Luna Appliance Software 7.8.4

Luna Appliance Software 7.8.4 was released in December 2023.

>Download Luna Appliance Software 7.8.4

This version also includes Luna Backup HSM 7 Firmware 7.7.2 ready to install (see Updating the Appliance-Connected Luna Backup HSM 7 Firmware).

New Features and Enhancements

Luna Appliance Software 7.8.4 includes the following new features and enhancements:

HSM communication CIA (confidentiality, integrity, and availability) updates

Configurable Key Size and Type Support for NTLS and SSH

The Luna Network HSM 7 adds a -keysize option to support RSA key sizes of 2048, 3072, and 4096, along with a -keytype option to support Ed25519 and select ECC curves, as well as a -curve option to specify which of the supported ECC curves you wish to use. At the same time, the vtl createCert command in the vtl utility on the client is updated to match. Requires Luna Network HSM 7 software version 7.8.4 or newer, and Luna HSM Client version 10.7.0 or newer.

See Configure NTLS and SSH Key Size and Type.

Added Broadcast mode option to network interface bonding

In addition to the fault tolerance of the existing "active-only" bonding mode, network configuration now includes a "broadcast" bonding mode, which adds load balancing. Requires Luna Network HSM 7 software version 7.8.4 or newer.

Enhanced Access Control of Clients, using Extended DN Attribute Validation

The ability to select or restrict PKI client certificates is enhanced: the Luna Network HSM 7 can now use a DN attribute filter to inspect and verify against the X.509 RDN OIDs of a client certificate, where previously only the Common Name (CN) was verified. Requires Luna Network HSM 7 software version 7.8.4 or newer.

See Client certificates.
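To make the difference between CN-only matching and RDN attribute filtering concrete, here is an added Python example (not Luna code, and not the appliance's filter syntax, which this page does not show). It parses an RFC 4514 subject DN string into its attributes and applies a filter that can require any attribute, by short name or numeric OID, to be present or to hold one of an allowed set of values. The sample subjects and filters are constructed for the example.

```python
import re

# A few X.500 attribute OIDs mapped to short names, so a filter can name an
# attribute either way (2.5.4.11 or OU). Only the OIDs listed here are recognised.
OID_TO_NAME = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
    "2.5.4.10": "O", "2.5.4.11": "OU",
}


def _unescape(value):
    # RFC 4514 escapes special characters (',', '+', '=', '"', '\', ...) with a backslash.
    return re.sub(r"\\(.)", r"\1", value)


def parse_dn(dn):
    """Parse an RFC 4514 DN string into {attribute: [values]}.

    Commas and plus signs escaped with a backslash stay inside values;
    multi-valued RDNs ("CN=a+OU=b") contribute one value per attribute.
    """
    attrs = {}
    for rdn in re.split(r"(?<!\\),", dn):
        for ava in re.split(r"(?<!\\)\+", rdn):
            key, sep, value = ava.partition("=")
            if not sep:
                raise ValueError(f"malformed RDN component: {ava!r}")
            key = key.strip().upper()
            key = OID_TO_NAME.get(key, key)
            attrs.setdefault(key, []).append(_unescape(value.strip()))
    return attrs


def client_allowed(subject_dn, dn_filter):
    """Apply a DN attribute filter to a certificate subject.

    dn_filter maps an attribute (short name or OID) to a set of allowed values,
    or to None to require only that the attribute be present.
    Returns (allowed, reason).
    """
    attrs = parse_dn(subject_dn)
    for name, allowed in dn_filter.items():
        name = OID_TO_NAME.get(name, name.upper())
        values = attrs.get(name, [])
        if not values:
            return False, f"{name} missing from subject"
        if allowed is not None and not set(values) & set(allowed):
            return False, f"{name}={values!r} not in {sorted(allowed)!r}"
    return True, "ok"


# Constructed sample subjects: two certificates share the CN "app01" but sit in
# different organisational units; the third carries an escaped comma in O.
SAMPLE_SUBJECTS = {
    "prod-app": "CN=app01,OU=payments,O=Example Corp,C=CA",
    "dev-app": "CN=app01,OU=dev,O=Example Corp,C=CA",
    "escaped": "CN=app01,OU=payments,O=Example\\, Inc.,C=CA",
}

# The legacy behaviour: only the Common Name is checked.
CN_ONLY_FILTER = {"CN": {"app01"}}
# An attribute filter: CN and OU must match, and O (2.5.4.10) must be present.
RDN_FILTER = {"CN": {"app01"}, "OU": {"payments"}, "2.5.4.10": None}

if __name__ == "__main__":
    for label, subject in SAMPLE_SUBJECTS.items():
        print(f"{label:9s} CN-only: {client_allowed(subject, CN_ONLY_FILTER)}"
              f"  RDN filter: {client_allowed(subject, RDN_FILTER)}")
```

With the CN-only filter both "prod-app" and "dev-app" are accepted, because they share a Common Name; the RDN filter rejects "dev-app" on its OU while still accepting the other two.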

Appliance-Connected Luna Backup HSM 7 v2 Local Multifactor Quorum Authentication Support

When a Luna Backup HSM 7 is connected directly to the Luna Network HSM 7 with Luna Appliance Software 7.8.4, PED keys can now be connected directly to the Luna Backup HSM 7 for authentication. It is no longer necessary to set up a Remote PED server.

See Backup/Restore Using Appliance-Connected Luna Backup HSM 7 v2.

Valid Update Paths

You can update the Luna Network HSM 7 appliance software to version 7.8.4 from the following previous versions:

>7.0.0, 7.1.0, 7.2.0, 7.2.2, 7.3.0, 7.3.1, 7.3.3, 7.3.4, 7.4.0, 7.4.1, 7.4.2, 7.7.0, 7.7.1, 7.8.0, 7.8.1, 7.8.3

Advisory Notes

This section highlights important issues you should be aware of before deploying appliance software 7.8.4.

Package List Output Revised

The output of the command that lists the software packages installed on the Luna Network HSM 7 has been trimmed from the previous "everything" list to a more useful list of product-level packages, covering all installed product options you would have an interest in, plus the external interface packages and application packages that our support and engineering teams need for troubleshooting analysis. Requires Luna Appliance Software 7.8.4 or newer.

See package list.

One-Step NTLS Connections Require Update to Luna HSM Client 10.7.0 Components

Luna Appliance Software 7.8.4 and newer includes changes that require an update to the pscp and plink utilities. If you plan to use the One-Step NTLS Connection Procedure to establish client connections to your appliance, either update the client software to Luna HSM Client 10.7.0 or newer, or replace the pscp and plink utilities in your older client installation with the versions included with Luna HSM Client 10.7.0 or newer.

PED-Initiated Remote PED Connection with Self-signed Certificates only

Luna Appliance Software 7.8.1 or newer with Luna HSM Client 10.5.1 or newer uses self-signed certificates for PED-initiated Remote PED connections and does not support using 3rd-party (trusted Certificate Authority) certificates for that purpose at this time.

Appliance System Clock Must Be Set Before Starting the Cluster Service

If the system clock is adjusted after the cluster certificate is created, the certificate might not be valid because of the date/time. For example, if the certificate is generated while the system clock is ahead by a few minutes, and the clock is then corrected, the certificate will not be valid until the clock catches up to the time it was set to when the certificate was created. If the current system time does not fall within the certificate's range of validity, the cluster service fails to start. Refer to the known issue in Known and Resolved Issues.

REST API Webserver Automatically Enabled

When upgrading to Luna Appliance Software 7.8.1 or newer, the REST API webserver is automatically enabled. If you have not already configured the webserver to accept REST API calls, this can cause a large volume of error messages to appear in logs. For example:

2022 Nov 22 16:39:29 10  daemon notice  systemd: nginx.service: control process exited, code=exited status=1
2022 Nov 22 16:39:29 10  daemon err  systemd: Failed to start nginx - high performance web server.
2022 Nov 22 16:39:29 10  daemon notice  systemd: Unit nginx.service entered failed state.
2022 Nov 22 16:39:29 10  daemon warning  systemd: nginx.service failed.

These error logs can be safely ignored, but you must explicitly disable the webserver service to stop them from accumulating (lunash:> webserver disable). If you plan to configure the webserver to accept REST API calls, you must regenerate the webserver certificate (lunash:> webserver certificate generate) and restart the webserver service (lunash:> service start webserver) to stop the error logs.
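Because the messages above repeat for as long as the unconfigured webserver stays enabled, they are easy to spot with a small parser. The following Python is an added example (not Luna tooling) that reads syslog lines in the format shown above, keeps the systemd entries about nginx, and reports how many failed starts occurred and over what span, together with the LunaSH action the note above prescribes. The sample log is the four lines quoted above plus a constructed repeat one minute later.

```python
import re
from datetime import datetime

# Matches the appliance syslog layout shown in the note above:
# "<timestamp> <host> <facility> <severity> systemd: <message>"
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"(?P<facility>\w+)\s+(?P<severity>\w+)\s+(?P<msg>systemd: .*)$"
)

# Constructed sample: the four lines quoted in the note, then the same burst a
# minute later, which is what an enabled-but-unconfigured webserver produces.
SAMPLE_LOG = [
    "2022 Nov 22 16:39:29 10  daemon notice  systemd: nginx.service: control process exited, code=exited status=1",
    "2022 Nov 22 16:39:29 10  daemon err  systemd: Failed to start nginx - high performance web server.",
    "2022 Nov 22 16:39:29 10  daemon notice  systemd: Unit nginx.service entered failed state.",
    "2022 Nov 22 16:39:29 10  daemon warning  systemd: nginx.service failed.",
    "2022 Nov 22 16:40:29 10  daemon notice  systemd: nginx.service: control process exited, code=exited status=1",
    "2022 Nov 22 16:40:29 10  daemon err  systemd: Failed to start nginx - high performance web server.",
    "2022 Nov 22 16:40:29 10  daemon notice  systemd: Unit nginx.service entered failed state.",
    "2022 Nov 22 16:40:29 10  daemon warning  systemd: nginx.service failed.",
    "2022 Nov 22 16:40:30 10  daemon info  systemd: Started Session 12 of user admin.",  # unrelated, ignored
]


def nginx_events(lines):
    """Return (timestamp, severity, message) for every systemd line that mentions nginx."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or "nginx" not in m["msg"]:
            continue
        ts = datetime.strptime(m["ts"], "%Y %b %d %H:%M:%S")
        events.append((ts, m["severity"], m["msg"]))
    return events


def assess_webserver(lines):
    """Summarise repeated nginx start failures and name the LunaSH remedy."""
    failed = [e for e in nginx_events(lines) if "Failed to start nginx" in e[2]]
    if not failed:
        return {"status": "ok", "failed_starts": 0, "span_seconds": 0.0, "action": None}
    span = (failed[-1][0] - failed[0][0]).total_seconds()
    return {
        "status": "webserver-failing",
        "failed_starts": len(failed),
        "span_seconds": span,
        # Either disable the service, or configure it and restart it, as the note says.
        "action": "lunash:> webserver disable  (or: webserver certificate generate, "
                  "then service start webserver)",
    }


if __name__ == "__main__":
    print(assess_webserver(SAMPLE_LOG))
```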

Insecure SSH Ciphers Removed From Luna Appliance Software 7.8.0 and Newer

Thales has removed a number of less-secure SSH ciphers from Luna Appliance Software 7.8.0. As a consequence, older client versions may not be able to use SSH to access LunaSH. This affects SSH connections, pscp/scp file transfers, plink, and certain procedures that rely on these tools such as the One-Step NTLS Connection Procedure. To avoid connection problems, you must use the versions of pscp and plink from Luna HSM Client 10.4.0 or newer. If you use Linux-standard applications like scp or ssh, ensure that they are updated to the latest version.

The following ciphers have been removed:

MACs

>umac-64-etm@openssh.com

>umac-128-etm@openssh.com

>umac-64@openssh.com

>umac-128@openssh.com

Host-Based Accepted Key Types

>ssh-rsa-cert-v01@openssh.com

>ssh-dss-cert-v01@openssh.com

>ssh-rsa

>ssh-dss

Host Key Algorithms

>ssh-rsa-cert-v01@openssh.com

>ssh-dss-cert-v01@openssh.com

>ssh-rsa

>ssh-dss

Public Key Accepted Key Types

>ssh-rsa-cert-v01@openssh.com

>ssh-dss-cert-v01@openssh.com

>ssh-dss
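A client that pins one of the removed algorithms in its ssh_config will fail to negotiate with a 7.8.0 or newer appliance, so it is worth checking client configurations before updating. The following Python is an added example (not Luna or OpenSSH code) that parses ssh_config-style text, compares the MACs, HostKeyAlgorithms, HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes directives against the lists above, and distinguishes a list made only of removed names (nothing left to negotiate) from a "+" or "^" addition that still leaves the client's defaults in play. The sample configuration is constructed; the directive aliases used by newer OpenSSH releases are assumed to carry the same lists.

```python
import re

# Algorithm names removed in Luna Appliance Software 7.8.0 and newer, as listed
# above, keyed by the ssh_config directive (lower-cased) that negotiates them.
_HOSTKEY_REMOVED = {"ssh-rsa-cert-v01@openssh.com", "ssh-dss-cert-v01@openssh.com", "ssh-rsa", "ssh-dss"}
REMOVED = {
    "macs": {"umac-64-etm@openssh.com", "umac-128-etm@openssh.com",
             "umac-64@openssh.com", "umac-128@openssh.com"},
    "hostkeyalgorithms": _HOSTKEY_REMOVED,
    "hostbasedacceptedkeytypes": _HOSTKEY_REMOVED,
    "pubkeyacceptedkeytypes": {"ssh-rsa-cert-v01@openssh.com", "ssh-dss-cert-v01@openssh.com", "ssh-dss"},
}
# Newer OpenSSH spells two of the directives differently (assumed equivalent here).
ALIASES = {
    "hostbasedacceptedalgorithms": "hostbasedacceptedkeytypes",
    "pubkeyacceptedalgorithms": "pubkeyacceptedkeytypes",
}


def parse_ssh_config(text):
    """Return [(host_pattern, directive, value)] for an ssh_config file.

    Directives that appear before any Host block are recorded under '*'.
    Comments and blank lines are ignored; 'Key value' and 'Key=value' both parse.
    """
    entries, host = [], "*"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        key = ALIASES.get(key, key)
        if key == "host":
            host = value
            continue
        entries.append((host, key, value))
    return entries


def check_compat(text):
    """Report directives that offer algorithms the appliance no longer accepts."""
    findings = []
    for host, directive, value in parse_ssh_config(text):
        removed_set = REMOVED.get(directive)
        if removed_set is None:
            continue
        # ssh_config allows a leading '+' (append to defaults), '-' (remove from
        # defaults) or '^' (prepend to defaults) on these algorithm lists.
        mode = value[0] if value and value[0] in "+-^" else ""
        listed = [a.strip() for a in value.lstrip("+-^").split(",") if a.strip()]
        hit = [a for a in listed if a in removed_set]
        if mode == "-" or not hit:
            continue  # removing removed names, or none listed: nothing to report
        remaining = [a for a in listed if a not in removed_set]
        # A bare list made solely of removed names leaves nothing to negotiate;
        # with '+' or '^' the client's defaults are still offered, so warn only.
        level = "fatal" if (mode == "" and not remaining) else "warning"
        findings.append({"host": host, "directive": directive, "level": level,
                         "removed": hit, "remaining": remaining})
    return findings


# Constructed sample; not a real client or appliance configuration.
SAMPLE_CONFIG = """
Host luna-legacy
    HostName hsm.example.internal   # placeholder host name
    MACs umac-64@openssh.com,umac-128@openssh.com
    HostKeyAlgorithms ssh-rsa,ssh-dss
    PubkeyAcceptedKeyTypes ssh-rsa,ssh-ed25519

Host luna-ok
    HostKeyAlgorithms +ssh-rsa
    MACs -umac-64@openssh.com
"""

if __name__ == "__main__":
    for f in check_compat(SAMPLE_CONFIG):
        print(f"[{f['level']}] Host {f['host']}: {f['directive']} offers removed "
              f"{f['removed']} (still acceptable: {f['remaining'] or 'none'})")
```

Note that "ssh-rsa" under PubkeyAcceptedKeyTypes is not flagged: the list above removes ssh-rsa only as a host key algorithm, not as an accepted public key type, so the sample's user-key line passes while its MACs and HostKeyAlgorithms lines are fatal.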

Luna Network HSM 7 Reboot Patch is a Prerequisite For Older Appliances

The Luna Network HSM 7 Reboot Patch is a prerequisite for updating to Luna Appliance Software 7.7.0 and newer. Appliances currently shipped from the factory have this patch already installed, but if you have an older appliance, you must first install the patch or the appliance software update will not proceed.

If you already installed the patch to enable an earlier update (7.7.0 or newer), you do not need to install it again.

sysconf snmp trap set command now defaults to "inform"

Previously, the sysconf snmp trap set -traptype command defaulted to "trap". This changed in Luna Appliance Software 7.7.0, which adds the option "inform" as the new default. If you have any scripts that relied on the default setting, adjust them to set -traptype explicitly.