Luna HSM Client 10.1.0

Luna Backup HSM firmware 10.1.0 was released in October 2019.

>Download Luna HSM Client 10.1.0 for Windows

>Download Luna HSM Client 10.1.0 for Linux

>Download Minimal Luna HSM Client 10.1.0 for Linux

>Download Luna HSM Client 10.1.0 for Solaris SPARC

>Download Luna HSM Client 10.1.0 for Solaris x86

>Download Luna HSM Client 10.1.0 for AIX

New Features and Enhancements

Luna HSM Client 10.1.0 includes the following new features and enhancements:

Support for Luna B-series Backup HSM

Luna HSM Client includes the drivers and software updates required to use the new Luna Backup HSM. See also Luna Backup HSM Firmware 7.3.2.

Remote PED Support on Linux

You can now host Remote PED services on a Linux workstation.

See Remote PED Setup.

Client Certificates Signed by a Trusted Certificate Authority

Luna HSM Client 10.1 allows you to use client certificates signed by a trusted Certificate Authority (CA), which can be a commercial third-party CA or your organization's own signing station.

See Creating an NTLS Connection Using a Self-Signed Appliance Certificate and a Client Certificate Signed by a Trusted Certificate Authority.

Windows Secure Boot Support

The drivers included with the Luna HSM Client software for Luna PCIe HSMs, Luna Backup HSMs, Luna USB HSMs, and Luna PEDs now support Windows Secure Boot.

Release 10.1.0 Advisory Notes

This section highlights important issues you should be aware of before deploying Luna HSM Client 10.1.0.

Luna HSM Client 7.5 is No Longer Available

Luna HSM Client 7.5 is no longer available for download from the Thales Customer Portal. Thales strongly recommends that all customers using version 7.5 update their client software to 10.1 or higher.

Older JAVA Versions Require Patch/Update

The .jar files included with Luna HSM Client 10.x have been updated with a new certificate, signed by the Oracle JCE root certificate. This certificate validation requires a minimum Oracle JDK/JRE version.

>If your application relies on Oracle Java 7 or 8, you must update to the advanced version provided by Oracle. You require (at minimum) version 7u131 or 8u121. Please refer to Oracle's website for more information: https://www.oracle.com/technetwork/java/java-se-support-roadmap.html

>If your application relies on IBM Java 7 or 8, you must install a patch from IBM before updating to Luna HSM Client 10.x (see APAR IJ25459 for details).

"CKR_MECHANISM_INVALID" Messages in Mixed Luna Cloud HSM Implementations

When using a DPoD Luna Cloud HSM service with Luna HSM Client, you might encounter errors like "CKR_MECHANISM_INVALID" or "Error NCryptFinalizeKey" during some operations in Hybrid HA and FIPS mode (3DES Issue). This can occur if firmware versions differ between a Luna HSM partition and a DPoD Luna Cloud HSM service in an HA group when you invoke a mechanism that is supported on one but not the other. Similarly, if one member is in FIPS mode, while the other is not, a mechanism might be requested that is allowed for one member, but not the other. For example, the ms2luna tool can fail when 3DES operations are invoked.

Resolved Issue LUNA-7585: Java DERIVE and EXTRACT flag settings for keys injected into the HSM

Formerly, the DERIVE and EXTRACT flags were forced to "true" in the JNI, which overrode any values passed by applications via Java. This was resolved in Luna 7.3 release.

As of release 7.3:

>The default values for the DERIVE and EXTRACT flags are set to "false" (were set to “true” in previous releases).

>JNI accepts and preserves values set by applications via the following Java calls:

LunaSlotManager.getInstance().setSecretKeysDerivable( true ); 
LunaSlotManager.getInstance().setPrivateKeysDerivable( true );
LunaSlotManager.getInstance().setSecretKeysExtractable( true );
LunaSlotManager.getInstance().setPrivateKeysExtractable( true );

NOTE   If you have existing code that relies on the DERIVE and EXTRACT flags being automatically defined by the JNI for new keys, you will need to modify your application code to set the flag values correctly.

In cases where a derived key must be extractable, add the following line to the java.security file:

com.safenetinc.luna.provider.createExtractablePrivateKeys=true

Supported Luna HSM Client 10.1.0 Operating Systems

You can install the Luna HSM Client 10.1.0 on the following 64-bit operating systems:

Operating System Version Secure Boot Supported
Windows 10 Yes
Windows Server Standard 2019 Yes
2016 Yes
2012 R2 No
Red Hat Enterprise Linux (including variants like CentOS and Oracle Enterprise Linux) 7 No
6 No
SuSe Linux (minimal client only) 12.4 No
11.4 No
Ubuntu * 14.04 No
18 No
AIX ** 7.1 No
Solaris (SPARC/x86) ** 11
No

* The Linux installer for Luna HSM Client software is compiled as .rpm packages. To install on a Debian-based distribution, such as Ubuntu, alien is used to convert the packages. We used build-essential:

apt-get install build-essential alien

If you are using a Docker container or another such microservice to install the Luna Minimal Client on Ubuntu, and your initial client installation was on another supported Linux distribution as listed above, you do not require alien. Refer to the product documentation for instructions. You might need to account for your particular system and any pre-existing dependencies for your other applications.

** Although the AIX and Solaris installers display the options, SafeNet Luna PCIe and USB HSMs are not supported in this release. Select only SafeNet Luna Network HSM during installation.

Supported Cryptographic APIs

Applications can perform cryptographic operations using the following APIs:

>PKCS#11 2.20

>JCA within Oracle Java 7*/8*/9/10/11

*Luna HSM Client 10.1 and newer requires the advanced version of Oracle Java 7/8.

>JCA within OpenJDK 7/8/9/10/11

>OpenSSL

>Microsoft CAPI

>Microsoft CNG