Known and Resolved Issues

The following table lists known issues in all released versions of Luna 7 components. Workarounds are provided where available.

Issues listed in green have been resolved; the component and version that include the fix are provided.

Issue Labels Synopsis
LUNA-30232 fixed client

Problem: When using Luna HSM Client 10.5.x or 10.6.0 to migrate a master key from a local keystore to a Luna HSM, the key is successfully migrated but operations fail with the log error Unknown Mechanism Type.

Workaround: Use Luna HSM Client 10.4.1 instead.

Resolved: Fixed in Luna HSM Client 10.7.0. You must add map_aes_cmac_general_old=1 to the Toggles section of the Cryptoki.conf/cryptoki.ini file.

LUNA-28874 fixed client

Problem: When Luna HSM Client is configured with a receive timeout less than the default 20000 ms (LunaSA Client = {ReceiveTimeout = 1000}, for example), an unsuccessful NTLS handshake still waits 20000 ms to time out. If the NTLS handshake succeeds, the custom timeout setting is observed as expected.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.6.0. The ReceiveTimeout setting now applies to the NTLS handshake as well.

LUNA-28807 fixed client

Problem: When using lunacm.exe -f to run a list of scripted LunaCM commands, the script does not continue running after encountering an error.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.6.0.

LUNA-28230 open

Problem: When a remote PED server is configured using ped set in LunaCM or hsm ped set in LunaSH, a Partition SO login command (role login -n po) from a client will seek authentication from the configured remote PED, even if you did not first run ped connect, and ped get reports that HSM slot 1 listening to local PED (PED id=0). This does not occur when attempting to log in with a different role (the PED operation times out, or is sent to a local PED if there is one connected to the HSM, as expected).

Workaround: Always run ped connect before client commands that require authentication, if you wish to use remote PED.

LUNA-27183 fixed client

Problem: Using Luna HSM Client 10.5.1, drivers for Remote PED are not installed on Debian-based Linux (such as Ubuntu).

Workaround: None. Use Luna HSM Client 10.5.0 or older if you are setting up a Remote PED server.

Resolved: Fixed in Luna HSM Client 10.6.0.

LUNA-27110 fixed client

Problem: Using Luna HSM Client 10.5.1, ms2luna fails to migrate KSP keys to the Luna HSM. CSP keys are migrated successfully.

Workaround: Use the ms2luna utility from Luna HSM Client 10.5.0 instead.

Resolved: Fixed in Luna HSM Client 10.6.0.

LUNA-26981 fixed G7BU

Problem: A Luna Backup HSM 7 cannot restore objects to any partition on a Luna HSM with firmware 7.7.1 or newer and HSM policy 50: Allow Functionality Modules enabled, even if the source of the backup also had FMs enabled.

Workaround: None.

Resolved: Fixed in Luna Backup HSM firmware 7.7.2. Both the backup source partition and the target restore partition must have partition policy 42: Allow CPv1 disabled.

LUNA-26960 open client

Problem: On AIX, the LunaCM command partition domainlist returns an error:

lunacm:>partition domainlist
Error in execution: host memory error.
Command Result : 0x6 (Internal Error)

Workaround: None.

LUNA-26926 open client

Problem: On Linux, a non-root user in the hsmusers group is unable to start pedclient.

Workaround: None.

LUNA-26488 fixed client

Problem: Using Luna HSM Client 10.4.x to 10.5.0, the Luna Client CSP partition password can no longer be decrypted via the Windows DPAPI.

Workaround: Re-register the partition with the Luna CSP.

Resolved: Fixed in Luna HSM Client 10.5.1 -- an option has been added (/password) to provide the partition password using the register utility.

LUNA-26370 fixed client

Problem: The Mutex lock file generated by Luna HSM Client is created with the wrong permissions (writable by everyone).

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.5.1.

LGX-4950 open firmware

Problem: It is possible to resize a Luna USB HSM 7 partition to 0 bytes using the LunaCM command partition resize.

Workaround: None; do not configure a partition this way.

LUNA-24800 fixed client

Problem: After a key is destroyed, C_Encrypt calls using the key's handle return CKR_TOKEN_NOT_PRESENT instead of CKR_KEY_HANDLE_INVALID. This can interfere with the operation of running applications.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.5.0.

LUNA-24462 fixed firmware

Problem: When the HSM hardware includes the new clock (a response to supply-chain parts shortages), the reimage operation fails. An HSM containing the new part can be recognized by the assembly number 808-000048-003 using the "hsm showinfo" command for a standalone PCIe HSM, or by the number 808-000073-002 using the "hsm show" command for an HSM inside a Luna Network HSM appliance. The problem does not occur for HSMs with firmware version 7.0.3 and earlier, or firmware later than version 7.7.2.

Workaround: Apply HSM firmware version 7.8.0 (or newer). That is a standalone firmware upgrade for Luna PCIe HSM, or is part of the .SPKG for appliance software release 7.8.0 (or newer) on Luna Network HSM.

LUNA-24019 fixed client

Problem: When using Luna HSM Client 10.4.x, integration with Microsoft NDES does not work (HTTP Error 500.0).

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.5.0.

LUNA-23945 fixed cloudHSM

Problem: Using Luna HSM Client 10.4.1, when a Luna Cloud HSM service is configured as an HA group member with multifactor quorum-authenticated Luna 7 partitions, operations do not fail over to Luna Cloud when Luna 7 partitions become unavailable.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.5.0.

LUNA-23764 fixed client

Problem: When cklogs are enabled on a Linux client, source ./setenv --addcloudhsm fails with ERROR: Failed to add cloud hsm configuration to 'Chrystoki.conf', failed to configure PluginsModuleDir in Misc section.

Workaround: Disable cklogs with vtl cklogsupport disable before running the setenv script.

Resolved: Fixed in Luna HSM Client 10.5.0.

LUNA-23695 fixed client

Problem: Using Luna HSM Client 10.3.0 or 10.4.0, LunaHAStatus returns CKR_DATA_INVALID for all members of an HA group after a period of time.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.5.0.

LGX-4942 open G7BU

Problem: Luna Backup HSM firmware 7.7.2 enforces minimum 8-character passwords. The previous limit was 7 characters. If you were using a 7-character password before updating to firmware 7.7.2, you can encounter problems with some operations. For example, soft initialization of the HSM will fail because the new firmware will not allow you to keep the old 7-character password.

Workaround: Change all passwords to use a minimum of 8 characters.

LUNA-22750 fixed client

Problem: The cryptoki library crashes when CKA_UNWRAP_TEMPLATE or CKA_DERIVE_TEMPLATE is called.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.4.0.

LUNA-22378 fixed client

Problem: cmu importkey fails to import encrypted keys.

Workaround: Follow these steps to import the EC key in encrypted form from ec.pfx:

>openssl pkcs12 -in ec.pfx -nocerts -nodes -out Temp.key
Enter Import Password:
>openssl pkcs8 -in Temp.key -topk8 -nocrypt -out PKCS8.key
>cmu importkey -in PKCS8.key -PKCS8 -keyalg ECDSA

Resolved: Fixed in Luna HSM Client 10.4.0.
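
The -nodes and -nocrypt options in the LUNA-22378 workaround write the private key to Temp.key and PKCS8.key unencrypted. The following wrapper is an added example, not part of the Luna documentation: it runs the same three commands inside an owner-only temporary directory and removes that directory whether the import succeeds or fails. The function name import_pfx_ec is an assumption made for illustration.

```shell
#!/bin/sh
# Added example: the LUNA-22378 workaround with the intermediate key files
# kept in a private temporary directory. import_pfx_ec is a hypothetical
# wrapper name; the openssl and cmu invocations are those of the workaround.

import_pfx_ec() {
    _pfx=$1
    [ -r "$_pfx" ] || { echo "cannot read: $_pfx" >&2; return 2; }

    _old_umask=$(umask)
    umask 077                       # new files and dirs: owner access only
    _work=$(mktemp -d) || { umask "$_old_umask"; return 3; }

    # Remove the plaintext key material if the run is interrupted.
    trap 'rm -rf "$_work"; exit 130' INT TERM

    _rc=0
    # Step 1: -nodes leaves the private key unencrypted in Temp.key.
    # Step 2: -nocrypt writes it as an unencrypted PKCS#8 file.
    # Step 3: cmu imports the PKCS#8 file into the HSM.
    openssl pkcs12 -in "$_pfx" -nocerts -nodes -out "$_work/Temp.key" &&
    openssl pkcs8 -in "$_work/Temp.key" -topk8 -nocrypt -out "$_work/PKCS8.key" &&
    cmu importkey -in "$_work/PKCS8.key" -PKCS8 -keyalg ECDSA || _rc=$?

    rm -rf "$_work"                 # runs on success and on failure
    trap - INT TERM
    umask "$_old_umask"
    return "$_rc"
}
```

Call it as import_pfx_ec ec.pfx; a non-zero return value is the exit status of the step that failed.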

LUNA-22289 fixed client

Problem: CK_MILENAGE_SIGN_PARAMS does not function correctly when the application is used with an HA group.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.4.0.

LKX-9286 fixed client

Problem: Two audit log entries can occasionally be recorded on the same line of the audit log file, corrupting the file and causing log verification to fail.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.4.0.

LGX-4240 fixed G7BU

Problem: Attempts to change the HSM SO credential on a multifactor-authenticated Luna Backup HSM with firmware 7.7.1 fail with CKR_INVALID_ENTRY_TYPE.

Workaround: None.

Resolved: Fixed in Luna Backup HSM firmware 7.7.2.

LUNA-16839 fixed client

Problem: When using HA, the poll function can fail with CKR_DEVICE_ERROR or CKR_TOKEN_NOT_PRESENT. HA logs show a failover followed by an immediate recovery.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.4.0.

LUNA-16125 fixed client

Problem: WRAP operations fail when the Luna HSM is integrated with Hortonworks in FIPS mode.

Workaround: None. Operations succeed when not in FIPS mode.

Resolved: Fixed in Luna HSM Client 10.4.0.

LUNA-14009 fixed client cloudHSM

Problem: When running cmu verifyhsm, the interactive mode does not prompt for a challenge string, and fails with "Parameters missing".

Workaround: Always specify a challenge string: cmu verifyhsm -challenge "string"

Resolved: Fixed in Luna HSM Client 10.4.0.

LUNA-10992 fixed client

Problem: When using an HA group made up of Luna partitions and a Luna Cloud HSM service in FIPS mode, if the Luna partition is unavailable, 3DES keygen fails with CKR_MECHANISM_INVALID error.

Workaround: Ensure that all HA group members are available before initiating 3DES keygen.

Resolved: Fixed in Luna HSM Client 10.4.0.

SH-4194 open cloudHSM

Problem: If you perform cmu getpkc on a Luna Cloud HSM service to confirm a public key, the operation can sometimes fail.

Workaround: To confirm your key pair's origins and security in an HSM, run CKDemo's DisplayObject (27) function. If the CKA_NEVER_EXTRACTABLE attribute is present, this confirms that the private key was created in the HSM and never extracted.