Luna Appliance Software 7.8.1
Luna Appliance Software 7.8.1 was released in November 2022.
>Download Luna Appliance Software 7.8.1 (includes firmware update to Luna HSM Firmware 7.8.1)
>Download the Cluster 1.0.1 Package
This version also includes Luna Backup HSM 7 Firmware 7.7.2 ready to install (see Updating the Appliance-Connected Luna Backup HSM 7 Firmware).
New Features and Enhancements
Luna Appliance Software 7.8.1 includes the following new features and enhancements:
Partition Configuration Management in LunaSH
Luna Appliance Software 7.8.1 adds new LunaSH commands that can be used to configure an application partition entirely within LunaSH, with policies set and roles initialized and activated, before the partition is assigned to a client. The following new commands have been added:
| Argument(s) | Shortcut | Description |
|---|---|---|
| partition activate | par a | Activate a role on the partition. |
| partition changePolicy | par changepo | Change policies on the partition. |
| partition changePw | par changepw | Change the password for a role on the partition. |
| partition clear | par cl | Delete all objects on a partition. |
| partition createChallenge | par createc | Create a challenge secret password for the Crypto Officer or Crypto User on a multifactor quorum-authenticated partition. |
| partition deactivate | par d | De-cache a partition's PED key data. |
| partition init cu | par i cu | The Crypto Officer can use this command to create a Crypto User role on the partition. |
| partition showContents | par showc | Display a list of all objects on a partition. |
| partition showPolicies | par showp | Display the policy settings of the specified partition. |
See partition for the full list of partition commands in LunaSH.
Cluster Enhancements
CAUTION! TECHNICAL PREVIEW -- EVALUATION ENVIRONMENT ONLY
Clusters are presented as a technical preview, to give customers the opportunity to validate our new HSM management features, designed to reduce operation cost and maximize the return on investment of a fleet of HSMs. This release does not provide a migration path from standard Luna partitions or Luna Cloud HSM services to keyrings. Thales recommends Luna Appliance Software 7.8.3 with cluster package 1.0.3, Luna HSM Firmware 7.8.2,
DO NOT INSTALL THE CLUSTER PACKAGE ON A LUNA NETWORK HSM IN PRODUCTION
When the cluster package is installed, access to any existing partitions on the HSM is disabled, and this can only be reversed by re-imaging the Luna Network HSM 7 appliance (see Re-Imaging the Appliance to Baseline Software/Firmware Versions). Re-imaging is a destructive action; all roles, partitions, and keys are destroyed. The Luna Network HSM 7 must be completely reconfigured; all partitions must be recreated and their contents restored from backup. In particular, do not attempt to configure clustering on a Luna Network HSM 7 that already has V1 partitions created; either delete these partitions or re-image the appliance before configuring a cluster.
This release includes the following enhancements to the Clusters feature:
>Associate Luna Network HSM 7 monitor User With Luna HSM Client Registration
You can now specify a LunaSH username with monitor privileges to associate with a client. This can be the default monitor role, or a custom user with the monitor role assigned. The user account must already exist on the appliance (see Creating Custom Appliance User Accounts).
See Cluster-Client Connections.
This enhancement also requires Luna HSM Client 10.5.1 or newer.
>Cluster Certificate Provided Via Webserver 8443 Port
In previous releases, when the cluster was deleted and the cluster CA certificate was regenerated, a serial connection was required to retrieve the fingerprint for the new cluster certificate. In this release, a new resource allows you to retrieve the fingerprint using the established, trusted REST API webserver port (8443).
GET /api/lunasa/cluster/caCert
>Customize clusterlogs Severity Level
In this release, you can customize the severity of the messages to log for clusterlogs.
lunash:> syslog severity set
PUT /api/lunasa/syslog/logs/{logid}
Force Speed/Duplex Mode on Network Interfaces
It is now possible to force the speed and duplex mode on appliance network interfaces, rather than using auto-negotiation. These settings can be changed using new LunaSH commands.
List or Delete Available Files on the Appliance Using REST API
REST API 12.0.0 now allows you to retrieve a list of available files on the Luna Network HSM 7 appliance, get information about a specified file, or delete a specified file. The following new resources are provided for this purpose:
List the files owned by the currently logged-in user.
>GET /users/{userid}/files/{fileid}
Display information about the files owned by the currently logged-in user.
>DELETE /users/{userid}/files/{fileid}
Delete a specified file owned by the currently logged-in user.
Valid Update Paths
You can update the Luna Appliance Software to version 7.8.1 from the following previous versions:
>7.0.0, 7.1.0, 7.2.0, 7.2.2, 7.3.0, 7.3.1, 7.3.3, 7.3.4, 7.4.0, 7.4.1, 7.4.2, 7.7.0, 7.7.1, 7.8.0
Advisory Notes
This section highlights important issues you should be aware of before deploying appliance software 7.8.1.
PED-Initiated Remote PED Connection with Self-signed Certificates only
Luna Appliance Software 7.8.1 or newer with Luna HSM Client 10.5.1 or newer uses self-signed certificates for PED-initiated Remote PED connections and does not support using 3rd-party (trusted Certificate Authority) certificates for that purpose at this time.
REST API Webserver Automatically Enabled
When upgrading to Luna Appliance Software 7.8.1 or newer, the REST API webserver is automatically enabled. If you have not already configured the webserver to accept REST API calls, this can cause a large volume of error messages to appear in logs. For example:
2022 Nov 22 16:39:29 10 daemon notice systemd: nginx.service: control process exited, code=exited status=1 2022 Nov 22 16:39:29 10 daemon err systemd: Failed to start nginx - high performance web server. 2022 Nov 22 16:39:29 10 daemon notice systemd: Unit nginx.service entered failed state. 2022 Nov 22 16:39:29 10 daemon warning systemd: nginx.service failed.
These error logs can be safely ignored, but you must explicitly disable the webserver service to stop them from accumulating (lunash:> webserver disable). If you plan to configure the webserver to accept REST API calls, you must regenerate the webserver certificate (lunash:> webserver certificate generate) and restart the webserver service (lunash:> service start webserver) to stop the error logs.
Insecure SSH Ciphers Removed From Luna Appliance Software 7.8.0 and Newer
Thales has removed a number of less-secure SSH ciphers from Luna Appliance Software 7.8.0. As a consequence, older client versions may not be able to use SSH to access LunaSH. This affects SSH connections, pscp/scp file transfers, plink, and certain procedures that rely on these tools such as the One-Step NTLS Connection Procedure. To avoid connection problems, you must use the versions of pscp and plink from Luna HSM Client 10.4.0 or newer. If you use Linux-standard applications like scp or ssh, ensure that they are updated to the latest version.
The following ciphers have been removed:
MACS
>umac-64-etm@openssh.com
>umac-128-etm@openssh.com
>umac-64@openssh.com
>umac-128@openssh.com
Host-Based Accepted Key Types
>ssh-rsa-cert-v01@openssh.com
>ssh-dss-cert-v01@openssh.com
>ssh-rsa
>ssh-dss
Host Key Algorithms
>ssh-rsa-cert-v01@openssh.com
>ssh-dss-cert-v01@openssh.com
>ssh-rsa
>ssh-dss
Public Key Accepted Key Types
>ssh-rsa-cert-v01@openssh.com
>ssh-dss-cert-v01@openssh.com
>ssh-dss
Change in Network Routing Default Requires Precaution Before Update
A change to network routing when updating to Luna Appliance Software 7.7.0 or newer, from any prior 7.x version, can cause your appliance to become unreachable via network connection. Older appliance versions permitted the existence of multiple default routes. Beginning with Luna Appliance Software 7.7.0, only one instance of the default route can exist.
Options for a successful update with minimal disruption are:
>Remove all but one instance of the ‘default route’, using the network route delete command, before upgrading from any appliance software version older than Luna Appliance Software 7.7.0.
>Connect locally via serial cable to perform the update, so your access to the network appliance is not lost when network connection becomes temporarily unavailable (pending proper network configuration).
Note also that if you re-image, going back to a version older than Luna Appliance Software 7.7.0, the routing table goes back to the old format and you must apply one of the above precautions again, to update.
If the above precautions are not taken and the appliance becomes unreachable, complete the following steps to restore connection to the appliance:
1.Connect locally via serial cable.
2.Delete all network interfaces. See network interface delete.
3.Configure a network interface to use a default route by doing one of the following:
•Configure the network interface to use a static IP configuration while specifying the -gateway option. See network interface static.
•Configure the network interface to use DHCP. See network interface dhcp.
After you complete the above steps, network connectivity to the appliance is restored and any remaining interfaces that are configured do not have a default route set.
Luna Network HSM 7 Reboot Patch is a Prerequisite For Older Appliances
The Luna Network HSM 7 Reboot Patch is a prerequisite for updating to Luna Appliance Software 7.7.0 and newer. Appliances currently shipped from the factory have this patch already installed, but if you have an older appliance, you must first install the patch or the appliance software update will not proceed.
If you already installed the patch to enable an earlier update (7.7.0 or newer), you do not need to install it again.
sysconf snmp trap set command now defaults to "inform"
Previously, sysconf snmp trap set -traptype command would default to "trap". This has changed with Luna Appliance Software 7.7.0; which adds the option "inform", the new default. If you had any scripts that relied on the default setting, they should now be adjusted to explicitly set the -traptype.
