Luna Cloud HSM Service Rebranding

Changed

The following Luna Cloud HSM service names have been changed:

  • HSM on Demand is now Luna Cloud HSM
  • HSM on Demand for CyberArk is now Luna Cloud HSM for CyberArk
  • HSM on Demand for Digital Signing is now Luna Cloud HSM for Digital Signing
  • HSM on Demand for Hyperledger is now Luna Cloud HSM for Hyperledger 
  • HSM on Demand for Java Code Signer is now Luna Cloud HSM for Java Code Signer 
  • HSM on Demand for Microsoft ADCS is now Luna Cloud HSM for Microsoft ADCS 
  • HSM on Demand for Microsoft Authenticode is now Luna Cloud HSM for Microsoft Authenticode
  • HSM on Demand for Microsoft SQL Server is now Luna Cloud HSM for Microsoft SQL Server 
  • HSM on Demand for PKI Private Key Protection is now Luna Cloud HSM for PKI Private Key Protection 
  • HSMoD for Oracle TDE is now Luna Cloud HSM for Oracle TDE 
  • HSM on Demand with Key Export is now Luna Cloud HSM with Key Export

Partition Restoration

Added

Thales Data Protection on Demand can support requests to restore a Luna Cloud HSM Service partition to a previous state. 

Partition snapshots are taken daily and stored for 7 days. A tenant administrator can submit a partition snapshot restore request to have a partition restored to a previous state. Users can request restoration of a partition to recover from catastrophic events such as accidental zeroization of the service partition. Partition rollbacks can take up to 48 hours to complete.

Restoring a partition undoes all changes made to the service partition since the backup date. This includes removing objects created after that date and reverting password changes.

Please download and complete the Partition Snapshot Restoration Request Form and include it in your support request to the Thales Customer Support Portal.

See the Partition Snapshot Restoration Guide for more information.

Email alert on service creation

Added

Data Protection on Demand now sends an email alert when a service is created. Tenant Administrators and Application Owners in the subscriber group in which the service is created receive the alert.

Point-to-Point Encryption Service Free Technology Preview

Added

The Point-to-Point Encryption service is now available as a free Technology Preview.

Provision the service through your Thales DPoD tenant to access a Luna Cloud HSM and a set of utilities for the secure generation and storage of Base Derivation Keys (BDKs) and Derived Keys. The service provides the HSM capabilities required to decrypt electronic payment transactions that were first encrypted by a point-of-sale terminal. Service keys can initialize point-of-sale terminals and decrypt data originating from point-of-sale terminals.

See the P2PE Service Documentation for more information about downloading and configuring the service. 

Release GemEngine 1.5

Added

A new version of GemEngine is available from the Thales Support Portal under KB article number KB0024584.

The purpose of this toolkit is to install a working version of SafeNet's OpenSSL dynamic engine and integrate it with OpenSSL.

This allows Luna Cloud HSMs to be used for key storage and crypto operations through OpenSSL. 

The toolkit can be used for:

  1. Installing pre-built dynamic engines to be plugged into existing OpenSSL installations for various OpenSSL streams (Linux only).
  2. Compiling and installing the gem dynamic OpenSSL engine against existing or new OpenSSL installations.
  3. Compiling and installing OpenSSL from source including optional FIPS mode support along with the gem dynamic OpenSSL engine.
  4. Integrating OpenSSL with third-party applications such as OpenSSH, so that the HSM is used for crypto operations and key storage.

The toolkit includes a script named gembuild to help achieve the above goals.

Client Connection to Multiple Luna Cloud HSM Services

Added

Thales Data Protection on Demand can support requests to configure a single Luna Cloud HSM Service Client to connect to multiple Luna Cloud HSM Services. A single set of Service Client credentials can be used for Key Migration between connected service partitions. 

Please download and complete the Client Connection to Multiple Services Request Form and include it in your support request to the Thales Customer Support Portal.

Patch for Luna service client CSP and KSP utilities

Added

A new patch for the Luna service client CSP and KSP utilities is available from the Thales Support Portal under KB article number KB0024438/DOW0007000. This patch resolves the following issues:

  • HAPP-168   Performance Optimizations enabled in CSP for Luna7
  • HAPP-326   Luna KSP CKA_EXTRACTABLE
  • HAPP-492   certutil verifystore command shows error when keys and CSR created with CSP
  • LUNA-7254  certutil issue: Not able to get the prompt back after running "certutil -store my" when KSP is registered
  • LUNA-7595  KSP keygen slow
  • LUNA-8100  citrix fas NTE_BAD_DATA from KSP
  • LUNA-8808  CSP with CryptoUser
  • LUNA-8938  citrix fas issue ckr_device_memory for KSP
  • LUNA-12715 Update the KSP code to accept the new and old certificates
  • LUNA-14732 CSP SHA2 signing error on Windows 10 Docker container (kspcmd utility)
  • LUNA-15597 Luna KSP CKA_EXTRACTABLE test case for UC 10.4.0 regression test
  • LUNA-17051 MS HGS integration
  • LUNA-21611 CSP import PFX fix
  • LHSM-41992 Microsoft HGS supported algorithms and flags are required for KSP
  • LHSM-42509 repair ksp for citrix/fas app
  • LHSM-42911 certutil crash wrt ksp and csp
  • LHSM-42949 delete key via csp
  • LUNA-21906 Improve KSP Resiliency/Recovery
  • LUNA-21911 kspcmd.exe doesn't exit after registering slot

The patch includes a readme.txt file with instructions for updating your Luna service client's CSP and KSP utilities.

Notes:

  • NOTE 1. Ensure that "FunctionBindLevel=2" is set in the Misc section of crystoki.ini; this release requires it to work with clients UC 10.3 or earlier.
  • NOTE 2. For Luna Cloud HSM Services, disable session cache in the registry as shown in the following REG file sample:

        Windows Registry Editor Version 5.00
        [HKEY_LOCAL_MACHINE\SOFTWARE\Safenet\SafeNetKSP\CurrentConfig]
        "SessionCacheEnabled"=dword:00000000

SHA-256 checksum of the patch:     e06cc15eb7906d6a2730f8cfac746a0e57b765896beea342d00590febb334cda
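A pre-flight script that checks these prerequisites before running the patch installer, added here as an example; it is not part of the Thales release notes or the patch's readme.txt. The patch archive path and crystoki.ini path in its param block are assumptions (placeholders for your environment); the expected hash, the registry key and value, and the crystoki.ini setting are the ones stated above.

```powershell
# Added example (not Thales code): verify the CSP/KSP patch prerequisites
# before installing. Paths in the param block are placeholders for your environment.
param(
    # ASSUMPTION: location of the downloaded patch archive (placeholder)
    [string]$PatchPath   = 'C:\Downloads\<luna-csp-ksp-patch>.zip',
    # ASSUMPTION: location of the Luna client crystoki.ini (placeholder)
    [string]$CrystokiIni = 'C:\Program Files\SafeNet\LunaClient\crystoki.ini'
)

# SHA-256 checksum published for the patch (64 hex digits = 256 bits)
$ExpectedSha256 = 'e06cc15eb7906d6a2730f8cfac746a0e57b765896beea342d00590febb334cda'

# Registry key and value from NOTE 2 of the release notes
$KspRegKey   = 'HKLM:\SOFTWARE\Safenet\SafeNetKSP\CurrentConfig'
$KspRegValue = 'SessionCacheEnabled'

function Test-PatchChecksum {
    param([string]$Path, [string]$Expected)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Patch archive not found: $Path"
        return $false
    }
    # Get-FileHash returns upper-case hex, so compare case-insensitively
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ieq $Expected) {
        Write-Host "Checksum OK ($actual)"
        return $true
    }
    Write-Warning "Checksum MISMATCH: got $actual, expected $Expected. Do not install this file."
    return $false
}

function Get-IniValue {
    # Minimal INI reader: returns the value of $Key under [$Section], or $null if absent.
    param([string]$Path, [string]$Section, [string]$Key)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $current = ''
    foreach ($line in Get-Content -LiteralPath $Path) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith(';') -or $t.StartsWith('#')) { continue }
        if ($t -match '^\[(.+)\]$') { $current = $Matches[1]; continue }
        if ($current -ieq $Section -and $t -match '^([^=]+?)\s*=\s*(.*)$' -and $Matches[1] -ieq $Key) {
            return $Matches[2].Trim()
        }
    }
    return $null
}

function Test-FunctionBindLevel {
    # NOTE 1: FunctionBindLevel=2 in [Misc] is required for clients UC 10.3 or earlier.
    param([string]$IniPath)
    $v = Get-IniValue -Path $IniPath -Section 'Misc' -Key 'FunctionBindLevel'
    if ($v -eq '2') { Write-Host "crystoki.ini [Misc] FunctionBindLevel=2 OK"; return $true }
    Write-Warning "crystoki.ini [Misc] FunctionBindLevel is '$v' (expected 2) in $IniPath"
    return $false
}

function Test-SessionCacheDisabled {
    # NOTE 2: for Luna Cloud HSM services, SessionCacheEnabled must be REG_DWORD 0.
    if (-not (Test-Path -Path $KspRegKey)) {
        Write-Warning "KSP registry key not present: $KspRegKey (is the KSP registered?)"
        return $false
    }
    $item = Get-ItemProperty -Path $KspRegKey -Name $KspRegValue -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Warning "$KspRegValue is not set under $KspRegKey; import the REG sample from NOTE 2."
        return $false
    }
    $v = [int]$item.$KspRegValue
    if ($v -eq 0) { Write-Host "SessionCacheEnabled=0 OK"; return $true }
    Write-Warning "SessionCacheEnabled is $v (expected 0); the session cache is still enabled."
    return $false
}

$results = @(
    (Test-PatchChecksum -Path $PatchPath -Expected $ExpectedSha256),
    (Test-FunctionBindLevel -IniPath $CrystokiIni),
    (Test-SessionCacheDisabled)
)
if ($results -contains $false) {
    Write-Error "One or more prerequisites failed; fix them before running the patch installer."
    exit 1
}
Write-Host "All prerequisites satisfied."
```

Run it from an elevated PowerShell session on the client host after downloading the patch; a checksum mismatch means the archive should be discarded and re-downloaded from the Support Portal, while a failed NOTE 1 or NOTE 2 check points at the exact setting to correct before installation.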

Removed API Endpoints

Removed

The PATCH /tenants/{id}/admin/reset and POST /tenants/{id}/admin/resetMfaToken operations have been removed from the DPoD Platform API.

Service provider administrators can no longer reset the password or MFA token of a user in a child tenant. Users can use the self-service resources in the DPoD platform or submit a request to an available administrator. See User Management for more information.

10.3 Luna Cloud HSM Service Client

Added

  • Version 10.3 of the HSM service client is now available for download from Thales Data Protection on Demand. This client supports hybrid usage of both Luna Cloud HSM services and the Luna HSM product line, as detailed in the HSM on Demand Client User Guide. See Upgrading your Luna Cloud HSM Service Client for more information about updating your Luna Cloud HSM service client.

Bugs Found

  • LUNA-14009 - Executing cmu verifyhsm does not prompt the user to enter a challenge string. Always specify a challenge string using cmu verifyhsm -challenge <string>.
  • LUNA-13907 - Requesting a certificate using cmu requestcertificate using the wrong attribute to specify the private key returns an incorrect error message. Use the -privateouid to specify a private key on a Luna Cloud HSM service.
  • LUNA-13780 - Executing cmu import to import a DSA key fails. Use an RSA public key instead.
  • LUNA-13761 - On Linux, executing cmu selfsigncertificate with no arguments does not prompt the user for the relevant object handles/OUIDs. Always specify the object handles/OUIDs using -publichandle and -privatehandle or -publicouid and -privateouid.
  • LUNA-12822 - ckmdeo option Get OUID (39) returns OUIDs with extra zeroes appended. Use option Get Attribute (24) to view the correct OUID.
  • LUNA-11269 - In HA configurations, where a Luna Cloud HSM service is configured as a standby, some events (such as when a connection drops and recovers due to a timeout when contacting the service) are not recorded in the HA log file.
  • SH-5595 - Deriving X9.42 DH2 keys returns CKR_OBJECT_HANDLE_INVALID. We recommend you avoid upgrading your Luna Cloud HSM service client until the issue is resolved. 
  • SH-4194 - Executing cmu getpkc to confirm a public key can fail. Execute the ckdemo Display Object (27) function to confirm the key pair's origin and security in the HSM. If the CKA_NEVER_EXTRACTABLE attribute is present, it confirms that the private key was created in the HSM and has never been extracted.

Bugs Fixed

  • SH-4987 - The displayed serial numbers of self-signed certificates created using cmu selfsigncertificate now match the input serial number.