Updating the Luna Network HSM Appliance Software
The Luna Network HSM appliance software consists of the LunaSH command-line shell and its underlying software components. Use the following procedure to install the Luna Network HSM appliance software update.
The update package includes an image of the latest HSM firmware, which you must install to take advantage of all the new features in this release. When you install the appliance software update, the latest firmware image is stored on the appliance file system but not installed.
CAUTION! The system can hold only one firmware version in standby at a time. Updating the appliance software version also updates the firmware version held in reserve on the HSM, overwriting the version that was stored there before. If you are keeping a specific firmware version in reserve (for example, awaiting a FIPS validation announcement for that version), do not update the appliance software.
If you have a Luna Network HSM that was shipped before December 2019, you must install the Luna Network HSM Reboot Patch before updating to Luna Network HSM Appliance Software 7.7.0 or newer. If this patch is not installed, the appliance software update will not proceed.
A change to network routing when updating to Luna Network HSM Appliance Software 7.7.0 or newer, from any prior 7.x version, can cause your appliance to become unreachable via network connection. Older appliance versions permitted the existence of multiple default routes. Beginning with Luna Network HSM Appliance Software 7.7.0, only one instance of the default route can exist.
Options for a successful update with minimal disruption are:
>Remove all but one instance of the ‘default route’, using the network route delete command, before upgrading from any appliance software version older than Luna Network HSM Appliance Software 7.7.0.
>Connect locally via serial cable to perform the update, so your access to the network appliance is not lost when network connection becomes temporarily unavailable (pending proper network configuration).
Note also that if you re-image to a version older than Luna Network HSM Appliance Software 7.7.0, the routing table reverts to the old format, and you must apply one of the above precautions again before updating.
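The following pre-update check is an added example, not part of the Thales documentation or tooling. It counts default routes in a routing table that you have saved as text from the appliance, and refuses to pass when more than one exists. It assumes the saved table uses the Linux route column layout (Destination, Gateway, Genmask, Flags, Metric, Ref, Use, Iface); the function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Thales code). Run on the admin workstation against a
# saved copy of the appliance routing table before starting the update.
# Assumption: input uses the Linux "route" / "route -n" column layout.

# Print the number of default routes found on stdin.
count_default_routes() {
    awk '($1 == "0.0.0.0" && $3 == "0.0.0.0") || $1 == "default" { n++ }
         END { print n + 0 }'
}

# Print "gateway interface" for every default route found on stdin.
list_default_routes() {
    awk '($1 == "0.0.0.0" && $3 == "0.0.0.0") || $1 == "default" { print $2, $NF }'
}

# Return 0 if the table is safe to carry into 7.7.0 or newer (at most one
# default route); return 1 and list the offending routes otherwise.
preupgrade_route_check() {
    table=$(cat)
    n=$(printf '%s\n' "$table" | count_default_routes)
    if [ "$n" -le 1 ]; then
        echo "OK: $n default route(s) present"
        return 0
    fi
    echo "BLOCK: $n default routes present; remove all but one before updating"
    printf '%s\n' "$table" | list_default_routes | sed 's/^/  default via /'
    return 1
}

# Constructed sample: two interfaces, each with its own default route.
SAMPLE_TWO_DEFAULTS='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.0.2.1       0.0.0.0         UG    0      0        0 eth0
0.0.0.0         198.51.100.1    0.0.0.0         UG    0      0        0 eth1
192.0.2.0       0.0.0.0         255.255.255.0   U     0      0        0 eth0
198.51.100.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1'

# Demonstration on the constructed sample (reports BLOCK with both gateways).
printf '%s\n' "$SAMPLE_TWO_DEFAULTS" | preupgrade_route_check || true
```

A failing check means one of the two precautions above still applies: delete the extra default routes with network route delete, or perform the update over the serial connection.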
If the above precautions are not taken and the appliance becomes unreachable, complete the following steps to restore connection to the appliance:
1. Connect locally via serial cable.
2. Delete all network interfaces. See network interface delete.
3. Configure a network interface to use a default route by doing one of the following:
• Configure the network interface to use a static IP configuration while specifying the -gateway option. See network interface static.
• Configure the network interface to use DHCP. See network interface dhcp.
After you complete the above steps, network connectivity to the appliance is restored and any remaining interfaces that are configured do not have a default route set.
NOTE The appliance software update cannot be rolled back directly. You can re-image to a predetermined configuration and then update to a desired appliance software version (see Re-Imaging the Appliance to Baseline Software/Firmware Versions). The HSM firmware, however, can be rolled back to the previously-installed version (see Rolling Back the Luna HSM Firmware).
Firmware installation is a separate procedure (see Updating the Luna HSM Firmware).
To update the appliance software and firmware, you must transfer and apply a secure package file to the Luna Network HSM. You require:
>Luna Network HSM 7 appliance software update package file (<filename>.spkg)
>the secure package authentication code, provided in a text file accompanying the update package
To upgrade the Luna Network HSM appliance software
1. Transfer the secure package update file to the Luna Network HSM using pscp or scp.
pscp <path>/<filename>.spkg admin@<appliance_host/IP>:
2. Stop all client applications to the Luna Network HSM appliance.
3. Using a serial or SSH connection, log in to the appliance as admin (see Logging In to LunaSH).
4. Log in as HSM SO (see Logging In as HSM Security Officer).
lunash:> hsm login
5. [Optional Step] Verify that the secure package file is present on the Luna Network HSM.
lunash:> package listfile
6. [Optional Step] Verify the package file, specifying the authorization code you received from Thales.
lunash:> package verify <filename>.spkg -authcode <code_string>
7. Install the update on the Luna Network HSM.
lunash:> package update <filename>.spkg -authcode <code_string>
The installation/update process takes approximately one and a half minutes. A series of messages shows the progress of the update. At the end of this process, the message "Software update completed!" appears.
8. Reboot the Luna Network HSM appliance.
lunash:> sysconf appliance reboot
NOTE If you are updating the appliance software from version 7.4.x or older to Luna Network HSM Appliance Software 7.7.0 or newer, the appliance reboots automatically.
The latest firmware update package is now stored in reserve on the appliance, waiting to be installed. See Updating the Luna HSM Firmware to install the firmware.