The following are features or highlights of SafeNet HSM release 6.2.1.
SHA1-based MACs are disabled when negotiating SSH sessions due to security concerns. The SafeNet Network HSM appliance negotiates the strongest available encryption supported for TLS by both the appliance and your administrative host computer.
After it is created and edited, a Partition Policy Template can be exported from the originating HSM host and then imported and applied on an unlimited number of other HSMs. The ability to create and save Partition Policy Templates, and to export and import them to other HSMs, enables administrators to replicate configured application partitions, speeding the provisioning process and ensuring consistent policy assignments across partitions with similar security requirements. This enables scalable policy management across tens and hundreds of partitions while also simplifying future audit and compliance requirements. See Partition Creation with Policy Template Using LunaCM.
SafeNet HSM complies with NIST Special Publication 800-38F, which describes cryptographic methods that are approved for key wrapping. The publication recommends AES Key Wrap mode (CKM_AES_KW) as more secure than CKM_AES_CBC. To use CKM_AES_KW, update the HSM firmware to version 6.24.2. See CKM_AES_KW.
PEDServer now has the option to initiate a Remote PED connection with an instance of PEDClient. This is useful when the HSM and PEDClient reside behind a firewall that does not permit outgoing initiation of connections. New commands and options are added to PEDServer. For SafeNet Network HSM, this requires appliance software version 6.2.1. Traditional PEDClient-initiated Remote PED connections continue to be supported; the traditional and peer-to-peer modes are mutually exclusive.
Remote PED can now be initiated from either end of the link, allowing connection where local firewall rules forbid launching a connection from (for example) inside a server-farm firewall. See Server-initiated (Peer-to-Peer) Remote PED Connection.
The SafeNet HSM can once again support the use of 4096-bit RSA keys when in FIPS mode. The NIST transition of the Digital Signature Standard from FIPS 186-2 to FIPS 186-4 disallowed RSA 4096-bit keys, and a previous SafeNet HSM release imposed that restriction. NIST has reconsidered and allowed 4096-bit RSA keys. With release 6.2.1 and firmware 6.24.2, the SafeNet HSM's FIPS mode complies with the most current NIST guidance.
The FindObjects call is optimized, improving HA performance. See Performance and the section "HA and FindObjects" on the page Using HA With Your Applications for more information.
HA Autoinsert capability improves recovery and enables hands-off introduction of new or replacement HSMs to HA groups. See Recovery.
Discover features that we have been developing, and that are almost ready for release. We are looking for some feedback and guidance. See TECHNOLOGY PREVIEW.