Luna HSM Client 10.5.0

Luna HSM Client 10.5.0 was released in July 2022. It includes bug fixes and security updates.

>Download Luna HSM Client 10.5.0 for Windows

>Download Luna HSM Client 10.5.0 for Linux

>Download Minimal Luna HSM Client 10.5.0 for Linux

NOTE   This version of Luna HSM Client is compatible with Luna HSMs with firmware 6.2.1 and newer. Features that do not have client version dependencies will function without issue. However, Thales has some recommendations when using certain firmware versions. See General Version Compatibility Recommendations.

New Features and Enhancements

Luna HSM Client 10.5.0 includes the following new features and enhancements:

Universal Cloning

Cloning (or migration) of keys and objects between Thales HSMs, has been enhanced as follows.

Updated encryption

Cloning encryption is now ECC-based (formerly RSA) and separates session-key negotiation from the use of session keys for migrating/transfering keys and objects within the security perimeter of the cryptographic module with the following advantages:

>Consolidate HSM resources with secure and transparent exchanges of cryptographic material among mixed authentication modes:

multifactor quorum-authenticated and

password-authenticated partitions.

>Transfer keys to an entirely new domain, providing full interoperability between on-premises Luna Network HSM 7 partitions and Luna Cloud HSM services.

Enhanced cipher suite options

Multiple cipher suites are available for cloning.

>Ciphers can be individually enabled or disabled by command.

>The protocol negotiates the strongest common suite enabled on source and target.

Multiple domains

Extended Domain Management widens the scope of key-migration/key-cloning operations, while maintaining the cryptographic module's security perimeter.

>Up to three domains can be associated with a partition.

>Domains can be labeled for ease of management, and the labels can be changed for convenience.

>Password-authenticated cloning domains (text string) and multifactor quorum-authenticated domains (PED key secret) can be mixed on a single partition.

>Keys and objects can be shifted from one domain (that you control) to another (that you control).

Session Key Lifetime Management

>Negotiated sessions have a finite lifetime (minimizing possibility of abuse), while being renegotiated with no burden to your applications.

>Multiple keys/objects can be transferred at one time, from one partition to another without requiring key-negotiation for each transfer (compare with prior behavior).

See Universal Cloning.

Clusters and Keyrings

CAUTION!   TECHNICAL PREVIEW -- EVALUATION ENVIRONMENT ONLY

Clusters are presented as a technical preview, to give customers the opportunity to validate our new HSM management features, designed to reduce operation cost and maximize the return on investment of a fleet of HSMs. This release does not provide a migration path from standard Luna partitions or Luna Cloud HSM services to keyrings. Thales recommends Luna Appliance Software 7.8.3 with cluster package 1.0.3, Luna HSM Firmware 7.8.2, and Luna HSM Client 10.6.0 to use clusters.

DO NOT INSTALL THE CLUSTER PACKAGE ON A LUNA NETWORK HSM IN PRODUCTION

When the cluster package is installed, access to any existing partitions on the HSM is disabled, and this can only be reversed by re-imaging the Luna Network HSM 7 appliance (see Re-Imaging the Appliance to Baseline Software/Firmware Versions). Re-imaging is a destructive action; all roles, partitions, and keys are destroyed. The Luna Network HSM 7 must be completely reconfigured; all partitions must be recreated and their contents restored from backup. In particular, do not attempt to configure clustering on a Luna Network HSM 7 that already has V1 partitions created; either delete these partitions or re-image the appliance before configuring a cluster.

Luna Network HSM 7 now allows you to store your cryptographic objects in an encrypted cluster within the appliance memory. This process uses Scalable Key Storage to encrypt the cluster and the SMK is shared with all member HSMs. The cluster contains keyrings, which are analogous to application partitions and can be accessed by a client in much the same way, by connecting to any member appliance. Keys are retrieved from the cluster, decrypted within the secure confines of the HSM, and used by the HSM for cryptographic operations. This configuration allows you to store many more keys than you can normally store within HSM partitions. The management of backup and restore operations is greatly simplified; the HSM administrator can back up the full content of a cluster, at scheduled intervals or on demand.

A cluster can consist of one Luna Network HSM 7 member appliance, or multiple appliances that share the contents of the cluster. Adding multiple members to a cluster improves performance, and provides redundancy and failover for your client applications. Thales recommends a maximum of 4 members per cluster.

Up to 3500 keyrings can be created on the cluster, and each keyring can contain up to 256 objects. Each Luna HSM Client can manage up to 3500 keyrings, which can be spread across multiple clusters.

Thales recommends Luna Appliance Software 7.8.3 with cluster package 1.0.3, Luna HSM Firmware 7.8.2, and Luna HSM Client 10.6.0 to use clusters.

See About the Cluster Administration Guide.

Configurable Mutex Folder on Linux

The Linux version of Luna HSM Client 10.5.0 allows the administrator to set a custom folder for temporary files. Previously these files were written to /tmp, but some services could be disrupted when the /tmp folder was cleared. The new default folder is <install_dir>/lock, but if access rights to this directory are restricted, you can set a custom location by editing the MutexFolder entry of the Misc section of Chrystoki.conf.

See Configuration File Summary.

Supported Operating Systems

You can install Luna HSM Client 10.5.0 on the following operating systems:

Operating System Version Secure Boot Supported
Windows 10 Yes
Windows Server Standard 2022 Yes
2019 Yes
2016 Yes
Windows Server Core 2022 Yes
2019 Yes
2016 Yes
Red Hat-based Linux (including variants like CentOS and Oracle Enterprise Linux)

8.0, 8.1, 8.2, 8.3, 8.4, 8.5 (†)

No
7 No
Red Hat Universal Base Image (UBI) 8.8 No
SUSE Linux Enterprise Server (minimal client only) 15 No
12.4 No
11.4 No
Ubuntu * 21.04 No
20.04 No
18.04 No
14.04 No
Debian 11 No
10 No
9 No
8 No

* The Linux installer for Luna HSM Client software is compiled as .rpm packages. To install on a Debian-based distribution, such as Ubuntu, alien is used to convert the packages. We used build-essential:

apt-get install build-essential alien

If you are using a Docker container or another such microservice to install the Luna Minimal Client on Ubuntu, and your initial client installation was on another supported Linux distribution as listed above, you do not require alien. Refer to the product documentation for instructions. You might need to account for your particular system and any pre-existing dependencies for your other applications.

RHEL and CentOS 8.0-8.5 with their original kernels. See also Red Hat Enterprise Linux 8 in FIPS Mode Requires Minimal Luna HSM Client.

Supported Cryptographic APIs

Applications can perform cryptographic operations using the following APIs:

>PKCS#11 2.20

>OpenSSL

>Microsoft CAPI

>Microsoft CNG

>Supported Java versions:

Open JDK 7 up to Open JDK 17

Oracle Java 7 up to JDK 17

IBM Java 7, 8 and 11

Advisory Notes

This section highlights important issues you should be aware of before deploying Luna HSM Client 10.5.0.

Backup/USB/PCIe Drivers Not Installed on Windows 10 or Windows Server 2022 Unless Device is Connected

Due to changes in Windows 10 and Server 2022, device drivers are not installed unless the USB or PCIe device is connected to the client workstation. If you plan to use a Luna Backup HSM 7, Luna Backup HSM G5, Luna USB HSM 7, or Luna PCIe HSM 7 with these operating systems, use one of the following workarounds:

>Connect the Luna device to the workstation (or install the Luna PCIe HSM 7 card) before installing the Luna HSM Client software

>After installing the Luna HSM Client software:

a.Connect the Luna device(s) to the workstation (or install the Luna PCIe HSM 7 card)

b.Run LunaHSMClient.exe.

c.Select the devices you want to install drivers for.

d.Click Modify.

Insecure SSH Ciphers Removed From Luna Appliance Software 7.8.0 and Newer

Thales has removed a number of less-secure SSH ciphers from Luna Appliance Software 7.8.0. As a consequence, older client versions may not be able to use SSH to access LunaSH. This affects SSH connections, pscp/scp file transfers, plink, and certain procedures that rely on these tools such as the One-Step NTLS Connection Procedure. To avoid connection problems, you must use the versions of pscp and plink from Luna HSM Client 10.4.0 or newer. If you use Linux-standard applications like scp or ssh, ensure that they are updated to the latest version.

The following ciphers have been removed:

MACS

>umac-64-etm@openssh.com

>umac-128-etm@openssh.com

>umac-64@openssh.com

>umac-128@openssh.com

Host-Based Accepted Key Types

>ssh-rsa-cert-v01@openssh.com

>ssh-dss-cert-v01@openssh.com

>ssh-rsa

>ssh-dss

Host Key Algorithms

>ssh-rsa-cert-v01@openssh.com

>ssh-dss-cert-v01@openssh.com

>ssh-rsa

>ssh-dss

Public Key Accepted Key Types

>ssh-rsa-cert-v01@openssh.com

>ssh-dss-cert-v01@openssh.com

>ssh-dss

CentOS 8.4 Missing Dependency

Due to a missing dependency on CentOS 8.4 [specifically the symlink (libnsl.so.1) to libnsl was removed], when installing Luna HSM Client 10.5.0 or newer, you must install an additional rpm package first:

Run yum install libnsl before invoking the install.sh script.

CSP/KSP Registrations Can Fail if Windows Update Missing

CSP or KSP registration includes a step that verifies the DLLs are signed by our certificate that chains back to the DigiCert root of trust G4 (in compliance with industry security standards).

This step can fail if your Windows operating system does not have the required certificate. If you have been keeping your Windows OS updated, you should already have that certificate.

If your Luna HSM Client host is connected to the internet, use the following commands to update the certificate manually:

certutil -urlcache -f http://cacerts.digicert.com/DigiCertTrustedRootG4.crt DigiCertTrustedRootG4.crt

certutil -addstore -f root DigiCertTrustedRootG4.crt

To manually update a non-connected host

1. Download the DigiCert Trusted Root G4 ( http://cacerts.digicert.com/DigiCertTrustedRootG4.crt DigiCertTrustedRootG4.crt ) to a separate internet-connected computer.

2.Transport the certificate , using your approved means, to the Luna Client host into a <downloaded cert path> location of your choice

3.Add the certificate to the certificate store using the command:

certutil -addstore -f root <downloaded cert path>

Red Hat Enterprise Linux 8 in FIPS Mode Requires Minimal Luna HSM Client

RHEL 8.x introduced system-wide cryptographic modes. The full Luna HSM Client installer is supported only when RHEL 8.x is in DEFAULT mode. If your RHEL 8.x OS is in FIPS mode, use the minimal Luna HSM Client.

One-Step NTLS Fails on SUSE 11 Linux

Incompatibility of new Luna HSM Client components with older ones on SUSE 11 cause the one-step NTLS procedure to fail. Instead, use the multi-step procedure to establish an NTLS connection manually.

Refer to Multi-Step NTLS Connection Procedure.

Luna HSM Client No Longer Supports Luna PCIe HSM 6 on any platform

Luna HSM Client 10.5.0 and newer cannot be used with a Luna PCIe HSM 6 that might be present in the host. If you need to use a version 6.x HSM card with your application, install Luna HSM Client 10.3.0 or older for Windows, or Luna HSM Client 10.4.1 or older for Linux.

Luna HSM Client No Longer Supports Luna PCIe HSM 6 on Windows

Luna HSM Client 10.4.0 and newer cannot be used with an installed Luna PCIe HSM 6.

Support for Windows Server 2012 R2 is Ended

Luna HSM Client 10.3.0 is the last version that will support Windows Server 2012 R2.

Red Hat Enterprise Linux / CentOS 6 Support is Ended

Luna HSM Client 10.2.0 is the last version that will support RHEL 6 and related operating systems. If you plan to install future client updates, consider updating your clients to RHEL 7 or 8.

Support for 32-bit OS Platforms is Ended

Starting with Luna HSM Client 10.2.0, 32-bit libraries are no longer provided. If you have a 32-bit application or integration, remain with a previous client release (such as 7.2, 7.3, or 7.4), or migrate to 64-bit platform.

Older JAVA Versions Require Patch/Update

The .jar files included with Luna HSM Client 10.x have been updated with a new certificate, signed by the Oracle JCE root certificate. This certificate validation requires a minimum Oracle JDK/JRE version.

>If your application relies on Oracle Java 7 or 8, you must update to the advanced version provided by Oracle. You require (at minimum) version 7u131 or 8u121. Please refer to Oracle's website for more information: https://www.oracle.com/technetwork/java/java-se-support-roadmap.html

>If your application relies on IBM Java 7 or 8, you must install a patch from IBM before updating to Luna HSM Client 10.x (see APAR IJ25459 for details).

CKR_MECHANISM_INVALID Messages in Mixed Luna Cloud HSM Implementations

When using a Luna Cloud HSM service with Luna HSM Client, you might encounter errors like "CKR_MECHANISM_INVALID" or "Error NCryptFinalizeKey" during some operations in Hybrid HA and FIPS mode (3DES Issue). This can occur if firmware versions differ between a Luna HSM partition and a Luna Cloud HSM service in an HA group when you invoke a mechanism that is supported on one but not the other. Similarly, if one member is in FIPS mode, while the other is not, a mechanism might be requested that is allowed for one member, but not the other. For example, the ms2luna tool can fail when 3DES operations are invoked.

Resolved Issue LUNA-7585: Java DERIVE and EXTRACT flag settings for keys injected into the HSM

Formerly, the DERIVE and EXTRACT flags were forced to "true" in the JNI, which overrode any values passed by applications via Java. This was resolved in Luna HSM Client 7.3.0.

As of Luna HSM Client 7.3.0:

>The default values for the DERIVE and EXTRACT flags are set to "false" (were set to “true” in previous releases).

>JNI accepts and preserves values set by applications via the following Java calls:

LunaSlotManager.getInstance().setSecretKeysDerivable( true ); 
LunaSlotManager.getInstance().setPrivateKeysDerivable( true );
LunaSlotManager.getInstance().setSecretKeysExtractable( true );
LunaSlotManager.getInstance().setPrivateKeysExtractable( true );

NOTE   If you have existing code that relies on the DERIVE and EXTRACT flags being automatically defined by the JNI for new keys, you will need to modify your application code to set the flag values correctly.

In cases where a derived key must be extractable, add the following line to the java.security file:

com.safenetinc.luna.provider.createExtractablePrivateKeys=true