Luna Appliance Software 7.2.0

Luna Appliance Software 7.2.0 was released in May 2018. It comes pre-installed on Luna Network HSMs sold after August 2018.

>Download Luna Appliance Software 7.2.0 (includes Luna HSM Firmware 7.2.0 update)

>Download Luna Appliance Software 7.2.0 (includes Luna HSM Firmware 7.0.3 update)

CAUTION! Versions of the user documentation found on the Customer Portal are no longer updated and may contain errors and omissions. For the most accurate and up-to-date documentation of all major Luna 7 releases, always refer to the latest set of online documentation at https://www.thalesdocs.com.

New Features and Enhancements

Luna Appliance Software 7.2.0 includes the following new features and enhancements:

10 Gbps Optical NIC Luna Network HSM 7 Support

Thales is pleased to announce the availability of the 10 Gbps optical NIC Luna Network HSM 7. This product variant provides two 10G optical network interfaces and two 1G copper network interfaces, as opposed to the standard 1G model which provides four 1G copper network interfaces.

The 10G Luna Network HSM 7 provides two 10G SFP optical Ethernet network interfaces (labeled 0 and 1), and two 1G copper RJ45 network interfaces (labeled 2 and 3), as illustrated below. You can optionally bond eth0 and eth1 to bond0, or eth2 and eth3 to bond1, to provide a redundant active/standby virtual interface.

Configurable Cipher Suites

You can now configure the TLS cipher suites used by NTLS, STC, and PEDserver on the Luna Network HSM 7. This new capability allows administrators to select and configure cipher strength to meet their internal security objectives and compliance requirements.

The cipher suites are configured using the new sysconf tls cipher LunaSH commands. The available set of ciphers is displayed in default order. Users can choose which ciphers from the set to use, as well as the order of preference for TLS cipher-suite negotiation. The modified cipher list and order can also be exported as a template; the template can then be used to configure TLS cipher suites on multiple HSMs.
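Before a modified cipher list is reused across several HSMs, it can be checked against an internal policy. The following is an added example, not Thales code: it assumes the list is available as one OpenSSL-style suite name per line in preference order (the page does not show the template format), and the policy rules and sample list are constructed for illustration.

```python
# Added example. Assumed input: one OpenSSL-style suite name per line,
# most preferred first. The appliance's real template format may differ.
BROKEN = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH")
AEAD = ("GCM", "CCM", "CHACHA20")

SAMPLE_TEMPLATE = """\
ECDHE-RSA-AES256-GCM-SHA384
AES256-SHA256
DHE-RSA-AES128-GCM-SHA256
DES-CBC3-SHA
"""  # constructed sample, not exported from an HSM


def findings_for(suite):
    """Return the policy findings for one suite name (empty list = acceptable)."""
    name = suite.upper()
    if name.startswith("TLS_"):  # TLS 1.3 names: always AEAD with ephemeral keys
        return []
    out = []
    if not name.startswith(("ECDHE-", "DHE-")):
        out.append("no forward secrecy")
    if not any(mode in name for mode in AEAD):
        out.append("non-AEAD mode (CBC or stream)")
    if any(tok.startswith(b) for tok in name.split("-") for b in BROKEN):
        out.append("broken primitive")
    return out


def audit(template_text):
    """Return (per-suite findings, acceptable suites ranked below a flagged one)."""
    suites = [s.strip() for s in template_text.splitlines() if s.strip()]
    report = [(s, findings_for(s)) for s in suites]
    misordered, first_flagged = [], None
    for suite, findings in report:
        if findings and first_flagged is None:
            first_flagged = suite
        elif not findings and first_flagged is not None:
            misordered.append((suite, first_flagged))
    return report, misordered


if __name__ == "__main__":
    report, misordered = audit(SAMPLE_TEMPLATE)
    for suite, findings in report:
        print(f"{suite:32} {'; '.join(findings) or 'ok'}")
    for good, bad in misordered:
        print(f"order: {good} is ranked below flagged suite {bad}")
```

The ordering check matters because the page states that the order of preference is used for negotiation: an acceptable suite listed after a flagged one may never be selected.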

Customizable System Logging

You can now customize local and remote system logging according to message severity. There is no limit on the number of remote logging servers you can add, and you can configure the severity level for each server and log type independently. For example, you could send all log entries produced by the appliance to one remote server, and only entries marked critical or higher to another. Storing only the most severe (infrequent) entries locally on the appliance can prevent the syslog directory from filling up over time.
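The two-server split described above can be verified on the receiving side. This added example (not Thales code) decodes the standard syslog PRI header and checks which collector should see each message; the collector names, routing table and log lines are constructed, and the appliance's actual message format may differ.

```python
# Added example: model per-server severity thresholds and audit a collector.
import re

# RFC 5424 severity codes 0..7; a LOWER code means a MORE severe message.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")

# Hypothetical collectors: one takes everything, one only critical or higher.
ROUTES = {"collector-all.example": "debug",
          "collector-crit.example": "critical"}

SAMPLE_LINES = [  # constructed lines, not real appliance output
    "<134>May 10 10:00:01 hsm1 svc: routine informational message",
    "<130>May 10 10:00:05 hsm1 svc: critical condition reported",
    "<11>May 10 10:00:09 hsm1 svc: error while handling request",
    "<129>May 10 10:00:12 hsm1 svc: alert raised",
]


def severity_of(line):
    """Decode the severity from the PRI header, or None if it is malformed."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:   # highest valid PRI is 23 * 8 + 7
        return None
    return int(m.group(1)) & 7           # PRI = facility * 8 + severity


def destinations(line, routes):
    """Servers whose configured threshold admits this line."""
    sev = severity_of(line)
    if sev is None:
        return []
    return [srv for srv, lvl in routes.items() if sev <= SEVERITIES.index(lvl)]


def unexpected(lines, level):
    """Lines a collector limited to `level` should not have received."""
    limit = SEVERITIES.index(level)
    bad = []
    for line in lines:
        sev = severity_of(line)
        if sev is None or sev > limit:   # malformed lines are reported too
            bad.append(line)
    return bad
```

Running `unexpected()` over what the critical-only collector actually stored shows whether a threshold was set too loosely on the appliance.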

Rename/Relabel Partitions

The HSM SO can now change the name assigned to a partition on creation. This does not affect the label set by the Partition SO during initialization and is only visible in LunaSH. This allows partitions to be created ahead of time and renamed to something more suitable later, when they are allocated for a particular purpose.

The Partition SO can now change the label of an initialized partition.

This feature also requires Luna HSM Firmware 7.2.0.

Initialize the Orange RPV Key Remotely

You can now initialize the Luna Network HSM 7's Remote PED Vector (orange key) using a Luna PED connected to a remote workstation running PEDserver. A one-time numeric password is used to authenticate the Remote PED to the HSM before initializing the RPV. This optional method is useful if the HSM SO only has remote SSH access to the appliance. For security, the HSM must be in a zeroized (uninitialized) state. Your firewall settings must allow an HSM-initiated Remote PED connection.

See Initializing the Remote PED Vector and Creating an Orange Remote PED key.

This feature also requires Luna HSM Client 7.2.0.

REST API 6.0

REST API 6.0 is included with the Luna Appliance Software 7.2 release. Customers who update their appliance software to version 7.2.0 will automatically receive the REST API 6.0 update. REST API 6.0 contains the following new features:

>Appliance Upgrade Management — Manage Thales Licensing Portal partition upgrade packs using REST API.

>Package and Firmware Update Management — Update, verify, list, and delete secure packages with REST API, including firmware updates.

>Multi-Part Upload Requests — Upgrade your HSMs via a single REST API call, improving performance and efficiency.

>Configurable REST API Users and Roles — Manage REST API users and roles (add, remove, modify, show, list) using REST API.

>Configurable REST API Access Control List -- Modify role access using REST API, by importing and exporting lists of available resources.

Valid Update Paths

You can update the Luna Appliance Software to version 7.2.0 from the following previous versions:

>7.0.0, 7.1.0

Advisory Notes

This section highlights important issues you should be aware of before deploying Luna Appliance Software 7.2.0.

Re-apply the Luna Network HSM 7 Reboot Patch to Older Luna Appliance Software Versions

The Luna Network HSM 7 Reboot Patch is recommended for all Luna Network HSM 7s. Appliances currently shipped from the factory have this patch already installed, but if you use Luna Appliance Software 7.4.0 or older in your production environment, you must re-apply the patch after performing one or both of the following actions:

>Re-imaging the appliance to Luna Appliance Software 7.2.0 and Luna HSM Firmware 7.0.3

>Updating to Luna Appliance Software 7.4.0 or older