Known and Resolved Issues

The following table lists known issues in all released versions of Luna 7 components. Workarounds are provided where available.

Issues listed in green have been resolved, and the component and version that include the fix are provided.

Issue Labels Synopsis
LUNA-32033 open client clusterpkg

Problem: Using Luna HSM Client 10.7.2, running the LNHClientRegistration script to register the client to a cluster deletes the existing NTLS private key on the client. This occurs only if you specify the same client common name (usually its IP address) that was used for the NTLS certificate.

Workaround: Specify a different Common Name for the cluster client cert than was used for the NTLS client cert. Alternatively, to preserve the NTLS key, located in <install directory>/safenet/lunaclient/cert/client/, save a copy in another location and restore it after running the registration script.

RAPI-3924 open applianceSW

Problem: If the audit and operator users were enabled using Luna REST API with a Luna Appliance Software older than 7.8.0, updating directly to version 7.8.5 removes these users' role information. The operator role can no longer be used with REST API, except by re-imaging the Luna Network HSM 7. The audit role is not supported using Luna REST API, but its role information is also removed. See also RAPI-3900.

Workaround: Update the Luna Appliance Software to version 7.8.3 before updating to 7.8.5. If you are updating after an appliance re-image, consider enabling these users after the appliance software update.

RAPI-3900 fixed applianceSW

Problem: After updating the Luna Appliance Software, custom users that were created using the Luna REST API no longer exist or their role information is removed. See also RAPI-3924.

Workaround: If you are updating from Luna Appliance Software 7.7.1 or older, re-create the custom user after the update. If you are updating from Luna Appliance Software 7.8.0 or newer, reassign the role to the existing custom user after the update.

Resolved: Fixed in Luna REST API 15.0.0, included with Luna Appliance Software 7.8.5.

LUNA-31935 fixed applianceSW

Problem: When a syslog backup file is created using POST /api/lunasa/syslog/backups and downloaded using GET /api/lunasa/syslog/backups/{backupid}, the backup file is not deleted from the appliance memory, and this can cause the /tmp directory to fill up over time. In particular, this affects users of Crypto Command Center (CCC), which performs this task as part of automatic monitoring.

Workaround: Stop and restart the webserver service, or reboot the Luna Network HSM 7 appliance to clear the /tmp directory.

Resolved: Fixed in Luna REST API 15, included with Luna Appliance Software 7.8.5.

LUNA-31658 fixed applianceSW

Problem: When the Luna Appliance Software is updated from version 7.7.x or older to 7.8.x, the hostname reported in syslogs reverts to localhost. The correct hostname is still shown in the output for lunash:> network show.

Workaround: To recover the hostname in logs, use lunash:> network hostname <hostname> to reset it. You must use the same hostname that is currently set, or NTLS connections will be affected.

Resolved: Fixed in Luna Appliance Software 7.8.5.

LUNA-31648 open clusterpkg

Problem: After restoring a cluster with multiple members from backup, some keyring configuration information may not be synchronized correctly from the primary member to the other members.

Workaround: Follow the procedure as described in Restoring a Cluster from Backup. The cluster is fully recovered after restarting the cluster service on the primary member.

LUNA-31392 open client

Problem: When a large number (800+) of NTLS connections are made to the Luna Network HSM 7, BUS errors can be returned.

Workaround: These errors are related to lnh_slots.plugin, which is only required for the cluster feature. Move this plugin out of the plugins directory on the client to stop these errors. Otherwise, they can be safely ignored.

LUNA-31351 fixed applianceSW

Problem: If system directories on the Luna Network HSM 7 appliance are filled to near their capacity, a warning like the following is displayed when you launch LunaSH:

Warning: Reached ##% consumption on one or more disk partitions.

You can get more information using lunash:> status disk.

If any of the directories listed are filled to capacity, this can interfere with appliance functions.

Workaround: None. If the /var directory is producing the warning, do not attempt to update the Luna Appliance Software to any version older than 7.8.5.

Resolved: Fixed in Luna Appliance Software 7.8.5. If you are not able to update to version 7.8.5 or newer, contact Thales Customer Support.

RAPI-3347 fixed applianceSW

Problem: Using Luna Appliance Software 7.8.4, if the webserver certificate is regenerated using LunaSH, applications (including Crypto Command Center) are unable to connect with the Luna Network HSM 7 using REST API due to a compatibility issue with the version 1 certificate.

Workaround: Use PUT /api/lunasa/webServer/certificate to regenerate the webserver certificate again.

Resolved: Fixed in Luna Appliance Software 7.8.5.

LUNA-30881 fixed clusterpkg

Problem: If multiple members are disconnected from the cluster simultaneously, an incorrect authorization status may be reported. If this occurs, operations on keyrings may fail with CKR_DEVICE_ERROR.

Workaround: If you know which members were disconnected, restart the cluster service on those members. If you do not know which members were disconnected, restart the cluster service on each member one at a time.

Resolved: Fixed in cluster package version 1.0.4.

RAPI-3271 fixed applianceSW

Problem: The Luna REST API does not recognize usernames that include the dash character (-). Custom users created in LunaSH that include a dash will be unable to log in using the REST API.

Workaround: If you intend to use the Luna REST API, do not create custom usernames that include a dash character.

Resolved: Fixed in Luna REST API 13.0.0, included with Luna Appliance Software 7.8.3. The REST API now accepts the same username character set as LunaSH.

LUNA-30812 fixed applianceSW

Problem: If SSH traffic is bound to a network interface, deleting any network interface using lunash:> network interface delete returns a confusing warning:

WARNING! SSH is currently restricted to ethernet device unknown

Workaround: None. The device is deleted as expected; this message can be safely ignored.

Resolved: Fixed in Luna Appliance Software 7.8.5.

LUNA-30782 open clusterpkg

Problem: When entering an incorrect keyring PO password, the failed login counter that is displayed does not decrease. The failed login count for the CO role decreases by one.

Workaround: None. The actual counter does decrease as expected, and both the PO and CO roles are locked when the counter reaches zero.

LUNA-30737 open firmware

Problem: When using a Luna HSM with firmware 7.8.1 or newer installed to wrap RSA CRT using KM_CUSTOM_FORMAT or RSA_CRT and DSA private key using KM_GEMPLUS_GPK4000_FORMAT, the wrap command fails with log error Mechanism Param Invalid.

Workaround: None. Use a firmware version older than 7.8.1.

Resolved: Fixed in Luna HSM firmware 7.8.7.

LUNA-30534 fixed client firmware

Problem: Using Luna HSM Firmware 7.8.4 in FIPS mode, migration of keys from a Microsoft provider to Luna provider using the ms2luna utility fails with error CKR_MECHANISM_INVALID.

Workaround: None. Key migration to Luna HSM Firmware 7.8.4 is only possible in non-FIPS mode.

Resolved: Fixed in Luna HSM Client 10.7.1.

LUNA-30528 fixed applianceSW client

Problem: After deleting an HA group, ActiveEnhanced mode is turned off and the client returns to ActiveBasic mode.

Workaround: Turn ActiveEnhanced mode back on manually using LunaCM (hagroup recoverymode -mode activeEnhanced).

Resolved: Fixed in Luna HSM Client 10.7.2.

LUNA-30449 fixed client clusterpkg

Problem: After deleting a cluster member, clients are unable to open a session to the cluster (C_OpenSession returns error CKR_FUNCTION_FAILED).

Workaround: Back up the cluster from the remaining member, then delete all keyrings from that member, and restore them from the backup. Clients should then be able to open sessions.

Resolved: Fixed in the lnh_cluster package version 1.0.4.

LUNA-30377 fixed clusterpkg

Problem: Read-only operations running while the primary cluster member is down fail when the primary is reconnected to the cluster and Read-Write status is restored. An error is returned (CKR_USER_NOT_LOGGED_IN).

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.7.2.

LUNA-30374 fixed clusterpkg

Problem: If the network connection to one or more members of a cluster is interrupted, the reported number of crypto operations done during the period of interruption can be inaccurate.

Workaround: None.

Resolved: Fixed in lnh_cluster package 1.0.4.

LUNA-30232 fixed client

Problem: When using Luna HSM Client 10.5.x or 10.6.0 to migrate a master key from a local keystore to a Luna HSM, the key is successfully migrated but operations fail with the log error Unknown Mechanism Type.

Workaround: Use Luna HSM Client 10.4.1 instead.

Resolved: Fixed in Luna HSM Client 10.7.0. You must add map_aes_cmac_general_old=1 to the Toggles section of the Cryptoki.conf/cryptoki.ini file.

LUNA-30115 fixed clusterpkg

Problem: Network configuration changes on a cluster member sometimes result in loss of member authorization, and this is not resolved by manual authorization.

Workaround: None.

Resolved: Fixed in the lnh_cluster package version 1.0.4.

LUNA-30110 fixed applianceSW

Problem: Unable to set the severity for a remote syslog server configured with RELP. The execution failed with the error message Error: lunalogs is not configured for 192.168.0.111 despite a RELP server already being configured and visible through the lunash:>remote list command.

Workaround: None.

Resolved: Fixed in Luna Appliance Software 7.8.5.

LUNA-30050 open

Problem: If the clusteradmin service is stopped on the Luna Network HSM 7, attempting to join a cluster produces a confusing error:

Error: Precondition specified in the request is not satisfied.
    Synchronize the time between LNHs

Workaround: None. Ensure that the clusteradmin service is running on both the joining member and the member being joined before attempting cluster join (or any other cluster operations).

LUNA-30046 fixed applianceSW

Problem: It is possible to add 0.0.0.0 as a network route on the appliance. This should not be permitted.

Workaround: None. Do not set 0.0.0.0 as a network route destination. If you are trying to add the default route to this device, specify 0.0.0.0 for the gateway, not the destination.

Resolved: Fixed in Luna Network HSM appliance software 7.8.4.

LUNA-29723 fixed applianceSW

Problem: After a factory reset of the network service, Default Route (eth0) : Yes is always displayed in the output for network show. This prevents the default route from being automatically assigned to bond1 after it is enabled.

Workaround: Before configuring the device you want to have the default route, first clear the default route from eth0:

lunash:> network route delete network 0.0.0.0 -device eth0 -gateway 0.0.0.0 -force

Resolved: Fixed in Luna Network HSM appliance software 7.8.4.

LUNA-29666 fixed applianceSW

Problem: Using Luna Network HSM appliance software 7.8.x, the LunaSH command sysconf ntp autokeyauth generate fails with a No such file or directory error.

Workaround: None.

Resolved: Fixed in Luna Network HSM appliance software 7.8.4.

LUNA-29311 fixed applianceSW

Problem: In LunaSH, sysconf config factoryReset -service all does not reset the ctc service to factory conditions as expected.

Workaround: Use sysconf config factoryReset -service ctc to factory reset the ctc service.

Resolved: Fixed in Luna Appliance Software 7.8.4.

RAPI-2715 open applianceSW

Problem: When using REST API resources to set multiple HSM policies, operations may fail (400) if they are run quickly in sequence. A message is returned: Task needs to be in WAITING state to perform this operation.

Workaround: If your REST API application has operations fail like this, add a 5-second delay before the operation that fails.

RAPI-2701 fixed applianceSW

Problem: Using REST API, restoring the appliance configuration from backup by specifying "service": "all" fails, and does not return a known error (null).

Workaround: Do not use the "all" option; restore services one at a time.

Resolved: Fixed in Luna REST API 14.0.0, included with Luna Appliance Software 7.8.4.

LUNA-28874 fixed client

Problem: When Luna HSM Client is configured with a receive timeout less than the default 20000 ms (LunaSA Client = {ReceiveTimeout = 1000}, for example), an unsuccessful NTLS handshake still waits 20000 ms to time out. If the NTLS handshake succeeds, the custom timeout setting is observed as expected.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.6.0. The ReceiveTimeout setting now applies to the NTLS handshake as well.

LUNA-28807 fixed client

Problem: When using lunacm.exe -f to run a list of scripted LunaCM commands, the script does not continue running after encountering an error.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.6.0.

LUNA-28763 fixed applianceSW

Problem: On the front-panel LCD display, the code for Offline, when none of the appliance's Ethernet devices are connected to a network, is incorrectly displayed as OFT.

Workaround: None.

Resolved: Fixed in Luna Network HSM appliance software 7.8.3 -- the code is now correctly displayed as OFL.

LUNA-28663 fixed clusterpkg

Problem: Keyring labels created in batches using REST API contain an extraneous dash (example: HSM2:Part-1000) that is not added to keyrings created using LunaSH (example: HSM2:Part1000).

Workaround: None.

Resolved: Fixed in Luna Network HSM appliance software 7.8.3.

LUNA-28230 open

Problem: When a remote PED server is configured using ped set in LunaCM or hsm ped set in LunaSH, a Partition SO login command (role login -n po) from a client will seek authentication from the configured remote PED, even if you did not first run ped connect, and ped get reports that HSM slot 1 listening to local PED (PED id=0). This does not occur when attempting to log in with a different role (the PED operation times out, or is sent to a local PED if there is one connected to the HSM, as expected).

Workaround: Always run ped connect before client commands that require authentication, if you wish to use remote PED.

LUNA-28081 fixed applianceSW

Problem: Static routes assigned to bonding interfaces (bond0 and bond1) are not included in configuration backups (sysconf config backup).

Workaround: After restoring the network configuration from backup (sysconf config restore), add the static routes to the bond interfaces manually (network route add).

Resolved: Fixed in Luna Network HSM appliance software 7.8.3.

LUNA-27898 fixed applianceSW

Problem: The supportInfo.txt file generated by the LunaSH command hsm supportinfo falsely indicates that NTLS is bound to an inactive interface:

NTLS is currently bound to IP Address: "1.2.3.4" (inactive interface)

Workaround: This error can be safely ignored. The LunaSH command ntls show displays the correct information.

Resolved: Fixed in Luna Network HSM appliance software 7.8.3.

RAPI-2200 fixed applianceSW

Problem: LunaSH and Luna REST API have different requirements for characters that are accepted in user passwords. A user created in LunaSH that uses one of the following characters will therefore not be allowed to log in using REST API: &_|;'"<>?`.

Workaround: Change the LunaSH user password to remove any unaccepted characters before attempting to log in using REST API.

Resolved: Fixed in Luna REST API 13.0.0, included with Luna Appliance Software 7.8.3. The REST API now accepts the same password character set as LunaSH.

LUNA-27598 fixed applianceSW

Problem: After re-imaging the Luna Network HSM appliance software to version 7.2.0 and then updating to version 7.8.1, registration of a PEDserver certificate (lunash:> hsm ped server register) on the appliance fails with error RC_DATA_INVALID.

Workaround: None.

Resolved: Fixed in Luna Network HSM appliance software 7.8.3.

LUNA-27183 fixed client

Problem: Using Luna HSM Client 10.5.1, drivers for Remote PED are not installed on Debian-based Linux (such as Ubuntu).

Workaround: None. Use Luna HSM Client 10.5.0 or older if you are setting up a Remote PED server.

Resolved: Fixed in Luna HSM Client 10.6.0.

LUNA-27110 fixed client

Problem: Using Luna HSM Client 10.5.1, ms2luna fails to migrate KSP keys to the Luna HSM. CSP keys are migrated successfully.

Workaround: Use the ms2luna utility from Luna HSM Client 10.5.0 instead.

Resolved: Fixed in Luna HSM Client 10.6.0.

LUNA-26981 fixed G7BU

Problem: A Luna Backup HSM 7 cannot restore objects to any partition on a Luna HSM with firmware 7.7.1 or newer and HSM policy 50: Allow Functionality Modules enabled, even if the source of the backup also had FMs enabled.

Workaround: None.

Resolved: Fixed in Luna Backup HSM firmware 7.7.2. Both the backup source partition and the target restore partition must have partition policy 42: Allow CPv1 disabled.

LUNA-26960 open client

Problem: On AIX, the LunaCM command partition domainlist returns an error:

lunacm:>partition domainlist
Error in execution: host memory error.
Command Result : 0x6 (Internal Error)

Workaround: None.

LUNA-26959 fixed applianceSW

Problem: After adding a network route, a failure message is returned (Failed to apply new route information to bond0.) but the route is added successfully.

Workaround: This message can be safely ignored.

Resolved: Fixed in Luna Network HSM appliance software 7.8.3.

LUNA-26926 open client

Problem: On Linux, a non-root user in the hsmusers group is unable to start pedclient.

Workaround: None.

LUNA-26702 fixed applianceSW

Problem: Using Luna Network HSM appliance software 7.7.0 and newer, after a bonding network interface is disabled, its gateway field is cleared.

Workaround: Add a manual network route to the affected interface using network route add.

Resolved: Fixed in Luna Appliance Software 7.8.5.

LUNA-26681 fixed applianceSW

Problem: When both bond0 and bond1 are configured on the appliance, both bonded interfaces are configured with a default route. Only the first-enabled bond interface should have the default route.

Workaround: None.

Resolved: Fixed in Luna Network HSM 7.8.1 appliance software.

RAPI-2010 open applianceSW

Problem: Using REST API 11.0.0 (included with Luna Network HSM appliance software 7.8.0), resources for verifying and installing a secure package fail.

Workaround: Use LunaSH to verify and install secure packages.

LUNA-26584 open applianceSW

Problem: When a default route is configured on a network interface, another newly-configured DHCP interface is not assigned a gateway.

Workaround: Add a manual network route to the affected interface using network route add.

LUNA-26583 open applianceSW

Problem: When a default route is configured on a network interface, another newly-configured static interface is not assigned a gateway.

Workaround: Add a manual network route to the affected interface using network route add.

LUNA-26485 open clusterpkg

Problem: Changing the default port used for crypto operations on the cluster (50052) can cause communication problems between cluster members.

Workaround: In this release, do not customize the crypto port number.

LUNA-26488 fixed client

Problem: Using Luna HSM Client 10.4.x to 10.5.0, the Luna Client CSP partition password can no longer be decrypted via the Windows DPAPI.

Workaround: Re-register the partition with the Luna CSP.

Resolved: Fixed in Luna HSM Client 10.5.1 -- an option has been added (/password) to provide the partition password using the register utility.

LUNA-26389 open applianceSW

Problem: When the network service on Luna Network HSM appliance software 7.8.x is reset to factory conditions (lunash:> sysconf config factoryreset -service network), the DHCP interface is not automatically assigned a gateway.

Workaround: Configure the interface manually by assigning a static IP address and gateway, or reconfiguring DHCP on the interface.

LUNA-26386 fixed applianceSW

Problem: In LunaSH, after deleting a network interface, the information about that interface is still displayed in the output for network show.

Workaround: The interface is deleted; this information can be safely ignored.

Resolved: Fixed in Luna Network HSM appliance software 7.8.1.

LUNA-26370 fixed client

Problem: The Mutex lock file generated by Luna HSM Client is created with the wrong permissions (writable by everyone).

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.5.1.

LUNA-26360 fixed applianceSW

Problem: When bonding is configured, the gateway is not set on the bond interface.

Workaround: None. Do not configure network bonding on Luna Network HSM 7.8.0.

Resolved: Fixed in Luna Network HSM appliance software 7.8.1.

LUNA-26317 open clusterpkg

Problem: After resetting a keyring, role show incorrectly indicates that there are 15 failed login attempts/password change attempts remaining until keyring lockout.

Workaround: This can be safely ignored. The correct value (10) is reported by role show after logging in to the keyring using the reset credentials.

LUNA-26186 fixed applianceSW

Problem: When multiple NTLS clients are registered to the Luna Network HSM by hostname, and one or more clients' hostnames fail to resolve, long delays are added to NTLS connection requests from all clients, sometimes causing timeouts (client returns ReceiveTimeout).

Resolved: Fixed in Luna Appliance Software 7.8.1.

LUNA-25898 fixed clusterpkg

Problem: If a RADIUS-authenticated user is created on Luna Network HSM, the cluster service will not start.

Workaround: RADIUS is not supported for use with clusters; if you have RADIUS-authenticated users on the appliance, the cluster service will start once they are deleted.

Resolved: Fixed in Luna Network HSM 7.8.1 clusters package.

LUNA-25891 fixed clusterpkg

Problem: When a cluster member recovers from a network outage and rejoins the cluster, the member does not recover from Read-Only mode and does not update its version of the cluster database. Operations sent to this cluster member may fail if the correct keys do not exist or if they have old attributes. LunaSH reports this member with an R in the output for cluster member list; REST API includes "visibleToServicingNode": false in the return for GET /api/clusters/{clusterid}/members.

Workaround: Restart the cluster service on the recovered member. The database is updated and operations may resume normally.

Resolved: Fixed in Luna Network HSM appliance software 7.8.3 and the cluster 1.0.3 package.

LUNA-25886 fixed clusterpkg

Problem: When a custom user account is created on cluster member A, the user is required to change the initial password upon first login to cluster member A. If the user's first login is on cluster member B, however, the password change is not enforced. If the password is changed manually on member B, logging in to member A will still require another password change.

Workaround: Ensure that the user logs in for the first time to the member where the user account was created.

Resolved: Fixed in Luna Network HSM appliance software 7.8.1.

LUNA-25811 fixed client clusterpkg

Problem: After resetting a keyring to its initial conditions, LunaCM does not allow you to log in as KRSO (po), saying that the role is not initialized.

Workaround: Use ckdemo to log in as KRSO (pso) and re-initialize the KRCO role.

Resolved: Fixed in Luna HSM Client 10.5.1.

LUNA-25611 fixed clusterpkg

Problem: Setting the core service IP using REST API appears to fail with Error: socket hang up.

Workaround: The operation has not failed, although the socket closed prematurely before receiving the successful status. The cluster service must automatically restart before the operation can be reported as a success; wait approximately 3 minutes for the service to finish restarting and then confirm. Alternatively, use LunaSH to set the service IP.

Resolved: Fixed in Luna Network HSM 7.8.1 clusters package.

LUNA-25344 fixed clusterpkg

Problem: Client operations on a cluster member can be disrupted briefly while a new cluster member is added.

Workaround: Configure all your cluster members before launching your client applications.

Resolved: Fixed in Luna HSM appliance software 7.8.3 and the cluster 1.0.3 package.

LUNA-25278 fixed clusterpkg

Problem: When the cluster service is stopped on all members and then started on all members, authorizing one member manually does not trigger auto-authorization of the other members as expected.

Workaround: You must manually authorize each member individually.

Resolved: Fixed in Luna Network HSM 7.8.1 cluster package.

LUNA-25108 fixed clusterpkg

Problem: In LunaSH, keyring show using the -detail option displays a confusing Error: Response rendering failed.

Workaround: This error can be safely ignored.

Resolved: Fixed in Luna Network HSM appliance software 7.8.3 and the cluster 1.0.3 package.

LUNA-25093 fixed applianceSW

Problem: The Luna Network HSM incorrectly enforces that the HSM SO must be logged in before the Partition SO can initialize the Crypto Officer role in LunaSH.

Workaround: None.

Resolved: Fixed in Luna Network HSM appliance software 7.8.0.

LUNA-25067 fixed clusterpkg

Problem: The REST server healthcheck creates many REST log entries:

2022 Apr 26 09:39:15 [localhost]  local5 info  LNHREST[1]: 127.0.0.1:50620 - GET /
2022 Apr 26 09:39:15 [localhost]  local5 err  LNHREST[1]: Misssing Authorization Header

Workaround: None. These logs can be ignored.

Resolved: Fixed in Luna Network HSM 7.8.1 Technical Preview.

LUNA-24800 fixed client

Problem: After a key is destroyed, C_Encrypt calls using the key's handle return CKR_TOKEN_NOT_PRESENT instead of CKR_KEY_HANDLE_INVALID. This can interfere with the operation of running applications.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.5.0.

LUNA-24474 fixed applianceSW

Problem: When the Luna Network HSM is configured to use RADIUS authentication, requests are sent to the RADIUS server even for local roles that are not configured for RADIUS authentication.

Workaround: None.

Resolved: Fixed in Luna Network HSM appliance software 7.8.0.

LUNA-24462 fixed firmware

Problem: When the HSM hardware includes the new clock (a response to supply-chain parts shortages), the reimage operation fails. An HSM containing the new part can be recognized by the assembly number 808-000048-003 using the "hsm showinfo" command for a standalone PCIe HSM, or number 808-000073-002 using the "hsm show" command for an HSM inside a Luna Network HSM appliance. The problem does not occur for HSMs with firmware version 7.0.3 and earlier, or firmware later than version 7.7.2.

Workaround: Apply HSM firmware version 7.8.0 (or newer). That is a standalone firmware upgrade for Luna PCIe HSM, or is part of the .SPKG for appliance software release 7.8.0 (or newer) on Luna Network HSM.

LUNA-24240 fixed clusterpkg

Problem: When an incorrect partition label or password is specified when running cluster join, cluster delete, or cluster leave, the command fails as expected, but Command Result : 0 (Success) is returned.

Workaround: This message can be safely ignored.

Resolved: Fixed in Luna Network HSM appliance software 7.8.1.

LUNA-24101 fixed applianceSW

Problem: In LunaSH, the following commands are not available to the operator user:

>hsm ped server register

>hsm ped server delete

>network interface slaac

>client addCA

>client listCAs

>client deleteCAs

Workaround: The admin user must be logged in to use these commands.

Resolved: Fixed in Luna Network HSM appliance software 7.8.0.

LUNA-24019 fixed client

Problem: When using Luna HSM Client 10.4.x, integration with Microsoft NDES does not work (HTTP Error 500.0).

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.5.0.

LUNA-23945 fixed cloudHSM

Problem: Using Luna HSM Client 10.4.1, when a Luna Cloud HSM service is configured as an HA group member with multifactor quorum-authenticated Luna 7 partitions, operations do not fail over to Luna Cloud when Luna 7 partitions become unavailable.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.5.0.

LUNA-23764 fixed client

Problem: When cklogs are enabled on a Linux client, source ./setenv --addcloudhsm fails with ERROR: Failed to add cloud hsm configuration to 'Chrystoki.conf', failed to configure PluginsModuleDir in Misc section.

Workaround: Disable cklogs with vtl cklogsupport disable before running the setenv script.

Resolved: Fixed in Luna HSM Client 10.5.0.

LUNA-23695 fixed client

Problem: Using Luna HSM Client 10.3.0 or 10.4.0, LunaHAStatus returns CKR_DATA_INVALID for all members of an HA group after a period of time.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.5.0.

LUNA-23691 fixed client clusterpkg

Problem: After re-initializing a keyring with a different label, the keyring info cannot be found using keyring show (fails with Error: Requested resource is not found. [UI] Keyring "new_label" does not exist.).

Workaround: None.

LUNA-23471 fixed applianceSW

Problem: A change to a file while it was being tarred caused an error (file changed as we read it) from the tar utility during syslog tarlog, which caused the syslog command to fail. That error is expected when a file changes and is just an informational notification that should not cause the syslog tarlog operation to fail.

Workaround: Use remote syslogging instead.

Resolved: Fixed in Luna Network HSM appliance software 7.8.3. The script accepts that error and completes successfully.

LUNA-23417 fixed client

Problem: When an HSM with an HA member partition remains in a bad state for a period of time (several hours or more), the HA group may receive a CKR_DEVICE_ERROR.

Workaround: If the HA group receives this error, the client application must be restarted. Monitor HA member HSMs to ensure they are recovered quickly.

Resolved: Fixed in Luna HSM Client 10.4.0.

LGX-4942 open G7BU

Problem: Luna Backup HSM firmware 7.7.2 enforces minimum 8-character passwords. The previous limit was 7 characters. If you were using a 7-character password before updating to firmware 7.7.2, you can encounter problems with some operations. For example, soft initialization of the HSM will fail because the new firmware will not allow you to keep the old 7-character password.

Workaround: Change all passwords to use a minimum of 8 characters.

LUNA-23140 fixed clusterpkg firmware

Problem: The user is unable to create a data object on a keyring without first logging in as KRCO. This should not be necessary to create data objects.

Workaround: Log in as KRCO first.

Resolved: Fixed in Luna HSM firmware 7.8.1.

LUNA-23134 open clusterpkg

Problem: When the lnh_cluster-1.0.x package is installed, some extra commands are visible in LunaSH (cluster migration). These commands should be hidden.

Workaround: These commands have no effect; they can be safely ignored.

LUNA-22750 fixed client

Problem: The cryptoki library crashes when CKA_UNWRAP_TEMPLATE or CKA_DERIVE_TEMPLATE is called.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.4.0.

LUNA-22593 open clusterpkg

Problem: Failed attempts to change the password for a role (where an incorrect current password is specified) do not increment towards role lockout.

Workaround: None.

LUNA-22456 fixed firmware

Problem: The Milenage mechanism generates an incorrect authentication verification quintet.

Workaround: None.

Resolved: Fixed in Luna HSM firmware 7.7.2.

LUNA-22378 fixed client

Problem: cmu importkey fails to import encrypted keys.

Workaround: Follow these steps to import the EC key in encrypted form from ec.pfx:

>openssl pkcs12 -in ec.pfx -nocerts -nodes -out Temp.key
Enter Import Password:
>openssl pkcs8 -in Temp.key -topk8 -nocrypt -out PKCS8.key
>cmu importkey -in PKCS8.key -PKCS8 -keyalg ECDSA

Resolved: Fixed in Luna HSM Client 10.4.0.

LUNA-22353 fixed applianceSW

Problem: Re-imaging the Luna Network HSM appliance from software version 7.7.1 fails if performed by a custom admin user.

Workaround: Re-image the appliance using the default admin LunaSH account.

Resolved: Fixed in the Re-Image Software 7.7.1 and Firmware 7.7.0 Patch.

LUNA-22289 fixed client

Problem: CK_MILENAGE_SIGN_PARAMS does not function correctly when the application is used with an HA group.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.4.0.

RAPI-1853 fixed applianceSW

Problem: When updating the appliance software package using REST API, the operation fails with PACKAGE_MANAGEMENT_OPERATION_FAILED.

Workaround: Use LunaSH to update the appliance software package.

Resolved: Fixed in Luna REST API 11.0.0, included with Luna Network HSM 7.8.0 appliance software.

LKX-9419 fixed firmware

Problem: When auto-activation is enabled on PED-authenticated HSM partitions using firmware 7.7.0 or 7.7.1, the verification string generated by entering Secure Transport Mode will differ from the one received during STM recovery.

Workaround: Deactivate all roles on all partitions before entering STM on the HSM.

Resolved: Fixed in Luna HSM firmware 7.7.2.

LKX-9286 fixed client

Problem: Two audit log entries can occasionally be recorded on the same line of the audit log file, corrupting the file and causing log verification to fail.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.4.0.

LUNA-21646 fixed clusterpkg

Problem: When the wrong HSM SO password is presented in LunaSH with cluster create three consecutive times, no warning is displayed that the HSM will be zeroized, and the error message is generic:

Generic error by the receiver of the request.
Command Result : 65535 (Luna Shell execution)

Workaround: Ensure that you present the correct HSM SO password.

Resolved: Fixed in Luna Appliance Software 7.8.4.

LGX-4240 fixed G7BU

Problem: Attempts to change the HSM SO credential on a multifactor-authenticated Luna Backup HSM with firmware 7.7.1 fail with CKR_INVALID_ENTRY_TYPE.

Workaround: None.

Resolved: Fixed in Luna Backup HSM firmware 7.7.2.

LUNA-16839 fixed client

Problem: When using HA, the poll function can fail with CKR_DEVICE_ERROR or CKR_TOKEN_NOT_PRESENT. HA logs show a failover followed by an immediate recovery.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.4.0.

LUNA-16125 fixed client

Problem: WRAP operations fail when the Luna HSM is integrated with Hortonworks in FIPS mode.

Workaround: None. Operations succeed when not in FIPS mode.

Resolved: Fixed in Luna HSM Client 10.4.0.

LUNA-15539 fixed client

Problem: Luna HSM Client fails to re-initialize a partition with a partition policy template on firmware 7.7.

Resolved: Fixed in Luna HSM Client 10.3.0 and newer.

LUNA-15390 fixed applianceSW

Problem: Configuring a default route when no gateway is present is allowed.

Workaround: To reconfigure the default route when a gateway is present, delete the interface and reconfigure it.

Resolved: Fixed in Luna Network HSM appliance software 7.7.1.

LGX-3534 fixed G7BU applianceSW

Problem: The file produced by lunash:> hsm supportinfo does not include any information about an attached Luna Backup HSM 7.

Workaround: None.

Resolved: Fixed in Luna Network HSM appliance software 7.7.1.

LUNA-14571 fixed client

Problem: Memory leak issue in Luna HSM Client 10.1 with SUSE Linux.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.3.0.

LUNA-14009 fixed client cloudHSM

Problem: When running cmu verifyhsm, the interactive mode does not prompt for a challenge string, and fails with "Parameters missing".

Workaround: Always specify a challenge string: cmu verifyhsm -challenge "string"

Resolved: Fixed in Luna HSM Client 10.4.0.

LKX-8494 fixed firmware

Problem: When partition policy 34: Allow CBC-PAD (un)wrap keys of any size is set to 0, the AES_KWP mechanism is blocked, although it does not have the same vulnerabilities as the other blocked mechanisms.

Workaround: None.

Resolved: Fixed in Luna HSM firmware 7.7.0.

LUNA-11616 fixed client cloudHSM

Problem: If the client fails to resolve the Luna Cloud service's DNS hostname, other client slots fail to load in LunaCM.

Workaround: Ensure that your DNS network is stable before deploying a Luna Cloud HSM in an HA group. Ideally, configure multiple DNS nameservers for failover.

Resolved: Fixed in Luna HSM Client 10.2.0.

LUNA-11447 fixed client cloudHSM

Problem: If an application running against an HA group fails over to the Luna Cloud HSM member and the DNS hostname does not resolve, a segmentation fault can occur.

Workaround: Ensure that your DNS network is stable before deploying the Luna Cloud HSM service in an HA group. Ideally, configure multiple DNS nameservers for failover.

Resolved: Fixed in Luna HSM Client 10.2.0.

LGX-1844 fixed G7BU client

Problem: Luna Backup HSM 7 does not appear as a slot in LunaCM if ShowAdminTokens = no in the Luna HSM Client configuration file (Chrystoki.conf/crystoki.ini).

Workaround: Edit the configuration file to set ShowAdminTokens = yes.

Resolved: Fixed in Luna HSM Client 10.3.0.

LUNA-10992 fixed client

Problem: When using an HA group made up of Luna partitions and a Luna Cloud HSM service in FIPS mode, if the Luna partition is unavailable, 3DES keygen fails with CKR_MECHANISM_INVALID error.

Workaround: Ensure that all HA group members are available before initiating 3DES keygen.

Resolved: Fixed in Luna HSM Client 10.4.0.

SH-4194 open cloudHSM

Problem: If you perform cmu getpkc on a Luna Cloud HSM service to confirm a public key, the operation can sometimes fail.

Workaround: To confirm your key pair's origins and security in an HSM, run CKDemo's DisplayObject (27) function. If the CKA_NEVER_EXTRACTABLE attribute is present, this confirms that the private key was created in the HSM and never extracted.

LUNA-10803 fixed applianceSW

Problem: The Luna Network HSM LCD can freeze on reboot: the periodic update of displayed messages ceases (the display is stuck on a single message), and lcdController messages appear in system log messages. Software-initiated restart/reboot does not fix the problem. Attempting to stop/start the LCD service does not fix the problem. This is a rare, intermittent issue, and does not affect other HSM appliance functions.

Workaround: If the LCD freezes, perform a hard shutdown and restart using the appliance's power switch, or by disconnecting and reconnecting the power cable (both power cables on dual-power-supply models). Wait about 30 seconds between power off and power on.

Resolved: Fixed in Luna Network HSM appliance software 7.8.0.

LUNA-10348 fixed applianceSW

Problem: Multiple issues related to network default gateway.

Resolved: Fixed in Luna Network HSM appliance software 7.3.3. Doesn't occur in 7.7.0 onward.

LGX-1295 fixed G7BU client

Problem: When using a one-time password to initialize the Luna Backup HSM 7's RPV (orange PED key), including the -pwd option before -ip or -hostname causes the command to fail.

Workaround: Specify the -ip or -hostname option before the -pwd option in the command:

lunacm:>ped connect -ip <IP_address> -pwd

Resolved: Fixed in Luna HSM Client 10.2.0.

LUNA-9040 fixed applianceSW

Problem: With a bonding interface configured, the appliance cannot be reached through SSH after reboots. The bonding interface MAC address changes randomly after reboots.

Resolved: Fixed in Luna Network HSM appliance software 7.3.3. Problem does not exist in 7.4.2 and 7.7.0 onward.

NOTE: Resolution not confirmed, but the bonding interface MAC address no longer changes after reboots.

LGX-1203 fixed G7BU client

Problem: Running slot list after disconnecting and reconnecting the Luna Backup HSM 7 may cause LunaCM to exit. For example:

1. Connect the Luna Backup HSM 7 and let it complete the boot sequence.

2. Disconnect it after it has completed the boot sequence and run slot list. The backup HSM is not listed.

3. Reconnect the backup HSM and let it complete the boot sequence.

4. Run slot list. LunaCM exits.

Workaround: Do not disconnect the Luna Backup HSM 7 during a LunaCM session, unless you are finished using it.

Resolved: Fixed in Luna HSM Client 10.2.0.

LUNA-8881 fixed client

Problem: Application cannot change CKA_EXTRACTABLE default value via JSP.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.1.0.

LUNA-8833 fixed client

Problem: Minimal Luna HSM Client 7.4.0 tar file has an additional character that could affect customer scripts.

Workaround: Change filename from LunaClient-Minimal-v7.4.0-226.x86_64.tar to LunaClient-Minimal-7.4.0-226.x86_64.tar before running scripts.

Resolved: Fixed in Luna HSM Client 10.1.0.

LUNA-8780 fixed client

Problem: One-step NTLS fails when the appliance's SSH host key changes or when connecting for the first time.

Workaround: In LunaCM, run clientconfig deploy with the -verbose option, and manually enter y when PuTTY prompts you to update the cached SSH key.

Resolved: Fixed in Luna HSM Client 10.1.0.

LUNA-8760 fixed applianceSW

Problem: Registering an IPv6 NTLS client with REST API by POSTing to /api/lunasa/ntls/clients fails with an HTTP 400 error.

Workaround: None. Register NTLS clients with LunaSH to avoid this issue.

Resolved: Fixed in REST API 9.0.0, included with Luna Network HSM appliance software 7.7.0.

LUNA-8758 fixed client

Problem: Command output of vtl examineCert and vtl fingerprint are reversed.

Workaround: None. Use each command to view the other's output.

Resolved: Fixed in Luna HSM Client 10.1.0.

LUNA-22384 fixed applianceSW

Problem: An FM-ready Luna Network HSM with appliance software version 7.4.0 and HSM firmware 7.0.3 incorrectly displays "Non-FM" in the output from hsm show in LunaSH. LunaCM slot information for a partition on this HSM correctly displays "FM Ready".

Workaround: Ignore the incorrect output. You must upgrade the HSM firmware to 7.4.0 to use FMs.

Resolved: Fixed in Luna Network HSM appliance software 7.7.0.

LGX-1149 fixed G7BU client

Problem: When backing up objects to a Luna Backup HSM 7 from user partitions hosted on HSMs running older firmware, differences in the size of the metadata associated with the objects may cause the backup partition to become full before all of the objects are backed up, resulting in the following error message before all of the objects have been backed up: CKR_CONTAINER_OBJECT_STORAGE_FULL

Workaround: If you receive this message when backing up a user partition to a Luna Backup HSM 7, use the LunaCM partition resize command to resize the backup partition so that it has enough space to accommodate the remaining objects, then use the partition archive backup command with the -append option to add the skipped objects to the backup.

Resolved: Fixed in Luna HSM Client 10.3.0.

LUNA-8619 fixed applianceSW

Problem: During HSM initialization, if the PED operation to create the red domain key fails or times out, subsequent attempts to re-initialize the HSM will not prompt you to create the red domain key.

Workaround: Zeroize the HSM in LunaSH with hsm zeroize before re-initializing.

Resolved: Fixed in Luna Network HSM appliance software 7.7.0.

LKX-5396 fixed client

Problem: When creating an RSA key using CKDEMO, the user is mistakenly prompted for the Derive attribute (RSA key derivation is not allowed).

Workaround: None. The value entered is dropped and can be safely ignored.

Resolved: Fixed in Luna HSM Client 10.1.0.

LUNA-8348 fixed applianceSW

Problem: When adding a DNS server using REST API, configured port bonds are broken. If there is no other ethernet interface configured, you must use a serial connection to reconfigure the port bond.

Workaround: None. Use LunaSH to configure the DNS servers.

Resolved: Fixed in Luna Network HSM appliance software 7.7.0.

LUNA-8343 fixed applianceSW

Problem: On rare occasions, the appliance fails to load the K7 card driver and the HSM appears unavailable.

Workaround: Reboot the appliance.

Resolved: Fixed in Luna Network HSM appliance software version 7.3.0.

LKX-5351 fixed firmware

Problem: When partition policy 29: Perform RSA signing without confirmation is set to 0 (OFF), all RSA sign operations fail with an error (CKR_DATA_LEN_RANGE).

Workaround: If you use RSA signing, do not turn off partition policy 29.

Resolved: Fixed in Luna HSM firmware 7.7.0.

LUNA-7979 fixed applianceSW

Problem: Updating the appliance software resets SSH port info to default value 22, causing loss of SSH connection.

Workaround: Reconnect SSH by specifying port 22, or connect to appliance via serial port to reset SSH settings.

Resolved: Fixed in Luna Network HSM appliance software version 7.4.0.

LUNA-7791 fixed applianceSW

Problem: REST API DELETE /api/lunasa/ntp/servers or DELETE /api/lunasa/ntp/servers/[default local ntp server addr] deletes default NTP server.

Resolved: Fixed in Luna Network HSM appliance software 7.3.1. Default NTP server can no longer be deleted.

LUNA-7585 fixed client firmware

Problem: Java DERIVE and EXTRACT flag settings for keys injected into the HSM were forced to "true" in the JNI, which overrode any values passed by applications via Java.

Workaround: Refer to the CRN Advisory Notes.

Resolved: Fixed in Luna HSM firmware 7.3.0 and Luna HSM Client 7.3.0.

LUNA-7499 fixed client firmware

Problem: Private BIP32 Key Injection (combination of private key encryption and unwrapping operations) was not implemented in Luna 7.3.

Resolved: The call has been included; requires Luna HSM firmware 7.4.0 and Luna HSM Client 7.4.0.

LUNA-7438 fixed client

Problem: When using CKdemo to perform a multipart sign/verify operation with a key that has exceeded its specified usage count, an expected error is returned (CKR_KEY_NOT_ACTIVE). The next sign/verify operation with an active key fails with an unexpected error (CKR_OPERATION_ACTIVE).

Workaround: Restart CKdemo and attempt the operation again.

Resolved: Fixed in Luna HSM Client 10.3.0.

LUNA-7436 fixed client

Problem: Encrypt operations using DES3_CBC_PAD and specifying a NULL buffer fail (CKR_BUFFER_TOO_SMALL).

Workaround: Manually specify a buffer size for these operations.

Resolved: Fixed in Luna HSM Client 10.3.0.

LUNA-7430 fixed client

Problem: When running commands in some Luna utilities on Windows 10, password characters are duplicated.

Workaround: Contact Thales Customer Support.

Resolved: Fixed in Luna HSM Client 7.4.0.

LUNA-10915 fixed client

Problem: When you delete a key from a Luna Cloud HSM service, CKlog displays an incorrect object handle.

Resolved: Fixed in Luna HSM Client 10.1.0.

LKX-4543 fixed firmware

Problem: After a firmware update, duplicate entries are produced in the audit logs. These duplicate entries cause log verification to fail with an error (CKR_LOG_BAD_RECORD_HMAC).

Workaround: There is no way to avoid the duplicate entries. However, the other entries in the log file can be verified without error. When verifying the logs, specify a range that excludes the duplicate entries:

LunaSH: audit log verify -file [log_file] -start [first_entry] -end [last_entry]

LunaCM: audit verify file <log_file> start [first_entry] end [last_entry]

Resolved: Fixed in Luna HSM firmware 7.4.0.

LUNA-7258 fixed client

Problem: When running cmu commands on Windows 10, password characters are duplicated.

Resolved: Fixed in Luna HSM Client 7.3.0.

LUNA-7164 fixed applianceSW

Problem: When a bad remote logging host is added, existing hosts that were functioning correctly stop receiving logs.

Workaround: Ensure that all remote logging hosts are reachable and configured correctly before adding them.

Resolved: Fixed in Luna Network HSM appliance software 7.4.0.

LUNA-7074 fixed client

Problem: In LunaCM, when switching the active slot between partitions on different HSMs, ped connect and ped get sometimes report an active Remote PED connection, even though the connection is broken. Authentication commands fail.

Workaround: Use ped disconnect on the active slot before switching to a different slot and running ped connect.

Resolved: Fixed in Luna HSM Client 7.4.0.

LUNA-7000 fixed applianceSW

Problem: Using REST API, open application IDs sometimes cause the HSM to stop responding.

Resolved: Fixed in REST API 7.0.0, included with Luna Network HSM appliance software 7.3.0.

LKX-4250 fixed client firmware

Problem: CA_DeriveKeyAndWrap does not handle AES_KW, AES_KWP, or AES_CTR mechanisms.

Workaround: None.

Resolved: Fixed in Luna HSM firmware 7.7.0 and Luna HSM Client 10.3.0.

LUNA-3683 fixed client

Problem: On Linux clients, when a non-root user attempts to uninstall the Luna HSM Client software, the process fails and the client software remains installed, but Uninstall of the Luna HSM Client 7.3.0-165 completed is displayed in the command output.

Workaround: Ignore this message and log in as the root user to uninstall the Luna HSM Client software.

Resolved: Fixed in Luna HSM Client 7.4.0.

LUNA-3364 fixed applianceSW

Problem: After running sysconf appliance reboot from LunaSH, the appliance occasionally gets stuck with a Rebooting message on the LCD screen.

Workaround: Remove all power from the appliance (by removing the cable from the power supply units), wait at least 30 seconds, then reconnect power and restart the appliance.

Resolved: Download and install Luna 7 Appliance Reboot Patch 1.0.0 from the Thales Customer Support Portal. The content of this patch is included in Luna Network HSM appliance software 7.7.0.

LUNA-3298 fixed client

Problem: When installing Backup HSM and Luna PED drivers from Luna HSM Client software on a host machine with a fresh, non-upgraded version of Windows 10, Windows reports an error with the driver signatures.

Workaround:

- Luna Network HSM: Download and install Luna HSM Client patch 7.2.1 from the Thales Customer Support Portal (DOW0003077). Alternatively, disable Windows 10 driver signature enforcement before installing the Luna HSM Client.

- Luna PCIe HSM: Disable Windows 10 driver signature enforcement before installing the Luna HSM Client.

Resolved: Fixed in Luna HSM Client 7.3.0.

LUNA-3275 fixed client

Problem: When using CKdemo to query an application partition, the Crypto Officer password is entered in visible plaintext.

Workaround: None.

Resolved: Fixed in Luna HSM Client 7.3.0.

LUNA-3254 fixed applianceSW

Problem: Calls to CA_OpenApplicationID fail when certain sequences of calls are run, for example:

1. CA_SetApplicationID(x,y)

2. C_OpenSession()

3. C_CloseSession()

4. CA_OpenApplicationID(x,y)

Resolved: Fixed in Luna Network HSM appliance software 7.3.0.

LKX-3338 fixed firmware

Problem: On Luna HSM *700 and *750 models, asymmetric digest-and-sign or digest-and-verify mechanisms produce the wrong result when the data length exceeds 64 kB.

Resolved: Fixed in Luna HSM firmware 7.2.0 and 7.0.3.

LUNA-3167 fixed client

Problem: Cannot migrate keys using ms2Luna.exe for CSP.

Workaround: Copy a version of ms2Luna.exe from an older client package (6.2 or older).

Resolved: Fixed in Luna HSM Client 7.3.0.

LUNA-3071 fixed client

Problem: When LunaCM is launched in Luna Minimal Client, an unexpected error is displayed (Error: Failed to initialize remote PED support).

Workaround: Edit Chrystoki.conf/crystoki.ini and remove Toolsdir from the Misc section.

Resolved: Fixed in Luna HSM Client 7.3.0.

LUNA-3015 fixed applianceSW

Problem: LunaSH command sysconf config factoryReset does not remove port bonding.

Resolved: Fixed in Luna Network HSM appliance software 7.2.0.

LUNA-2983 fixed client

Problem: CMU Export Public Key: incorrect formatting of the exported key. A public key exported with the command cmu export -handle [handle#] -outputfile [filename] -key has incorrect header and footer text.

Workaround: Edit the exported public key file, replacing
----- BEGIN CERTIFICATE ----- and ----- END CERTIFICATE -----
with
----- BEGIN PUBLIC KEY ----- and ----- END PUBLIC KEY ----- respectively.

Resolved: Fixed in Luna HSM Client 7.3.0.

LUNA-2947 fixed client

Problem: When using Luna Network HSM appliance software 7.2.0 with earlier Luna HSM Client software, cmu getpkc fails with an error (Could not retrieve the PKC).

Resolved: Fixed in Luna HSM Client 7.2.0.

LUNA-2677 fixed client

Problem: Unable to change CKA_EXTRACTABLE key attribute via Java (LunaProvider/JSP).

Workaround: Download and apply the Luna HSM 7.1 Java Patch from the Thales Customer Support Portal. Follow the README instructions to ensure that your Java application sets the appropriate key attributes.

Resolved: Fixed in Luna HSM Client 7.2.0.

LUNA-2663 fixed applianceSW

Problem: In LunaSH, hsm firmware upgrade fails with errors (LUNA_RET_UNKNOWN_COMMAND and RC_GENERAL_ERROR) if STC is enabled on the Admin channel. It is then necessary to decommission the HSM in order to update the firmware.

Workaround: Disable STC on the Admin channel before updating the HSM firmware.

Resolved: Fixed in Luna Network HSM appliance software 7.2.0. If STC is enabled on the Admin channel, the user is prevented from updating the HSM firmware.

LGX-358 fixed G7BU

Problem: Connecting a Luna Backup HSM 7 to a USB 3.0 (SuperSpeed) port may result in error messages being displayed by the host operating system. This behavior occurs in both Windows and Linux.

For example, on Windows, you may see a USB device not recognized error.

On Linux, you may see messages like the following (visible using dmesg or in /var/log/messages):

usb 1-4: device descriptor read/64, error -71
usb 1-4: Device not responding to setup address.
usb 1-4: device not accepting address 32, error -71

Workaround: You can ignore these messages, as they have no effect on the normal operation of the device.

Resolved: Resolved in Luna Backup HSM with firmware 7.7.x installed from the factory. Backup HSMs upgraded to firmware 7.7.x still display the messages.

LKX-3233 fixed firmware

Problem: Value for HSM policy 46 (Disable Decommission) cannot be changed. Attempting to change it returns an error (CKR_CONFIG_FAILS_DEPENDENCIES).

Workaround: None.

Resolved: Fixed in Luna HSM firmware 7.2.0.

LUNA-2230 fixed applianceSW

Problem: If HSM policy 39 (Allow Secure Trusted Channel) is turned off while STC is enabled on the admin channel, the HSM SO is unable to log in using hsm login.

Workaround: If this occurs, exit LunaSH and log in again as the admin user. In general, disable STC on the admin channel (hsm stc disable) before setting HSM policy 39 to 0.

Resolved: Fixed in Luna Network HSM appliance software 7.2.0.

LUNA-2224 fixed client

Problem: When you initialize an STC partition by applying a partition policy template, a confusing error (CKR_TOKEN_NOT_PRESENT) is returned.

Workaround: None.

Resolved: Fixed in Luna Network HSM appliance software 7.7.1.

LKX-3178 fixed client firmware

Problem: When you use an older client and query partition-level capabilities and policies, the HSM returns incorrect policy numbers.

Workaround: Refer to the documentation for the correct policy numbers.

Resolved: Fixed in Luna HSM firmware 7.2.0.

LKX-3159 fixed firmware

Problem: In LunaCM, hsm information monitor incorrectly reports HSM utilization.

Workaround: None.

Resolved: Fixed in Luna HSM firmware 7.2.0.

LUNA-2081 fixed client

Problem: Multipart AES_KW operations on non-block-sized data return an incorrect error code (CKR_DEVICE_ERROR).

Workaround: None.

Resolved: Fixed in Luna HSM Client 7.2.0 onward.

LUNA-2077 fixed client

Problem: In LunaCM on Windows, one-step NTLS (clientconfig deploy) is very slow and takes almost four minutes to complete the NTLS connection setup.

Workaround: None.

Resolved: One-step NTLS performance has been improved in Luna HSM Client 7.2.0.

LKX-3042 fixed firmware

Problem: When partition policy 39: Allow start/end date attributes is enabled, all start dates must be later than January 01, 1970.

Workaround: Ensure that start date attribute is later than January 01, 1970.

Resolved: Fixed in Luna HSM firmware 7.2.0.

LKX-3184 fixed firmware

Problem: If HSM policy 39: Enable Secure Trusted Channel has been set to 1 (ON) at any time, attempting a firmware rollback will cause the HSM to fail with an error (Unable to communicate with HSM).

Workaround: None. If you are using STC, or have enabled HSM policy 39 in the past, do not roll back the HSM firmware.

Resolved: Fixed in Luna HSM firmware 7.2.0.

LKX-2824 fixed firmware

Problem: C_DeriveKey does not reject templates that contain CKA_VALUE, and uses the CKA_VALUE that is provided in the external template.

Workaround: None.

Resolved: Fixed in Luna HSM firmware 7.0.2 and 7.1.0.

LKX-2812 fixed firmware

Problem: The HSM reports 3072-bit as the maximum allowed key size for the RSA 186-3 mechanisms (CKM_RSA_FIPS_186_3_AUX_PRIME_KEY_PAIR_GEN and CKM_RSA_FIPS_186_3_PRIME_KEY_PAIR_GEN), when it should report 4096-bit.

C_GetMechanismInfo will report 3072 as the maximum size for these mechanisms. If your application uses C_GetMechanismInfo to query the maximum key size, it may prevent 4096 operations from working.

Workaround: Ignore the reported limit. 4096-length keys will generate successfully.

Resolved: Fixed in Luna HSM firmware 7.0.2.

LUNA-454 fixed applianceSW

Problem: Luna Network HSM appliance user names that begin with a non-alphanumeric character (period, dash, or underscore) may cause issues and/or potential system crashes.

Workaround: Always use an alphanumeric character as the first character in the user name when creating appliance user accounts.

Resolved: Fixed in Luna Network HSM appliance software 7.1.0.

LUNA-853 fixed client

Problem: On Linux, the Luna HSM Client software fails to install to a directory with spaces in its name.

Workaround: Remove spaces from the directory name before installing the client.

Resolved: Fixed in Luna HSM Client 7.1.0.

LUNA-169 fixed applianceSW

Problem: In LunaSH, network show displays an incorrect IPv6 Mask prefix.

Workaround: None. If set correctly, IPv6 works even though the wrong mask is displayed.

Resolved: Fixed in Luna Network HSM appliance software 7.1.0.

LUNA-264 fixed client

Problem: On Linux, non-root users cannot initialize the STC token or create an STC client identity.

Workaround: Start LunaCM as root with sudo ./lunacm.

Resolved: Fixed in Luna HSM Client 7.1.0.

LUNA-7194 fixed applianceSW

Problem: Webserver starts even if no SSL key/cert exists, but is not accessible.

Workaround: Generate the SSL key/cert before starting the webserver.

Resolved: Fixed in REST API 7.0.0, included with Luna Network HSM appliance software 7.4.0.

LUNA-263 fixed client

Problem: On Linux, non-root users cannot configure the RBS server.

Workaround: As root, run the following commands:

1. chown -R root:hsmusers /usr/safenet/lunaclient/rbs/

2. chmod g+w -R /usr/safenet/lunaclient/rbs/

Resolved: Fixed in Luna HSM Client 7.1.0.

LUNA-163 fixed applianceSW

Problem: When the HSM audit logs are full, audit login appears to succeed, but the user is not actually logged in and cannot perform operations.

Workaround: Clear the audit logs by opening an SSH session as audit, and perform the following steps:

1. Tar the audit logs with the command audit log tarlogs.

2. Transfer the tar file out of the appliance.

3. Clear the audit log files to free up space on the audit log partition with the command audit log clear.

Resolved: Fixed in Luna Network HSM appliance software 7.1.0.

LUNA-261 fixed client

Problem: On Linux, non-root users cannot add a new HSM server after CAfile.pem has been created by the root user.

Workaround: Use the same user account to create the certificate and register the server.

Resolved: Fixed in Luna HSM Client 7.1.0.

LUNA-166 fixed applianceSW

Problem: In LunaSH, running package verify and package update with the -useevp option produces a CKR_SIGNATURE_INVALID error.

Workaround: None.

Resolved: Fixed in Luna Network HSM appliance software 7.1.0.

LUNA-266 fixed client

Problem: In LunaCM, clientconfig deleteserver deregisters the HSM server on the Client, but does not delete the HSM server certificate file from the [LunaClient_dir]/cert/server directory. Attempts to re-register the same server with a regenerated certificate fail.

Workaround: Manually delete the certificate from the cert/server directory.

Resolved: Fixed in Luna HSM Client 7.1.0.

LUNA-801 fixed G5BU client

Problem: On Windows, a system crash can occur when you disconnect a Luna Backup HSM from the computer while the PEDclient service is running.

Resolved: Fixed in Luna HSM Client 7.1.0.

CPP-2820 fixed applianceSW

Problem: Luna Network HSM 7 attempts to load K6 driver upon rebooting.

Workaround: None. SNMP hsmCriticalEvent and hsmNonCriticalEvent counters are not implemented in this release, and will always remain 0.

Resolved: Fixed in Luna Network HSM appliance software 7.1.0.

RAPI-1248 fixed applianceSW

Problem: REST API web client shows wrong logout result.

Workaround: Use the Custom I/O to manually log out.

Resolved: Fixed in REST API 7.0.0, included with Luna Network HSM appliance software 7.4.0.

RAPI-1062 fixed applianceSW

Problem: In REST API, POST /auth/logout does not return Access-Control-Allow-Credentials and Access-Control-Allow-Origin in the response headers.

Workaround: None.

Resolved: Fixed in REST API 7.0.0, included with Luna Network HSM appliance software 7.4.0.

CPP-2376 fixed G5BU

Problem: On the Backup HSM, the hsm init command with the -iped option fails after hsm factoryreset.

Workaround: Run the hsm init command again. The second attempt should be successful.

Resolved: Fixed in Luna G5 Backup HSM firmware 6.27.0.

LUNA-1948 fixed applianceSW

Problem: Secure NTP server connections using AutoKey authentication do not work.

Workaround: Use Symmetric-Key authentication instead.

Resolved: Fixed in Luna Network HSM appliance software 7.1.0.

LUNA-3621 fixed applianceSW

Problem: REST API partition actions contain actions that should be deprecated.

Workaround: Do not call these resources.

Resolved: Fixed in REST API 7.0.0, included with Luna Network HSM appliance software 7.3.0.

LUNA-1423 fixed applianceSW

Problem: DSA SSH keypair is not regenerated by sysconf ssh regenkeypair.

Workaround: None. DSA keys are deprecated in OpenSSH due to weakness. Use RSA keys for SSH instead.

Resolved: Fixed in Luna Network HSM appliance software 7.1.0.

RAPI-383 open applianceSW

Problem: REST API does not verify the NTLS client's IP against the certificate.

Workaround: None.