Updating the Luna HSM Firmware

A new Luna Network HSM 7 is delivered with the current FIPS-validated firmware installed on the HSM card, and the most recently released firmware version saved on the Luna Network HSM 7 hard drive as an optional update. When you install an appliance software update, this optional update is replaced with the latest firmware version. If you wish to use a different HSM firmware version, you can download it from the Thales Support Portal.

CAUTION!   Use an uninterruptible power supply (UPS) to power your HSM. There is a small chance that a power failure during an update could leave your HSM in an unrecoverable condition.

NOTE   If you are updating to Luna HSM Firmware 7.7.0 or newer, refer to Special Considerations for Luna HSM Firmware 7.7.0 and Newer before proceeding with the firmware update.

Updating the HSM Firmware After an Appliance Software Update

After an appliance software update, the latest firmware version is saved on the appliance and ready to install.

To update the HSM firmware after an appliance software update

1. Log in to LunaSH on the appliance as admin.

2. At the LunaSH prompt, log in as HSM SO.

lunash:> hsm login

3. [Optional Step] Check that the desired firmware version is ready to install.

lunash:> hsm firmware show

CAUTION!   If you are using STC on the HSM Admin channel, disable it by running lunash:> hsm stc disable before you update the HSM firmware.

4. Update the firmware to the version currently stored on the appliance.

lunash:> hsm firmware upgrade

Updating the HSM Firmware to a Different Version

If you are not installing the firmware update provided in the appliance software update, download your desired HSM firmware from the Thales Support Portal. You require:

>Luna Network HSM 7 firmware update package file (<filename>.spkg)

>the secure package authentication code, provided in a text file accompanying the update package

To update the HSM firmware to a version downloaded from the Support Portal

1. Transfer the secure package update file to the Luna Network HSM 7 using pscp or scp.

pscp <filepath>/<packagename>.spkg admin@<appliance_host_or_IP>:

2. Stop all client applications to the Luna Network HSM 7 appliance.

3. Using a serial or SSH connection, log in to the appliance as admin.

4. At the LunaSH prompt, log in as HSM SO.

lunash:> hsm login

5. [Optional Step] Verify that the secure package file is present on the Luna Network HSM 7.

lunash:> package listfile

6. [Optional Step] Verify the package file, specifying the authorization code you received from Thales.

lunash:> package verify <filename>.spkg -authcode <code_string>

7. Install the firmware update package, specifying the authorization code you received from Thales.

lunash:> package update <filename>.spkg -authcode <code_string>

NOTE   If you are using a service provider model, you can use the -useevp option to specify the OpenSSL EVP (Digital EnVeloPe library) API to validate the update package, rather than invoking the HSM. This allows you to install the update package without logging in as HSM SO (see package update).

The package update process takes a few seconds. The firmware package is now stored on the appliance, waiting to be applied to the HSM.

8. [Optional Step] Check that the desired firmware version is ready to apply.

lunash:> hsm firmware show

CAUTION!   If you are using STC on the HSM Admin channel, disable it by running lunash:> hsm stc disable before you update the HSM firmware.

9. Update the firmware to the version currently stored on the appliance.

lunash:> hsm firmware upgrade