the issues listed in this section.
| Priority | Classification | Definition |
|---|---|---|
| C | Critical | No reasonable workaround exists. |
| H | High | Reasonable workaround exists. |
| M | Medium | Medium level priority problems. |
| L | Low | Lowest level priority problems. |
List of Thales Luna Cloud HSM Service Client Known Issues
| Issue | Severity | Synopsis |
|---|---|---|
| SH-4194 | M | Problem: If you perform getpkc with CMU to confirm a public key, the operation can sometimes fail. Workaround: To confirm your key pair's origins and security in an HSM, run CKDemo's Display Object (27) function. If the CKA_NEVER_EXTRACTABLE attribute is present, this confirms that the private key was created in the HSM and never extracted. |
| LUNA-27183 | M |
Problem: Using Luna HSM Client 10.5.1, drivers for Remote PED are not installed on Debian-based Linux (such as Ubuntu). Workaround: None. Use Luna HSM Client 10.5.0 or older if you are setting up a Remote PED server. |
| LUNA-13761 | M |
Problem: On Linux, when running cmu selfsigncertificate with no arguments specified, cmu fails to prompt the user for the relevant object handles/OUIDs, even if multiple valid keypairs exist on the partition. Workaround: Always specify the object handles/OUIDs of the desired keypair using -publichandle and -privatehandle or -publicouid and -privateouid. |
| LUNA-12471 | M | Problem: In LunaProvider, some operations prohibited in FIPS mode (insufficient key size, for example) fail with an unhelpful NULL error. Workaround: Consult the "SDK Reference Guide" for permitted FIPS mode operations. |
| LUNA-12822 | L |
Problem: CKDEMO option (39) Get OUID reports object OUIDs with extra zeroes appended. Workaround: Use option (24) Get Attribute to view the correct OUID. |
| LCH-399 | M |
Problem: UC 10.5 fails to retrieve UAA Configuration. The retry handling operation is required at least twice. Workaround: The problem is sporadic. Until a patch is merged it is suggested to repeat the retrieval process until a UAA configuration is retrieved. |
| DPS-10104 | H | Problem: Luna Cloud HSM Partition Cloning Fails with the 10.5 Client.
Workaround 1: If there is a Luna SA7 (or any other separate device to use as an intermediary for the cloning) then clone to and from that device. Workaround 2: If there is no separate device then completely uninstall the 10.5 client and install the 10.4 client from scratch. For this option please raise a support ticket to the Thales Customer Support portal to request to join the 2 partitions together as the 10.4 client does not support dynamic partition loading. |
List of Server-Side Known Issues
| Issue | Severity | Synopsis |
|---|---|---|
| SH-3850 | M |
Problem: If pard restarts while there are concurrent partition creations and deletions on the HSM your clients may lose access to their partitions. Workaround: pard now logs the eviction failure and will still attempt the import. Only if the import fails then the request will also fail. |
| SH-1588 | L |
Problem: cvadmin sometimes displays the error code "(CV_PED_AUTH_ERROR)". Workaround: If you see this error, it means that the provided password was incorrect. Retry the command with the correct password. |
| SH-926 | L |
Problem: When a non-root user on a Luna Cloud HSM host attempts to run the cvadmin tool without the sudo prefix, there is an error, "Invalid slot number." Workaround: Grant the user full permissions to the /dev/k7pf* file(s). There is one file per HSM installed on the host. For example, the root user can run the following commands: groupadd group-name usermod -G group-name user chgrp group-name /dev/k7pf* chmod g+rwx /dev/k7pf* After a reboot, re-run the following commands, as a reboot causes the directory permissions to reset to the default of root only. chgrp group-name /dev/k7pf* chmod g+rwx /dev/k7pf* |
Resolved Issues
This section lists the issues fixed in the product at the time of release. The following table defines the severity of the issues listed in this section.
| Priority | Classification | Definition |
|---|---|---|
| C | Critical | No reasonable workaround exists. |
| H | High | Reasonable workaround exists. |
| M | Medium | Medium level priority problems. |
| L | Low | Lowest level priority problems. |
List of Resolved Issues
| Issue | Severity | Synopsis |
|---|---|---|
| SH-6081 | H |
Problem: Running "cmu verifyhsm" on DPoD slot will create a failure. Resolution:Verified fix on Windows 2016 and Centos7 by replacing plugin 2.1.0-553 packaged in UC 10.4.0-417 with plugin 2.1.1-582. |
| SH-5595 | H |
Problem: Deriving X9.42 DH2 returns CKR_OBJECT_HANDLE_INVALID Resolution:Fixed Derive X9.42 DH with replacing an object handle with ouid in the mech |
| LUNA-13780 | H |
Problem: Importing a DSA public key to a partition using cmu import fails with "Certificate invalid" error. Resolution: Able to import successfully with UC 10.4 on 7.3.3 firmware. |
| SH-4987 | M | Problem: When creating a self-signed certificate with cmu selfsigncertificate, additional characters are added to the specified serial number. Resolution: Verified fix using UC 10.3.0-209 with pard 1.4.0-375 and pard 1.5.0-435; fw 1.4.1-305 |
| LUNA-10992 | M |
Problem: When using an HA group made up of Luna partitions and an HSMoD service in FIPS mode, if the Luna partition is unavailable, 3DES keygen fails with CKR_MECHANISM_INVALID error. Resolution: Fix available in Luna builds: SA7 7.7.1-49 UC 10.4.0-49 |
| LCH-1 | M |
Problem:Mutex error message when using CKLog. Resolution:This has been tested with a UC 10.5.0-470 client and the issue can no longer be reproduced. |
| LUNA-14009 | L |
Problem: When running cmu verifyhsm, the interactive mode does not prompt for a challenge string, and fails with "Parameters missing". Resolution: Successfully verified with UC 10.4.0-415 |
| LUNA-11724 | L |
Problem: When setting up a DPoD Luna Cloud HSM service on Windows, running the setenv script by right-clicking and selecting "Run as Administrator", the operation fails. Resolution: Resolved by documentation. Users are no longer instructed to use the Windows GUI. |
Support Contacts
If you encounter a problem while installing, registering, or operating this product, please refer to the documentation before contacting support. If you cannot resolve the issue, contact your supplier or Thales Customer Support. Thales Customer Support operates 24 hours a day, 7 days a week. Your level of access is governed by the support plan negotiated between Thales and your organization. Please consult this plan for details regarding your entitlements, including the hours when telephone support is available to you.
Customer Support Portal
The Customer Support Portal, at https://supportportal.thalesgroup.com, is where you can find solutions for most common problems and create and manage support cases. It offers a comprehensive, fully searchable database of support resources, including software and firmware downloads, release notes listing known problems and workarounds, a knowledge base, FAQs, product documentation, technical notes, and more.
NOTE You require an account to access the Customer Support Portal. To create a new account, go to the portal and click on the REGISTER link.
Telephone
The support portal also lists telephone numbers for voice contact (Contact Us).
