Luna HSM Client 7.4.0

Luna Backup HSM firmware 7.4.0 was released in January 2019.

>Download Luna HSM Client 7.4.0 for Windows

>Download Luna HSM Client 7.4.0 for Linux

>Download Minimal Luna HSM Client 7.4.0 for Linux

>Download Luna HSM Client 7.4.0 for Solaris SPARC

>Download Luna HSM Client 7.4.0 for Solaris x86

>Download Luna HSM Client 7.4.0 for AIX

CAUTION!   Versions of the user documentation found on the Customer Portal are no longer updated and may contain errors and omissions. For the most accurate and up-to-date documentation of all major Luna 7 releases, always refer to the latest set of online documentation at https://www.thalesdocs.com.

New Features and Enhancements

Luna HSM Client 7.4.0 includes the following new features and enhancements:

Functionality Modules

Luna Network HSM 7.4 introduces Functionality Modules (FMs). FMs consist of your own custom-developed code, loaded and operating within the logical and physical security of a Luna Network HSM as part of the HSM firmware. FMs allow you to customize your Luna Network HSM's functionality to suit the needs of your organization. Custom functionality provided by your own FMs can include:

>new cryptographic algorithms, including Quantum algorithms

>security-sensitive code, isolated from the rest of the HSM environment

>keys and critical parameters managed by the FM, independent from standard PKCS#11 objects, held in tamper-protected persistent storage

To create FMs, you will need the Functionality Module Software Development Kit (SDK), which is included with the Luna HSM Client 7.4.0 software. Applications that use FM functions are supported on Windows and Linux.

CAUTION!   Enabling FMs (HSM policy 50) introduces changes to Luna HSM functionality, some of which are permanent; they cannot be removed by disabling the policy. FM-enabled status is not reversible by Factory Reset. Refer to FM Deployment Constraints for details before enabling.

See About the FM SDK Programming Guide and Functionality Modules for details and procedures.

This feature also requires Luna HSM Firmware 7.4.0 or newer, and Luna Network HSM Appliance Software 7.4.0 or newer.

View Utilization Metrics by Partition

View utilization metrics for an individual partition or a specified list of partitions.

See Partition Utilization Metrics for details.

This feature also requires Luna HSM Firmware 7.4.0 or newer, and Luna Network HSM Appliance Software 7.4.0 or newer.

Release 7.4.0 Advisory Notes

This section highlights important issues you should be aware of before deploying Luna HSM Client 7.4.0.

Resolved Issue LUNA-7585: Java DERIVE and EXTRACT flag settings for keys injected into the HSM

Formerly, the DERIVE and EXTRACT flags were forced to "true" in the JNI, which overrode any values passed by applications via Java. This was resolved in Luna 7.3 release.

As of release 7.3:

>The default values for the DERIVE and EXTRACT flags are set to "false" (were set to “true” in previous releases).

>JNI accepts and preserves values set by applications via the following Java calls:

LunaSlotManager.getInstance().setSecretKeysDerivable( true ); 
LunaSlotManager.getInstance().setPrivateKeysDerivable( true );
LunaSlotManager.getInstance().setSecretKeysExtractable( true );
LunaSlotManager.getInstance().setPrivateKeysExtractable( true );

NOTE   If you have existing code that relies on the DERIVE and EXTRACT flags being automatically defined by the JNI for new keys, you will need to modify your application code to set the flag values correctly.

In cases where a derived key must be extractable, add the following line to the java.security file:

com.safenetinc.luna.provider.createExtractablePrivateKeys=true

STC over IPv6 is Unavailable

STC client-partition links are not available over an IPv6 network.

Supported Luna HSM Client 7.4.0 Operating Systems

You can install the Luna HSM Client 7.4.0 on the following operating systems:

Operating System Version 64-bit applications on 64-bit OS 32-bit applications on 64-bit OS 32-bit applications on 32-bit OS
Windows 10 Yes Yes No
Windows Server 2016 Yes Yes No
2012 R2 Yes Yes No
Redhat-based Linux (including variants like CentOS and Oracle Enterprise Linux) 7 Yes Yes Yes
6 Yes Yes Yes
Ubuntu * 14.04 Yes No Yes
AIX ** 7.1 Yes No No
Solaris (SPARC/x86) ** 11

Yes No No

* The Linux installer for Luna HSM Client software is compiled as .rpm packages. To install on a Debian-based distribution, such as Ubuntu, alien is used to convert the packages. We used build-essential:

apt-get install build-essential alien

If you are using a Docker container or another such microservice to install the Luna Minimal Client on Ubuntu, and your initial client installation was on another supported Linux distribution as listed above, you do not require alien. Refer to the product documentation for instructions. You might need to account for your particular system and any pre-existing dependencies for your other applications.

** Although the AIX and Solaris installers display the options, SafeNet Luna PCIe and USB HSMs are not supported in this release. Select only SafeNet Luna Network HSM during installation.

Supported Cryptographic APIs

Applications can perform cryptographic operations using the following APIs:

>PKCS#11 2.20

>JCA within Oracle Java 7/8/9/10/11

>JCA within OpenJDK 7/8/9/10/11

>JCA within IBM Java 7/8

>OpenSSL

>Microsoft CAPI

>Microsoft CNG