Known and Resolved Issues

The following table lists known issues in all released versions of Luna 7 components. Workarounds are provided where available.

Issues listed in green have been resolved; the component and version that include the fix are provided.

Issue Labels Synopsis
LUNA-35583 open G7BU client

Problem: When permanent slot numbers are assigned using the ShowUserSlots setting in the configuration file, backups to a client-connected Luna Backup HSM 7 fail with error CKR_CONTAINER_HANDLE_INVALID or CKR_SLOT_NOT_EMPTY.

Workaround: None. Delete the ShowUserSlots setting from the config file if you require backups taken at this client.

LUNA-35071 open G7BU client

Problem: Remote PED connection for a client-connected Luna Backup HSM 7 fails with CKR_GENERAL_ERROR.

Workaround: Start the PEDclient utility on the Luna HSM Client (pedclient -mode start).

LUNA-34579 fixed G7BU client

Problem: Using the Luna HSM Client installer on RHEL, when the Luna Backup HSM option is installed without the Luna PCIe HSM option, the Luna Backup HSM 7 driver fails to start automatically, and the Luna Backup HSM 7 does not appear in LunaCM.

Workaround: Run # service g7 start in the Linux command line, wait 30-60 seconds for the driver to start up, and restart LunaCM.

Resolved: Fixed in Luna HSM Client 10.9.0.

LUNA-33951 fixed client

Problem: Certificates created using vtl can have non-mandatory fields added by default if they are not specified. Example: A command createCSR -n lunaclient_1 results in a CSR that contains C, ST, L, and O, in addition to the required CN field.

Resolved: Fixed in Luna HSM Client 10.8.0.

LUNA-33887 fixed client

Problem: The CMU tool generates self-signed certificates that include the 'CRITICAL' flag in the keyusage extensions, even when the value is set to false, which is non-compliant with RFC 5280 Appendix B.

Resolved: Fixed in Luna HSM Client 10.7.2.

LUNA-33728 fixed client

Problem: Using Luna HSM Client 10.7.2 JSP, a call to LunaCertificateX509.getSigAlgParams() leads to a null pointer exception if the certificate was generated under certain circumstances.

Resolved: Fixed in Luna HSM Client 10.8.0.

LUNA-33589 fixed client

Problem: Attempting to migrate an ECDSA-256 key from the MS provider to the Luna "SafeNet" provider using ms2luna results in the error CKR_KEY_TYPE_INCONSISTENT.

Resolved: Fixed in Luna HSM Client 10.8.0.

LUNA-33568 fixed client

Problem: When registering slots with spaces in the slot label using the KSP registration utility, the tool truncates at the first space, rendering the slot unregistered and unusable, whereas manually registered slots with spaces in the label work fine.

Resolved: Fixed in Luna HSM Client 10.8.0.

RAPI-4135 fixed applianceSW

Problem: When using the REST API to upgrade the Luna Appliance Software from version 7.8.4/7.8.5, the operation fails with the message "We failed to parse your request." This error affects CCC users.

Workaround: Use LunaSH to update the Luna Appliance Software.

Resolved: Fixed in the following software patches:

Luna Network HSM 7.8.5-20 Appliance REST API Patch

Luna Network HSM 7.8.4-350 Appliance REST API Patch

LUNA-32660 fixed client

Problem: KspConfig fails to process a slot password longer than 62 characters.

Resolved: Fixed in Luna HSM Client 10.8.0.

LUNA-32047 fixed client

Problem: libCryptoki2.so does not set the FD_CLOEXEC flag on sockets that it opens to the HSM. This results in these sockets leaking through a fork/exec pair.

Resolved: Fixed in Luna HSM Client 10.8.0.

LUNA-32007 fixed client

Problem: Core dump when CA_GetCurrentHAState is called continuously (encountered when simulating rapid change of HA member availability).

Resolved: Fixed in Luna HSM Client 10.8.0.

LUNA-30881 fixed clusterpkg

Problem: If multiple members are disconnected from the cluster simultaneously, an incorrect authorization status may be reported. If this occurs, operations on keyrings may fail with CKR_DEVICE_ERROR.

Workaround: If you know which members were disconnected, restart the cluster service on those members. If you do not know which members were disconnected, restart the cluster service on each member one at a time.

Resolved: Fixed in cluster package version 1.0.4.

LUNA-30449 fixed client clusterpkg

Problem: After deleting a cluster member, clients are unable to open a session to the cluster (C_OpenSession returns error CKR_FUNCTION_FAILED).

Workaround: Back up the cluster from the remaining member, then delete all keyrings from that member, and restore them from the backup. Clients should then be able to open sessions.

Resolved: Fixed in the lnh_cluster package version 1.0.4.

LUNA-30232 fixed client

Problem: When using Luna HSM Client 10.5.x or 10.6.0 to migrate a master key from a local keystore to a Luna HSM, the key is successfully migrated but operations fail with the log error Unknown Mechanism Type.

Workaround: Use Luna HSM Client 10.4.1 instead.

Resolved: Fixed in Luna HSM Client 10.7.0. You must add map_aes_cmac_general_old=1 to the Toggles section of the Cryptoki.conf/cryptoki.ini file.

LGX-5035 fixed firmware

Problem: A leading zero (00 in hex) is added to the OCTET_STRING attribute of ECDSA private keys if the MS Bit is set in the first byte (the bit size of the private key data is a multiple of 8).

Workaround: None.

Resolved: Fixed in Luna USB HSM 7 firmware 7.7.3.

LUNA-28874 fixed client

Problem: When Luna HSM Client is configured with a receive timeout less than the default 20000 ms (LunaSA Client = {ReceiveTimeout = 1000}, for example), an unsuccessful NTLS handshake still waits 20000 ms to time out. If the NTLS handshake succeeds, the custom timeout setting is observed as expected.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.6.0. The ReceiveTimeout setting now applies to the NTLS handshake as well.

LUNA-28807 fixed client

Problem: When using lunacm.exe -f to run a list of scripted LunaCM commands, the script does not continue running after encountering an error.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.6.0.

LUNA-28230 open

Problem: When a remote PED server is configured using ped set in LunaCM or hsm ped set in LunaSH, a Partition SO login command (role login -n po) from a client will seek authentication from the configured remote PED, even if you did not first run ped connect, and ped get reports that HSM slot 1 listening to local PED (PED id=0). This does not occur when attempting to log in with a different role (the PED operation times out, or is sent to a local PED if there is one connected to the HSM, as expected).

Workaround: Always run ped connect before client commands that require authentication, if you wish to use remote PED.

LUNA-27183 fixed client

Problem: Using Luna HSM Client 10.5.1, drivers for Remote PED are not installed on Debian-based Linux (such as Ubuntu).

Workaround: None. Use Luna HSM Client 10.5.0 or older if you are setting up a Remote PED server.

Resolved: Fixed in Luna HSM Client 10.6.0.

LUNA-27110 fixed client

Problem: Using Luna HSM Client 10.5.1, ms2luna fails to migrate KSP keys to the Luna HSM. CSP keys are migrated successfully.

Workaround: Use the ms2luna utility from Luna HSM Client 10.5.0 instead.

Resolved: Fixed in Luna HSM Client 10.6.0.

LUNA-26981 fixed G7BU

Problem: A Luna Backup HSM 7 cannot restore objects to any partition on a Luna HSM with firmware 7.7.1 or newer and HSM policy 50: Allow Functionality Modules enabled, even if the source of the backup also had FMs enabled.

Workaround: None.

Resolved: Fixed in Luna Backup HSM firmware 7.7.2. Both the backup source partition and the target restore partition must have partition policy 42: Allow CPv1 disabled.

LUNA-26960 open client

Problem: On AIX, the LunaCM command partition domainlist returns an error:

lunacm:>partition domainlist
Error in execution: host memory error.
Command Result : 0x6 (Internal Error)

Workaround: None.

LUNA-26926 open client

Problem: On Linux, a non-root user in the hsmusers group is unable to start pedclient.

Workaround: None.

LUNA-26681 fixed applianceSW

Problem: When both bond0 and bond1 are configured on the appliance, both bonded interfaces are configured with a default route. Only the first-enabled bond interface should have the default route.

Workaround: None.

Resolved: Fixed in Luna Network HSM 7.8.1 appliance software.

LUNA-26488 fixed client

Problem: Using Luna HSM Client 10.4.x to 10.5.0, the Luna Client CSP partition password can no longer be decrypted via the Windows DPAPI.

Workaround: Re-register the partition with the Luna CSP.

Resolved: Fixed in Luna HSM Client 10.5.1 -- an option has been added (/password) to provide the partition password using the register utility.

LUNA-26370 fixed client

Problem: The Mutex lock file generated by Luna HSM Client is created with the wrong permissions (writable by everyone).

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.5.1.

LGX-4950 open firmware

Problem: It is possible to resize a Luna USB HSM 7 partition to 0 bytes using the LunaCM command partition resize.

Workaround: None; do not configure a partition this way.

LUNA-24800 fixed client

Problem: After a key is destroyed, C_Encrypt calls using the key's handle return CKR_TOKEN_NOT_PRESENT instead of CKR_KEY_HANDLE_INVALID. This can interfere with the operation of running applications.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.5.0.

LUNA-24019 fixed client

Problem: When using Luna HSM Client 10.4.x, integration with Microsoft NDES does not work (HTTP Error 500.0).

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.5.0.

LUNA-23945 fixed cloudHSM

Problem: Using Luna HSM Client 10.4.1, when a Luna Cloud HSM service is configured as an HA group member with multifactor quorum-authenticated Luna 7 partitions, operations do not fail over to Luna Cloud when Luna 7 partitions become unavailable.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.5.0.

LUNA-23764 fixed client

Problem: When cklogs are enabled on a Linux client, source ./setenv --addcloudhsm fails with ERROR: Failed to add cloud hsm configuration to 'Chrystoki.conf', failed to configure PluginsModuleDir in Misc section.

Workaround: Disable cklogs with vtl cklogsupport disable before running the setenv script.

Resolved: Fixed in Luna HSM Client 10.5.0.

LUNA-23695 fixed client

Problem: Using Luna HSM Client 10.3.0 or 10.4.0, LunaHAStatus returns CKR_DATA_INVALID for all members of an HA group after a period of time.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.5.0.

LGX-4942 open G7BU

Problem: Luna Backup HSM firmware 7.7.2 enforces minimum 8-character passwords. The previous limit was 7 characters. If you were using a 7-character password before updating to firmware 7.7.2, you can encounter problems with some operations. For example, soft initialization of the HSM will fail because the new firmware will not allow you to keep the old 7-character password.

Workaround: Change all passwords to use a minimum of 8 characters.

LUNA-22750 fixed client

Problem: The cryptoki library crashes when CKA_UNWRAP_TEMPLATE or CKA_DERIVE_TEMPLATE is called.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.4.0.

LUNA-22378 fixed client

Problem: cmu importkey fails to import encrypted keys.

Workaround: Follow these steps to import the EC key in encrypted form from ec.pfx:

>openssl pkcs12 -in ec.pfx -nocerts -nodes -out Temp.key
Enter Import Password:
>openssl pkcs8 -in Temp.key -topk8 -nocrypt -out PKCS8.key
>cmu importkey -in PKCS8.key -PKCS8 -keyalg ECDSA

Resolved: Fixed in Luna HSM Client 10.4.0.

LUNA-22289 fixed client

Problem: CK_MILENAGE_SIGN_PARAMS does not function correctly when the application is used with an HA group.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.4.0.

LKX-9286 fixed client

Problem: Two audit log entries can occasionally be recorded on the same line of the audit log file, corrupting the file and causing log verification to fail.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.4.0.

LGX-4240 fixed G7BU

Problem: Attempts to change the HSM SO credential on a multifactor-authenticated Luna Backup HSM with firmware 7.7.1 fail with CKR_INVALID_ENTRY_TYPE.

Workaround: None.

Resolved: Fixed in Luna Backup HSM firmware 7.7.2.

LUNA-16839 fixed client

Problem: When using HA, the poll function can fail with CKR_DEVICE_ERROR or CKR_TOKEN_NOT_PRESENT. HA logs show a failover followed by an immediate recovery.

Workaround: None.

Resolved: Fixed in Luna HSM Client 10.4.0.

LUNA-16125 fixed client

Problem: WRAP operations fail when the Luna HSM is integrated with Hortonworks in FIPS mode.

Workaround: None. Operations succeed when not in FIPS mode.

Resolved: Fixed in Luna HSM Client 10.4.0.

LUNA-14009 fixed client cloudHSM

Problem: When running cmu verifyhsm, the interactive mode does not prompt for a challenge string, and fails with "Parameters missing".

Workaround: Always specify a challenge string: cmu verifyhsm -challenge "string"

Resolved: Fixed in Luna HSM Client 10.4.0.

LUNA-10992 fixed client

Problem: When using an HA group made up of Luna partitions and a Luna Cloud HSM service in FIPS mode, if the Luna partition is unavailable, 3DES keygen fails with CKR_MECHANISM_INVALID error.

Workaround: Ensure that all HA group members are available before initiating 3DES keygen.

Resolved: Fixed in Luna HSM Client 10.4.0.

SH-4194 open cloudHSM

Problem: If you perform cmu getpkc on a Luna Cloud HSM service to confirm a public key, the operation can sometimes fail.

Workaround: To confirm your key pair's origins and security in an HSM, run CKDemo's DisplayObject (27) function. If the CKA_NEVER_EXTRACTABLE attribute is present, this confirms that the private key was created in the HSM and never extracted.