Known and Resolved Issues

Problem: Using the Luna HSM Client installer on RHEL, when the Luna Backup HSM option is installed without the Luna PCIe HSM option, the Luna Backup HSM 7 driver fails to start automatically, and the Luna Backup HSM 7 does not appear in LunaCM.

Workaround: Run # service g7 start in the Linux command line, wait 30-60 seconds for the driver to start up, and restart LunaCM.

Problem: TLS handshake fails in NTLS when using Luna Appliance Software 7.9.0 with Luna HSM Client 10.3.0.

Workaround: After update to Luna Appliance Software 7.9.0, regenerate the NTLS certificate.

Resolved: No longer applicable after using the above workaround.

Problem: Certificates created using vtl can have non-mandatory fields added by default if they are not specified. Example: A command createCSR -n lunaclient_1 results in a CSR that contains C, ST, L, and O, in addition to the required CN field.

Resolved: Fixed in Luna HSM Client 10.8.0.

Problem: During periods of very high usage, HSM utilization percentages higher than 100% can be reported by LunaSH.

Workaround: None.

Resolved: Fixed in Luna Appliance Software 7.9.0.

Problem: CMU tool generates self-signed certificates that include the 'CRITICAL' flag, in keyusage extensions of the self-signed certificate, even when the value is set to false, which is non-compliant with RFC 5280 Appendix B.

Resolved: Fixed in Luna HSM Client 10.7.2.

Problem: Luna HSM Client 10.7.2 JSP receiving a call LunaCertificateX509.getSigAlgParams() leads to a null pointer exception, if the certificate gets generated under certain circumstances.

Resolved: Fixed in Luna HSM Client 10.8.0.

Problem: Using the cluster REST API, if an optional parameter is formatted incorrectly in a request (for example, with incorrect lettercase), the request succeeds, but the improperly formatted parameter is ignored. This can result in unexpected configurations or outcomes.

Workaround: None. Ensure that all parameters are formatted according to specification.

Problem: Attempting to migrate ECDSA-256 key from MS provider to the Luna "SafeNet" provider, using ms2luna results in an error CKR_KEY_TYPE_INCONSISTENT.

Resolved: Fixed in Luna HSM Client 10.8.0.

Problem: When registering slots with spaces in the slot label using the KSP registration utility, the tool truncates at the first space, rendering the slot unregistered and unusable, whereas manually registered slots with spaces in the label work fine.

Resolved: Fixed in Luna HSM Client 10.8.0.

Problem: The following REST API endpoints cannot be used to transfer files that are in uncompressed formats such as .pem, .log, and .txt.

>POST /users/{userid}/files

>PUT /api/lunasa/ntls/certificate

>PUT /api/lunasa/ntls/clients/{clientid}

>PUT /api/lunasa/syslog/remoteHosts/certificate

>PUT /api/lunasa/webServer/certificate

Workaround: Use LunaSH to transfer these kinds of files.

Resolved: Fixed in Luna REST API 16, included with Luna Appliance Software version 7.9.0.

Problem: When initializing a partition as a new user with admin role and partition policy template (ppt) file, error "PPT template file not found" is thrown.

Resolved: Fixed in Luna Appliance Software 7.9.0.

Problem Using REST API to upgrade the Luna Appliance Software from version 7.8.4/7.8.5, the operation fails with message "We failed to parse your request." This error affects CCC users.

Workaround: Use LunaSH to update the Luna Appliance Software.

Resolved: Fixed in the following software patches:

>Luna Network HSM 7.8.5-20 Appliance REST API Patch

>Luna Network HSM 7.8.4-350 Appliance REST API Patch

Problem: An ssh public key generated using the ssh-keygen command is in the format "key-type key-data comment" and is accepted by the Luna Network HSM appliance, but an ssh public key generated by an application that does not include a "comment" is not accepted.

Resolved: Fixed in Luna Appliance Software 7.9.0. SSH public keys with or without comment are accepted.

Problem: KspConfig fails to process slot password longer than 62 characters.

Resolved: Fixed in Luna HSM Client 10.8.0.

Problem: LunaSH allows the REST API webserver to be bound to a port between 80-1023. If a port in this range is selected, the REST API will fail to start sessions.

Workaround: Select a port in the range of 1024-65535.

Resolved: Fixed in Luna REST API 16, included with Luna Appliance Software 7.9.0.

Problem: When one or more members of an HA group are unavailable, manual synchronization fails.

Workaround: None. Automatic synchronization works among the active members as expected.

Resolved: Fixed in Luna HSM Client 10.8.0.

Problem: Using Luna Appliance Software 7.8.5, adding third-party certificates generated by Microsoft CA fails with Error: File <certname>.pem does not have proper format.

Workaround: Before transferring a Windows-generated certificate to the Luna Network HSM 7, remove the CR characters from the certificate file.

Resolved: Fixed in Luna Appliance Software 7.9.0.

Problem: libCryptoki 2.so does not set the FD_CLOEXEC flag on sockets that it opens to the HSM. This results in these sockets leaking through a fork/exec pair.

Resolved: Fixed in Luna HSM Client 10.8.0.

Problem: Using Luna HSM Client 10.7.2, running the LNHClientRegistration script to register the client to a cluster deletes the existing NTLS private key on the client. This occurs only if you specify the same client common name (usually its IP address) that was used for the NTLS certificate.

Workaround: Specify a different Common Name for the cluster client cert than was used for the NTLS client cert. Alternatively, to preserve the NTLS key, located in <install directory>/safenet/lunaclient/cert/client/, save a copy in another location and restore it after running the registration script.

Resolved: Fixed in Luna HSM Client 10.8.0.

Problem: If the audit and operator users were enabled using Luna REST API with a Luna Appliance Software older than 7.8.0, updating directly to version 7.8.5 removes these users' role information. The operator role can no longer be used with REST API, except by re-imaging the Luna Network HSM 7. The audit role is not supported using Luna REST API, but its role information is also removed. See also RAPI-3900.

Workaround: Update the Luna Appliance Software to version 7.8.3 before updating to 7.8.5. If you are updating after an appliance re-image, consider enabling these users after the appliance software update.

Resolved: No longer applicable after using the workaround above to update to Luna Appliance Software 7.8.5.

Problem: Core dump when CA_GetCurrentHAState is called continuously (encountered when simulating rapid change of HA member availability).

Resolved: Fixed in Luna HSM Client 10.8.0.

Problem: After updating the Luna Appliance Software, custom users that were created using the Luna REST API no longer exist or their role information is removed. See also RAPI-3924.

Workaround: If you are updating from Luna Appliance Software 7.7.1 or older, re-create the custom user after the update. If are updating from Luna Appliance Software 7.8.0 or newer, reassign the role to the existing custom user after update.

Resolved: Fixed in Luna REST API 15.0.0, included with Luna Appliance Software 7.8.5.

Problem: When a syslog backup file is created using POST /api/lunasa/syslog/backups and downloaded using GET /api/lunasa/syslog/backups/{backupid}, the backup file is not deleted from the appliance memory, and this can cause the /tmp directory to fill up over time. In particular, this affects users of Crypto Command Center (CCC), which performs this task as part of automatic monitoring.

Workaround: Stop and restart the webserver service, or reboot the Luna Network HSM 7 appliance to clear the /tmp directory.

Resolved: Fixed in Luna REST API 15, included with Luna Appliance Software 7.8.5.

Problem: The network interface delete command proceeds without the "proceed" prompt, whether the -f option is used or not.

Resolved: Fixed in Luna Appliance Software 7.9.0.

Problem: ipmievd messages are improperly being written to clusterlogs.

Resolved: Fixed in Luna Appliance Software 7.9.0. Logs from ipmievd are now logged only in messages, not in clusterlogs.

Problem: When the Luna Appliance Software is updated from version 7.7.x or older to 7.8.x, the hostname reported in syslogs reverts to localhost. The correct hostname is still shown in the output for lunash:> network show.

Workaround: To recover the hostname in logs, use lunash:> network hostname <hostname> to reset it. You must use the same hostname that is currently set, or NTLS connections will be affected.

Resolved: Fixed in Luna Appliance Software 7.8.5.

Problem: After restoring a cluster with multiple members from backup, some keyring configuration information may not be synchronized correctly from the primary member to the other members.

Workaround: Follow the procedure as described in Restoring a Cluster from Backup. The cluster is fully recovered after restarting the cluster service on the primary member.

Problem: When a large number (800+) of NTLS connections are made to the Luna Network HSM 7, BUS errors can be returned.

Workaround: These errors are related to lnh_slots.plugin, which is only required for the cluster feature. Move this plugin out of the plugins directory on the client to stop these errors. Otherwise, they can be safely ignored.

Problem: If system directories on the Luna Network HSM 7 appliance are filled to near their capacity, a warning like the following is displayed when you launch LunaSH:

Warning: Reached ##% consumption on one or more disk partitions.

You can get more information using lunash:> status disk.

If any of the directories listed are filled to capacity, this can interfere with appliance functions.

Workaround: None. If the /var directory is producing the warning, do not attempt to update the Luna Appliance Software to any version older than 7.8.5.

Resolved: Fixed in Luna Appliance Software 7.8.5. If you are not able to update to version 7.8.5 or newer, contact Thales Customer Support.

Problem: Remote syslog does not resolve hostnames properly in Luna Appliance Software 7.8.4. Found to occur with frequent HSM self-test.

Workaround: Add remote syslog hosts by IP address.

Resolved: Fixed in Luna Appliance Software 7.9.0.

Problem: Using Luna Appliance Software 7.8.4, if the webserver certificate is regenerated using LunaSH, applications (including Crypto Command Center) are unable to connect with the Luna Network HSM 7 using REST API due to compatibility issue with version 1 certificate.

Workaround:Use PUT /api/lunasa/webServer/certificate to regenerate the webserver certificate again.

Resolved: Fixed in Luna Appliance Software 7.8.5.

Problem: If multiple members are disconnected from the cluster simultaneously, an incorrect authorization status may be reported. If this occurs, operations on keyrings may fail with CKR_DEVICE_ERROR.

Workaround: If you know which members were disconnected, restart the cluster service on those members. If you do not know which members were disconnected, restart the cluster service on each member one at a time.

Resolved: Fixed in cluster package version 1.0.4.

Problem: The Luna REST API does not recognize usernames that include the dash character (-). Custom users created in LunaSH that include a dash will be unable to log in using the REST API.

Workaround: If you intend to use the Luna REST API, do not create custom usernames that include a dash character.

Resolved: Fixed in Luna REST API 13.0.0, included with Luna Appliance Software 7.8.3. The REST API now accepts the same username character set as LunaSH.

Problem: When entering an incorrect keyring PO password, the failed login counter that is displayed does not decrease. The failed login count for the CO role decreases by one.

Workaround: None. The actual counter does decrease as expected, and both the PO and CO roles are locked when the counter reaches zero.

Problem: If SSH traffic is bound to a network interface, deleting any network interface using lunash:> network interface delete returns a confusing warning:

WARNING! SSH is currently restricted to ethernet device unknown

Workaround: None. The device is deleted as expected; this message can be safely ignored.

Resolved: Fixed in Luna Appliance Software 7.8.5.

Problem: When using a Luna HSM with firmware 7.8.1 or newer installed to wrap RSA CRT using KM_CUSTOM_FORMAT or RSA_CRT and DSA private key using KM_GEMPLUS_GPK4000_FORMAT, the wrap command fails with log error Mechanism Param Invalid.

Workaround: None. Use a firmware version older than 7.8.1.

Resolved: Fixed in Luna HSM firmware 7.8.7.

Problem: Using Luna HSM Firmware 7.8.4 in FIPS mode, migration of keys from a Microsoft provider to Luna provider using the ms2luna utility fails with error CKR_MECHANISM_INVALID.

Workaround: None. Key migration to Luna HSM Firmware 7.8.4 is only possible in non-FIPS mode.

Resolved: Fixed in Luna HSM Client 10.7.1.

Problem: After deleting an HA group, ActiveEnhanced mode is turned off and the client returns to ActiveBasic mode.

Workaround: Turn ActiveEnhanced mode back on manually using LunaCM (hagroup recoverymode -mode activeEnhanced).

Resolved: Fixed in Luna HSM Client 10.7.2.

Problem: After deleting a cluster member, clients are unable to open a session to the cluster (C_OpenSession returns error CKR_FUNCTION_FAILED.

Workaround: Back up the cluster from the remaining member, then delete all keyrings from that member, and restore them from the backup. Clients should then be able to open sessions.

Resolved: Fixed in the lnh_cluster package version 1.0.4.

Problem: Read-only operations running while the primary cluster member is down fail when the primary is reconnected to the cluster and Read-Write status is restored. An error is returned (CKR_USER_NOT_LOGGED_IN).

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.7.2.

Problem: If the network connection to one or more members of a cluster is interrupted, the reported number of crypto operations done during the period of interruption can be inaccurate.

Workaround: None.

Resolved: Fixed in lnh_cluster package 1.0.4.

Problem: When using Luna HSM Client 10.5.x or 10.6.0 to migrate a master key from a local keystore to a Luna HSM, the key is successfully migrated but operations fail with the log error Unknown Mechanism Type.

Workaround: Use Luna HSM Client 10.4.1 instead.

Resolved: Fixed in Luna HSM Client 10.7.0. You must add map_aes_cmac_general_old=1 to the Toggles section of the Cryptoki.conf/cryptoki.ini file.

Problem: Network configuration changes on a cluster member sometimes result in loss of member authorization, and this is not resolved by manual authorization.

Workaround: None.

Resolved: Fixed in the lnh_cluster package version 1.0.4.

Problem: Unable to set the severity for a remote syslog server configured with RELP. The execution failed with the error message Error: lunalogs is not configured for 192.168.0.111 despite a RELP server already configured and visible through the lunash:>remote list command .

Workaround: None.

Resolved: Fixed in Luna Appliance Software 7.8.5.

Problem: If the clusteradmin service is stopped on the Luna Network HSM 7, attempting to join a cluster produces a confusing error:

Error: Precondition specified in the request is not satisfied.
    Synchronize the time between LNHs

Workaround: None. Ensure that the clusteradmin service is running on both the joining member and the member being joined before attempting cluster join (or any other cluster operations).

Problem: It is possible to add 0.0.0.0 as a network route on the appliance. This should not be permitted.

Workaround: None. Do not set 0.0.0.0 as a network route destination. If you are trying to add the default route to this device, specify 0.0.0.0 for the gateway, not the destination.

Resolved: Fixed in Luna Network HSM appliance software 7.8.4.

Problem: After a factory reset of the network service, Default Route (eth0) : Yes is always displayed in the output for network show. This prevents the default route from being automatically assigned to bond1 after it is enabled.

Workaround: Before configuring the device you want to have the default route, first clear the default route from eth0:

lunash:> network route delete network 0.0.0.0 -device eth0 -gateway 0.0.0.0 -force

Resolved: Fixed in Luna Network HSM appliance software 7.8.4.

Problem: Using Luna Network HSM appliance software 7.8.x, the LunaSH command sysconf ntp autokeyauth generate fails with a No such file or directory error.

Workaround: None.

Resolved: Fixed in Luna Network HSM appliance software 7.8.4.

Problem: A leading zero (00in hex) is added to the OCTET_STRING attribute of ECDSA private keys if the MS Bit is set in the first byte (the bit size of the private key data is multiple of 8).

Workaround: None.

Resolved: Fixed in Luna HSM Firmware 7.8.4.

Problem: In LunaSH, sysconf config factoryReset -service all does not reset the ctc service to factory conditions as expected.

Workaround: Use sysconf config factoryReset -service ctc to factory reset the ctc service.

Resolved: Fixed in Luna Appliance Software 7.8.4.

Problem: When using REST API resources to set multiple HSM policies, operations may fail (400) if they are run quickly in sequence. A message is returned: Task needs to be in WAITING state to perform this operation.

Workaround: If your REST API application has operations fail like this, add a 5-second delay before the operation that fails.

Problem: Using REST API, restoring the appliance configuration from backup by specifying "service": "all" fails, and does not return a known error (null).

Workaround: Do not use the "all" option; restore services one at a time.

Resolved: Fixed in Luna REST API 14.0.0, included with Luna Appliance Software 7.8.4.

Problem: Rarely, NTLS clients are dropped from the list of registered clients on the Luna Network HSM appliance.

Workaround: Re-register the client in LunaSH.

Resolved: Fixed in Luna Appliance Software version 7.8.4.

Problem: When Luna HSM Client is configured with a receive timeout less than the default 20000 ms (LunaSA Client = {ReceiveTimeout = 1000}, for example), an unsuccessful NTLS handshake still waits 20000 ms to time out. If the NTLS handshake succeeds, the custom timeout setting is observed as expected.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.6.0. The ReceiveTimeout setting now applies to the NTLS handshake as well.

Problem: When using lunacm.exe -f to run a list of scripted LunaCM commands, the script does not continue running after encountering an error.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.6.0.

Problem: On the front-panel LCD display, the code for Offline, when none of the appliance's Ethernet devices are connected to a network, is incorrectly displayed as OFT.

Workaround: None.

Resolved: Fixed in Luna Network HSM appliance software 7.8.3 -- the code is now correctly displayed as OFL.

Problem: Keyring labels created in batches using REST API contain an extraneous dash (example: HSM2:Part-1000) that is not added to keyrings created using LunaSH (example: HSM2:Part1000).

Workaround: None.

Resolved: Fixed in Luna Network HSM appliance software 7.8.3.

Problem: When a remote PED server is configured using ped set in LunaCM or hsm ped set in LunaSH, a Partition SO login command (role login -n po) from a client will seek authentication from the configured remote PED, even if you did not first run ped connect, and ped get reports that HSM slot 1 listening to local PED (PED id=0). This does not occur when attempting to log in with a different role (the PED operation times out, or is sent to a local PED if there is one connected to the HSM, as expected).

Workaround: Always run ped connect before client commands that require authentication, if you wish to use remote PED.

Problem: Static routes assigned to bonding interfaces (bond0 and bond1) are not included in configuration backups (sysconf config backup).

Workaround: After restoring the network configuration from backup (sysconf config restore), add the static routes to the bond interfaces manually (network route add).

Resolved: Fixed in Luna Network HSM appliance software 7.8.3.

Problem: The supportInfo.txt file generated by the LunaSH command hsm supportinfo falsely indicates that NTLS is bound to an inactive interface:

NTLS is currently bound to IP Address: "1.2.3.4" (inactive interface)

Workaround: This error can be safely ignored. The LunaSH command ntls show displays the correct information.

Resolved: Fixed in Luna Network HSM appliance software 7.8.3.

Problem: LunaSH and Luna REST API have different requirements for characters that are accepted in user passwords. A user created in LunaSH that uses one of the following characters will therefore not be allowed to log in using REST API: &_|;'"<>?`.

Workaround: Change the LunaSH user password to remove any unaccepted characters before attempting to log in using REST API.

Resolved: Fixed in Luna REST API 13.0.0, included with Luna Appliance Software 7.8.3. The REST API now accepts the same password character set as LunaSH.

Problem: After re-imaging the Luna Network HSM appliance software to version 7.2.0 and then updating to version 7.8.1, registration of a PEDserver certificate (lunash:> hsm ped server register) on the appliance fails with error RC_DATA_INVALID.

Workaround: None.

Resolved:Fixed in Luna Network HSM appliance software 7.8.3.

Problem: Using Luna HSM Client 10.5.1, drivers for Remote PED are not installed on Debian-based Linux (such as Ubuntu).

Workaround: None. Use Luna HSM Client 10.5.0 or older if you are setting up a Remote PED server.

Resolved: Fixed in Luna HSM Client 10.6.0.

Problem: Using Luna HSM Client 10.5.1, ms2luna fails to migrate KSP keys to the Luna HSM. CSP keys are migrated successfully.

Workaround: Use the ms2luna utility from Luna HSM Client 10.5.0 instead.

Resolved: Fixed in Luna HSM Client 10.6.0.

Problem: A Luna Backup HSM 7 cannot restore objects to any partition on a Luna HSM with firmware 7.7.1 or newer and HSM policy 50: Allow Functionality Modules enabled, even if the source of the backup also had FMs enabled.

Workaround: None.

Resolved Fixed in Luna Backup HSM firmware 7.7.2. Both the backup source partition and the target restore partition must have partition policy 42: Allow CPv1 disabled.

Problem: On AIX, the LunaCM command partition domainlist returns an error:

lunacm:>partition domainlist
Error in execution: host memory error.
Command Result : 0x6 (Internal Error)

Workaround: None.

Problem: After adding a network route, a failure message is returned (Failed to apply new route information to bond0.) but the route is added successfully.

Workaround: This message can be safely ignored.

Resolved: Fixed in Luna Network HSM appliance software 7.8.3.

Problem: On Linux, a non-root user in the hsmusers group is unable to start pedclient.

Workaround: None.

Problem: Using Luna Network HSM appliance software 7.7.0 and newer, after a bonding network interface is disabled, its gateway field is cleared.

Workaround: Add a manual network route to the affected interface using network route add.

Resolved: Fixed in Luna Appliance Software 7.8.5.

Problem:When both bond0 and bond1 are configured on the appliance, both bonded interfaces are configured with a default route. Only the first-enabled bond interface should have the default route.

Workaround:None.

Resolved: Fixed in Luna Network HSM 7.8.1 appliance software.

Problem: Using REST API 11.0.0 (included with Luna Network HSM appliance software 7.8.0), resources for verifying and installing a secure package fail.

Workaround: Use LunaSH to verify and install secure packages.

Problem: When a default route is configured on a network interface, another newly-configured DHCP interface is not assigned a gateway.

Workaround: Add a manual network route to the affected interface using network route add.

Problem: When a default route is configured on a network interface, another newly-configured static interface is not assigned a gateway.

Workaround: Add a manual network route to the affected interface using network route add.

Problem: Changing the default port used for crypto operations on the cluster (50052) can cause communication problems between cluster members.

Workaround: In this release, do not customize the crypto port number.

Problem: Using Luna HSM Client 10.4.x to 10.5.0, the Luna Client CSP partition password can no longer be decrypted via the Windows DPAPI.

Workaround: Re-register the partition with the Luna CSP.

Resolved: Fixed in Luna HSM Client 10.5.1 -- an option has been added (/password) to provide the partition password using the register utility.

Problem: When the network service on Luna Network HSM appliance software 7.8.x is reset to factory conditions (lunash:> sysconf config factoryreset -service network), the DHCP interface is not automatically assigned a gateway.

Workaround: Configure the interface manually by assigning a static IP address and gateway, or reconfiguring DHCP on the interface.

Problem: In LunaSH, after deleting a network interface, the information about that interface is still displayed in the output for network show.

Workaround: The interface is deleted; this information can be safely ignored.

Resolved: Fixed in Luna Network HSM appliance software 7.8.1.

Problem: The Mutex lock file generated by Luna HSM Client is created with the wrong permissions (writable by everyone).

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.5.1.

Problem: When bonding is configured, the gateway is not set on the bond interface.

Workaround: None. Do not configure network bonding on Luna Network HSM 7.8.0.

Resolved: Fixed in Luna Network HSM appliance software 7.8.1.

Problem: After resetting a keyring, role show incorrectly indicates that there are 15 failed login attempts/password change attempts remaining until keyring lockout.

Workaround: This can be safely ignored. The correct value (10) is reported by role show after logging in to the keyring using the reset credentials.

Problem: When multiple NTLS clients are registered to the Luna Network HSM by hostname, and one or more clients' hostnames fail to resolve, long delays are added to NTLS connection requests from all clients, sometimes causing timeouts (client returns ReceiveTimeout).

Resolved: Fixed in Luna Appliance Software 7.8.1.

Problem: If a RADIUS-authenticated user is created on Luna Network HSM, the cluster service will not start.

Workaround: RADIUS is not supported for use with clusters; if you have RADIUS-authenticated users on the appliance, the cluster service will start once they are deleted.

Resolved: Fixed in Luna Network HSM 7.8.1 clusters package.

Problem: When a cluster member recovers from a network outage and rejoins the cluster, the member does not recover from Read-Only mode and does not update its version of the cluster database. Operations sent to this cluster member may fail if the correct keys do not exist or if they have old attributes. LunaSH reports this member with an R in the output for cluster member list; REST API includes "visibleToServicingNode": false in the return for GET /api/clusters/{clusterid}/members.

Workaround: Restart the cluster service on the recovered member. The database is updated and operations may resume normally.

Resolved: Fixed in Luna Network HSM appliance software 7.8.3 and the cluster 1.0.3 package.

Problem: When a custom user account is created on cluster member A, the user is required to change the initial password upon first login to cluster member A. If the user's first login is on cluster member B, however, the password change is not enforced. If the password is changed manually on member B, logging in to member A will still require another password change.

Workaround: Ensure that the user logs in for the first time to the member where the user account was created.

Resolved: Fixed in Luna Network HSM appliance software 7.8.1.

Problem: After resetting a keyring to its initial conditions, LunaCM does not allow you to log in as KRSO (po), saying that the role is not initialized.

Workaround: Use ckdemo to log in as KRSO (pso) and re-initialize the KRCO role.

Resolved: Fixed in Luna HSM Client 10.5.1.

Problem: Setting the core service IP using REST API appears to fail with Error: socket hang up.

Workaround: The operation has not failed, although the socket closed prematurely before receiving the successful status. The cluster service must automatically restart before the operation can be reported as a success; wait approximately 3 minutes for the service to finish restarting and then confirm. Alternatively, use LunaSH to set the service IP.

Resolved:Fixed in Luna Network HSM 7.8.1 clusters package.

Problem: Client operations on a cluster member can be disrupted briefly while a new cluster member is added.

Workaround: Configure all your cluster members before launching your client applications.

Resolved: Fixed in Luna HSM appliance software 7.8.3 and the cluster 1.0.3 package.

Problem: When the cluster service is stopped on all members and then started on all members, authorizing one member manually does not trigger auto-authorization of the other members as expected.

Workaround: You must manually authorize each member individually.

Resolved: Fixed in Luna Network HSM 7.8.1 cluster package.

Problem: In LunaSH, keyring show using the -detail option displays a confusing Error: Response rendering failed.

Workaround: This error can be safely ignored.

Resolved: Fixed in Luna Network HSM appliance software 7.8.3 and the cluster 1.0.3 package.

Problem: The Luna Network HSM incorrectly enforces that the HSM SO must be logged in before the Partition SO can initialize the Crypto Officer role in LunaSH.

Workaround: None.

Resolved: Fixed in Luna Network HSM appliance software 7.8.0.

Problem: The REST server healthcheck creates many REST log entries:

2022 Apr 26 09:39:15 [localhost]  local5 info  LNHREST[1]: 127.0.0.1:50620 - GET /
2022 Apr 26 09:39:15 [localhost]  local5 err  LNHREST[1]: Misssing Authorization Header

Workaround: None. These logs can be ignored.

Resolved: Fixed in Luna Network HSM 7.8.1 Technical Preview.

Problem: After a key is destroyed, C_Encrypt calls using the key's handle return CKR_TOKEN_NOT_PRESENT instead of CKR_KEY_HANDLE_INVALID. This can interfere with the operation of running applications.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.5.0.

Problem:When the Luna Network HSM is configured to use RADIUS authentication, requests are sent to the RADIUS server even for local roles that are not configured for RADIUS authentication.

Workaround:None.

Resolved: Fixed in Luna Network HSM appliance software 7.8.0.

Problem: When the HSM hardware includes the new clock (a response to supply-chain parts shortages), the reimage operation fails. An HSM containing the new part can be recognized by the assembly number 808-000048-003 using "hsm showinfo" command for standalone PCIe HSM, or number 808-000073-002 using "hsm show" command for an HSM inside a Luna Network HSM appliance. The problem does not occur for HSMs with firmware version 7.0.3 and earlier, or firmware later than version 7.7.2.

Workaround: Apply HSM firmware version 7.8.0 (or newer). That is a standalone firmware upgrade for Luna PCIe HSM, or is part of the .SPKG for appliance software release 7.8.0 (or newer) on Luna Network HSM.

Problem: When an incorrect partition label or password is specified when running cluster join, cluster delete, or cluster leave, the command fails as expected, but Command Result : 0 (Success) is returned.

Workaround: This message can be safely ignored.

Resolved: Fixed in Luna Network HSM appliance software 7.8.1.

Problem: In LunaSH, the following commands are not available to the operator user:

>hsm ped server register

>hsm ped server delete

>network interface slaac

>client addCA

>client listCAs

>client deleteCAs

Workaround: The admin user must be logged in to use these commands.

Resolved: Fixed in Luna Network HSM appliance software 7.8.0.

Problem: When using Luna HSM Client 10.4.x, integration with Microsoft NDES does not work (HTTP Error 500.0).

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.5.0.

Problem: Using Luna HSM Client 10.4.1, when a Luna Cloud HSM service is configured as an HA group member with multifactor quorum-authenticated Luna 7 partitions, operations do not fail over to Luna Cloud when Luna 7 partitions become unavailable.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.5.0.

Problem: When cklogs are enabled on a Linux client, source ./setenv --addcloudhsm fails with ERROR: Failed to add cloud hsm configuration to 'Chrystoki.conf', failed to configure PluginsModuleDir in Misc section.

Workaround: Disable cklogs with vtl cklogsupport disable before running the setenv script.

Resolved: Fixed in Luna HSM Client 10.5.0.

Problem:Using Luna HSM Client 10.3.0 or 10.4.0, LunaHAStatus returns CKR_DATA_INVALID for all members of an HA group after a period of time.

Workaround:None.

Resolved: Fixed in Luna HSM Client 10.5.0.

Problem: After re-initializing a keyring with a different label, the keyring info cannot be found using keyring show (fails with Error: Requested resource is not found. [UI] Keyring "new_label" does not exist.).

Workaround: None.

Problem: A change to a file while it was being tarred caused an error (file changed as we read it. from the tar utility during syslog tarlog which failed the sylog command. That error is expected when a file changes and is just an informational notification that should not cause the syslog tarlog operation to fail.

Workaround: Use remote syslogging instead.

Resolved: Fixed in Luna Network HSM appliance software 7.8.3. The script accepts that error and completes successfully.

Problem: When an HSM with an HA member partition remains in a bad state for a period of time (several hours or more), the HA group may receive a CKR_DEVICE_ERROR.

Workaround: If the HA group receives this error, the client application must be restarted. Monitor HA member HSMs to ensure they are recovered quickly.

Resolved: Fixed in Luna HSM Client 10.4.0.

Problem: Luna Backup HSM firmware 7.7.2 enforces minimum 8-character passwords. The previous limit was 7 characters. If you were using a 7-character password before updating to firmware 7.7.2, you can encounter problems with some operations. For example, soft initialization of the HSM will fail because the new firmware will not allow you to keep the old 7-character password.

Workaround: Change all passwords to use a minimum of 8 characters.

Problem: The user is unable to create a data object on a keyring without first logging in as KRCO. This should not be necessary to create data objects.

Workaround: Log in as KRCO first.

Resolved: Fixed in Luna HSM firmware 7.8.1.

Problem: When the lnh_cluster-1.0.x package is installed, some extra commands are visible in LunaSH (cluster migration). These commands should be hidden.

Workaround: These commands have no effect; they can be safely ignored.

Problem: The cryptoki library crashes when CKA_UNWRAP_TEMPLATE or CKA_DERIVE_TEMPLATE is called.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.4.0.

Problem: The Milenage mechanism generates an incorrect authentication verification quintet.

Workaround: None.

Resolved: Fixed in Luna HSM firmware 7.7.2.

Problem: cmu importkey fails to import encrypted keys.

Workaround: Follow these steps to import the EC key in encrypted form from ec.pfx :

>openssl pkcs12 -in ec.pfx -nocerts -nodes -out Temp.key
Enter Import Password:
>openssl pkcs8 -in Temp.key -topk8 -nocrypt -out PKCS8.key
>cmu importkey -in PKCS8.key -PKCS8 -keyalg ECDSA

Resolved: Fixed in Luna HSM Client 10.4.0.

Problem: Re-imaging the Luna Network HSM appliance from software version 7.7.1 fails if performed by a custom admin user.

Workaround: Re-image the appliance using the default admin LunaSH account.

Resolved: Fixed in the Re-Image Software 7.7.1 and Firmware 7.7.0 Patch.

Problem: CK_MILENAGE_SIGN_PARAMS does not function correctly when the application is used with an HA group.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.4.0.

Problem: When updating the appliance software package using REST API, the operation fails with PACKAGE_MANAGEMENT_OPERATION_FAILED.

Workaround: Use LunaSH to update the appliance software package.

Resolved: Fixed in Luna REST API 11.0.0, included with Luna Network HSM 7.8.0 appliance software.

Problem: When auto-activation is enabled on PED-authenticated HSM partitions using firmware 7.7.0 or 7.7.1, the verification string generated by entering Secure Transport Mode will differ from the one received during STM recovery.

Workaround: Deactivate all roles on all partitions before entering STM on the HSM.

Resolved: Fixed in Luna HSM firmware 7.7.2.

Problem: Two audit log entries can occasionally be recorded on the same line of the audit log file, corrupting the file and causing log verification to fail.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.4.0.

Problem: When the wrong HSM SO password is presented in LunaSH with cluster create three consecutive times, no warning is displayed that the HSM will be zeroized, and the error message is generic:

Generic error by the receiver of the request.
Command Result : 65535 (Luna Shell execution)

Workaround: Ensure that you present the correct HSM SO password.

Resolved: Fixed in Luna Appliance Software 7.8.4.

Problem: Attempts to change the HSM SO credential on a multifactor-authenticated Luna Backup HSM with firmware 7.7.1 fail with CKR_INVALID_ENTRY_TYPE.

Workaround: None.

Resolved: Fixed in Luna Backup HSM firmware 7.7.2.

Problem: When using HA, the poll function can fail with CKR_DEVICE_ERROR or CKR_TOKEN_NOT_PRESENT. HA logs show a failover followed by an immediate recovery.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.4.0.

Problem: WRAP operations fail when the Luna HSM is integrated with Hortonworks in FIPS mode.

Workaround: None. Operations succeed when not in FIPS mode.

Resolved: Fixed in Luna HSM Client 10.4.0.

Problem: Luna HSM Client fails to re-init partition with partition policy template on FW7.7

Resolved: Fixed in Luna HSM Client 10.3.0 and newer.

Problem: Configuring a default route when no gateway is present is allowed.

Workaround: To re-configure default route, when a gateway is present, delete the interface and reconfigure it.

Resolved: Fixed in Luna Network HSM appliance software 7.7.1.

Problem: The file produced by lunash:> hsm supportinfo does not include any information about an attached Luna Backup HSM 7.

Workaround: None.

Resolved: Fixed in Luna Network HSM appliance software 7.7.1.

Problem: Memory leak issue in Luna HSM Client 10.1 with SUSE Linux.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.3.0.

Problem: When running cmu verifyhsm, the interactive mode does not prompt for a challenge string, and fails with "Parameters missing".

Workaround: Always specify a challenge string: cmu verifyhsm -challenge "string"

Resolved: Fixed in Luna HSM Client 10.4.0.

Problem: When partition policy 34: Allow CBC-PAD (un)wrap keys of any size is set to 0, the AES_KWP mechanism is blocked, although it does not have the same vulnerabilities as the other blocked mechanisms.

Workaround: None.

Resolved: Fixed in Luna HSM firmware 7.7.0.

Problem: If the client fails to resolve the Luna Cloud service's DNS hostname, other client slots fail to load in LunaCM.

Workaround: Ensure that your DNS network is stable before deploying a Luna Cloud HSM in an HA group. Ideally, configure multiple DNS nameservers for failover.

Resolved: Fixed in Luna HSM Client 10.2.0.

Problem: If an application running against an HA group fails over to the Luna Cloud HSM member and the DNS hostname does not resolve, a segmentation fault can occur.

Workaround: Ensure that your DNS network is stable before deploying the Luna Cloud HSM service in an HA group. Ideally, configure multiple DNS nameservers for failover.

Resolved: Fixed in Luna HSM Client 10.2.0.

Problem: Luna Backup HSM 7 does not appear as a slot in LunaCM if ShowAdminTokens = no in the Luna HSM Client configuration file (Chrystoki.conf/crystoki.ini).

Workaround: Edit the configuration file to set ShowAdminTokens = yes.

Resolved: Fixed in Luna HSM Client 10.3.0.

Problem: When using an HA group made up of Luna partitions and a Luna Cloud HSM service in FIPS mode, if the Luna partition is unavailable, 3DES keygen fails with CKR_MECHANISM_INVALID error.

Workaround: Ensure that all HA group members are available before initiating 3DES keygen.

Resolved: Fixed in Luna HSM Client 10.4.0.

Problem: If you perform cmu getpkc on a Luna Cloud HSM service to confirm a public key, the operation can sometimes fail.

Workaround: To confirm your key pair's origins and security in an HSM, run CKDemo's DisplayObject (27) function. If the CKA_NEVER_EXTRACTABLE attribute is present, this confirms that the private key was created in the HSM and never extracted.

Problem: Luna Network HSM LCD can freeze on reboot - periodic update of displayed messages ceases (i.e., stuck on a single message), and lcdController messages appear in system log messages. Software-initiated restart/reboot does not fix the problem. Attempting to stop/start the LCD service does not fix the problem. This is a rare, intermittent issue, and does not affect other HSM appliance functions.

Workaround: If the LCD freezes, perform a hard shutdown and restart using the appliance's power switch, or disconnecting and reconnecting the power cable (both power cables on dual-power-supply models). Wait about 30 seconds between power off and power on.

Resolved: Fixed in Luna Network HSM appliance software 7.8.0.

Problem: Multiple issues related to network default gateway.

Resolved: Fixed in Luna Network HSM appliance software 7.3.3. Doesn't occur in 7.7.0 onward.

Problem: When using a one-time password to initialize the Luna Backup HSM 7's RPV (orange PED key), including the -pwd option before -ip or -hostname causes the command to fail.

Workaround: Specify the -ip or hostname before the -pwd option in the command:

lunacm:>ped connect -ip <IP_address> -pwd

Resolved: Fixed in Luna HSM Client 10.2.0.

Problem: With bonding interface configured, unable to reach through SSH after reboots. Bonding interface MAC address changing randomly after reboots.

Resolved: Fixed in Luna Network HSM appliance software 7.3.3. Problem does not exist in 7.4.2 and 7.7.0 onward.

NOTE   Resolution not confirmed but bonding interface MAC address no longer changes after reboots.

Problem: Running slot list after disconnecting and reconnecting the Luna Backup HSM 7 may cause LunaCM to exit. For example:

1.Connect the Luna Backup HSM 7 and let it complete the boot sequence.

2.Disconnect it after it has completed the boot sequence and run slot list. The backup HSM is not listed.

3.Reconnect the backup HSM and let it complete the boot sequence.

4.Run slot list. LunaCM exits.

Workaround: Do not disconnect the Luna Backup HSM 7 during a LunaCM session, unless you are finished using it.

Resolved: Fixed in Luna HSM Client 10.2.0.

Problem: Application cannot change CKA_EXTRACTABLE default value via JSP.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.1.0.

Problem: Minimal Luna HSM Client 7.4.0 tar file has an additional character that could affect customer scripts.

Workaround: Change filename from LunaClient-Minimal-v7.4.0-226.x86_64.tar to LunaClient-Minimal-7.4.0-226.x86_64.tar before running scripts.

Resolved: Fixed in Luna HSM Client 10.1.0.

Problem: One-step NTLS fails when the appliance's SSH host key changes or when connecting for the first time.

Workaround: In LunaCM, run clientconfig deploy with the -verbose option, and manually enter y when PuTTY prompts you to update the cached SSH key.

Resolved: Fixed in Luna HSM Client 10.1.0.

Problem: Registering an IPv6 NTLS client with REST API by POSTing to /api/lunasa/ntls/clients fails with an HTTP 400 error.

Workaround: None. Register NTLS clients with LunaSH to avoid this issue.

Resolved: Fixed in REST API 9.0.0, included with Luna Network HSM appliance software 7.7.0.

Problem: Command output of vtl examineCert and vtl fingerprint are reversed.

Workaround: None. Use each command to view the other's output.

Resolved: Fixed in Luna HSM Client 10.1.0.

Problem: An FM-ready Luna Network HSM with appliance software version 7.4.0 and HSM firmware 7.0.3 incorrectly displays "Non-FM" in the output from hsm show in LunaSH. LunaCM slot information for a partition on this HSM correctly displays "FM Ready".

Workaround: Ignore the incorrect output. You must upgrade the HSM firmware to 7.4.0 to use FMs.

Resolved: Fixed in Luna Network HSM appliance software 7.7.0.

Problem: When backing up objects to a Luna Backup HSM 7 from user partitions hosted on HSMs running older firmware, differences in the size of the metadata associated with the objects may cause the backup partition to become full before all of the objects are backed up, resulting in the following error message before all of the objects have been backed up: CKR_CONTAINER_OBJECT_STORAGE_FULL

Workaround: If you receive this message when backing up a user partition to a Luna Backup HSM 7, use the LunaCM partition resize command to resize the backup partition so that it has enough space to accommodate the remaining objects, then use the partition archive backup command with the -append option to add the skipped objects to the backup.

Resolved: Fixed in Luna HSM Client 10.3.0.

Problem: During HSM initialization, if the PED operation to create the red domain key fails or times out, subsequent attempts to re-initialize the HSM will not prompt you to create the red domain key.

Workaround: Zeroize the HSM in LunaSH with hsm zeroize before re-initializing.

Resolved: Fixed in Luna Network HSM appliance software 7.7.0.

Problem: When creating an RSA key using CKDEMO, the user is mistakenly prompted for the Derive attribute (RSA key derivation is not allowed).

Workaround: None. The value entered is dropped and can be safely ignored.

Resolved: Fixed in Luna HSM Client 10.1.0.

Problem: When adding a DNS server using REST API, configured port bonds are broken. If there is no other ethernet interface configured, you must use a serial connection to reconfigure the port bond.

Workaround: None. Use LunaSH to configure the DNS servers.

Resolved: Fixed in Luna Network HSM appliance software 7.7.0.

Problem: On rare occasions, the appliance fails to load the K7 card driver and the HSM appears unavailable.

Workaround: Reboot the appliance.

Resolved: Fixed in Luna Network HSM appliance software version 7.3.0.

Problem: When partition policy 29: Perform RSA signing without confirmation is set to 0 (OFF), all RSA sign operations fail with an error (CKR_DATE_LEN_RANGE).

Workaround: If you use RSA signing, do not turn off partition policy 29.

Resolved: Fixed in Luna HSM firmware 7.7.0.

Problem: Updating the appliance software resets SSH port info to default value 22, causing loss of SSH connection.

Workaround: Reconnect SSH by specifying port 22, or connect to appliance via serial port to reset SSH settings.

Resolved: Fixed in Luna Network HSM appliance software version 7.4.0.

Problem: REST API DELETE /api/lunasa/ntp/servers or DELETE /api/lunasa/ntp/servers/[default local ntp server addr] deletes default NTP server.

Resolved: Fixed in Luna Network HSM appliance software 7.3.1. Default NTP server can no longer be deleted.

Problem: Java DERIVE and EXTRACT flag settings for keys injected into the HSM were forced to "true" in the JNI, which overrode any values passed by applications via Java.

Workaround: Refer to the CRN Advisory Notes.

Resolved: Fixed in Luna HSM firmware 7.3.0 and Luna HSM Client 7.3.0.

Problem: Private BIP32 Key Injection (combination of private key encryption and unwrapping operations) was not implemented in Luna 7.3.

Resolved: The call has been included; requires Luna HSM firmware 7.4.0 and Luna HSM Client 7.4.0.

Problem: When using CKdemo to perform a multipart sign/verify operation with a key that has exceeded its specified usage count, an expected error is returned (CKR_KEY_NOT_ACTIVE). The next sign/verify operation with an active key fails with an unexpected error (CKR_OPERATION_ACTIVE).

Workaround: Restart CKdemo and attempt the operation again.

Resolved: Fixed in Luna HSM Client 10.3.0.

Problem: Encrypt operations using DES3_CBC_PAD and specifying a NULL buffer fail (CKR_BUFFER_TOO_SMALL).

Workaround: Manually specify a buffer size for these operations.

Resolved: Fixed in Luna HSM Client 10.3.0.

Problem: When running commands in some Luna utilities on Windows 10, password characters are duplicated.

Workaround: Contact Thales Customer Support.

Resolved: Fixed in Luna HSM Client 7.4.0.

Problem: When you delete a key from a Luna Cloud HSM service, CKlog displays an incorrect object handle.

Resolved: Fixed in Luna HSM Client 10.1.0.

Problem: After a firmware update, duplicate entries are produced in the audit logs. These duplicate entries cause log verification to fail with an error (CKR_LOG_BAD_RECORD_HMAC).

Workaround: There is no way to avoid the duplicate entries. However, the other entries in the log file can be verified without error. When verifying the logs, specify a range that excludes the duplicate entries:

LunaSH: audit log verify -file [log_file] -start [first_entry] -end [last_entry]

LunaCM: audit verify file <log_file> start [first_entry] end [last_entry]

Resolved: Fixed in Luna HSM firmware 7.4.0.

Problem: When running cmu commands on Windows 10, password characters are duplicated.

Resolved: Fixed in Luna HSM Client 7.3.0.

Problem: When a bad remote logging host is added, existing hosts that were functioning correctly stop receiving logs.

Workaround: Ensure that all remote logging hosts are reachable and configured correctly before adding them.

Resolved: Fixed in Luna Network HSM appliance software 7.4.0.

Problem: In LunaCM, when switching the active slot between partitions on different HSMs, ped connect and ped get sometimes report an active Remote PED connection, even though the connection is broken. Authentication commands fail.

Workaround: Use ped disconnect on the active slot before switching to a different slot and running ped connect.

Resolved: Fixed in Luna HSM Client 7.4.0.

Problem: Using REST API, open application IDs sometimes cause the HSM to stop responding.

Resolved: Fixed in REST API 7.0.0, included with Luna Network HSM appliance software 7.3.0.

Problem: CA_DeriveKeyAndWrap does not handle AES_KW, AES_KWP, or AES_CTR mechanisms.

Workaround: None.

Resolved: Fixed in Luna HSM firmware 7.7.0 and Luna HSM Client 10.3.0.

Problem: On Linux clients, when a non-root user attempts to uninstall the Luna HSM Client software, the process fails and the client software remains installed, but Uninstall of the Luna HSM Client 7.3.0-165 completed is displayed in the command output.

Workaround: Ignore this message and log in as the root user to uninstall the Luna HSM Client software.

Resolved: Fixed in Luna HSM Client 7.4.0.

Problem:After running sysconf appliance reboot from LunaSH, the appliance occasionally gets stuck with a Rebooting message on the LCD screen.

Workaround: Remove all power from the appliance (by removing the cable from the power supply units), wait at least 30 seconds, then reconnect power and restart the appliance.

Resolved: Download and install Luna 7 Appliance Reboot Patch 1.0.0 from the Thales Customer Support Portal. The content of this patch is included in Luna Network HSM appliance software 7.7.0.

Problem: When installing Backup HSM and Luna PED drivers from Luna HSM Client software on a host machine with a fresh, non-upgraded version of Windows 10, Windows reports an error with the driver signatures.

Workaround:

>Luna Network HSM: Download and install Luna HSM Client patch 7.2.1 from the Thales Customer Support Portal (DOW0003077). Alternatively, disable Windows 10 driver signature enforcement before installing the Luna HSM Client.

>Luna PCIe HSM: Disable Windows 10 driver signature enforcement before installing the Luna HSM Client.

Resolved: Fixed in Luna HSM Client 7.3.0.

Problem: When using CKdemo to query an application partition, the Crypto Officer password is entered in visible plaintext.

Workaround: None.

Resolved: Fixed in Luna HSM Client 7.3.0.

Problem: Calls to CA_OpenApplicationID fail when certain sequences of calls are run, for example:

1.CA_SetApplicationID(x,y)

2.C_OpenSession()

3.C_CloseSession()

4.CA_OpenApplicationID(x,y)

Resolved: Fixed in Luna Network HSM appliance software 7.3.0.

Problem: On Luna HSM *700 and *750 models, asymmetric digest-and-sign or digest-and-verify mechanisms produce the wrong result when the data length exceeds 64 kB.

Resolved: Fixed in Luna HSM firmware 7.2.0 and 7.0.3.

Problem: Cannot migrate keys using ms2Luna.exe for CSP.

Workaround: Copy a version of ms2Luna.exe from an older client package (6.2 or older).

Resolved: Fixed in Luna Client HSM 7.3.0.

Problem: When LunaCM is launched in Luna Minimal Client, an unexpected error is displayed (Error: Failed to initialize remote PED support).

Workaround: Edit Chrystoki.conf/crystoki.ini and remove Toolsdir from the Misc section.

Resolved: Fixed in Luna HSM Client 7.3.0.

Problem: LunaSH command sysconf config factoryReset does not remove port bonding.

Resolved: Fixed in Luna Network HSM appliance software 7.2.0.

Problem: CMU Export Public Key - Incorrect formatting of exported key. A public key, exported with command cmu export -handle [handle#] -outputfile [filename] -key has incorrect header and footer text.

Workaround: Edit the exported public key file, replacing
----- BEGIN CERTIFICATE ----- and ----- END CERTIFICATE -----
with
----- BEGIN PUBLIC KEY ----- and ----- END PUBLIC KEY ----- respectively.

Resolved: Fixed in Luna HSM Client 7.3.0.

Problem: When using Luna Network HSM appliance software 7.2.0 with earlier Luna HSM Client software, cmu getpkc fails with an error (Could not retrieve the PKC).

Resolved: Fixed in Luna HSM Client 7.2.0.

Problem: Unable to change CKA_EXTRACTABLE key attribute via Java (LunaProvider/JSP).

Workaround: Download and apply the Luna HSM 7.1 Java Patch from the Thales Customer Support Portal. Follow the README instructions to ensure that your Java application sets the appropriate key attributes.

Resolved: Fixed in Luna HSM Client 7.2.0.

Problem: In LunaSH, hsm firmware upgrade fails with errors (LUNA_RET_UNKNOWN_COMMAND and RC_GENERAL_ERROR) if STC is enabled on the Admin channel. It is then necessary to decommission the HSM in order to update the firmware.

Workaround: Disable STC on the Admin channel before updating the HSM firmware.

Resolved: Fixed in Luna Network HSM appliance software 7.2.0. If STC is enabled on the Admin channel, the user is prevented from updating the HSM firmware.

Problem: Connecting a Luna Backup HSM 7 to a USB 3.0 (SuperSpeed) port may result in error messages being displayed by the host operating system. This behavior occurs in both Windows and Linux.

For example, on Windows, you may see a USB device not recognized error.

On Linux, you may see messages like the following (visible using dmesg or in /var/log/messages):

usb 1-4: device descriptor read/64, error -71
usb 1-4: Device not responding to setup address.
usb 1-4: device not accepting address 32, error -71

Workaround: You can ignore these messages, as they have no effect on the normal operation of the device.

Resolved: Resolved in Luna Backup HSM with firmware 7.7.x installed from the factory. Backup HSMs upgraded to firmware 7.7.x still display the messages.

Problem: Value for HSM policy 46 (Disable Decommission) cannot be changed. Attempting to change it returns an error (CKR_CONFIG_FAILS_DEPENDENCIES).

Workaround: None.

Resolved: Fixed in Luna HSM firmware 7.2.0.

Problem: If HSM policy 39 (Allow Secure Trusted Channel) is turned off while STC is enabled on the admin channel, the HSM SO is unable to log in using hsm login.

Workaround: If this occurs, exit LunaSH and log in again as the admin user. In general, disable STC on the admin channel (hsm stc disable) before setting HSM policy 39 to 0.

Resolved: Fixed in Luna Network HSM appliance software 7.2.0.

Problem: When you initialize an STC partition by applying a partition policy template, a confusing error (CKR_TOKEN_NOT_PRESENT) is returned.

Workaround: None.

Resolved: Fixed in Luna Network HSM appliance software 7.7.1.

Problem: When you use an older client, and query partition-level capabilities and policies, the HSM returns incorrect policy numbers

Workaround: Refer to the documentation for the correct policy numbers.

Resolved: Fixed in Luna HSM firmware 7.2.0.

Problem: In LunaCM, hsm information monitor incorrectly reports HSM utilization.

Workaround: None.

Resolved: Fixed in Luna HSM firmware 7.2.0.

Problem: Multipart AES_KW operations on non-block-sized-data returns incorrect error code CKR_DEVICE_ERROR.

Workaround: None.

Resolved: Fixed in Luna HSM Client 7.2.0 onward.

Problem: In LunaCM on Windows, one-step NTLS (clientconfig deploy) is very slow and takes almost four minutes to complete the NTLS connection setup.

Workaround: None.

Resolved: One-step NTLS performance has been improved in Luna HSM Client 7.2.0.

Problem: When partition policy 39: Allow start/end date attributes is enabled, all start dates must be later than January 01, 1970.

Workaround: Ensure that start date attribute is later than January 01, 1970.

Resolved: Fixed in Luna HSM firmware 7.2.0.

Problem: If HSM policy 39: Enable Secure Trusted Channel has been set to 1 (ON) at any time, attempting a firmware rollback will cause the HSM to fail with an error (Unable to communicate with HSM).

Workaround: None. If you are using STC, or have enabled HSM policy 39 in the past, do not roll back the HSM firmware.

Resolved: Fixed in Luna HSM firmware 7.2.0.

Problem: C_DeriveKey does not reject templates that contain CKA_VALUE, and uses the CKA_VALUE that is provided in the external template.

Workaround: None.

Resolved: Fixed in Luna HSM firmware 7.0.2 and 7.1.0.

Problem: The HSM reports 3072-bit as the maximum allowed key size for the RSA 186-3 mechanisms (CKM_RSA_FIPS_186_3_AUX_PRIME_KEY_PAIR_GEN and CKM_RSA_FIPS_186_3_PRIME_KEY_PAIR_GEN), when it should report 4096-bit.

C_GetMechanismInfo will report 3072 as the maximum size for these mechanisms. If your application uses C_GetMechanismInfo to query the maximum key size, it may prevent 4096 operations from working.

Workaround: Ignore the reported limit. 4096-length keys will generate successfully.

Resolved: Fixed in Luna HSM firmware 7.0.2.

Problem:Luna Network HSM appliance user names that begin with a non-alphanumeric character (period, dash, or underscore) may cause issues and/or potential system crashes.

Workaround: Always use an alphanumeric character as the first character in the user name when creating appliance user accounts.

Resolved: Fixed in Luna Network HSM appliance software 7.1.0.

Problem: On Linux, the Luna HSM Client software fails to install to a directory with spaces in its name.

Workaround: Remove spaces from the directory name before installing the client.

Resolved: Fixed in Luna HSM Client 7.1.0.

Problem: In LunaSH, network show displays an incorrect IPv6 Mask prefix.

Workaround: None. If set correctly, IPv6 works even though the wrong mask is displayed.

Resolved: Fixed in Luna Network HSM appliance software 7.1.0.

Problem: On Linux, non-root users cannot initialize the STC token or create an STC client identity.

Workaround: Start LunaCM as root with sudo ./lunacm.

Resolved: Fixed in Luna HSM Client 7.1.0.

Problem: Webserver starts even if no SSL key/cert exists, but is not accessible.

Workaround: Generate the SSL key/cert before starting the webserver.

Resolved: Fixed in REST API 7.0.0, included with Luna Network HSM appliance software 7.4.0.

Problem: On Linux, non-root users cannot configure the RBS server.

Workaround: As root, run the following commands:

1.chown -R root:hsmusers /usr/safenet/lunaclient/rbs/

2.chmod g+w -R usr/safenet/lunaclient/rbs/

Resolved: Fixed in Luna HSM Client 7.1.0.

Problem: When the HSM audit logs are full, audit login appears to succeed, but the user is not actually logged in and cannot perform operations.

Workaround: Clear the audit logs by opening an SSH session as audit, and perform the following steps:

1.Tar the audit logs with the command audit log tarlogs.

2.Transfer the tar file out of the appliance.

3.Clear the audit log files to free up space on the audit log partition with the command audit log clear.

Resolved: Fixed in Luna Network HSM appliance software 7.1.0.

Problem: On Linux, non-root users cannot add a new HSM server after CAfile.pem has been created by the root user.

Workaround: Use the same user account to create the certificate and register the server.

Resolved: Fixed in Luna HSM Client 7.1.0.

Problem: In LunaSH, running package verify and package update with the -useevp option produces a CKR_SIGNATURE_INVALID error.

Workaround: None.

Resolved: Fixed in Luna Network HSM appliance software 7.1.0.

Problem: In LunaCM, clientconfig deleteserver deregisters the HSM server on the Client, but does not delete the HSM server certificate file from the [LunaClient_dir]/cert/server directory. Attempts to re-register the same server with a regenerated certificate fail.

Workaround: Manually delete the certificate from the cert/server directory.

Resolved: Fixed in Luna HSM Client 7.1.0.

Problem: On Windows, a system crash can occur when you disconnect a Luna Backup HSM from the computer while the PEDclient service is running.

Resolved: Fixed in Luna HSM Client 7.1.0.

Problem:Luna Network HSM 7 attempts to load K6 driver upon rebooting.

Workaround: None. SNMP hsmCriticalEvent and hsmNonCriticalEvent counters are not implemented in this release, and will always remain 0.

Resolved: Fixed in Luna Network HSM appliance software 7.1.0.

Problem: REST API web client shows wrong logout result.

Workaround: Use the Custom I/O to manually log out.

Resolved: Fixed in REST API 7.0.0, included with Luna Network HSM appliance software 7.4.0.

Problem: In REST API, POST /auth/logout does not return Access-Control-Allow-Credentials and Access-Control-Allow-Origin in the response headers.

Workaround: None.

Resolved: Fixed in REST API 7.0.0, included with Luna Network HSM appliance software 7.4.0.

Problem: On the Backup HSM, the hsm init command with the -iped option fails after hsm factoryreset.

Workaround: Run the hsm init command again. The second attempt should be successful.

Resolved: Fixed in Luna G5 Backup HSM firmware 6.27.0.

Problem: Secure NTP server connections using AutoKey authentication do not work.

Workaround: Use Symmetric-Key authentication instead.

Resolved: Fixed in Luna Network HSM appliance software 7.1.0.

Problem: REST API partition actions contain actions that should be deprecated.

Workaround: Do not call these resources.

Resolved: Fixed in REST API 7.0.0, included with Luna Network HSM appliance software 7.3.0.

Problem: DSA SSH keypair is not regenerated by sysconf ssh regenkeypair.

Workaround: None. DSA keys are deprecated in OpenSSH due to weakness. Use RSA keys for SSH instead.

Resolved: Fixed in Luna Network HSM appliance software 7.1.0.