Luna Network HSM Appliance Software 7.8.0

Luna Network HSM 7.8.0 was released in July 2022.

New Features and Enhancements

Luna Network HSM 7.8.0 includes the following new features and enhancements:

Time Management by HSM SO

HSM administration is streamlined with the HSM SO now able to use hsm time commands, previously restricted to the Audit user.

See hsm time.

Clusters and Keyrings

CAUTION!   TECHNICAL PREVIEW -- EVALUATION ENVIRONMENT ONLY

Clusters and keyrings are presented as a technical preview, to give customers the opportunity to validate our new HSM management features, designed to reduce operation cost and maximize the return on investment of a fleet of HSMs. This release does not provide a migration path from standard Luna partitions or Luna Cloud HSM services to keyrings. This preview is currently available on password-authenticated Luna Network HSMs only.

DO NOT INSTALL THE CLUSTER PACKAGE ON A LUNA NETWORK HSM IN PRODUCTION

When the cluster package is installed, access to any existing partitions on the HSM is disabled, and this can only be reversed by re-imaging the Luna Network HSM appliance (see Re-Imaging the Appliance to Baseline Software/Firmware Versions). Re-imaging is a destructive action; all roles, partitions, and keys are destroyed. The Luna Network HSM must be completely reconfigured; all partitions must be recreated and their contents restored from backup.

Luna Network HSM now allows you to store your cryptographic objects in an encrypted cluster within the appliance memory. This process uses Scalable Key Storage to encrypt the cluster and the SMK is shared with all member HSMs. The cluster contains keyrings, which are analogous to application partitions and can be accessed by a client in much the same way, by connecting to any member appliance. Keys are retrieved from the cluster, decrypted within the secure confines of the HSM, and used by the HSM for cryptographic operations. This configuration allows you to store many more keys than you can normally store within HSM partitions. The management of backup and restore operations is greatly simplified; the HSM administrator can back up the full content of a cluster, at scheduled intervals or on demand.

A cluster can consist of one Luna Network HSM member appliance, or up to 4 appliances that share the contents of the cluster. Adding multiple members to a cluster improves performance, and provides redundancy and failover for your client applications.

Up to 3000 keyrings can be created on the cluster, and each keyring can contain up to 256 objects.

This feature requires Luna Network HSM Appliance Software 7.8.0 or newer, Luna HSM Firmware 7.8.0 or newer, and each appliance in the cluster must have the cluster secure package installed. Luna HSM Client 10.5.0 or newer is required to access keyrings on a cluster. This feature is currently available on password-authenticated Luna Network HSMs only.

See About the Cluster Administration Guide.

Valid Update Paths

You can update the Luna Network HSM appliance software to version 7.8.0 from the following previous versions:

>7.0.0, 7.1.0, 7.2.0, 7.2.2, 7.3.0, 7.3.1, 7.3.3, 7.3.4, 7.4.0, 7.4.1, 7.4.2, 7.7.0, 7.7.1

Advisory Notes

This section highlights important issues you should be aware of before deploying appliance software 7.8.0.

Insecure SSH Ciphers Removed From Luna Network HSM 7.8.0 and Newer

Thales has removed a number of less-secure SSH ciphers from Luna Network HSM Appliance Software 7.8.0. As a consequence, older client versions may not be able to use SSH to access LunaSH. This affects SSH connections, pscp/scp file transfers, plink, and certain procedures that rely on these tools such as the One-Step NTLS Connection Procedure. To avoid connection problems, you must use the versions of pscp and plink from Luna HSM Client 10.4.0 or newer. If you use Linux-standard applications like scp or ssh, ensure that they are updated to the latest version.

The following MACs and key types have been removed:

MACs

>umac-64-etm@openssh.com
>umac-128-etm@openssh.com
>umac-64@openssh.com
>umac-128@openssh.com

Host-Based Accepted Key Types

>ssh-rsa-cert-v01@openssh.com
>ssh-dss-cert-v01@openssh.com
>ssh-rsa
>ssh-dss

Host Key Algorithms

>ssh-rsa-cert-v01@openssh.com
>ssh-dss-cert-v01@openssh.com
>ssh-rsa
>ssh-dss

Public Key Accepted Key Types

>ssh-rsa-cert-v01@openssh.com
>ssh-dss-cert-v01@openssh.com
>ssh-dss
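A pre-upgrade compatibility check, added here as an example and not Thales tooling: it parses the output of `ssh -G <appliance>` (OpenSSH's effective client configuration, one `keyword value` per line) and reports, for each affected keyword, which of the MACs and key types listed above the client still offers and whether anything else is left to negotiate with. The sample `ssh -G` output, the host name and `hmac-sha2-256-etm@openssh.com` are constructed assumptions.

```python
import subprocess
import sys

# Removed algorithms from the 7.8.0 release notes, keyed by ssh_config keyword.
_LEGACY = {"ssh-rsa-cert-v01@openssh.com", "ssh-dss-cert-v01@openssh.com",
           "ssh-rsa", "ssh-dss"}
REMOVED = {
    "macs": {"umac-64-etm@openssh.com", "umac-128-etm@openssh.com",
             "umac-64@openssh.com", "umac-128@openssh.com"},
    "hostbasedacceptedkeytypes": _LEGACY,
    "hostkeyalgorithms": _LEGACY,
    "pubkeyacceptedkeytypes": _LEGACY - {"ssh-rsa"},  # plain ssh-rsa not removed here
}
# Newer OpenSSH prints the *Algorithms spelling of these two keywords.
ALIASES = {"hostbasedacceptedalgorithms": "hostbasedacceptedkeytypes",
           "pubkeyacceptedalgorithms": "pubkeyacceptedkeytypes"}


def check_ssh_config(ssh_g_output):
    """Map each affected keyword to (offered_and_removed, offered_and_not_removed).

    An empty second list means everything the client offers for that keyword is
    gone from the 7.8.0 appliance, so negotiation on that keyword fails.
    """
    report = {}
    for line in ssh_g_output.splitlines():
        parts = line.split(None, 1)          # `keyword value`, as ssh -G prints it
        if len(parts) != 2:
            continue
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key in REMOVED:
            offered = [a for a in parts[1].split(",") if a]
            report[key] = ([a for a in offered if a in REMOVED[key]],
                           [a for a in offered if a not in REMOVED[key]])
    return report


def will_negotiate(report):
    """True when every checked keyword still offers something not on the removed list."""
    return all(remaining for _, remaining in report.values())


# Constructed sample of `ssh -G` output for a client pinned to legacy settings.
SAMPLE = """user admin
hostname luna-hsm.example.internal
macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com
hostkeyalgorithms ssh-rsa,ssh-dss
pubkeyacceptedkeytypes ssh-ed25519,ssh-rsa
"""

if __name__ == "__main__":  # pass an appliance hostname to check the real client config
    text = (subprocess.run(["ssh", "-G", sys.argv[1]], capture_output=True, text=True,
                           check=True).stdout if len(sys.argv) > 1 else SAMPLE)
    for key, (removed, kept) in check_ssh_config(text).items():
        print(f"{key}: removed={removed} kept={kept}")
```

In the sample, the MAC and public-key lists still negotiate, but HostKeyAlgorithms offers only removed types, which is the case that breaks every SSH, pscp and plink session to the appliance.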

Luna Network HSM Appliance BIOS and BMC Firmware Update Patch is a Prerequisite

The Luna Network HSM Appliance BIOS and BMC Firmware Update Patch is a prerequisite for upgrading to Luna Network HSM Appliance Software 7.7.1 and newer. If your appliance was already at version 7.7.0, then the patch is already installed. If you are updating from an appliance version earlier than 7.7.0, then the patch must be installed before upgrading to 7.7.1 or newer.

CAUTION!   The Luna Network HSM Appliance BIOS and BMC Firmware Update Patch must be installed over SSH only. Installation over a serial port connection will fail.

sysconf snmp trap set command now defaults to "inform"

Previously, the sysconf snmp trap set -traptype command defaulted to "trap". This changed with Luna Network HSM Appliance Software 7.7.0, which added the option "inform" and made it the new default. If you have any scripts that relied on the default setting, adjust them to set -traptype explicitly.