Luna Appliance Software 7.8.5
Luna Appliance Software 7.8.5 was released in July 2024.
>Download Luna Appliance Software 7.8.5
This version also includes Luna Backup HSM 7 Firmware 7.7.2 ready to install (see Updating the Appliance-Connected Luna Backup HSM 7 Firmware).
New Features and Enhancements
Luna Appliance Software 7.8.5 includes the following new features and enhancements:
Back up Configuration Data for Individual Services
The configuration data for a single service, or for all services (network, ssh, ntls, syslog, ntp, snmp, users, system, webserver, ctc), can be backed up to a file. A service can then be restored from its own single-service backup file, or singled out for restore from an all-services backup file.
Configuration Data Backup File Size is Expanded
From Luna Network HSM 7 appliance software version 7.8.5 onward, appliance configuration backups greater than 64 KB in size are handled by spreading the configuration data over multiple files that reassemble to restore from backup. See Configuration file size for Backup and Restore.
Encrypted Remote Audit Logging
You can now encrypt audit log messages (managed by the audit user, to track crypto-module events separately from host appliance events) sent to a remote server, so that the contents of your cryptographic module audit logs cannot be read by anyone who intercepts them in transit.
NTLS Connection Limit Increased
The number of concurrent NTLS connections is increased from 800 to 4000, for improved integration with applications that need large numbers of client connections.
Added LACP (IEEE 802.3ad) mode option to network interface bonding
LACP mode bonds channels on the appliance which, in conjunction with suitably configured switch(es), form aggregation groups that share speed and duplex settings, providing symmetric traffic sharing and a predictable response to a downed link. See network interface bonding.
Default Route Preserved on Disabled Bonded Interface
If a bonded network interface (bond0 or bond1) carries the default network route for the appliance, and you disable the bond using lunash:> network interface bonding disable or POST /api/lunasa/network/devices/{deviceid}/actions/{actionid}, the default route field is preserved on the disabled bond and the route returns to the secondary interface (eth0 or eth1 for bond0, eth2 or eth3 for bond1) that held it before you first enabled the bond. This prevents a loss of connectivity to the appliance, and means that it is no longer necessary to configure static routes on one or more secondary interfaces before enabling the bond.
Luna Cluster Package 1.0.4
lnh_cluster-1.0.4
With the latest release, Thales is pleased to announce that Clusters are fully supported for new production deployments, designed to reduce operation cost and maximize the return on investment of a fleet of HSMs. This release does not provide a migration path from standard Luna partitions or Luna Cloud HSM services to keyrings. Thales requires minimum Luna Appliance Software 7.8.5 with the lnh_cluster-1.0.4 package, Luna HSM Firmware 7.8.4, and Luna HSM Client 10.7.2 to use clusters in production environments.
NOTE Unlike the PSO and CO roles on standard Luna partitions, the KRSO and KRCO roles on each keyring are intended to be held by the same individual, and use the same password. When the password for one role is changed, the change is applied to the other role as well. Consider this distinction when planning your cluster deployment and setting your KRSO passwords.
CAUTION! DO NOT INSTALL THE CLUSTER PACKAGE ON A LUNA NETWORK HSM WITH PARTITIONS ALREADY IN PRODUCTION
When the lnh_cluster package is installed, access to any existing partitions on the HSM is disabled, and this can only be reversed by re-imaging the Luna Network HSM 7 appliance (see Re-Imaging the Appliance to Baseline Software/Firmware Versions). Re-imaging is a destructive action; all roles, partitions, and keys are destroyed. The Luna Network HSM 7 must be completely reconfigured; all partitions must be recreated and their contents restored from backup. In particular, do not attempt to configure clustering on a Luna Network HSM 7 that already has V1 partitions created; either delete these partitions or re-image the appliance before configuring a cluster.
This release includes the following enhancements to the Clusters feature:
>New clusteradmin service manages the cluster REST API webserver
The cluster REST API functions are now managed by the clusteradmin service. This service is enabled by default and automatically started when the lnh_cluster-1.0.4 package is installed. The clusteradmin service has no dependency on the cluster service; it operates independently to allow REST calls to the cluster API even during a cluster service restart. If you plan to use LunaSH exclusively to manage your cluster, you can stop and disable this service to close the cluster webserver ports on the appliance.
See cluster admin.
>Cluster restore operation overwrites keyrings and objects with the same UUID
Restoring a cluster from backup now overwrites duplicate objects with the backup version. Keyring configurations (roles, passwords, lock status) are also restored to their backup state.
See Restoring a Cluster from Backup.
>Cluster Members That Become Disconnected Restart Automatically After Network Recovery
When a member becomes disconnected from the cluster due to a network issue, re-establishing the network connection now triggers an automatic recovery of the affected member. In previous versions, this required a manual restart of the cluster service on the affected member, as indicated by the R flag returned by lunash:> cluster member list or by restartService: true as returned by GET /api/clusters/{clusterID}/members. This flag now indicates that internal microservices on the member will restart automatically, without affecting the cluster service status. It may take 30-180 seconds for an automatic recovery to begin, and during the recovery operation, requests to retrieve information from this member may time out. Cryptographic traffic fails over to active members and continues without interruption during the recovery process.
In some unusual cases, if automatic recovery has not begun within 10 minutes of network recovery, it may still be necessary to manually restart the member's cluster service using lunash:> service restart cluster or POST /api/lunasa/services/{serviceid}/actions/{actionid} (serviceid: cluster, actionid: restart).
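The recovery window above maps directly onto a small watchdog. The following is an added example, not Thales code and not part of the Luna REST API documentation: it polls GET /api/clusters/{clusterID}/members (path from these notes) until the member's restartService flag clears, treats a timed-out request as "still recovering", and only after the 10-minute deadline issues POST /api/lunasa/services/cluster/actions/restart against the affected appliance. The response layout (a "members" list whose entries carry "id" and "restartService"), the port 8443, the bearer-token header and the empty JSON action body are assumptions.

```python
"""Watch a Luna cluster member that dropped off the network and, if its
automatic recovery has not begun within 10 minutes, restart its cluster
service over the REST API.

Added example, not Thales code. The two REST paths and the restartService
flag come from the release notes; the member record layout, the port, the
bearer-token auth and the JSON action body are assumptions.
"""
import json
import time
import urllib.request
from typing import Callable, List

INITIAL_WAIT_S = 30        # recovery begins 30-180 s after the network returns
RECOVERY_DEADLINE_S = 600  # after 10 min a manual restart may be needed
POLL_INTERVAL_S = 15


def members_needing_restart(members_doc: dict) -> List[str]:
    """IDs of members whose record carries restartService: true.
    ("members" list and "id" field names are assumptions.)"""
    return [m["id"] for m in members_doc.get("members", [])
            if m.get("restartService") is True]


def wait_for_recovery(get_members: Callable[[], dict], member_id: str,
                      clock: Callable[[], float] = time.monotonic,
                      sleep: Callable[[float], None] = time.sleep) -> str:
    """Poll the members list until member_id no longer needs a restart.

    Returns "recovered" if the flag cleared before the deadline, otherwise
    "restart-required". A request that times out is expected while the
    member is mid-recovery and is treated as "still recovering".
    """
    start = clock()
    sleep(INITIAL_WAIT_S)
    while True:
        try:
            pending = members_needing_restart(get_members())
        except OSError:            # urllib.error.URLError and timeouts
            pending = [member_id]
        if member_id not in pending:
            return "recovered"
        if clock() - start >= RECOVERY_DEADLINE_S:
            return "restart-required"
        sleep(POLL_INTERVAL_S)


def members_request(base_url: str, cluster_id: str, token: str) -> urllib.request.Request:
    """GET /api/clusters/{clusterID}/members (path from the release notes)."""
    return urllib.request.Request(
        f"{base_url}/api/clusters/{cluster_id}/members",
        headers={"Authorization": f"Bearer {token}"})   # auth scheme assumed


def restart_cluster_service_request(base_url: str, token: str) -> urllib.request.Request:
    """POST /api/lunasa/services/{serviceid}/actions/{actionid} with
    serviceid: cluster, actionid: restart (path from the release notes)."""
    return urllib.request.Request(
        f"{base_url}/api/lunasa/services/cluster/actions/restart",
        data=b"{}", method="POST",                      # empty JSON body assumed
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})


def recover_member(cluster_api_base: str, member_api_base: str,
                   cluster_id: str, member_id: str, token: str) -> str:
    """Live run: GET via any healthy member, POST only to the stuck member."""
    def get_members() -> dict:
        req = members_request(cluster_api_base, cluster_id, token)
        with urllib.request.urlopen(req, timeout=20) as resp:
            return json.load(resp)

    outcome = wait_for_recovery(get_members, member_id)
    if outcome == "restart-required":
        # REST equivalent of lunash:> service restart cluster on that member.
        req = restart_cluster_service_request(member_api_base, token)
        with urllib.request.urlopen(req, timeout=20):
            pass
    return outcome


if __name__ == "__main__":
    # Placeholder addresses; the appliance port 8443 is an assumption.
    print(recover_member("https://member-1:8443", "https://member-2:8443",
                         "cluster-id", "member-2-id", "TOKEN"))
```

Send the GET to a healthy member's API, since the recovering member itself may time out, and the POST to the affected appliance. urlopen rejects the appliance's webserver certificate unless the client trusts it or an ssl.SSLContext pinning it is passed.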
>Cluster Logging Improvements
The following events are now logged by lnh_slots.plugin on Luna HSM Client 10.7.2:
•Initial client connection to cluster member IP and port number
•Change to connected cluster member IP when failover takes place
•Failover from the assigned affinity group to a standby group
•Assigned affinity group comes back online
•All changes to the cluster topology: e.g. new member added to or removed from assigned affinity group or a standby group
•All failed cluster requests: e.g. open/close session, login, sign, verify, encrypt, decrypt, create/delete/find object, etc.
Valid Update Paths
You can update the Luna Network HSM 7 appliance software to version 7.8.5 from the following previous versions:
>7.0.0, 7.1.0, 7.2.0, 7.2.2, 7.3.0, 7.3.1, 7.3.3, 7.3.4, 7.4.0, 7.4.1, 7.4.2, 7.7.0, 7.7.1, 7.8.0, 7.8.1, 7.8.3, 7.8.4
CAUTION! If the audit and/or operator users were enabled using Luna REST API on Luna Appliance Software 7.7.1 or older, Thales recommends updating to Luna Appliance Software 7.8.3 before updating to 7.8.5. See known issue RAPI-3924.
Advisory Notes
This section highlights important issues you should be aware of before deploying appliance software 7.8.5.
REST API Webserver Has TLS 1.3 Ciphers Disabled by Default
In Luna Appliance Software 7.8.5, TLS 1.3 ciphers are disabled by default on the REST API webserver. If you had TLS 1.3 ciphers enabled and updated from Luna Appliance Software 7.8.3, you must re-enable them after the update. Otherwise, your webserver traffic falls back to the older TLS 1.2 ciphers (if you had all ciphers enabled), or stops entirely (if you had TLS 1.2 disabled):
lunash:> webserver ciphers set -list all -tls1_3
REST API Patch Fixes Performance and Update Issues in This Version
Luna REST API 15.0.0, included with Luna Appliance Software 7.8.5, has issues affecting performance and the ability to update the appliance software from this version using REST API (refer to fixed issue RAPI-4135). A patch was released to address these issues, and Thales recommends that you install it if you are using Crypto Command Center or the Luna REST API:
>Luna Network HSM 7.8.5-20 Appliance REST API Patch
LACP Bonding mode requires managed switches
Network Bonding Mode 4 - LACP (IEEE 802.3ad) must be used in conjunction with properly configured (LACP-aware) switches in your network. Errors caused by switch misconfiguration cannot be detected by the Luna Network HSM 7 appliance.
Package List Output Revised
The output of the command to list software packages installed on the Luna Network HSM 7 has been trimmed from the previous list of everything to a more useful list of product-level packages covering all installed product options of interest to you, plus the external interface packages and application packages that Thales support and engineering teams need for troubleshooting analysis. Requires Luna Appliance Software 7.8.4 or newer.
See package list.
TLS 1.3 Ciphers Automatically Added to Approved List
When the Luna Network HSM 7 is updated to Luna Appliance Software 7.8.5 or newer from a version older than 7.8.3, the TLS 1.3 ciphers are automatically added to the top of the approved ciphers list, meaning they will be prioritized for use ahead of TLS 1.2 ciphers. Use lunash:> sysconf tls ciphers show to check the configuration.
Appliance System Clock Must Be Set Before Starting the Cluster Service
If the system clock is adjusted after the cluster certificate is created, the certificates might not be valid due to date/time. For example, if the certificate is generated while the system clock is ahead by a few minutes, and the clock is then corrected, the certificate will not be valid until the clock catches up to the time it was set to when the cert was created. If the current system time does not fall within the certificate's range of validity, the cluster service fails to start.
REST API Webserver Automatically Enabled
When upgrading to Luna Appliance Software 7.8.1 or newer, the REST API webserver is automatically enabled. If you have not already configured the webserver to accept REST API calls, this can cause a large volume of error messages to appear in logs. For example:
2022 Nov 22 16:39:29 10 daemon notice systemd: nginx.service: control process exited, code=exited status=1
2022 Nov 22 16:39:29 10 daemon err systemd: Failed to start nginx - high performance web server.
2022 Nov 22 16:39:29 10 daemon notice systemd: Unit nginx.service entered failed state.
2022 Nov 22 16:39:29 10 daemon warning systemd: nginx.service failed.
These error logs can be safely ignored, but you must explicitly disable the webserver service to stop them from accumulating (lunash:> webserver disable). If you plan to configure the webserver to accept REST API calls, you must regenerate the webserver certificate (lunash:> webserver certificate generate) and restart the webserver service (lunash:> service start webserver) to stop the error logs.
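Where appliance syslog is forwarded to a SIEM, those four lines recur every time systemd retries nginx, so it helps to recognise the cycle rather than alert on each line. The following parser is an added example, not Thales code: it splits Luna syslog lines into timestamp, host, facility, severity, process and message (a layout inferred from the lines quoted above), counts nginx.service failure cycles, and reports whether the "webserver enabled but not configured" condition is present. The first four sample lines are the ones quoted above; the second cycle and the sshd line are constructed.

```python
"""Recognise the repeating nginx start-failure cycle in Luna appliance syslog.
Added example, not Thales code; the line layout is inferred from the release
notes and the sample below is constructed."""
import re
from collections import Counter
from typing import Dict, Iterable, Optional

# e.g. "2022 Nov 22 16:39:29 10 daemon err systemd: Failed to start nginx - ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{4} [A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<facility>\S+) (?P<severity>\S+) "
    r"(?P<proc>[^:\s]+): (?P<msg>.*)$")

# Constructed sample: lines 1-4 are quoted in the release notes; the second
# cycle 15 s later and the sshd line are made up for illustration.
SAMPLE_LOG = """\
2022 Nov 22 16:39:29 10 daemon notice systemd: nginx.service: control process exited, code=exited status=1
2022 Nov 22 16:39:29 10 daemon err systemd: Failed to start nginx - high performance web server.
2022 Nov 22 16:39:29 10 daemon notice systemd: Unit nginx.service entered failed state.
2022 Nov 22 16:39:29 10 daemon warning systemd: nginx.service failed.
2022 Nov 22 16:39:44 10 daemon notice systemd: nginx.service: control process exited, code=exited status=1
2022 Nov 22 16:39:44 10 daemon err systemd: Failed to start nginx - high performance web server.
2022 Nov 22 16:39:44 10 daemon notice systemd: Unit nginx.service entered failed state.
2022 Nov 22 16:39:44 10 daemon warning systemd: nginx.service failed.
2022 Nov 22 16:40:01 10 auth info sshd: Accepted publickey for admin from 192.0.2.10 port 50022
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one syslog line into its fields, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_nginx_unit_event(rec: Dict[str, str]) -> bool:
    """systemd messages about the nginx unit (start failure, failed state)."""
    return rec["proc"] == "systemd" and "nginx" in rec["msg"]


def nginx_failure_summary(lines: Iterable[str]) -> Dict:
    """Count nginx.service failure cycles: systemd logs exactly one
    'entered failed state' message per failed start attempt."""
    cycles, first, last, unparsed = 0, None, None, 0
    severities: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if not is_nginx_unit_event(rec):
            continue
        severities[rec["severity"]] += 1
        first = first or rec["ts"]
        last = rec["ts"]
        if "entered failed state" in rec["msg"]:
            cycles += 1
    return {
        "failure_cycles": cycles, "first": first, "last": last,
        "severities": dict(severities), "unparsed": unparsed,
        # Remedy per the release notes: lunash:> webserver disable, or
        # generate the webserver certificate and start the service.
        "unconfigured_webserver": cycles > 0,
    }


if __name__ == "__main__":
    print(nginx_failure_summary(SAMPLE_LOG.splitlines()))
```

A SIEM rule built on failure_cycles per appliance per hour lets you raise one ticket ("webserver enabled but unconfigured after update") instead of four events per retry.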
Insecure SSH Ciphers Removed From Luna Appliance Software 7.8.0 and Newer
Thales has removed a number of less-secure SSH ciphers from Luna Appliance Software 7.8.0. As a consequence, older client versions may not be able to use SSH to access LunaSH. This affects SSH connections, pscp/scp file transfers, plink, and certain procedures that rely on these tools such as the One-Step NTLS Connection Procedure. To avoid connection problems, you must use the versions of pscp and plink from Luna HSM Client 10.4.0 or newer. If you use Linux-standard applications like scp or ssh, ensure that they are updated to the latest version.
The following ciphers have been removed:
MACS
>umac-64-etm@openssh.com
>umac-128-etm@openssh.com
>umac-64@openssh.com
>umac-128@openssh.com
Host-Based Accepted Key Types
>ssh-rsa-cert-v01@openssh.com
>ssh-dss-cert-v01@openssh.com
>ssh-rsa
>ssh-dss
Host Key Algorithms
>ssh-rsa-cert-v01@openssh.com
>ssh-dss-cert-v01@openssh.com
>ssh-rsa
>ssh-dss
Public Key Accepted Key Types
>ssh-rsa-cert-v01@openssh.com
>ssh-dss-cert-v01@openssh.com
>ssh-dss
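Because the SSH client, not the appliance, proposes the algorithm lists, the usual failure after this change is a client configuration that pins one of the removed entries (HostKeyAlgorithms ssh-rsa is a common workaround for older devices). The following is an added example, not Thales code: it parses an OpenSSH client config, maps the newer keyword names PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms back to the names listed above, and flags stanzas that pin a removed algorithm, rating the finding fatal when the directive consists only of removed entries (the client can offer nothing the appliance accepts) and warn when a removed entry is merely included or appended with + or ^. The removed-algorithm lists are copied from this section; the sample config is constructed.

```python
"""Audit an OpenSSH client config for algorithms removed from Luna Appliance
Software 7.8.0 and newer. Added example, not Thales code; REMOVED is copied
from the release notes, the sample config is constructed."""
import re
from typing import Dict, List

REMOVED: Dict[str, set] = {
    "macs": {"umac-64-etm@openssh.com", "umac-128-etm@openssh.com",
             "umac-64@openssh.com", "umac-128@openssh.com"},
    "hostbasedacceptedkeytypes": {"ssh-rsa-cert-v01@openssh.com",
                                  "ssh-dss-cert-v01@openssh.com", "ssh-rsa", "ssh-dss"},
    "hostkeyalgorithms": {"ssh-rsa-cert-v01@openssh.com",
                          "ssh-dss-cert-v01@openssh.com", "ssh-rsa", "ssh-dss"},
    "pubkeyacceptedkeytypes": {"ssh-rsa-cert-v01@openssh.com",
                               "ssh-dss-cert-v01@openssh.com", "ssh-dss"},
}
# OpenSSH 8.5 renamed two keywords; the old names remain accepted aliases.
ALIASES = {"pubkeyacceptedalgorithms": "pubkeyacceptedkeytypes",
           "hostbasedacceptedalgorithms": "hostbasedacceptedkeytypes"}

DIRECTIVE_RE = re.compile(r"^(\S+?)\s*(?:=|\s)\s*(.*)$")

# Constructed sample ~/.ssh/config
SAMPLE_SSH_CONFIG = """\
Host luna-old
    HostName 192.0.2.20
    User admin
    HostKeyAlgorithms ssh-rsa          # pinned for an old appliance: now fatal
    MACs umac-64@openssh.com,hmac-sha2-256

Host luna-new
    HostName 192.0.2.21
    User admin
    MACs -umac-64@openssh.com,umac-128@openssh.com

Host *
    PubkeyAcceptedAlgorithms +ssh-dss
"""


def parse_ssh_config(text: str) -> List[Dict]:
    """Split ssh_config into stanzas [{"host": pattern, "directives": {kw: value}}].
    Directives before the first Host/Match line go into a leading "*" stanza.
    Keywords are case-insensitive; within a stanza the first value wins, as in ssh."""
    stanzas = [{"host": "*", "directives": {}}]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2).strip()
        if key in ("host", "match"):
            stanzas.append({"host": val, "directives": {}})
        else:
            stanzas[-1]["directives"].setdefault(key, val)
    return stanzas


def audit(text: str) -> List[Dict]:
    """Findings for directives that name a removed algorithm.
    "fatal": the directive replaces the default list with removed entries only.
    "warn":  a removed entry is included alongside others, or added via + / ^."""
    findings = []
    for stanza in parse_ssh_config(text):
        for key, val in stanza["directives"].items():
            key = ALIASES.get(key, key)
            if key not in REMOVED:
                continue
            prefix = val[0] if val and val[0] in "+-^" else ""
            if prefix == "-":                       # removing entries cannot hurt
                continue
            algos = [a.strip() for a in val[len(prefix):].split(",") if a.strip()]
            bad = [a for a in algos if a in REMOVED[key]]
            if not bad:
                continue
            fatal = prefix == "" and len(bad) == len(algos)
            findings.append({"host": stanza["host"], "directive": key,
                             "removed": bad, "severity": "fatal" if fatal else "warn"})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SSH_CONFIG):
        print(f"{f['severity']:5} Host {f['host']}: {f['directive']} pins {', '.join(f['removed'])}")
```

Run it over ~/.ssh/config and /etc/ssh/ssh_config, and pair it with ssh -Q mac and ssh -Q key to confirm that the client build itself still offers algorithms the appliance accepts.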
Luna Network HSM 7 Reboot Patch is a Prerequisite For Older Appliances
If your Luna Network HSM 7 was shipped to you before December 2019, and you currently have software older than Luna Appliance Software 7.7.0 installed, the software update will not proceed unless you first install the Luna Network HSM 7 Reboot Patch. Appliances shipped from the factory since December 2019 have this patch already installed. If you installed the patch to enable an earlier update (7.7.0 or newer), you do not need to install it again.
sysconf snmp trap set command now defaults to "inform"
Previously, the sysconf snmp trap set -traptype command defaulted to "trap". This changed in Luna Appliance Software 7.7.0, which adds the option "inform" as the new default. If you had any scripts that relied on the default setting, adjust them to set -traptype explicitly.