Luna Appliance Software 7.9.1
Luna Appliance Software 7.9.1 was released in February 2026.
>Download Luna Appliance Software 7.9.1 (includes firmware update to Luna HSM Firmware 7.9.2)
NOTE This package requires that you update from Luna Appliance Software 7.9.0. Refer to Valid Update Paths.
This package also includes Luna Backup HSM 7 Firmware 7.7.3 ready to install (see Updating the Appliance-Connected Luna Backup HSM 7 Firmware).
CAUTION! Read the Advisory Notes before installing this update, to be aware of important changes that may require your attention.
New Features and Enhancements
Luna Appliance Software 7.9.1 includes the following new features and enhancements:
Configurable TLS Groups for NTLS Connections
LunaSH now includes commands for specifying cipher groups to be used for NTLS connections to the Luna HSM Client. For example, this allows you to ensure that only Post-Quantum Cryptography (PQC) ciphers are used to secure your connections. Refer to:
>New LunaSH commands:
•lunash:> sysconf tls groups reset
•lunash:> sysconf tls groups set
•lunash:> sysconf tls groups show
Extended Timeout for Long PED Operations
A new timeout option dfto for the command hsm ped timeout set allows Luna PED operations to extend beyond 10 minutes to accommodate quorum secrets with as many as 16 iKey secret splits.
Appliance SSH is Enhanced to Support PQC
Luna Network HSM 7 now supports PQC algorithms to ensure security of SSH traffic.
Luna REST API 17
This release includes Luna REST API 17.0.0, which has the following new features and enhancements:
Configurable TLS Groups for NTLS Connections
LunaSH now includes commands for specifying cipher groups to be used for NTLS connections to the Luna HSM Client. For example, this allows you to ensure that only Post-Quantum Cryptography (PQC) ciphers are used to secure your connections. Refer to:
>New REST response: GET /api/lunasa/ntls "groupList": "secp256r1:P-256:secp384r1:P-384:secp521r1:P-521:x25519:x448:brainpoolP256r1tls13:brainpoolP384r1tls13:brainpoolP512r1tls13:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192:MLKEM512:MLKEM768:MLKEM1024:SecP256r1MLKEM768:X25519MLKEM768:SecP384r1MLKEM1024"
>New REST request parameters:
•PUT /api/lunasa/ntls "groupList": "<group_list>"
•PATCH /api/lunasa/ntls "groupList": "<group_list>"
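The following added example (not Thales code) audits a colon-separated groupList value against a PQC-only policy before it is applied or after it is read back. The JSON body shape, the function names, and the rule that names starting with MLKEM are pure ML-KEM while other names containing MLKEM are hybrids are assumptions; the group names come from the default list above.

```python
import json

# Group names copied from the default groupList shown in the release notes.
SUPPORTED = set(
    "secp256r1:P-256:secp384r1:P-384:secp521r1:P-521:x25519:x448:"
    "brainpoolP256r1tls13:brainpoolP384r1tls13:brainpoolP512r1tls13:"
    "ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192:"
    "MLKEM512:MLKEM768:MLKEM1024:"
    "SecP256r1MLKEM768:X25519MLKEM768:SecP384r1MLKEM1024".split(":")
)

def classify(group):
    """Assumed naming rule: names that start with MLKEM are pure ML-KEM,
    other names containing MLKEM are classical + ML-KEM hybrids."""
    if group.startswith("MLKEM"):
        return "pqc"
    if "MLKEM" in group:
        return "hybrid"
    return "classical"

def audit_group_list(body, allow_hybrid=True):
    """Return (ok, findings) for the groupList field of a JSON body."""
    groups = [g for g in json.loads(body)["groupList"].split(":") if g]
    findings = []
    for g in groups:
        if g not in SUPPORTED:
            findings.append((g, "unknown"))   # typo or unsupported name
            continue
        kind = classify(g)
        if kind == "classical" or (kind == "hybrid" and not allow_hybrid):
            findings.append((g, kind))        # permits a non-PQC key exchange
    # An empty list is never acceptable as a PQC-only policy.
    return (bool(groups) and not findings, findings)

# Constructed sample bodies, not captured from an appliance.
MIXED = '{"groupList": "x25519:X25519MLKEM768:MLKEM768"}'
PQC_ONLY = '{"groupList": "MLKEM768:MLKEM1024"}'

if __name__ == "__main__":
    for name, body in (("mixed", MIXED), ("pqc-only", PQC_ONLY)):
        print(name, audit_group_list(body))
```

Whether hybrid groups satisfy a "PQC only" requirement is a policy decision; pass allow_hybrid=False to reject them.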
Configurable PQC Groups for Webserver Service
>Updated REST resources:
•POST /api/lunasa/webServer/actions/{actionid} (actionid: setDefaultGroupList)
SMK Rollover Using REST API
>New REST resources:
•GET /api/lunasa/hsms/{hsmid}/partitions/{partitionid}/smk/{smkid}/actions
•POST /api/lunasa/hsms/{hsmid}/partitions/{partitionid}/smk/{smkid}/actions/{actionid}
>Updated REST resources:
•GET /api/lunasa/hsms/{hsmid}/partitions/{partitionid}/smk/{smkid}
Retrieve Complete Details of All Partition Objects
>Updated REST resources:
•GET /api/lunasa/hsms/{hsmid}/partitions/{partitionid}/object/objects/{objectid}
Configure additional certificate properties for NTLS service, supporting both self-signed and third-party CA-signed certificates, with DC component
>Updated REST resources:
•PUT /api/lunasa/ntls/certificate
•PATCH /api/lunasa/ntls/certificate
View SHA-1 and SHA-256 fingerprints of webserver certificate using REST API
>Updated REST resources:
•GET /api/lunasa/webServer/certificate
Power Off Appliance Using REST API
>Updated REST resources:
•POST /api/lunasa/actions/{actionid} (actionid: powerOff)
Configure Client Distinguished Name Using REST API
>New REST resources:
•GET /api/lunasa/ntls/clients/{clientid}/dn
•PUT /api/lunasa/ntls/clients/{clientid}/dn
•DELETE /api/lunasa/ntls/clients/{clientid}/dn
End-to-end Support for SNMP
>New REST resources:
•DELETE /api/lunasa/snmp/traps
•GET /api/lunasa/snmp/traps/{trapid}
•DELETE /api/lunasa/snmp/traps/{trapid}
•GET /api/lunasa/snmp/traps/actions
•POST /api/lunasa/snmp/traps/actions/{actionid}
•POST /api/lunasa/snmp/traps/test
•PUT /api/lunasa/snmp/users/{userid}/notifications/{notificationid}
•PATCH /api/lunasa/snmp/users/{userid}/notifications/{notificationid}
Initialize HSM Using Policy Template Using REST API
>Updated REST resources:
User Account Password Management
>New REST resources:
•GET /api/lunasa/user/config/login
•PUT /api/lunasa/user/config/login
•PATCH /api/lunasa/user/config/login
•GET /api/lunasa/user/config/login/actions
•POST /api/lunasa/user/config/login/actions/{actionid}
•GET /api/lunasa/user/config/password
•PUT /api/lunasa/user/config/password
•PATCH /api/lunasa/user/config/password
•GET /api/lunasa/user/config/password/actions
•POST /api/lunasa/user/config/password/actions/{actionid}
Valid Update Paths
You can update the Luna Appliance Software to version 7.9.1 from the following previous versions:
>7.9.0
Advisory Notes
This section highlights important issues you should be aware of before deploying Luna Appliance Software 7.9.1.
Cluster Commands Not Available After Update to Luna Appliance Software 7.9.1
If you have Luna Clusters installed on the Luna Network HSM 7, the lunash:> cluster commands are not available after updating to Luna Appliance Software 7.9.1 (refer to known issue LUNA-36483). The cluster is not affected; re-install the lnh_cluster-1.0.5 package to recover access to the commands.
Strict Validation Policy Enforced On REST API Input Parameters
Changes have been made to the validation requirements for many REST API input parameters in Luna REST API 17.0.0 and newer. These changes may affect the backwards compatibility of existing applications using previous versions of the Luna REST API. Refer to Validation Schema for a full accounting of the new requirements.
Algorithms Removed from Appliance SSH Support
The following RFC 9142 non-compliant key exchange algorithms are no longer supported in Luna Appliance Software 7.9.1 and newer:
>diffie-hellman-group1-sha1
>diffie-hellman-group14-sha1
>diffie-hellman-group-exchange-sha256
>diffie-hellman-group-exchange-sha1
Luna Appliance Software Update Takes Longer Than Previous Updates
The update process for Luna Appliance Software 7.9.0 and newer may take longer than previous updates, and includes two automatic appliance reboots. The entire process could take up to 15 minutes after the first reboot. Do not interrupt the update process. This longer process applies when updating from versions older than Luna Appliance Software 7.9.0.
Client Host-IP Mapping Must Be Reconfigured After Update
If client host-IP mapping is configured, this mapping is lost when updating to Luna Appliance Software 7.9.1. You must reconfigure host-IP mapping after the update, using lunash:> client hostip map.
Appliance Re-Image Now Deletes Bonded Interfaces
Using Luna Appliance Software 7.9.0 or newer, the appliance re-image operation deletes all bonded interfaces and supporting network configurations. Those must be reconfigured, if they are needed, after the re-image operation is complete. If you are using bonded interfaces, run lunash:> sysconf reimage start via a serial connection or a physical network interface (eth0/eth1/eth2/eth3) to avoid losing contact with the Luna Network HSM 7.
Refer to Re-Imaging the Appliance to Baseline Software/Firmware Versions.
Disallowed filepaths for SFTP
Using Luna Appliance Software 7.9.0 or newer, the following criteria apply to file transfers to the Luna Network HSM 7:
| Filepath | Allowed/Disallowed |
|---|---|
| Any file path with "../" in it | Disallowed |
| server.pem | Only allowed to get. Cannot replace server.pem on the Luna Network HSM 7 appliance. |
| client_syslog.pem | Only allowed to get. Cannot replace client_syslog.pem on the Luna Network HSM 7 appliance. |
| File name with a length less than 1 or greater than 64 | Disallowed |
| Any file name with "/" in it | Disallowed |
| File name that ends with a space | Disallowed |
| File name with "-" (dash) | Allowed |
| File name that starts with a space | Disallowed |
| File name with special characters other than letters, digits, underscores, periods, spaces, or hyphens. Such as @,#,$,%,^,&,* | Disallowed |
| Empty file names | Disallowed |
Files can be sent to/from only the current user's "my files".
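The table above can be turned into a pre-flight check for transfer scripts. This is an added example, not appliance code; the function name, the "get"/"put" direction values and the reading of "letters" as ASCII letters are assumptions.

```python
import re

MAX_LEN = 64
GET_ONLY = {"server.pem", "client_syslog.pem"}
# Anything other than letters, digits, '_', '.', ' ', '-' (ASCII assumed).
# '/' is excluded here because it is reported by its own rule below.
DISALLOWED = re.compile(r"[^A-Za-z0-9_. /-]")

def check_transfer(path, direction):
    """Return the list of rules a file name violates; empty means it passes.

    direction is "get" (download from the appliance) or "put" (upload).
    """
    if direction not in ("get", "put"):
        raise ValueError("direction must be 'get' or 'put'")
    problems = []
    if "../" in path:
        problems.append("path contains '../'")
    if "/" in path:
        problems.append("name contains '/'")
    if not 1 <= len(path) <= MAX_LEN:
        problems.append("length outside 1..64")
    if path.startswith(" "):
        problems.append("starts with a space")
    if path.endswith(" "):
        problems.append("ends with a space")
    bad = "".join(sorted(set(DISALLOWED.findall(path))))
    if bad:
        problems.append("disallowed characters: " + bad)
    if direction == "put" and path in GET_ONLY:
        problems.append("get-only file cannot be replaced")
    return problems

if __name__ == "__main__":
    # Constructed file names for illustration.
    for name, how in (("audit-log_2026.tar.gz", "put"), ("server.pem", "put"),
                      ("../server.pem", "put"), ("key@host#1.pem", "put")):
        print(repr(name), how, check_transfer(name, how) or "ok")
```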
Hostname requirements are tightened
Hostname requirements are tightened in Luna Appliance Software 7.9.0 and newer, to be more compliant with internet standards. Underscore characters "_" are disallowed; if an existing hostname contains underscores, they are removed during the upgrade (for example, my_hostname becomes myhostname). Additionally, a hostname may not start or end with a period "." or a dash "-", but both characters may be used within a hostname (for example, "host-name" and "my.host.name" are acceptable, but ".hostname" and "hostname-" are not). Be sure to update scripts and any working notes or instructions.
Appliance system-level user password policy is changed
Using Luna Appliance Software 7.9.1 or newer, the password policy mandates that passwords must contain characters from all four categories, in accordance with updated Linux standards. Previous releases required characters from only three of the four categories. Existing passwords continue to work until a password change is requested.
Package List Output Revised
The command that lists software packages installed on the Luna Network HSM 7 no longer prints the previous "everything" list. Its output is trimmed to a more useful list: the product-level packages, including all installed product options in which you would have an interest, plus the external interface packages and application packages that our support and engineering teams need to perform troubleshooting analysis. Requires Luna Appliance Software 7.8.4 or newer.
See package list.
One-Step NTLS Connections Require Update to Luna HSM Client 10.7.0 Components
Luna Appliance Software 7.9.1 and newer includes changes that require an update to the pscp and plink utilities. If you plan to use the One-Step NTLS Connection Procedure to establish client connections to your appliance, either update the client software to Luna HSM Client 10.7.0 or newer, or replace the pscp and plink utilities in your older client installation with the versions included with Luna HSM Client 10.7.0 or newer.
Appliance System Clock Must Be Set Before Starting the Cluster Service
If the system clock is adjusted after the cluster certificate is created, the certificate might not be valid because of the date/time difference. For example, if the certificate is generated while the system clock is ahead by a few minutes, and the clock is then corrected, the certificate is not valid until the clock catches up to the time it showed when the certificate was created. If the current system time does not fall within the certificate's range of validity, the cluster service fails to start.
REST API Webserver Automatically Enabled
When upgrading to Luna Appliance Software 7.8.1 or newer, the REST API webserver is automatically enabled. If you have not already configured the webserver to accept REST API calls, this can cause a large volume of error messages to appear in logs. For example:
2022 Nov 22 16:39:29 10 daemon notice systemd: nginx.service: control process exited, code=exited status=1
2022 Nov 22 16:39:29 10 daemon err systemd: Failed to start nginx - high performance web server.
2022 Nov 22 16:39:29 10 daemon notice systemd: Unit nginx.service entered failed state.
2022 Nov 22 16:39:29 10 daemon warning systemd: nginx.service failed.
These error logs can be safely ignored, but you must explicitly disable the webserver service to stop them from accumulating (lunash:> webserver disable). If you plan to configure the webserver to accept REST API calls, you must regenerate the webserver certificate (lunash:> webserver certificate generate) and restart the webserver service (lunash:> service start webserver) to stop the error logs.
Insecure SSH Ciphers Removed From Luna Appliance Software 7.8.0 and Newer
Thales has removed a number of less-secure SSH ciphers from Luna Appliance Software 7.8.0. As a consequence, older client versions may not be able to use SSH to access LunaSH. This affects SSH connections, pscp/scp file transfers, plink, and certain procedures that rely on these tools such as the One-Step NTLS Connection Procedure. To avoid connection problems, you must use the versions of pscp and plink from Luna HSM Client 10.4.0 or newer. If you use Linux-standard applications like scp or ssh, ensure that they are updated to the latest version.
The following ciphers have been removed:
MACs
>umac-64-etm@openssh.com
>umac-128-etm@openssh.com
>umac-64@openssh.com
>umac-128@openssh.com
Host-Based Accepted Key Types
>ssh-rsa-cert-v01@openssh.com
>ssh-dss-cert-v01@openssh.com
>ssh-rsa
>ssh-dss
Host Key Algorithms
>ssh-rsa-cert-v01@openssh.com
>ssh-dss-cert-v01@openssh.com
>ssh-rsa
>ssh-dss
Public Key Accepted Key Types
>ssh-rsa-cert-v01@openssh.com
>ssh-dss-cert-v01@openssh.com
>ssh-dss
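To find OpenSSH clients that these removals (the key exchange algorithms dropped in 7.9.1 and the MACs and key types dropped in 7.8.0) would lock out, the effective client configuration printed by `ssh -G <host>` can be compared with the lists above. This is an added example, not part of the product; the function name, status labels and sample input are assumptions, and only the removed names come from this page.

```python
# Algorithms the release notes list as removed (7.9.1 KEX, 7.8.0 the rest),
# keyed by the lower-case keyword that `ssh -G <host>` prints.
RSA_DSS = {"ssh-rsa-cert-v01@openssh.com", "ssh-dss-cert-v01@openssh.com",
           "ssh-rsa", "ssh-dss"}
REMOVED = {
    "kexalgorithms": {"diffie-hellman-group1-sha1",
                      "diffie-hellman-group14-sha1",
                      "diffie-hellman-group-exchange-sha256",
                      "diffie-hellman-group-exchange-sha1"},
    "macs": {"umac-64-etm@openssh.com", "umac-128-etm@openssh.com",
             "umac-64@openssh.com", "umac-128@openssh.com"},
    "hostkeyalgorithms": RSA_DSS,
    # ssh-rsa is not in the page's public-key list, so it is not flagged here.
    "pubkeyacceptedalgorithms": RSA_DSS - {"ssh-rsa"},
}
ALIASES = {"pubkeyacceptedkeytypes": "pubkeyacceptedalgorithms"}  # older OpenSSH

def audit_client(ssh_g_output):
    """Map keyword -> (status, removed_names) for an `ssh -G` dump."""
    report = {}
    for line in ssh_g_output.splitlines():
        key, _, value = line.strip().partition(" ")
        key = ALIASES.get(key.lower(), key.lower())
        if key not in REMOVED or not value:
            continue
        offered = [a for a in value.split(",") if a]
        hit = [a for a in offered if a in REMOVED[key]]
        if not hit:
            status = "ok"
        elif len(hit) == len(offered):
            status = "blocked"    # every algorithm the client offers was removed
        else:
            status = "degraded"   # client still offers algorithms not on the list
        report[key] = (status, hit)
    return report

# Constructed sample in the format `ssh -G` prints; not from a real host.
SAMPLE = """\
hostname luna-hsm.example
kexalgorithms diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256
macs hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
hostkeyalgorithms ssh-ed25519,ecdsa-sha2-nistp256
pubkeyacceptedkeytypes ssh-rsa,ssh-dss
"""

if __name__ == "__main__":
    for keyword, result in audit_client(SAMPLE).items():
        print(keyword, *result)
```

A "blocked" keyword means the client configuration must change before it can connect; "degraded" entries are worth cleaning out of pinned client configurations.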
Luna Network HSM 7 Reboot Patch is a Prerequisite For Older Appliances
If your Luna Network HSM 7 was shipped to you before December 2019, and you currently have software older than Luna Appliance Software 7.7.0 installed, the software update will not proceed unless you first install the Luna Network HSM 7 Reboot Patch. Appliances shipped from the factory since December 2019 have this patch already installed. If you installed the patch to enable an earlier update (7.7.0 or newer), you do not need to install it again.
sysconf snmp trap set command now defaults to "inform"
Previously, the -traptype option of the sysconf snmp trap set command defaulted to "trap". This changed in Luna Appliance Software 7.7.0, which adds the option "inform" as the new default. If you have any scripts that rely on the default setting, adjust them to set -traptype explicitly.