This section contains the following procedures for maintaining and using the Luna Backup HSM 7:
>Updating the Luna Backup HSM 7 Firmware
>Rolling Back the Luna Backup HSM 7 Firmware
Updating the Luna Backup HSM 7 Firmware
To update the Luna Backup HSM 7, download the desired firmware version from the Thales Support Portal.
>Updating the Client-Connected Luna Backup HSM 7 Firmware
>Managing the Luna Backup HSM 7 v1
Updating the Client-Connected Luna Backup HSM 7 Firmware
Use the following procedure to update the Luna Backup HSM 7 firmware using LunaCM. The Backup HSM SO must complete this procedure.
NOTE This functionality requires minimum Luna HSM Client 10.3.0.
Prerequisites
>Luna Backup HSM 7 firmware update file (<filename>.fuf)
>firmware update authentication code file (<filename>.txt)
>If you have backups currently stored on the Backup HSM, they must take up less than 60% of storage capacity, or the firmware upgrade will not proceed.
NOTE If you are updating the firmware to Luna HSM Firmware 7.7.0 or newer, objects and partitions must be re-sized to include additional object overhead associated with the new V1 partitions - this is included in the process, no additional action from you
To update the Luna Backup HSM 7 firmware using LunaCM
1.Copy the firmware file (<filename>.fuf) and the authentication code file (<filename>.txt) to the Luna HSM Client root directory.
•Windows: C:\Program Files\SafeNet\LunaClient
•Linux: /usr/safenet/lunaclient/bin
•Solaris: /opt/safenet/lunaclient/bin
NOTE On some Windows configurations, you might not have authority to copy or unzip files directly into C:\Program Files\.... If this is the case, put the files in a known location that you can reference in a LunaCM command.
2.Launch LunaCM.
3.If more than one HSM is installed, set the active slot to the Admin partition of the HSM you wish to update.
lunacm:> slot set -slot <slot_number>
4.[Multifactor Quorum-Authenticated] If you are updating a multifactor quorum-authenticated Backup HSM, connect to the Remote PED server.
lunacm:> ped connect [-ip <IP_address>] [-port <port#>]
5.Log in as HSM SO.
lunacm:> role login -name so
6.Apply the new firmware update by specifying the update file and the authentication code file. If the files are not located in the Luna HSM Client root directory, specify the full filepaths.
lunacm:> hsm updatefw -fuf <filename>.fuf -authcode <filename>.txt
The previous version of the firmware is stored in reserve on the HSM. To restore the previous firmware version, see Rolling Back the Luna Backup HSM 7 Firmware.
Updating the Appliance-Connected Luna Backup HSM 7 Firmware
Use the following procedure to update the Luna Backup HSM 7 firmware using LunaSH to the latest version that comes packaged with the appliance software. To install a different version, you must download the firmware update file (.fuf) from the Thales Support Portal and install it using LunaCM at the client (see Updating the Client-Connected Luna Backup HSM 7 Firmware). The Backup HSM SO must complete this procedure.
NOTE The Luna Network HSM 7 appliance software update includes the latest version of the Luna Backup HSM 7 firmware. Refer to the Customer Release Notes page for your appliance software version to see which Luna Backup HSM 7 is available for upgrade.
Prerequisites
>If you have backups currently stored on the Backup HSM, they must take up less than 60% of storage capacity, or the firmware upgrade will not proceed.
NOTE If you are updating the firmware to Luna HSM Firmware 7.7.0 or newer, objects and partitions must be re-sized to include additional object overhead associated with the new V1 partitions - this is included in the process, no additional action from you
To update the Luna Backup HSM 7 firmware using LunaSH
1.Using a serial or SSH connection, log in to the appliance as admin (see Logging In to LunaSH).
2.[Optional] List the available Backup HSMs connected to the appliance and note the serial number of the one you wish to update.
lunash:> token backup list
3.[Multifactor Quorum-Authenticated] If you are updating a multifactor quorum-authenticated Backup HSM, connect to the PED server.
lunacm:> hsm ped connect [-ip <IP_address>] [-port <port#>]
4.Log in to the Backup HSM as HSM SO.
lunash:> token backup login -serial <serialnum>
5.Apply the Backup HSM firmware update.
lunash:> token backup update firmware -serial <serialnum>
Rolling Back the Luna Backup HSM 7 Firmware
When you update the Luna Backup HSM 7 firmware, the previous version of the firmware is stored in reserve on the HSM. If required, you can use the following procedure to roll back the HSM firmware to the previous version.
CAUTION! Firmware rollback is destructive; earlier firmware versions might have older mechanisms and security vulnerabilities that a new version does not. Ensure that you do not have any important backups stored on the HSM before you proceed. This procedure zeroizes the HSM and all backups are erased.
Prerequisites
>Connect theLuna Backup HSM 7 to a Luna HSM Client workstation.
To roll back the Luna Backup HSM 7 firmware to the previous version
1.At the LunaCM prompt, set the active slot to the Backup HSM.
lunacm:> slot set -slot <slot_number>
2.Check the previous firmware version that is available on the HSM.
lunacm:> hsm showinfo
3.[PED-Authenticated] If you are rolling back a multifactor quorum-authenticated Backup HSM, connect to the Remote PED server.
lunacm:> ped connect [-ip <IP_address>] [-port <port#>]
4.Log in as HSM SO.
lunacm:> role login -name so
5.Roll back the Backup HSM firmware.
lunacm:> hsm rollbackfw
