Luna HSM Client 10.4.0
Luna HSM Client 10.4.0 was released in October 2021. It includes bug fixes and security updates.
>Download Luna HSM Client 10.4.0 for Windows
>Download Luna HSM Client 10.4.0 for Linux
>Download Minimal Luna HSM Client 10.4.0 for Linux
NOTE This version of Luna HSM Client is compatible with Luna HSMs with firmware 6.2.1 and newer. Features that do not have client version dependencies will function without issue.
New Features and Enhancements
Luna HSM Client 10.4.0 includes the following new features and enhancements:
CMU allows Crypto User Login
CMU now includes a command line option to allow login by the Crypto User (CU) on a partition. It should be noted that the CU role is limited to read-only access and can not be used to manage objects.
Updates and Enhancements to Java Provider
Luna HSM Client 10.4.0 includes updates to the Java LunaProvider (see Luna JCPROV Javadocs and Luna JSP Javadocs).
>SimMultisign in JCPROV
>ECIES structure CK_ECIES_PARAMS_EXT in JCPROV
>New HA Login API in JCPROV. Includes a new sample, HALogin_v2.java.
>SHA-3 in JCPROV/JSP
>BIP32 Sample Java Application Extended to Demonstrate BIP44 Key Derivation
Updates and Enhancements to High Availability Functionality
Luna HSM Client 10.4.0 includes some improvements to HA functionality (see High-Availability Groups).
>OUID Methods GetObjectUID and GetObjectHandle Usable With HA Groups
>CK_MILENAGE_SIGN_PARAMS can now be used in HA Groups
Set CKA_EXTRACTABLE Using Luna KSP
It is now possible to set CKA_EXTRACTABLE when creating private keys using Luna KSP.
Supported Operating Systems
You can install Luna HSM Client 10.4.0 on the following operating systems:
| Operating System | Version | Secure Boot Supported |
|---|---|---|
| Windows | 10 | Yes |
| Windows Server Standard | 2022 | Yes |
| 2019 | Yes | |
| 2016 | Yes | |
| Windows Server Core | 2022 | Yes |
| 2019 | Yes | |
| 2016 | Yes | |
| Redhat-based Linux (including variants like CentOS) | 8.0, 8.1, 8.2, 8.3, 8.4 (†) | No |
| 7 | No | |
| Ubuntu * | 21.04 | No |
| 20.04 | No | |
| 18.04 | No | |
| 14.04 | No |
* The Linux installer for Luna HSM Client software is compiled as .rpm packages. To install on a Debian-based distribution, such as Ubuntu, alien is used to convert the packages. We used build-essential:
apt-get install build-essential alien
If you are using a Docker container or another such microservice to install the Luna Minimal Client on Ubuntu, and your initial client installation was on another supported Linux distribution as listed above, you do not require alien. Refer to the product documentation for instructions. You might need to account for your particular system and any pre-existing dependencies for your other applications.
† RHEL and CentOS 8.0-8.4 with their original kernels. See also Red Hat Enterprise Linux 8 in FIPS Mode Requires Minimal Luna HSM Client.
ESXi Passthrough
Luna PCIe HSM 7, Luna USB HSM 7, Luna Backup HSM 7, and Luna Backup HSM G5 can be used in passthrough mode, connected to an ESXi host.
CAUTION! You must set the ESXi power policy to High Performance to ensure that adequate power is supplied to the USB-connected devices.
The following combinations of ESXi version and virtual machine operating system are supported:
| ESXi Version | Supported VM OS's |
|---|---|
|
ESXi 7.0 |
Windows 11, 2016, 2022 |
| RHEL 8.7, 8.8, 9.1 | |
| Ubuntu 14.04, 18.04, 22.04 | |
| ESXi 6.7 |
RHEL 8.7, 8.8, 9.0, 9.1, 9.2 Ubuntu 21.04, 22.04 Windows 2016, 2022 |
| ESXi 6.5 | Windows Server Core 2019 |
| Windows Server Core 2016 |
Supported Cryptographic APIs
Applications can perform cryptographic operations using the following APIs:
>PKCS#11 2.20
>OpenSSL
>Microsoft CAPI
>Microsoft CNG
>Supported Java versions:
•Open JDK 7 up to Open JDK 17
•Oracle Java 7 up to JDK 17
•IBM Java 7, 8 and 11
Advisory Notes
This section highlights important issues you should be aware of before deploying Luna HSM Client 10.4.0.
Backup/USB/PCIe Drivers Not Installed on Windows 10 or Windows Server 2022 Unless Device is Connected
Due to changes in Windows 10 and Server 2022, device drivers are not installed unless the USB or PCIe device is connected to the client workstation. If you plan to use a Luna Backup HSM 7, Luna Backup HSM G5, Luna USB HSM 7, or Luna PCIe HSM 7 with these operating systems, use one of the following workarounds:
>Connect the Luna device to the workstation (or install the Luna PCIe HSM 7 card) before installing the Luna HSM Client software
>After installing the Luna HSM Client software:
a.Connect the Luna device(s) to the workstation (or install the Luna PCIe HSM 7 card)
b.Run LunaHSMClient.exe.
c.Select the devices you want to install drivers for.
d.Click Modify.
Red Hat Enterprise Linux 8 in FIPS Mode Requires Minimal Luna HSM Client
RHEL 8.x introduced system-wide cryptographic modes. The full Luna HSM Client installer is supported only when RHEL 8.x is in DEFAULT mode. If your RHEL 8.x OS is in FIPS mode, use the minimal Luna HSM Client.
Luna HSM Client No Longer Supports Luna PCIe HSM 6 on Windows
Luna HSM Client 10.4.0 and newer cannot be used with an installed Luna PCIe HSM 6.
CKR_MECHANISM_INVALID Messages in Mixed Luna Cloud HSM Implementations
When using a Luna Cloud HSM service with Luna HSM Client, you might encounter errors like "CKR_MECHANISM_INVALID" or "Error NCryptFinalizeKey" during some operations in Hybrid HA and FIPS mode (3DES Issue). This can occur if firmware versions differ between a Luna HSM partition and a Luna Cloud HSM service in an HA group when you invoke a mechanism that is supported on one but not the other. Similarly, if one member is in FIPS mode, while the other is not, a mechanism might be requested that is allowed for one member, but not the other. For example, the ms2luna tool can fail when 3DES operations are invoked.
