Extra slots that say "token not present"
This happens for two reasons:
>PKCS#11 originated in a world of software cryptography, which only later acknowledged the existence of Hardware Security Modules, so initially it did not have the concept of physically removable crypto slots. PKCS#11 requires a static list of slots when an application starts. The cryptographic "token" can be inserted into, or removed from a slot dynamically (by a user), for the duration of the application.
>When the token is inserted, the running application must be able to detect that token. When the token is removed, the running application gets "token not present". Because we allow for the possibility of backup, we routinely declare 'place-holder' slots that might later be filled by a physical Luna USB HSM 7 or a Luna Backup HSM.
In the Chrystoki.conf file (or the Windows crystoki.ini file), for Luna USB HSM 7, you can remove the empty slots by modifying the CardReader entry, like this:
CardReader = {
LunaG5Slots=0;
}
For Luna Network HSM 7, which has its configuration file internal to the appliance, and not directly accessible for modification, you cannot change the default cryptographic slot allotments.
Error: 'hsm update firmware' failed. (10A0B : LUNA_RET_OPERATION_RESTRICTED) when attempting to perform hsm update firmware
You must ensure that STM is disabled before you run the firmware update.
Also, as with any update, you should backup any important HSM contents before proceeding.
LUNA_RET_OPERATION_RESTRICTED when attempting to perform a restore operation
Did you perform the backup before Functionality Modules (FMs) were enabled on the HSM? Enabling FMs allows injection of software into the HSM, which makes it inherently less secure than an HSM that has never had FMs enabled. The cloning operation (used to perform backup and restore) recognizes the state of the source and target devices, and can refuse to transfer objects from a more secure device to a less-secure device.
In general, to ensure that you will be able to backup and restore (with partition archive commands) or clone directly with clone commands or include partitions in HA groups (which also uses cloning), ensure that partition policies are set the same on the involved partitions.
KR_ECC_POINT_INVALID Error when decrypting a file encrypted from BSAFE through ECIES using ECC key with any of the curves from the x9_t2 section
As indicated on the BSAFE web site, they support only the NIST-approved curves (prime, Binary, and Koblitz). That includes most/all the curves from test items 0 through 37 in CK Demo: the "secp", "X9_62_prime", and "sect" curves.
The X9.62 curves that are failing in this task are X9.62 binary/char2 curves which do not appear to be supported by BSAFE. So, you appear to be encountering a BSAFE limitation and not a Luna HSM problem.
Error during SSL Connect (RC_OPERATION_TIMED_OUT) logged to /var/log/messages by the Luna HSM Client
It means that the client did not receive the SSL handshake response from the appliance within 20 seconds (hard coded).
The following is a list of some potential causes:
>Network issue.
>Appliance is under heavy load with connection requests - this can happen at startup/restart, if client applications attempt to (re-)assert hundreds of connections all at once, without staging or staggering them, and the initial setup handshakes take too long for some transactions (start-up bottleneck). After a large number of simultaneous connections has been successfully established, they can be maintained without further problem.
>Appliance is under heavy load servicing crypto requests from connected clients.
>Appliance was powered down (perhaps the power plug was pulled) in the middle of the handshake.
>The client computer might be experiencing high CPU load, causing it to occasionally delay responses to the appliance.
Error during shutdown like "PolicyKit daemon disconnected from the bus. We are no longer a registered authenticated agent. Unrecoverable Error: Cannot get child exit status"
This messaging is normal and expected: communication and authentication services have already closed; the admin user is no longer authenticated and connected to the appliance at this stage of shutdown.
Slow/interrupted response from the HSM, and the "hsm show" command shows LUNA_RET_SM_SESSION_REALLOC_ERROR
Appliance Details: ================== Software Version: 7.0.0 Error: 'hsm show' failed. (310102 : LUNA_RET_SM_SESSION_REALLOC_ERROR) Command Result : 65535 (Luna Shell execution)
The error LUNA_RET_SM_SESSION_REALLOC_ERROR means the HSM cannot expand the session table.
The HSM maintains a table for all of the open sessions. For performance reasons, the table is quite small initially. As sessions are opened (and not closed) the table fills up. When the table gets full, the HSM tries to expand the table. If there is not enough available RAM to grow the table, this error is returned.
RAM can be used up by an application that creates and does not delete a large number of session objects, as well as by an application that opens and fails to close a large number of sessions.
The obvious solution is proper housekeeping. Your applications must clean up after themselves, by closing sessions that are no longer in use - this deletes session objects associated with those sessions. If your application practice is to have long-lived sessions, and to open many objects in a given session, then your application should explicitly delete those session objects as soon as each one is no longer necessary.
By far, we see more of the former problem - abandoned sessions - and very often in conjunction with Java-based applications. Proper garbage collection includes deleting session objects when they are no longer useful, or simply closing sessions as soon as they are not required. Formally closing a session (or stopping/restarting the HSM) deletes all session objects within each affected session. These actions keep the session table small, so it uses the least possible HSM volatile memory.
Low Battery Message
The HSM card used in the Luna Network HSM 7 and Luna PCIe HSM 7 products, is equipped with a non-replaceable battery that is expected to last the life of the product. If you notice a log message or other warning about ‘battery low’, or similar, contact Technical Support.
