Known and Resolved Issues

The following table lists known issues in all released versions of Luna 7 components. Workarounds are provided where available.

Issues listed in green have been resolved; the component and version that include the fix are provided.

Issue Labels Synopsis
LUNA-27578 clusterpkg

Problem: If the system clock is adjusted after the cluster certificate is created, the certificates might not be valid due to date/time. For example, if the certificate is generated while the system clock is ahead by a few minutes, and the clock is then corrected, the certificate will not be valid until the clock catches up to the time it was set to when the certificate was created. If the current system time does not fall within the certificate's range of validity, the cluster service fails to start.

Workaround: None. Ensure that the system time is correct on the Luna Network HSM before setting up clustering or factory resetting the cluster service. Refer to the prerequisites for Configuring the Luna Network HSM for Clustering.

LUNA-27183 client

Problem: Using Luna HSM Client 10.5.1, drivers for Remote PED are not installed on Debian-based Linux (such as Ubuntu).

Workaround: None. Use Luna HSM Client 10.5.0 or older if you are setting up a Remote PED server.

RAPI-2074 applianceSW

Problem: After an appliance reboot, webserver show indicates that the webserver is enabled and running, but the webserver certificate cannot be retrieved.

Workaround: Enable the webserver again in LunaSH with webserver enable.

LUNA-27110 client

Problem: Using Luna HSM Client 10.5.1, ms2luna fails to migrate KSP keys to the Luna HSM. CSP keys are migrated successfully.

Workaround: Use the ms2luna utility from Luna HSM Client 10.5.0 instead.

LUNA-26960 client

Problem: On AIX, the LunaCM command partition domainlist returns an error:

lunacm:>partition domainlist

Error in execution: host memory error.

Command Result : 0x6 (Internal Error)

Workaround: None.

LUNA-26959 applianceSW

Problem: After adding a network route, a failure message is returned (Failed to apply new route information to bond0.) but the route is added successfully.

Workaround: This message can be safely ignored.

LUNA-26926 client

Problem: On Linux, a non-root user in the hsmusers group is unable to start pedclient.

Workaround: None.

LUNA-26584 applianceSW

Problem: When a default route is configured on a network interface, another newly-configured DHCP interface is not assigned a gateway.

Workaround: Add a manual network route to the affected interface using network route add.

LUNA-26583 applianceSW

Problem: When a default route is configured on a network interface, another newly-configured static interface is not assigned a gateway.

Workaround: Add a manual network route to the affected interface using network route add.

LUNA-26485 clusterpkg

Problem: Changing the default port used for crypto operations on the cluster (50052) can cause communication problems between cluster members.

Workaround: In this release, do not customize the crypto port number.

LUNA-26389 applianceSW

Problem: When the network service on Luna Network HSM appliance software 7.8.x is reset to factory conditions (lunash:> sysconf config factoryreset -service network), the DHCP interface is not automatically assigned a gateway.

Workaround: Configure the interface manually by assigning a static IP address and gateway, or reconfiguring DHCP on the interface.

LUNA-26386 applianceSW

Problem: In LunaSH, after deleting a network interface, the information about that interface is still displayed in the output for network show.

Workaround: The interface is deleted; this information can be safely ignored.

Resolved: Fixed in Luna Network HSM appliance software 7.8.1.

LUNA-26370 client

Problem: The Mutex lock file generated by Luna HSM Client is created with the wrong permissions (writable by everyone).

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.5.1.

LUNA-26360 applianceSW

Problem: When bonding is configured, the gateway is not set on the bond interface.

Workaround: None. Do not configure network bonding on Luna Network HSM 7.8.0.

Resolved: Fixed in Luna Network HSM appliance software 7.8.1.

LUNA-26317 clusterpkg

Problem: After resetting a keyring, role show incorrectly indicates that there are 15 failed login attempts/password change attempts remaining until keyring lockout.

Workaround: This can be safely ignored. The correct value (10) is reported by role show after logging in to the keyring using the reset credentials.

LUNA-25898 clusterpkg

Problem: If a RADIUS-authenticated user is created on Luna Network HSM, the cluster service will not start.

Workaround: RADIUS is not supported for use with clusters; if you have RADIUS-authenticated users on the appliance, the cluster service will start once they are deleted.

Resolved: Fixed in Luna Network HSM 7.8.1 clusters package.

LUNA-25886 clusterpkg

Problem: When a custom user account is created on cluster member A, the user is required to change the initial password upon first login to cluster member A. If the user's first login is on cluster member B, however, the password change is not enforced. If the password is changed manually on member B, logging in to member A will still require another password change.

Workaround: Ensure that the user logs in for the first time to the member where the user account was created.

Resolved: Fixed in Luna Network HSM appliance software 7.8.1.

LUNA-25811 client clusterpkg

Problem: After resetting a keyring to its initial conditions, LunaCM does not allow you to log in as KRSO (po), saying that the role is not initialized.

Workaround: Use ckdemo to log in as KRSO (pso) and re-initialize the KRCO role.

Resolved: Fixed in Luna HSM Client 10.5.1.

LUNA-25806 clusterpkg

Problem: When a KRCO password is longer than 16 characters, no failed login counter is incremented. However, LunaCM still produces a misleading message:

Caution: You have only 10 co login attempts left. If you fail 10

more consecutive login attempts (i.e. with no successful

logins in between) the co will be locked.

Workaround: The lockout counter is not incremented as expected; this message can be safely ignored.

LUNA-25611 clusterpkg

Problem: Setting the core service IP using REST API appears to fail with Error: socket hang up.

Workaround: The operation has not failed, although the socket closed prematurely before receiving the successful status. The cluster service must automatically restart before the operation can be reported as a success; wait approximately 3 minutes for the service to finish restarting and then confirm. Alternatively, use LunaSH to set the service IP.

Resolved: Fixed in Luna Network HSM 7.8.1 clusters package.

LUNA-25449 clusterpkg

Problem: If any change is made to the cluster membership (member leaves or is deleted from the cluster) while one or more other members are offline, the offline members are not updated with the new cluster configuration, and they are unable to reconnect to the cluster when they come back online.

Workaround: None. Do not remove or delete members from the cluster if one or more members are currently offline.

Recovery: If you encounter this issue, use the following procedure to recover all cluster members:

1. Stop the cluster service on all members.

2. Start the cluster service on the primary member, using the -force option.

3. Restart the cluster service on the primary member.

4. Factory reset the cluster service on all other members.

5. Rejoin each other member to the cluster.

LUNA-25344 clusterpkg

Problem: Client operations on a cluster member can be disrupted briefly while a new cluster member is added.

Workaround: Configure all your cluster members before launching your client applications.

LUNA-25278 clusterpkg

Problem: When the cluster service is stopped on all members and then started on all members, authorizing one member manually does not trigger auto-authorization of the other members as expected.

Workaround: You must manually authorize each member individually.

Resolved: Fixed in Luna Network HSM 7.8.1 cluster package.

LUNA-25157 clusterpkg

Problem: After changing the time zone setting on the appliance, or when there is a time change due to Daylight Saving Time, scheduled cluster backups do not account for the time change.

Workaround: Restart the cluster service to resync the time.

LUNA-25108 clusterpkg

Problem: In LunaSH, keyring show using the -detail option displays a confusing Error: Response rendering failed.

Workaround: This error can be safely ignored.

LUNA-25093 applianceSW

Problem: The Luna Network HSM incorrectly enforces that the HSM SO must be logged in before the Partition SO can initialize the Crypto Officer role in LunaSH.

Workaround: None.

Resolved: Fixed in Luna Network HSM appliance software 7.8.0.

LUNA-25067 clusterpkg

Problem: The REST server healthcheck creates many REST log entries:

2022 Apr 26 09:39:15 [localhost]  local5 info  LNHREST[1]: 127.0.0.1:50620 - GET /

2022 Apr 26 09:39:15 [localhost]  local5 err  LNHREST[1]: Misssing Authorization Header

Workaround: None. These logs can be ignored.

Resolved: Fixed in Luna Network HSM 7.8.1 Technical Preview.

LUNA-24800 client

Problem: After a key is destroyed, C_Encrypt calls using the key's handle return CKR_TOKEN_NOT_PRESENT instead of CKR_KEY_HANDLE_INVALID. This can interfere with the operation of running applications.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.5.0.

LUNA-24474 applianceSW

Problem: When the Luna Network HSM is configured to use RADIUS authentication, requests are sent to the RADIUS server even for local roles that are not configured for RADIUS authentication.

Workaround: None.

Resolved: Fixed in Luna Network HSM appliance software 7.8.0.

LUNA-24462 firmware

Problem: When the HSM hardware includes the new clock (a response to supply-chain parts shortages), the reimage operation fails. An HSM containing the new part can be recognized by the assembly number 808-000048-003 using the "hsm showinfo" command for a standalone PCIe HSM, or by the number 808-000073-002 using the "hsm show" command for an HSM inside a Luna Network HSM appliance. The problem does not occur for HSMs with firmware version 7.0.3 and earlier, or firmware later than version 7.7.2.

Workaround: Apply HSM firmware version 7.8.0 (or newer). That is a standalone firmware upgrade for Luna PCIe HSM, or is part of the .SPKG for appliance software release 7.8.0 (or newer) on Luna Network HSM.

LUNA-24240 clusterpkg

Problem: When an incorrect partition label or password is specified when running cluster join, cluster delete, or cluster leave, the command fails as expected, but Command Result : 0 (Success) is returned.

Workaround: This message can be safely ignored.

Resolved: Fixed in Luna Network HSM appliance software 7.8.1.

LUNA-24196 clusterpkg

Problem: In ckdemo, the number of sessions reported open on a keyring by Option (12) Token Info is not reset when the keyring is reset.

Workaround: None.

LUNA-24151 clusterpkg

Problem: The output for cluster leave in LunaSH includes some debug information under the 4th step (example):

Step 4/5: Recreate cluster certificates...

Generating a 384 bit EC private key

writing new private key to '/home/luna-local/certificate/keyStore/luna-local_key.pem'

-----

Workaround: This information can be safely ignored.

LUNA-24101 applianceSW

Problem: In LunaSH, the following commands are not available to the operator user:

>hsm ped server register

>hsm ped server delete

>network interface slaac

>client addCA

>client listCAs

>client deleteCAs

Workaround: The admin user must be logged in to use these commands.

Resolved: Fixed in Luna Network HSM appliance software 7.8.0.

LUNA-24019 client

Problem: When using Luna HSM Client 10.4.x, integration with Microsoft NDES does not work (HTTP Error 500.0).

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.5.0.

LUNA-23945 cloudHSM

Problem: When a Luna Cloud HSM service is configured as an HA group member with PED-authenticated Luna 7 partitions, operations do not fail over to Luna Cloud when Luna 7 partitions become unavailable.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.5.0.

LUNA-23764 client

Problem: When cklogs are enabled on a Linux client, source ./setenv --addcloudhsm fails with ERROR: Failed to add cloud hsm configuration to 'Chrystoki.conf', failed to configure PluginsModuleDir in Misc section.

Workaround: Disable cklogs with vtl cklogsupport disable before running the setenv script.

Resolved: Fixed in Luna HSM Client 10.5.0.

LUNA-23695 client

Problem: Using Luna HSM Client 10.3.0 or 10.4.0, LunaHAStatus returns CKR_DATA_INVALID for all members of an HA group after a period of time.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.5.0.

LUNA-23691 client clusterpkg

Problem: After re-initializing a keyring with a different label, the keyring info cannot be found using keyring show (fails with Error: Requested resource is not found. [UI] Keyring "new_label" does not exist.).

Workaround: None.

LUNA-23417 client

Problem: When an HSM with an HA member partition remains in a bad state for a period of time (several hours or more), the HA group may receive a CKR_DEVICE_ERROR.

Workaround: If the HA group receives this error, the client application must be restarted. Monitor HA member HSMs to ensure they are recovered quickly.

Resolved: Fixed in Luna HSM Client 10.4.0.

LUNA-23301 client

Problem: On Ubuntu 21.04, standard Luna HSM Client uninstallation operation fails the first time.

Workaround: Run the uninstallation again; the second attempt succeeds.

LGX-4942 G7BU

Problem: Luna Backup HSM firmware 7.7.2 enforces minimum 8-character passwords. The previous limit was 7 characters. If you were using a 7-character password before updating to firmware 7.7.2, you can encounter problems with some operations. For example, soft initialization of the HSM will fail because the new firmware will not allow you to keep the old 7-character password.

Workaround: Change all passwords to use a minimum of 8 characters.

LUNA-23140 clusterpkg firmware

Problem: The user is unable to create a data object on a keyring without first logging in as KRCO. This should not be necessary to create data objects.

Workaround: Log in as KRCO first.

Resolved: Fixed in Luna HSM firmware 7.8.1.

LUNA-23078 clusterpkg

Problem: A cluster can be deleted even if it has not first been authorized. This should not be possible.

Workaround: None.

LUNA-22906 client

Problem: Luna 6 partitions cannot be assigned to specific slots using the Presentation > ShowUserSlots entry in the configuration file. When this is done with a combination of Luna 6 and 7 partitions, the assigned slots are ignored and the Luna 6 partitions are always assigned to the lowest-numbered slots, sometimes taking the place of Luna 7 partitions.

Workaround: None. Do not use this setting with a mix of Luna 6 and 7 partitions; only Luna 7 partitions can be assigned to specific slots this way.

LUNA-22750 client

Problem: The cryptoki library crashes when CKA_UNWRAP_TEMPLATE or CKA_DERIVE_TEMPLATE is called.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.4.0.

LUNA-22593 clusterpkg

Problem: Failed attempts to change the password for a role (where an incorrect current password is specified) do not increment towards role lockout.

Workaround: None.

LUNA-22456 firmware

Problem: The Milenage mechanism generates an incorrect authentication verification quintet.

Workaround: None.

Resolved: Fixed in Luna HSM firmware 7.7.2.

LUNA-22422 clusterpkg

Problem: Changing a destructive partition policy erases the partition, but keyrings created by that partition are not erased. After changing any partition policy, keyrings created by the partition do not function as expected, producing errors such as CKR_OH_AUTH_DATA_NOT_PROVIDED.

Workaround: If this occurs, you must clear the cluster using lunash:> sysconf config factoryreset -service cluster. To prevent this from happening, ensure that you have configured your partition policies as desired before creating any keyrings.

LUNA-22378 client

Problem: cmu importkey fails to import encrypted keys.

Workaround: Follow these steps to import the EC key in encrypted form from ec.pfx:

>openssl pkcs12 -in ec.pfx -nocerts -nodes -out Temp.key

Enter Import Password:

>openssl pkcs8 -in Temp.key -topk8 -nocrypt -out PKCS8.key

>cmu importkey -in PKCS8.key -PKCS8 -keyalg ECDSA

Resolved: Fixed in Luna HSM Client 10.4.0.
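
The LUNA-22378 workaround above writes the private key to disk unencrypted (-nodes and -nocrypt). The following is an added example, not part of the original release notes or of any Thales tooling: it runs the same two openssl steps with owner-only file permissions and removes the intermediate Temp.key. The function names and the PFX_PASS environment variable are assumptions of this example, and the sample PFX is constructed for illustration.

```shell
#!/bin/sh
# Added example (not Thales code): the two openssl steps of the LUNA-22378
# workaround, with plaintext key material kept owner-only and the
# intermediate file removed. Function names and PFX_PASS are hypothetical.

# pfx_to_pkcs8 PFX OUT
#   Extracts the private key from PFX and writes it to OUT as unencrypted
#   PKCS#8 PEM. The PFX import password is read from the PFX_PASS environment
#   variable instead of the interactive prompt shown on the page.
#   The body runs in a subshell so the umask change does not leak to the caller.
pfx_to_pkcs8() (
    pfx=$1
    out=$2
    umask 077                                  # files created below are 0600
    work=$(mktemp -d) || exit 1                # private dir for Temp.key
    trap 'rm -rf "$work"; exit 1' INT TERM HUP # clean up if interrupted
    status=0
    # Step 1 from the page: dump the key without encryption (-nodes).
    if ! openssl pkcs12 -in "$pfx" -nocerts -nodes \
            -passin env:PFX_PASS -out "$work/Temp.key"; then
        status=1
    # Step 2 from the page: rewrite the key as unencrypted PKCS#8.
    elif ! openssl pkcs8 -in "$work/Temp.key" -topk8 -nocrypt -out "$out"; then
        rm -f "$out"                           # do not leave a partial key file
        status=1
    fi
    rm -rf "$work"                             # intermediate key is always removed
    exit "$status"
)

# make_sample_pfx DIR
#   Constructed sample input: a throwaway P-256 key and self-signed
#   certificate, exported to DIR/ec.pfx and protected with $PFX_PASS.
make_sample_pfx() (
    dir=$1
    umask 077
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/k.pem" &&
    openssl req -new -x509 -key "$dir/k.pem" -subj "/CN=constructed-sample" \
        -days 1 -out "$dir/c.pem" &&
    openssl pkcs12 -export -inkey "$dir/k.pem" -in "$dir/c.pem" \
        -passout env:PFX_PASS -out "$dir/ec.pfx" &&
    rm -f "$dir/k.pem" "$dir/c.pem"
)

# Usage (step 3 is the page's own command; delete the plaintext file once the
# import has succeeded):
#   export PFX_PASS='...'
#   pfx_to_pkcs8 ec.pfx PKCS8.key
#   cmu importkey -in PKCS8.key -PKCS8 -keyalg ECDSA
#   rm -f PKCS8.key
```
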

LUNA-22353 applianceSW

Problem: Re-imaging the Luna Network HSM appliance from software version 7.7.1 fails if performed by a custom admin user.

Workaround: Re-image the appliance using the default admin LunaSH account.

Resolved: Fixed in the Re-Image Software 7.7.1 and Firmware 7.7.0 Patch.

LUNA-22289 client

Problem: CK_MILENAGE_SIGN_PARAMS does not function correctly when the application is used with an HA group.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.4.0.

RAPI-1853 applianceSW

Problem: When updating the appliance software package using REST API, the operation fails with PACKAGE_MANAGEMENT_OPERATION_FAILED.

Workaround: Use LunaSH to update the appliance software package.

Resolved: Fixed in Luna REST API 11.0.0, included with Luna Network HSM 7.8.0 appliance software.

LKX-9419 firmware

Problem: When auto-activation is enabled on PED-authenticated HSM partitions using firmware 7.7.0 or 7.7.1, the verification string generated by entering Secure Transport Mode will differ from the one received during STM recovery.

Workaround: Deactivate all roles on all partitions before entering STM on the HSM.

Resolved: Fixed in Luna HSM firmware 7.7.2.

LUNA-22064 clusterpkg

Problem: In LunaSH, the cluster enable and cluster disable commands also start and stop the cluster service. This behavior differs from the corresponding REST API resources, which require a separate action to start or stop the cluster service.

Workaround: None.

LKX-9286 client

Problem: Two audit log entries can occasionally be recorded on the same line of the audit log file, corrupting the file and causing log verification to fail.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.4.0.

LUNA-21646 clusterpkg

Problem: When the wrong HSM SO password is presented with lunash:> cluster create three consecutive times, no warning is displayed that the HSM will be zeroized, and the error message is generic:

Generic error by the receiver of the request.

Command Result : 65535 (Luna Shell execution)

Workaround: Ensure that you present the correct HSM SO password.

LUNA-16902 firmware

Problem: On a PED-authenticated HSM, partition initialization with cloning and off-board storage disabled still asks for a cloning domain.

Workaround: Insert the red key and follow the screen prompts to complete the task; the red Cloning Domain key will not be used in future.

LGX-4240 G7BU

Problem: Attempts to change the HSM SO credential on a multifactor-authenticated Luna B700 Backup HSM with firmware 7.7.1 fail with CKR_INVALID_ENTRY_TYPE.

Workaround: None.

Resolved: Fixed in Luna B700 Backup HSM firmware 7.7.2.

LUNA-16839 client

Problem: When using HA, the poll function can fail with CKR_DEVICE_ERROR or CKR_TOKEN_NOT_PRESENT. HA logs show a failover followed by an immediate recovery.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.4.0.

LUNA-16250 applianceSW

Problem: Updating from appliance software 7.2 to 7.7.1 produces a warning during the software update:

warning: file /etc/systemd/system/lcdController-halt.service: remove failed: No such file or directory

Workaround: The reboot patch is required as part of upgrading to version 7.7.0 onward from earlier versions, and the error message appears one time. It can be ignored.

LUNA-16125 client

Problem: WRAP operations fail when the Luna HSM is integrated with Hortonworks in FIPS mode.

Workaround: None. Operations succeed when not in FIPS mode.

Resolved: Fixed in Luna HSM Client 10.4.0.

LUNA-15539 client

Problem: Luna HSM Client fails to re-initialize a partition with a partition policy template on firmware 7.7.

Resolved: Fixed in Luna HSM Client 10.3.0 and newer.

LUNA-15461 client

Problem: CKR_PED_ERROR is returned when switching the PED between different HSMs.

Workaround: The error occurs on the first login after switching to a different HSM; redo the login to clear the error.

LUNA-15390 applianceSW

Problem: Configuring a default route when no gateway is present is allowed.

Workaround: To reconfigure the default route when a gateway is present, delete the interface and reconfigure it.

Resolved: Fixed in Luna Network HSM appliance software 7.7.1.

LUNA-15389 G5BU

Problem: Upgrading a Luna G5 Backup HSM containing a large number of objects to firmware 6.28.0 fails with a driver timeout.

Workaround: Power cycle the Luna G5 Backup HSM.

LGX-3534 G7BU applianceSW

Problem: The file produced by lunash:> hsm supportinfo does not include any information about an attached Luna B700 Backup HSM.

Workaround: None.

Resolved: Fixed in Luna Network HSM appliance software 7.7.1.

LUNA-14571 client

Problem: Memory leak issue in Luna HSM Client 10.1 with SUSE Linux.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.3.0.

LUNA-14516 G5BU

Problem: User interface issue: After a factory reset of the Luna G5 Backup HSM, the -iped prompt is missing from the LunaCM hsm init command.

Workaround: Restart LunaCM; the -iped parameter reappears.

LUNA-14142 G5BU client

Problem: After initializing a client-connected Luna G5 Backup HSM to use PED authentication, the HSM erroneously requests a password to log in with any role. This issue occurs when Luna HSM Client 10.3 or newer is used with HSM firmware 6.10.9 or older on G5 Backup, G5 USB, or Luna HSM 6.

Workaround: Press ENTER to bypass the password prompt, and present the PED key as usual. Alternatively, use Luna HSM Client 10.2.0 or upgrade the Luna Backup HSM firmware to 6.24.7 or newer to avoid this.

LUNA-14009 client cloudHSM

Problem: When running cmu verifyhsm, the interactive mode does not prompt for a challenge string, and fails with "Parameters missing".

Workaround: Always specify a challenge string: cmu verifyhsm -challenge "string"

Resolved: Fixed in Luna HSM Client 10.4.0.

LKX-8494 firmware

Problem: When partition policy 34: Allow CBC-PAD (un)wrap keys of any size is set to 0, the AES_KWP mechanism is blocked, although it does not have the same vulnerabilities as the other blocked mechanisms.

Workaround: None.

Resolved: Fixed in Luna HSM firmware 7.7.0.

LUNA-13780 client cloudHSM

Problem: Importing a DSA public key to a partition using cmu import fails with "Certificate invalid" error.

Workaround: None.

LUNA-13761 client

Problem: On Linux clients, when running cmu selfsigncertificate with no arguments specified, cmu fails to prompt the user for the relevant object handles/OUIDs, even if multiple valid keypairs exist on the partition.

Workaround: Always specify the object handles/OUIDs of the desired keypair using -publichandle and -privatehandle or -publicouid and -privateouid.

LUNA-13144 client cloudHSM

Problem: Using Luna HSM Client 10.2.0, some of the new mechanisms available in Luna firmware 7.4.2 appear in LunaCM and ckdemo as "Unknown Mechanism Type". They are listed correctly in multitoken.

Workaround: In the Luna API, you can always call mechanisms by name or by vendor code. The unknown mechanisms are listed by vendor code below:

>CKM_SM2DSA -- 0x80000b21

>CKM_SM3_SM2DSA -- 0x80000b22

>CKM_SHA1_SM2DSA -- 0x80000b23

>CKM_SHA224_SM2DSA -- 0x80000b24

>CKM_SHA256_SM2DSA -- 0x80000b25

>CKM_SHA384_SM2DSA -- 0x80000b26

>CKM_SHA512_SM2DSA -- 0x80000b27

LUNA-12822 client

Problem: CKDEMO option (39) Get OUID reports object OUIDs with extra zeroes appended.

Workaround: Use option (24) Get Attribute to view the correct OUID.

LUNA-12471 client

Problem: In LunaProvider, some operations prohibited in FIPS mode (insufficient key size, for example) fail with an unhelpful NULL error.

Workaround: Consult documentation for permitted FIPS mode operations.

LUNA-11616 client cloudHSM

Problem: If the client fails to resolve the Luna Cloud service's DNS hostname, other client slots fail to load in LunaCM.

Workaround: Ensure that your DNS network is stable before deploying a Luna Cloud HSM in an HA group. Ideally, configure multiple DNS nameservers for failover.

Resolved: Fixed in Luna HSM Client 10.2.0.

LUNA-11447 client cloudHSM

Problem: If an application running against an HA group fails over to the Luna Cloud HSM member and the DNS hostname does not resolve, a segmentation fault can occur.

Workaround: Ensure that your DNS network is stable before deploying the Luna Cloud HSM service in an HA group. Ideally, configure multiple DNS nameservers for failover.

Resolved: Fixed in Luna HSM Client 10.2.0.

LUNA-11448 client

Problem: Occasionally, after uninstalling the client software, client binaries remain in the installation directory.

Workaround: These can be safely deleted. To keep your configuration when updating to a new client version, do not delete the following files/directories:

>/cert

>/PedClient_service

>/softtoken

>crystoki.ini/Chrystoki.conf

LUNA-11367 client

Problem: On Solaris, attempting to perform operations on an HSM in Secure Transport Mode returns an unhelpful error (CKR_UNKNOWN) instead of the correct CKR_CMD_NOT_ALLOWED_HSM_IN_TRANSPORT.

Workaround: Refer to the documentation for instructions on recovering the HSM from STM.

LGX-1844 G7BU client

Problem: Luna B700 Backup HSM does not appear as a slot in LunaCM if ShowAdminTokens = no in the Luna HSM Client configuration file (Chrystoki.conf/crystoki.ini).

Workaround: Edit the configuration file to set ShowAdminTokens = yes.

Resolved: Fixed in Luna HSM Client 10.3.0.

LUNA-11229 client

Problem: Occasionally, changing the active slot in LunaCM results in objects not being correctly displayed by partition contents, even though the Crypto Officer remains logged in on that slot.

The 'Crypto Officer' is currently logged in. Looking for objects
accessible to the 'Crypto Officer'.
No objects viewable to 'Crypto Officer' are currently stored in the partition

Workaround: Log in as Crypto Officer again and retry partition contents.

LUNA-13176 client

Problem: On Linux, selecting only the PEDserver component during client installation installs all available client components.

Workaround: Uninstall the undesired components.

LUNA-11117 cloudHSM

Problem: When using a Luna Cloud HSM service with an Entrust integration on Windows, the entsh session times out after 4 minutes (this does not occur on Linux).

Workaround: Log in to the Entrust session again and rerun the command.

LUNA-13175 client

Problem: A code comment mistakenly appears in the output for some vtl commands:

Note: Aux cert printing function deprecated in OpenSSL 1.1.0 - reimplement

Workaround: This message can be safely ignored.

LUNA-11017 client cloudHSM

Problem: When using an HA group made up of Luna partitions and a Luna Cloud HSM service in FIPS mode, if the Luna partition is unavailable, ms2luna fails to migrate keys from the Microsoft CA to the HA slot.

Workaround: Ensure that all HA group members are available before you run ms2luna.

LUNA-10992 client

Problem: When using an HA group made up of Luna partitions and a Luna Cloud HSM service in FIPS mode, if the Luna partition is unavailable, 3DES keygen fails with CKR_MECHANISM_INVALID error.

Workaround: Ensure that all HA group members are available before initiating 3DES keygen.

Resolved: Fixed in Luna HSM Client 10.4.0.

SH-4194 cloudHSM

Problem: If you perform cmu getpkc on a Luna Cloud HSM service to confirm a public key, the operation can sometimes fail.

Workaround: To confirm your key pair's origins and security in an HSM, run CKDemo's DisplayObject (27) function. If the CKA_NEVER_EXTRACTABLE attribute is present, this confirms that the private key was created in the HSM and never extracted.

LUNA-10803 applianceSW

Problem: Luna Network HSM LCD can freeze on reboot - periodic update of displayed messages ceases (i.e., stuck on a single message), and lcdController messages appear in system log messages. Software-initiated restart/reboot does not fix the problem. Attempting to stop/start the LCD service does not fix the problem. This is a rare, intermittent issue, and does not affect other HSM appliance functions.

Workaround: If the LCD freezes, perform a hard shutdown and restart using the appliance's power switch, or disconnecting and reconnecting the power cable (both power cables on dual-power-supply models). Wait about 30 seconds between power off and power on.

Resolved: Fixed in Luna Network HSM appliance software 7.8.0.

LUNA-10348 applianceSW

Problem: Multiple issues related to network default gateway.

Resolved: Fixed in Luna Network HSM appliance software 7.3.3. Doesn't occur in 7.7.0 onward.

LGX-1295 G7BU client

Problem: When using a one-time password to initialize the Luna B700 Backup HSM's RPV (orange PED key), including the -pwd option before -ip or -hostname causes the command to fail.

Workaround: Specify the -ip or -hostname option before the -pwd option in the command:

lunacm:>ped connect -ip <IP_address> -pwd

Resolved: Fixed in Luna HSM Client 10.2.0.

LUNA-9040 applianceSW

Problem: With a bonding interface configured, the appliance cannot be reached through SSH after reboots. The bonding interface MAC address changes randomly after reboots.

Resolved: Fixed in Luna Network HSM appliance software 7.3.3. Problem does not exist in 7.4.2 and 7.7.0 onward.

NOTE: Resolution not confirmed, but the bonding interface MAC address no longer changes after reboots.

LGX-1203 G7BU client

Problem: Running slot list after disconnecting and reconnecting the Luna B700 Backup HSM may cause LunaCM to exit. For example:

1. Connect the Luna B700 Backup HSM and let it complete the boot sequence.

2. Disconnect it after it has completed the boot sequence and run slot list. The backup HSM is not listed.

3. Reconnect the backup HSM and let it complete the boot sequence.

4. Run slot list. LunaCM exits.

Workaround: Do not disconnect the Luna B700 Backup HSM during a LunaCM session, unless you are finished using it.

Resolved: Fixed in Luna HSM Client 10.2.0.

LUNA-8881 client

Problem: Application cannot change CKA_EXTRACTABLE default value via JSP.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.1.0.

LUNA-8833 client

Problem: Minimal Luna HSM Client 7.4.0 tar file has an additional character that could affect customer scripts.

Workaround: Change filename from LunaClient-Minimal-v7.4.0-226.x86_64.tar to LunaClient-Minimal-7.4.0-226.x86_64.tar before running scripts.

Resolved: Fixed in Luna HSM Client 10.1.0.

LUNA-8789 applianceSW

Problem: Restricting SSH traffic to an IPv6-configured ethernet port in LunaSH with sysconf ssh device eth# still allows SSH connection via IPv4.

Workaround: None.

LUNA-8782 applianceSW

Problem: Attempting to change a destructive HSM policy to an already-existing setting (0 to 0 or 1 to 1) results in partitions being renamed to unknown1, unknown2, etc. The partitions remain intact and are usable by clients.

Workaround: Ensure that your policy change commands are correct. If you did not mean to change the destructive policy and want to keep your existing partitions, you can rename them in LunaSH with partition rename.

LUNA-8780 client

Problem: One-step NTLS fails when the appliance's SSH host key changes or when connecting for the first time.

Workaround: In LunaCM, run clientconfig deploy with the -verbose option, and manually enter y when PuTTY prompts you to update the cached SSH key.

Resolved: Fixed in Luna HSM Client 10.1.0.

LUNA-8760 applianceSW

Problem: Registering an IPv6 NTLS client with REST API by POSTing to /api/lunasa/ntls/clients fails with an HTTP 400 error.

Workaround: None. Register NTLS clients with LunaSH to avoid this issue.

Resolved: Fixed in REST API 9.0.0, included with Luna Network HSM appliance software 7.7.0.

LUNA-8758 client

Problem: The command outputs of vtl examineCert and vtl fingerprint are reversed.

Workaround: None. Use each command to view the other's output.

Resolved: Fixed in Luna HSM Client 10.1.0.

LUNA-22384 applianceSW

Problem: An FM-ready Luna Network HSM with appliance software version 7.4.0 and HSM firmware 7.0.3 incorrectly displays "Non-FM" in the output from hsm show in LunaSH. LunaCM slot information for a partition on this HSM correctly displays "FM Ready".

Workaround: Ignore the incorrect output. You must upgrade the HSM firmware to 7.4.0 to use FMs.

Resolved: Fixed in Luna Network HSM appliance software 7.7.0.

LUNA-8739 applianceSW

Problem: On a 10G-capable appliance, when a 1G ethernet bond is active, sysconf config factoryreset produces an incorrect error in LunaSH:

Error: bond1 is still active.

Workaround: The bond is actually reset and this error can be safely ignored.

LKX-5745 client

Problem: When a Remote PED connection times out, the LunaCM commands ped connect and ped get indicate that there is an active PED connection, but operations requiring PED authentication produce an error (CKR_CALLBACK_ERROR).

Workaround: In LunaCM, run ped disconnect before ped connect or ped get.

LUNA-8620 applianceSW

Problem: NTLS failover on 10G optical ports (bond0) sometimes fails.

Workaround: None.

Troubleshooting: Luna Network HSM supports active-backup bonding mode only. This mode does not require any specific configuration of the switch. If this problem (Bond0 failover unsuccessful) is encountered, we recommend that you:

1. Trace the packet in the network to ensure that the network interface in the Luna Network HSM is discovered properly.

2. Ensure that the ARP entry is not incorrectly cached in the network.
Such a problem could be resolved through a manual ping-out from the appliance (network ping command). To execute this command, the operator must connect directly to the Luna Network HSM through the serial port.

LKX-5545 firmware

Problem: When simultaneously running a combination of FM and non-FM applications with the HSM, an error: Unable to communicate with HSM can occasionally occur under very high operation loads.

Workaround: Restart the HSM to clear the error (hsm restart).

LGX-1149 G7BU client

Problem: When backing up objects to a Luna B700 Backup HSM from user partitions hosted on HSMs running older firmware, differences in the size of the metadata associated with the objects may cause the backup partition to become full before all of the objects are backed up, resulting in the following error message: CKR_CONTAINER_OBJECT_STORAGE_FULL

Workaround: If you receive this message when backing up a user partition to a Luna B700 Backup HSM, use the LunaCM partition resize command to resize the backup partition so that it has enough space to accommodate the remaining objects, then use the partition archive backup command with the -append option to add the skipped objects to the backup.

Resolved: Fixed in Luna HSM Client 10.3.0.

LUNA-8566 applianceSW

Problem: If a tamper state exists on the HSM, the appliance re-image procedure fails without providing a reason.

Workaround: Clear any tamper state before executing sysconf reimage start in LunaSH.

LUNA-8619 applianceSW

Problem: During HSM initialization, if the PED operation to create the red domain key fails or times out, subsequent attempts to re-initialize the HSM will not prompt you to create the red domain key.

Workaround: Zeroize the HSM in LunaSH with hsm zeroize before re-initializing.

Resolved: Fixed in Luna Network HSM appliance software 7.7.0.

LUNA-8512 client

Problem: When a client is connected to multiple FM-enabled HSMs, and one HSM goes down for maintenance, is rebooted, or is busy with a long FM process, new FM processes on other HSMs experience a performance slowdown. Existing processes are unaffected.

Workaround: None. The slowdown only lasts as long as the HSM is down, rebooting, or busy.

LKX-5396 client

Problem: When creating an RSA key using CKDEMO, the user is mistakenly prompted for the Derive attribute (RSA key derivation is not allowed).

Workaround: None. The value entered is dropped and can be safely ignored.

Resolved: Fixed in Luna HSM Client 10.1.0.

LUNA-8348 applianceSW

Problem: When adding a DNS server using REST API, configured port bonds are broken. If there is no other ethernet interface configured, you must use a serial connection to reconfigure the port bond.

Workaround: None. Use LunaSH to configure the DNS servers.

Resolved: Fixed in Luna Network HSM appliance software 7.7.0.

LUNA-8343 applianceSW

Problem: On rare occasions, the appliance fails to load the K7 card driver and the HSM appears unavailable.

Workaround: Reboot the appliance.

Resolved: Fixed in Luna Network HSM appliance software version 7.3.0.

LKX-5353 client firmware

Problem: When a Remote PED connection times out, role login in LunaCM fails with a confusing error (CKR_FUNCTION_FAILED).

Workaround: In LunaCM, run ped disconnect before ped connect.

LKX-5351 firmware

Problem: When partition policy 29: Perform RSA signing without confirmation is set to 0 (OFF), all RSA sign operations fail with an error (CKR_DATA_LEN_RANGE).

Workaround: If you use RSA signing, do not turn off partition policy 29.

Resolved: Fixed in Luna HSM firmware 7.7.0.

LKX-5263 firmware

Problem: When audit logs fill up the HSM memory, HSM functions continue when they should be halted until audit logging is properly configured. Affects FM log entries only.

Workaround: Configure audit logging on the HSM as described in documentation to prevent HSM memory from filling up.

LKX-5259 firmware

Problem: FM Capability license can be applied on non-FM-ready hardware.

Workaround: Ensure your hardware is FM-ready before applying an FM license to the HSM.

LUNA-7979 applianceSW

Problem: Updating the appliance software resets SSH port info to default value 22, causing loss of SSH connection.

Workaround: Reconnect SSH by specifying port 22, or connect to appliance via serial port to reset SSH settings.

Resolved: Fixed in Luna Network HSM appliance software version 7.4.0.

LUNA-7791 applianceSW

Problem: REST API DELETE /api/lunasa/ntp/servers or DELETE /api/lunasa/ntp/servers/[default local ntp server addr] deletes default NTP server.

Resolved: Fixed in Luna Network HSM appliance software 7.3.1. Default NTP server can no longer be deleted.

LUNA-7585 client firmware

Problem: Java DERIVE and EXTRACT flag settings for keys injected into the HSM were forced to "true" in the JNI, which overrode any values passed by applications via Java.

Workaround: Refer to the CRN Advisory Notes.

Resolved: Fixed in Luna HSM firmware 7.3.0 and Luna HSM Client 7.3.0.

LKX-4942 client

Problem: When the HSM is in a tampered state, the ctfm utility produces a confusing error (CKM_INVALID_ENTRY_TYPE).

Workaround: Check for and clear any tamper state before using ctfm.

LUNA-7499 client firmware

Problem: Private BIP32 Key Injection (combination of private key encryption and unwrapping operations) was not implemented in Luna 7.3.

Resolved: The call has been included; requires Luna HSM firmware 7.4.0 and Luna HSM Client 7.4.0.

LKX-4868 client

Problem: On a 64-bit client operating system, running multitoken with different BIP32 modes against an STC HA virtual slot causes multitoken to fail with an error (CKR_TOKEN_NOT_PRESENT).

Workaround: Do not use BIP32 modes with STC HA groups; use NTLS instead.

LKX-4852 applianceSW

Problem: The reset timestamp displayed when reporting metrics via LunaSH or REST can vary by approximately 6 seconds each time the commands are used.

Workaround: Reset the timers. This causes the value to be written to a file, so that the reported reset time remains constant until the next reset.

LKX-4817 client

Problem: FM sample applications built on a Windows platform do not automatically locate the Cryptoki library.

Workaround: Move or copy the sample .exe to the main Luna HSM Client directory where the library is located.

LUNA-7438 client

Problem: When using CKdemo to perform a multipart sign/verify operation with a key that has exceeded its specified usage count, an expected error is returned (CKR_KEY_NOT_ACTIVE). The next sign/verify operation with an active key fails with an unexpected error (CKR_OPERATION_ACTIVE).

Workaround: Restart CKdemo and attempt the operation again.

Resolved: Fixed in Luna HSM Client 10.3.0.

LKX-4776 firmware

Problem: When running a combination of high-traffic FM and standard Luna applications, a rare SMFS failure can occur. Standard Luna processes are unaffected.

Workaround: Erase the SMFS using hsm fm recover -erase smfs in LunaSH, or the fmrecover utility for a Luna PCIe HSM, and restart the FM application if necessary.

LUNA-7436 client

Problem: Encrypt operations using DES3_CBC_PAD and specifying a NULL buffer fail (CKR_BUFFER_TOO_SMALL).

Workaround: Manually specify a buffer size for these operations.

Resolved: Fixed in Luna HSM Client 10.3.0.

LUNA-7430 client

Problem: When running commands in some Luna utilities on Windows 10, password characters are duplicated.

Workaround: Contact Thales Customer Support.

Resolved: Fixed in Luna HSM Client 7.4.0.

LUNA-7418 applianceSW

Problem: When logged in to LunaSH as a custom user, resetting the appliance users to factory condition (sysconf config factoryreset -service users) does not delete the currently logged-in user.

Workaround: Log in to LunaSH as admin to reset the appliance user configuration.

LKX-4716 client firmware

Problem: The wrapcomptest sample application hangs if it is used to query a non-FM slot or an invalid slot number.

Workaround: Interrupt the hanging application with CTRL+C. Use the correct slot for the FM partition.

LUNA-10915 client

Problem: When you delete a key from a Luna Cloud HSM service, CKlog displays an incorrect object handle.

Resolved: Fixed in Luna HSM Client 10.1.0.

LKX-4543 firmware

Problem: After a firmware update, duplicate entries are produced in the audit logs. These duplicate entries cause log verification to fail with an error (CKR_LOG_BAD_RECORD_HMAC).

Workaround: There is no way to avoid the duplicate entries. However, the other entries in the log file can be verified without error. When verifying the logs, specify a range that excludes the duplicate entries:

LunaSH: audit log verify -file [log_file] -start [first_entry] -end [last_entry]

LunaCM: audit verify file <log_file> start [first_entry] end [last_entry]

Resolved: Fixed in Luna HSM firmware 7.4.0.

LUNA-7258 client

Problem: When running cmu commands on Windows 10, password characters are duplicated.

Resolved: Fixed in Luna HSM Client 7.3.0.

LUNA-7164 applianceSW

Problem: When a bad remote logging host is added, existing hosts that were functioning correctly stop receiving logs.

Workaround: Ensure that all remote logging hosts are reachable and configured correctly before adding them.

Resolved: Fixed in Luna Network HSM appliance software 7.4.0.

LUNA-7074 client

Problem: In LunaCM, when switching the active slot between partitions on different HSMs, ped connect and ped get sometimes report an active Remote PED connection, even though the connection is broken. Authentication commands fail.

Workaround: Use ped disconnect on the active slot before switching to a different slot and running ped connect.

Resolved: Fixed in Luna HSM Client 7.4.0.

LUNA-7000 applianceSW

Problem: Using REST API, open application IDs sometimes cause the HSM to stop responding.

Resolved: Fixed in REST API 7.0.0, included with Luna Network HSM appliance software 7.3.0.

LKX-4266 client

Problem: LunaCM incorrectly allows the user to add FM-enabled partitions to the same HA group as non-FM partitions.

Workaround: HA groups with a combination of FM and non-FM members are not supported.

LUNA-4134 applianceSW

Problem: When the Luna Network HSM is configured for IPv6 connections, a missing file error is displayed in the LunaSH output from network show (/usr/lunasa/lush/Lroot/Cnetwork/network_utility_common: line 63: /usr/lunasa/bin/getIPv6Prefix: No such file or directory).

Workaround: This error can be safely ignored.

LKX-4250 client firmware

Problem: CA_DeriveKeyAndWrap does not handle AES_KW, AES_KWP, or AES_CTR mechanisms.

Workaround: None.

Resolved: Fixed in Luna HSM firmware 7.7.0 and Luna HSM Client 10.3.0.

LUNA-3683 client

Problem: On Linux clients, when a non-root user attempts to uninstall the Luna HSM Client software, the process fails and the client software remains installed, but Uninstall of the Luna HSM Client 7.3.0-165 completed is displayed in the command output.

Workaround: Ignore this message and log in as the root user to uninstall the Luna HSM Client software.

Resolved: Fixed in Luna HSM Client 7.4.0.

LUNA-3511 firmware

Problem: After performing a factory reset, the Audit configuration is reset, and the subsequent HSM zeroization event is not logged.

Workaround: None.

LUNA-3423 client

Problem: A failed C_WrapKey call on an STC partition configured for Cloning returns the error CKR_BUFFER_TOO_SMALL, while the same failure on an NTLS Cloning partition returns the error CKR_KEY_NOT_WRAPPABLE.

Workaround: If you are checking logs for one of these exact errors, ensure that you search for the error associated with your connection type.

LUNA-3422 client

Problem: A failed C_WrapKey call on an STC partition configured for Key Export returns the error CKR_BUFFER_TOO_SMALL, while the same failure on an NTLS Cloning partition returns the error CKR_MECHANISM_INVALID.

Workaround: If you are checking logs for one of these exact errors, ensure that you search for the error associated with your connection type.

LUNA-3421 client

Problem: A C_CloseAllSessions call on an STC partition configured for Key Export returns CKR_UNKNOWN, while the same call on an NTLS Key Export partition returns CKR_OK.

Workaround: None.

LUNA-3416 client

Problem: When performing AES encryption on an HA group using AIX and SPARC clients, failover occasionally fails with an error (CKR_TOKEN_NOT_PRESENT).

Workaround: None.

LUNA-3414 applianceSW

Problem: One-step Network Trust Link (NTLS) setup fails on Windows with error code CKR_CANCEL when SO Login Enforcement is enabled.

Workaround: Use the multi-step NTLS setup procedure to create a connection to the Luna Network HSM appliance.

Resolved: Fixed in Luna Network HSM appliance software 7.7.0.

LUNA-3364 applianceSW

Problem: After running sysconf appliance reboot from LunaSH, the appliance occasionally gets stuck with a Rebooting message on the LCD screen.

Workaround: Remove all power from the appliance (by removing the cable from the power supply units), wait at least 30 seconds, then reconnect power and restart the appliance.

Resolved: Download and install Luna 7 Appliance Reboot Patch 1.0.0 from the Thales Customer Support Portal. The content of this patch is included in Luna Network HSM appliance software 7.7.0.

LUNA-3343 client

Problem: When using STC in a high traffic or high multi-threaded application scenario, the error CKR_STC_RESPONSE_REPLAYED is occasionally generated and causes subsequent commands to fail.

Workaround: Restart the client application, and the error will clear.

LUNA-3307 client

Problem: In LunaCM, clientconfig deploy (one-step NTLS) fails if the partition name contains spaces.

Workaround: Use the multi-step NTLS connection procedure to assign the partition to the client.

LUNA-3298 client

Problem: When installing Backup HSM and Luna PED drivers from Luna HSM Client software on a host machine with a fresh, non-upgraded version of Windows 10, Windows reports an error with the driver signatures.

Workaround:

- Luna Network HSM: Download and install Luna HSM Client patch 7.2.1 from the Thales Customer Support Portal (DOW0003077). Alternatively, disable Windows 10 driver signature enforcement before installing the Luna HSM Client.

- Luna PCIe HSM: Disable Windows 10 driver signature enforcement before installing the Luna HSM Client.

Resolved: Fixed in Luna HSM Client 7.3.0.

LUNA-3291 client

Problem: When uninstalling the client software and reinstalling in a new file location, IPv6 certificates are not copied from the original location, and NTLS connections are lost.

Workaround: Manually copy the certificates from the old client install location to the new one.

LUNA-3276 client

Problem: On Linux, client software cannot be installed to a directory that includes a space character. If such an install path is specified, the path is cut off at the space (for example, specifying /luna client/ creates install directory /luna).

Workaround: Do not specify an install directory that includes spaces.

LUNA-3275 client

Problem: When using CKdemo to query an application partition, the Crypto Officer password is entered in visible plaintext.

Workaround: None.

Resolved: Fixed in Luna HSM Client 7.3.0.

LUNA-3254 applianceSW

Problem: Calls to CA_OpenApplicationID fail when certain sequences of calls are run, for example:

1. CA_SetApplicationID(x,y)

2. C_OpenSession()

3. C_CloseSession()

4. CA_OpenApplicationID(x,y)

Resolved: Fixed in Luna Network HSM appliance software 7.3.0.

LKX-3338 firmware

Problem: On Luna HSM *700 and *750 models, asymmetric digest-and-sign or digest-and-verify mechanisms produce the wrong result when the data length exceeds 64 kB.

Resolved: Fixed in Luna HSM firmware 7.2.0 and 7.0.3.

LUNA-3167 client

Problem: Cannot migrate keys using ms2Luna.exe for CSP.

Workaround: Copy a version of ms2Luna.exe from an older client package (6.2 or older).

Resolved: Fixed in Luna HSM Client 7.3.0.

LUNA-3126 applianceSW

Problem: In LunaSH, after running hsm ped connect on an uninitialized Luna Network HSM, hsm ped show may incorrectly display Number of Connected PED Server : 0.

Workaround: None necessary; this behavior does not affect the functioning of Remote PED.

LUNA-3071 client

Problem: When LunaCM is launched in Luna Minimal Client, an unexpected error is displayed (Error: Failed to initialize remote PED support).

Workaround: Edit Chrystoki.conf/crystoki.ini and remove Toolsdir from the Misc section.

Resolved: Fixed in Luna HSM Client 7.3.0.

LUNA-3070 client

Problem: The vtl cklog enable/disable command does not work if LibUNIX and LibUNIX64 are in different folders.

Workaround: Enable cklog manually by editing Chrystoki.conf/crystoki.ini. Refer to the SDK Reference for details.

LUNA-3015 applianceSW

Problem: LunaSH command sysconf config factoryReset does not remove port bonding.

Resolved: Fixed in Luna Network HSM appliance software 7.2.0.

LUNA-2983 client

Problem: CMU Export Public Key produces an incorrectly formatted key. A public key exported with the command cmu export -handle [handle#] -outputfile [filename] -key has incorrect header and footer text.

Workaround: Edit the exported public key file, replacing
----- BEGIN CERTIFICATE ----- and ----- END CERTIFICATE -----
with
----- BEGIN PUBLIC KEY ----- and ----- END PUBLIC KEY ----- respectively.

Resolved: Fixed in Luna HSM Client 7.3.0.

LUNA-2947 client

Problem: When using Luna Network HSM appliance software 7.2.0 with earlier Luna HSM Client software, cmu getpkc fails with an error (Could not retrieve the PKC).

Resolved: Fixed in Luna HSM Client 7.2.0.

LUNA-2677 client

Problem: Unable to change CKA_EXTRACTABLE key attribute via Java (LunaProvider/JSP).

Workaround: Download and apply the Luna HSM 7.1 Java Patch from the Thales Customer Support Portal. Follow the README instructions to ensure that your Java application sets the appropriate key attributes.

Resolved: Fixed in Luna HSM Client 7.2.0.

LUNA-2663 applianceSW

Problem: In LunaSH, hsm firmware upgrade fails with errors (LUNA_RET_UNKNOWN_COMMAND and RC_GENERAL_ERROR) if STC is enabled on the Admin channel. It is then necessary to decommission the HSM in order to update the firmware.

Workaround: Disable STC on the Admin channel before updating the HSM firmware.

Resolved: Fixed in Luna Network HSM appliance software 7.2.0. If STC is enabled on the Admin channel, the user is prevented from updating the HSM firmware.

LUNA-2646 client

Problem: One-step NTLS can fail after installing, uninstalling, and reinstalling the Luna HSM Client on Windows.

Workaround: Use the multi-step NTLS setup procedure to create a connection to the Luna Network HSM appliance.

LGX-358 G7BU

Problem: Connecting a Luna B700 Backup HSM to a USB 3.0 (SuperSpeed) port may result in error messages being displayed by the host operating system. This behavior occurs in both Windows and Linux.

For example, on Windows, you may see a USB device not recognized error.

On Linux, you may see messages like the following (visible using dmesg or in /var/log/messages):

usb 1-4: device descriptor read/64, error -71

usb 1-4: Device not responding to setup address.

usb 1-4: device not accepting address 32, error -71

Workaround: You can ignore these messages, as they have no effect on the normal operation of the device.

Resolved: Resolved in Luna B700 Backup HSM with firmware 7.7.x installed from the factory. Backup HSMs upgraded to firmware 7.7.x still display the messages.

LUNA-2445 client

Problem: The default maximum length for HA log files is incorrectly set to 40000 bytes, and misreported in LunaCM as 262144 bytes (the intended minimum). This can lead to many small HA log files being rotated frequently.

Workaround: Manually set the HA log maximum file size using hagroup halog -maxlength [bytes] the first time you configure HA logging.

LKX-3233 firmware

Problem: Value for HSM policy 46 (Disable Decommission) cannot be changed. Attempting to change it returns an error (CKR_CONFIG_FAILS_DEPENDENCIES).

Workaround: None.

Resolved: Fixed in Luna HSM firmware 7.2.0.

LUNA-2261 client

Problem: CKR_DATA_INVALID on wrap/unwrap with multitoken on AIX and Solaris clients.

Workaround: None.

LUNA-2230 applianceSW

Problem: If HSM policy 39 (Allow Secure Trusted Channel) is turned off while STC is enabled on the admin channel, the HSM SO is unable to log in using hsm login.

Workaround: If this occurs, exit LunaSH and log in again as the admin user. In general, disable STC on the admin channel (hsm stc disable) before setting HSM policy 39 to 0.

Resolved: Fixed in Luna Network HSM appliance software 7.2.0.

LUNA-2224 client

Problem: When you initialize an STC partition by applying a partition policy template, a confusing error (CKR_TOKEN_NOT_PRESENT) is returned.

Workaround: None.

Resolved: Fixed in Luna Network HSM appliance software 7.7.1.

LKX-3178 client firmware

Problem: When you use an older client and query partition-level capabilities and policies, the HSM returns incorrect policy numbers.

Workaround: Refer to the documentation for the correct policy numbers.

Resolved: Fixed in Luna HSM firmware 7.2.0.

LUNA-2199 client

Problem: LunaCM occasionally freezes in Windows 2016 when a new slot is created or deleted.

Workaround: End the LunaCM instance with Task Manager and restart LunaCM.

LKX-3159 firmware

Problem: In LunaCM, hsm information monitor incorrectly reports HSM utilization.

Workaround: None.

Resolved: Fixed in Luna HSM firmware 7.2.0.

LUNA-2081 client

Problem: Multipart AES_KW operations on non-block-sized data return an incorrect error code (CKR_DEVICE_ERROR).

Workaround: None.

Resolved: Fixed in Luna HSM Client 7.2.0 onward.

LUNA-2077 client

Problem: In LunaCM on Windows, one-step NTLS (clientconfig deploy) is very slow and takes almost four minutes to complete the NTLS connection setup.

Workaround: None.

Resolved: One-step NTLS performance has been improved in Luna HSM Client 7.2.0.

LUNA-2022 applianceSW

Problem: When attempting to restrict SSH access to an individual ethernet device (eth#) that is configured within a port bond (bond0 or bond1), a confusing error is returned:

Usage: /bin/grep [OPTION]... PATTERN [FILE]...

Try '/bin/grep --help' for more information.

Warning: SSH is already restricted to the specified ip address / ethernet

card. No changes made.

Workaround: This operation is expected to fail. With port bonding configured, restrict SSH to one of the port bonds instead.

LUNA-2007 client

Problem: Unable to establish an NTLS connection using the one-step NTLS procedure on Solaris x86 when there are more partitions (10~15).

Workaround: Use the multi-step NTLS connection procedure on a Solaris client.

LUNA-1927 client

Problem: Unable to add new member to HA group after removing primary member.

Workaround: Manually delete the serial number of the deleted Luna Network HSM's partition from the VirtualToken00Members field in the Chrystoki.conf/Crystoki.ini file and then add the new partition to the existing HA group. It is added successfully, and the old entry from the LunaCM HA list is also removed.

LKX-3042 firmware

Problem: When partition policy 39: Allow start/end date attributes is enabled, all start dates must be later than January 01, 1970.

Workaround: Ensure that the start date attribute is later than January 01, 1970.

Resolved: Fixed in Luna HSM firmware 7.2.0.

LKX-3184 firmware

Problem: If HSM policy 39: Enable Secure Trusted Channel has been set to 1 (ON) at any time, attempting a firmware rollback will cause the HSM to fail with an error (Unable to communicate with HSM).

Workaround: None. If you are using STC, or have enabled HSM policy 39 in the past, do not roll back the HSM firmware.

Resolved: Fixed in Luna HSM firmware 7.2.0.

LKX-2824 firmware

Problem: C_DeriveKey does not reject templates that contain CKA_VALUE, and uses the CKA_VALUE that is provided in the external template.

Workaround: None.

Resolved: Fixed in Luna HSM firmware 7.0.2 and 7.1.0.

LKX-2812 firmware

Problem: The HSM reports 3072-bit as the maximum allowed key size for the RSA 186-3 mechanisms (CKM_RSA_FIPS_186_3_AUX_PRIME_KEY_PAIR_GEN and CKM_RSA_FIPS_186_3_PRIME_KEY_PAIR_GEN), when it should report 4096-bit.

C_GetMechanismInfo reports 3072 as the maximum size for these mechanisms. If your application uses C_GetMechanismInfo to query the maximum key size, it may prevent 4096-bit operations from working.

Workaround: Ignore the reported limit. 4096-bit keys will generate successfully.

Resolved: Fixed in Luna HSM firmware 7.0.2.

LUNA-454 applianceSW

Problem: Luna Network HSM appliance user names that begin with a non-alphanumeric character (period, dash, or underscore) may cause issues and/or potential system crashes.

Workaround: Always use an alphanumeric character as the first character in the user name when creating appliance user accounts.

Resolved: Fixed in Luna Network HSM appliance software 7.1.0.

LUNA-853 client

Problem: On Linux, the Luna HSM Client software fails to install to a directory with spaces in its name.

Workaround: Remove spaces from the directory name before installing the client.

Resolved: Fixed in Luna HSM Client 7.1.0.

CPP-3404 client

Problem: CMU may crash or report a memory allocation error when using a non-FIPS signing mechanism in FIPS mode.

Workaround: Specify a FIPS-approved signing mechanism such as sha256withRSA.

LUNA-169 applianceSW

Problem: In LunaSH, network show displays an incorrect IPv6 Mask prefix.

Workaround: None. If set correctly, IPv6 works even though the wrong mask is displayed.

Resolved: Fixed in Luna Network HSM appliance software 7.1.0.

LUNA-264 client

Problem: On Linux, non-root users cannot initialize the STC token or create an STC client identity.

Workaround: Start LunaCM as root with sudo ./lunacm.

Resolved: Fixed in Luna HSM Client 7.1.0.

LUNA-7194 applianceSW

Problem: Webserver starts even if no SSL key/cert exists, but is not accessible.

Workaround: Generate the SSL key/cert before starting the webserver.

Resolved: Fixed in REST API 7.0.0, included with Luna Network HSM appliance software 7.4.0.

LUNA-263 client

Problem: On Linux, non-root users cannot configure the RBS server.

Workaround: As root, run the following commands:

1. chown -R root:hsmusers /usr/safenet/lunaclient/rbs/

2. chmod g+w -R /usr/safenet/lunaclient/rbs/

Resolved: Fixed in Luna HSM Client 7.1.0.

LUNA-163 applianceSW

Problem: When the HSM audit logs are full, audit login appears to succeed, but the user is not actually logged in and cannot perform operations.

Workaround: Clear the audit logs by opening an SSH session as audit, and perform the following steps:

1. Tar the audit logs with the command audit log tarlogs.

2. Transfer the tar file out of the appliance.

3. Clear the audit log files to free up space on the audit log partition with the command audit log clear.

Resolved: Fixed in Luna Network HSM appliance software 7.1.0.

CPP-3261 applianceSW

Problem: After performing sysconf config factoryreset, the appliance host name is not reset.

Workaround: None.

LUNA-261 client

Problem: On Linux, non-root users cannot add a new HSM server after CAfile.pem has been created by the root user.

Workaround: Use the same user account to create the certificate and register the server.

Resolved: Fixed in Luna HSM Client 7.1.0.

CPP-3241 applianceSW

Problem: Untarred audit log files are not visible to the user.

Workaround: Untarred audit log files will not appear in the list of log files generated by the LunaSH command my file list, but they can still be verified using audit log verify -file <filename> -serialsource <serialnum>.

CPP-3235 client

Problem: In LunaCM, the partition clone command fails the first time if the Partition SO is logged in to the target slot.

Workaround: Run the partition clone command again. The second attempt should be successful.

LUNA-166 applianceSW

Problem: In LunaSH, running package verify and package update with the -useevp option produces a CKR_SIGNATURE_INVALID error.

Workaround: None.

Resolved: Fixed in Luna Network HSM appliance software 7.1.0.

LUNA-266 client

Problem: In LunaCM, clientconfig deleteserver deregisters the HSM server on the Client, but does not delete the HSM server certificate file from the [LunaClient_dir]/cert/server directory. Attempts to re-register the same server with a regenerated certificate fail.

Workaround: Manually delete the certificate from the cert/server directory.

Resolved: Fixed in Luna HSM Client 7.1.0.

CPP-3191 applianceSW client

Problem: After rebooting the appliance, occasionally clients cannot see partitions on the first connection attempt.

Workaround: Run the vtl verify command again. The second attempt should be successful.

CPP-2960 client

Problem: LunaCM hangs on exit on Windows 2016.

Workaround: End the LunaCM instance using the Task Manager.

LUNA-801 G5BU client

Problem: On Windows, a system crash can occur when you disconnect a Luna Backup HSM from the computer while the PEDclient service is running.

Resolved: Fixed in Luna HSM Client 7.1.0.

CPP-2925 client

Problem: When the cklog library is configured, an error.txt file containing extraneous messages may be created.

Workaround: None.

CPP-2820 applianceSW

Problem: Luna Network HSM 7 attempts to load K6 driver upon rebooting.

Workaround: None. SNMP hsmCriticalEvent and hsmNonCriticalEvent counters are not implemented in this release, and will always remain 0.

Resolved: Fixed in Luna Network HSM appliance software 7.1.0.

RAPI-1248 applianceSW

Problem: REST API web client shows wrong logout result.

Workaround: Use the Custom I/O to manually log out.

Resolved: Fixed in REST API 7.0.0, included with Luna Network HSM appliance software 7.4.0.

RAPI-1211 applianceSW

Problem: In REST API, GET /api/lunasa/hsms may return an empty list.

Workaround: Another attempt may return a populated list if an HSM is available.

LUNA-1592 client

Problem: When trying to run the HALogin.java script, a CKR_UNKNOWN error is returned.

Workaround: None. Do not use the HALogin.java sample.

LUNA-132 applianceSW

Problem: When configuring a network device for IPv6 using SLAAC or DHCPv6, the IPv6 address is retrieved, but the name server and search domain are not.

Workaround: Configure the name server and search domain manually, using the LunaSH command network dns add.

CPP-2380 client

Problem: When running the MiscCSRCertificateDemo.java sample, a null pointer exception occurs.

Workaround: None.

CPP-5052 client

Problem: The hagroup list command returns an error.

Workaround: Run the hagroup list command again. The second attempt should be successful.

RAPI-1096 applianceSW

Problem: After modifying the webserver settings, the apiversion under /api/lunasa becomes 0.

Workaround: Restart the webserver service.

RAPI-1062 applianceSW

Problem: In REST API, POST /auth/logout does not return Access-Control-Allow-Credentials and Access-Control-Allow-Origin in the response headers.

Workaround: None.

Resolved: Fixed in REST API 7.0.0, included with Luna Network HSM appliance software 7.4.0.

CPP-2376 G5BU

Problem: On the Backup HSM, the hsm init command with the -iped option fails after hsm factoryreset.

Workaround: Run the hsm init command again. The second attempt should be successful.

Resolved: Fixed in Luna G5 Backup HSM firmware 6.27.0.

LUNA-218 applianceSW

Problem: You cannot add a host or network route using the LunaSH network route add command without including the gateway value.

Workaround: None.

LUNA-1948 applianceSW

Problem: Secure NTP server connections using AutoKey authentication do not work.

Workaround: Use Symmetric-Key authentication instead.

Resolved: Fixed in Luna Network HSM appliance software 7.1.0.

LUNA-827 client

Problem: During key wrapping/unwrapping, calling with a NULL data pointer to get the data length causes the key to be used twice, incrementing the key usage count both times.

Workaround: Specify a buffer size larger than the keys you intend to wrap/unwrap.

LUNA-3621 applianceSW

Problem: REST API partition actions contain actions that should be deprecated.

Workaround: Do not call these resources.

Resolved: Fixed in REST API 7.0.0, included with Luna Network HSM appliance software 7.3.0.

CPP-1339 applianceSW

Problem: In LunaSH, sysconf config restore does not restore the SSH password for the admin user. If the password is not reset immediately, the admin user will be unable to log in to the appliance in subsequent SSH sessions.

Workaround: Use sysconf config clear to reset the admin password to the default. You must do this in the same session that you used to run the sysconf config restore command.

LUNA-339 applianceSW

Problem: Some appliance sensor information is missing or incorrectly reported via SNMP.

Workaround: Use the LunaSH command status sensors to obtain this information.

LUNA-1681 client firmware

Problem: Remote backup through TCP/IP via the LunaCM command partition archive backup -slot remote -hostname [hostname] -port [portnum] is not recognized.

Workaround: Use RBS to back up partitions remotely.

LUNA-1423 applianceSW

Problem: DSA SSH keypair is not regenerated by sysconf ssh regenkeypair.

Workaround: None. DSA keys are deprecated in OpenSSH due to weakness. Use RSA keys for SSH instead.

Resolved: Fixed in Luna Network HSM appliance software 7.1.0.

LUNA-7429 client

Problem: When using CKdemo with HA groups, an Attribute type invalid error is returned.

Workaround: If you plan to use HA Groups, change your CKdemo settings to use legacy role logins. To do this, select Role Support from the 98) Options in the OTHERS menu.

CPP-626 client

Problem: If you zeroize an HSM hosting an HA group member partition, all running cryptographic operations against the HA group fail.

Workaround: Remove any member partition from the HA group before zeroizing the host HSM.

CPP-932 client

Problem: If the configured audit logging directory is not found, the PEDclient service fails with error LOGGER_init failed.

Workaround: Ensure that the directory you configure for audit logging exists.

RAPI-383 applianceSW

Problem: REST API does not verify the NTLS client's IP against the certificate.

Workaround: None.