Known and Resolved Issues

Problem: When permanent slot numbers are assigned using the ShowUserSlots setting in the configuration file, backups to a client-connected Luna Backup HSM 7 fail with error CKR_CONTAINER_HANDLE_INVALID or CKR_SLOT_NOT_EMPTY.

Workaround: None. Delete the ShowUserSlots setting from the config file if you require backups taken at this client.

Problem: Remote PED connection for a client-connected Luna Backup HSM 7 fails with CKR_GENERAL_ERROR.

Workaround: Start the PEDclient utility on the Luna HSM Client (pedclient -mode start).

Problem: Using the Luna HSM Client installer on RHEL, when the Luna Backup HSM option is installed without the Luna PCIe HSM option, the Luna Backup HSM 7 driver fails to start automatically, and the Luna Backup HSM 7 does not appear in LunaCM.

Workaround: Run # service g7 start in the Linux command line, wait 30-60 seconds for the driver to start up, and restart LunaCM.

Resolved: Fixed in Luna HSM Client 10.9.0.

Problem: Certificates created using vtl can have non-mandatory fields added by default if they are not specified. Example: A command createCSR -n lunaclient_1 results in a CSR that contains C, ST, L, and O, in addition to the required CN field.

Resolved: Fixed in Luna HSM Client 10.8.0.

Problem: CMU tool generates self-signed certificates that include the 'CRITICAL' flag, in keyusage extensions of the self-signed certificate, even when the value is set to false, which is non-compliant with RFC 5280 Appendix B.

Resolved: Fixed in Luna HSM Client 10.7.2.

Problem: Luna HSM Client 10.7.2 JSP receiving a call LunaCertificateX509.getSigAlgParams() leads to a null pointer exception, if the certificate gets generated under certain circumstances.

Resolved: Fixed in Luna HSM Client 10.8.0.

Problem: Attempting to migrate ECDSA-256 key from MS provider to the Luna "SafeNet" provider, using ms2luna results in an error CKR_KEY_TYPE_INCONSISTENT.

Resolved: Fixed in Luna HSM Client 10.8.0.

Problem: When registering slots with spaces in the slot label using the KSP registration utility, the tool truncates at the first space, rendering the slot unregistered and unusable, whereas manually registered slots with spaces in the label work fine.

Resolved: Fixed in Luna HSM Client 10.8.0.

Problem Using REST API to upgrade the Luna Appliance Software from version 7.8.4/7.8.5, the operation fails with message "We failed to parse your request." This error affects CCC users.

Workaround: Use LunaSH to update the Luna Appliance Software.

Resolved: Fixed in the following software patches:

>Luna Network HSM 7.8.5-20 Appliance REST API Patch

>Luna Network HSM 7.8.4-350 Appliance REST API Patch

Problem: KspConfig fails to process slot password longer than 62 characters.

Resolved: Fixed in Luna HSM Client 10.8.0.

Problem: libCryptoki 2.so does not set the FD_CLOEXEC flag on sockets that it opens to the HSM. This results in these sockets leaking through a fork/exec pair.

Resolved: Fixed in Luna HSM Client 10.8.0.

Problem: Core dump when CA_GetCurrentHAState is called continuously (encountered when simulating rapid change of HA member availability).

Resolved: Fixed in Luna HSM Client 10.8.0.

Problem: If multiple members are disconnected from the cluster simultaneously, an incorrect authorization status may be reported. If this occurs, operations on keyrings may fail with CKR_DEVICE_ERROR.

Workaround: If you know which members were disconnected, restart the cluster service on those members. If you do not know which members were disconnected, restart the cluster service on each member one at a time.

Resolved: Fixed in cluster package version 1.0.4.

Problem: After deleting a cluster member, clients are unable to open a session to the cluster (C_OpenSession returns error CKR_FUNCTION_FAILED.

Workaround: Back up the cluster from the remaining member, then delete all keyrings from that member, and restore them from the backup. Clients should then be able to open sessions.

Resolved: Fixed in the lnh_cluster package version 1.0.4.

Problem: When using Luna HSM Client 10.5.x or 10.6.0 to migrate a master key from a local keystore to a Luna HSM, the key is successfully migrated but operations fail with the log error Unknown Mechanism Type.

Workaround: Use Luna HSM Client 10.4.1 instead.

Resolved: Fixed in Luna HSM Client 10.7.0. You must add map_aes_cmac_general_old=1 to the Toggles section of the Cryptoki.conf/cryptoki.ini file.

Problem: A leading zero (00in hex) is added to the OCTET_STRING attribute of ECDSA private keys if the MS Bit is set in the first byte (the bit size of the private key data is multiple of 8).

Workaround: None.

Resolved: Fixed in Luna USB HSM 7 firmware 7.7.3.

Problem: When Luna HSM Client is configured with a receive timeout less than the default 20000 ms (LunaSA Client = {ReceiveTimeout = 1000}, for example), an unsuccessful NTLS handshake still waits 20000 ms to time out. If the NTLS handshake succeeds, the custom timeout setting is observed as expected.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.6.0. The ReceiveTimeout setting now applies to the NTLS handshake as well.

Problem: When using lunacm.exe -f to run a list of scripted LunaCM commands, the script does not continue running after encountering an error.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.6.0.

Problem: When a remote PED server is configured using ped set in LunaCM or hsm ped set in LunaSH, a Partition SO login command (role login -n po) from a client will seek authentication from the configured remote PED, even if you did not first run ped connect, and ped get reports that HSM slot 1 listening to local PED (PED id=0). This does not occur when attempting to log in with a different role (the PED operation times out, or is sent to a local PED if there is one connected to the HSM, as expected).

Workaround: Always run ped connect before client commands that require authentication, if you wish to use remote PED.

Problem: Using Luna HSM Client 10.5.1, drivers for Remote PED are not installed on Debian-based Linux (such as Ubuntu).

Workaround: None. Use Luna HSM Client 10.5.0 or older if you are setting up a Remote PED server.

Resolved: Fixed in Luna HSM Client 10.6.0.

Problem: Using Luna HSM Client 10.5.1, ms2luna fails to migrate KSP keys to the Luna HSM. CSP keys are migrated successfully.

Workaround: Use the ms2luna utility from Luna HSM Client 10.5.0 instead.

Resolved: Fixed in Luna HSM Client 10.6.0.

Problem: A Luna Backup HSM 7 cannot restore objects to any partition on a Luna HSM with firmware 7.7.1 or newer and HSM policy 50: Allow Functionality Modules enabled, even if the source of the backup also had FMs enabled.

Workaround: None.

Resolved Fixed in Luna Backup HSM firmware 7.7.2. Both the backup source partition and the target restore partition must have partition policy 42: Allow CPv1 disabled.

Problem: On AIX, the LunaCM command partition domainlist returns an error:

lunacm:>partition domainlist
Error in execution: host memory error.
Command Result : 0x6 (Internal Error)

Workaround: None.

Problem: On Linux, a non-root user in the hsmusers group is unable to start pedclient.

Workaround: None.

Problem:When both bond0 and bond1 are configured on the appliance, both bonded interfaces are configured with a default route. Only the first-enabled bond interface should have the default route.

Workaround:None.

Resolved: Fixed in Luna Network HSM 7.8.1 appliance software.

Problem: Using Luna HSM Client 10.4.x to 10.5.0, the Luna Client CSP partition password can no longer be decrypted via the Windows DPAPI.

Workaround: Re-register the partition with the Luna CSP.

Resolved: Fixed in Luna HSM Client 10.5.1 -- an option has been added (/password) to provide the partition password using the register utility.

Problem: The Mutex lock file generated by Luna HSM Client is created with the wrong permissions (writable by everyone).

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.5.1.

Problem: It is possible to resize a Luna USB HSM 7 partition to 0 bytes using the LunaCM command partition resize.

Workaround: None; do not configure a partition this way.

Problem: After a key is destroyed, C_Encrypt calls using the key's handle return CKR_TOKEN_NOT_PRESENT instead of CKR_KEY_HANDLE_INVALID. This can interfere with the operation of running applications.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.5.0.

Problem: When using Luna HSM Client 10.4.x, integration with Microsoft NDES does not work (HTTP Error 500.0).

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.5.0.

Problem: Using Luna HSM Client 10.4.1, when a Luna Cloud HSM service is configured as an HA group member with multifactor quorum-authenticated Luna 7 partitions, operations do not fail over to Luna Cloud when Luna 7 partitions become unavailable.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.5.0.

Problem: When cklogs are enabled on a Linux client, source ./setenv --addcloudhsm fails with ERROR: Failed to add cloud hsm configuration to 'Chrystoki.conf', failed to configure PluginsModuleDir in Misc section.

Workaround: Disable cklogs with vtl cklogsupport disable before running the setenv script.

Resolved: Fixed in Luna HSM Client 10.5.0.

Problem:Using Luna HSM Client 10.3.0 or 10.4.0, LunaHAStatus returns CKR_DATA_INVALID for all members of an HA group after a period of time.

Workaround:None.

Resolved: Fixed in Luna HSM Client 10.5.0.

Problem: Luna Backup HSM firmware 7.7.2 enforces minimum 8-character passwords. The previous limit was 7 characters. If you were using a 7-character password before updating to firmware 7.7.2, you can encounter problems with some operations. For example, soft initialization of the HSM will fail because the new firmware will not allow you to keep the old 7-character password.

Workaround: Change all passwords to use a minimum of 8 characters.

Problem: The cryptoki library crashes when CKA_UNWRAP_TEMPLATE or CKA_DERIVE_TEMPLATE is called.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.4.0.

Problem: cmu importkey fails to import encrypted keys.

Workaround: Follow these steps to import the EC key in encrypted form from ec.pfx :

>openssl pkcs12 -in ec.pfx -nocerts -nodes -out Temp.key
Enter Import Password:
>openssl pkcs8 -in Temp.key -topk8 -nocrypt -out PKCS8.key
>cmu importkey -in PKCS8.key -PKCS8 -keyalg ECDSA

Resolved: Fixed in Luna HSM Client 10.4.0.

Problem: CK_MILENAGE_SIGN_PARAMS does not function correctly when the application is used with an HA group.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.4.0.

Problem: Two audit log entries can occasionally be recorded on the same line of the audit log file, corrupting the file and causing log verification to fail.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.4.0.

Problem: Attempts to change the HSM SO credential on a multifactor-authenticated Luna Backup HSM with firmware 7.7.1 fail with CKR_INVALID_ENTRY_TYPE.

Workaround: None.

Resolved: Fixed in Luna Backup HSM firmware 7.7.2.

Problem: When using HA, the poll function can fail with CKR_DEVICE_ERROR or CKR_TOKEN_NOT_PRESENT. HA logs show a failover followed by an immediate recovery.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.4.0.

Problem: WRAP operations fail when the Luna HSM is integrated with Hortonworks in FIPS mode.

Workaround: None. Operations succeed when not in FIPS mode.

Resolved: Fixed in Luna HSM Client 10.4.0.

Problem: When running cmu verifyhsm, the interactive mode does not prompt for a challenge string, and fails with "Parameters missing".

Workaround: Always specify a challenge string: cmu verifyhsm -challenge "string"

Resolved: Fixed in Luna HSM Client 10.4.0.

Problem: When using an HA group made up of Luna partitions and a Luna Cloud HSM service in FIPS mode, if the Luna partition is unavailable, 3DES keygen fails with CKR_MECHANISM_INVALID error.

Workaround: Ensure that all HA group members are available before initiating 3DES keygen.

Resolved: Fixed in Luna HSM Client 10.4.0.