Thales Data Protection on Demand now includes an HSM on Demand with Key Export service. The HSM on Demand with Key Export provides users with remote access to an HSM with private key exporting. For more information see HSM on Demand with Key Export.
The DPoD service client is now fully compatible with CipherTrust Manager version 2.1, allowing Luna Cloud HSM services to act as the root of trust for CipherTrust Manager Instances.
The Service Provider Tenant Service Report, a report on all Tenants and the Services they are consuming, is now available for Service Provider Tenants in the DPoD platform. See Reporting for more information about the new report.
The External Marketplace Name and External Marketplace Account Id columns have been added to all Service Provider reports in the DPoD platform.
Service Provider Administrator Platform Credentials. Platform credentials allow Service Provider Administrators to access and mange tenants, users, and reports using the DPoD API.
Changed
"HSM on Demand Services" are now "Luna Cloud HSM Services"
"Key Management on Demand Services" are now "CipherTrust Key Management Services"
The CipherTrust Key Broker for Google Cloud EKM service is now available. Register for the service through the Google Marketplace to gain access to an HSM secured key encryption key for use as a wrapping key in Google Cloud EKM. Access the service documentation for more information about the CipherTrust Key Broker for Google Cloud EKM service.
Bugs Found
EKMS-652 - The Add Key Ring button is disabled in the CipherTrust Key Broker for Google Cloud EKM service if you attempt to create a Key Ring without first adding an EKM Policy. Create an EKM Policy before adding a Key Ring.
EKMS-659 - The CipherTrust Key Broker for Google Cloud EKM dashboard URL shows a 404. Access the CipherTrust Key Broker for Google Cloud EKM log in page and enter the FQDN of your CipherTrust Key Broker for Google Cloud EKM dashboard to log in.
DPS-5823 - New service clients created in the North America (NA) environment cannot connect to a service on Windows Server 2012r2 operating systems.
Version 10.2 of the HSM service client is now available for download from Thales Data Protection on Demand. This client supports hybrid usage of both HSMoD services and the Luna HSM product line, as detailed in the HSM on Demand Client User Guide. Refer to the HSM Client 10.2 Customer Release Notes document for more information. See Upgrading your HSMoD Service Client for more information about updating your HSMoD service client.
HSM on Demand service clients now use JWT authentication.
The HSMoD service client is now supported on the following operating systems:
RHEL8/CentOS8
Windows Server 2019 (standard and core)
You can configure additional logs (Application Error Logs and Curl Logs) in the application console. See the HSM on Demand Troubleshooting section for more information.
Changed
The new HSMoD service has updated entries in the REST and XTC sections of the crystoki.ini (Windows) and the Chrystoki.conf (Linux) configuration files. Refer to the Configuration File Summary for a description of the default options and additional settings.
Deleting a client from a JWT authenticated HSMoD service now revokes the client ID and client secret associated with that client. Create a new HSMoD service client for the service to resume access. See Managing HSMoD Services for more information about deleting a service client and revoking the service credentials.
If your application relies on Oracle Java 7 or Java 8, you must update the advanced version provided by Oracle. You require (at minimum) version 7u131 or 82u121. Please refer to the Oracle website for more information.
If your application relies on IBM Java 7 or 8, do not update your service client.If you want to update your client software, consider adopting OpenJDK or another supported Java version See Supported Cryptographic APIs.
Bugs Found
DPS-5531 - If you exit the Suggest An Edit feature, in the DPoD Platform documentation, using the Close button, you can no longer scroll the documentation page. Refresh the page to continue scrolling.
DPS-5493 - The Rotation Policies section of the Salesforce Key Broker service do not display. There is no workaround at this time.
DPS-5433 - Tenant administrator users cannot reset their password using the Actions column in the User Details table. Change your Tenant Administrator password by clicking Change password in the upper right corner of the DPoD UI.
SH-4987 - When creating a self-signed certificate with cmu selfsigncertificate, additional characters are added to the specified serial number. Use cmu getattribute to list the actual serial number assigned to the certificate.
Bugs Fixed
Luna-11616 - LunaCM displays available slots if the client fails to resolve the DPoD service's hostname. Restart LunaCM to re-attempt the connection to the service.
Luna-11447 - Resolved a segmentation fault stopping HA members from failing over to an HSMoD service.
HOD-957 - The default log level in the client was updated to provide improved details.
Added the Key Broker for Azure Key Management on Demand service tile to the DPoD platform. The Key Broker for Azure service generates high-entropy keys and securely imports them into the user's Microsoft Azure Key Vault where the keys can be used to enhance data protection and compliance.
Tenant Administrator users can now use HSM on Demand services.
Deprecated
Removing support for the DPoD API endpoint /services in the next release. We recommend you begin using the /service_instances endpoint for all related HSMoD service client operations.
Bugs Found
DPS-2808: When the Service Provider deletes a Tenant, if the deletion fails the Tenant Details page is not accessible. Workaround: This issue results from attempting to delete a Tenant with active services. To clear this state you must remove the blocking service from the Tenant's Application Owner users.
HOD-957: There is no user feedback in the lunacm utility on connection timeout. As a result, the client can appear to hang indefinitely. Workaround: Wait for the client to timeout or close and restart lunacm to re-attempt the connection.
KBR-620: The Salesforce Key Broker service is not available over the API. Workaround: Use a DPoD Application Owner account to configure a Salesforce Key broker service.
DPS-2161: Services with extended ascii characters in their name do not display properly in reports. Workaround: Open the report in a spreadsheet program with UTF-8 encoding.
Bugs Fixed
DPS-3083: The DPoD API endpoint /service_instances succeeds on the bind HSMoD service client operation.
DPS-2614: Tenant names are now trimmed on creation.
DPS-2494: Non-functional tenants that appear in the "Pending" state in the user interface are no longer included in reports.
Firmware for FIPS and non-FIPS services has been upgraded to version 1.4. Firmware version 1.4 enables future platform functionality.
Firmware version 1.4 is FIPS 140-2 Level 3 validated - The SafeNet Cyptovisor K7 Cryptographic Module used in the SafeNet Data Protection on Demand service is FIPS 140-2 Level 3 validated. For more information see the NIST Certificate #3519.
SafeNet Data Protection on Demand now includes a Luna HSM Backup service. The Luna HSM Backup is an HSM on Demand (HSMoD) service offering that provides a dedicated backup and restore location for your organization's on-premises Luna HSMs. For more information about the Luna HSM Backup service see the section Luna HSM Backup.
SafeNet Data Protection on Demand now inclues a Key Broker for Azure service. The Key Broker for Azure Service is a Key Management on Demand service offering that generates high-entropy keys and securely imports them into the user's Microsoft Azure Key Vault where the keys can be used to enhance data protection and compliance, for example using Azure Information Protection to encrypt Office 365 documents. For more information about the Key Broker for Azure Service see the section Key Broker for Azure Service.
SafeNet Data Protection on Demand now contains Partner Service Tiles. Partner service tiles redirect the user to an affiliated service site where users can register for a DPoD partner's service offering. For more information about Partner services see the Partner Services Documentation.
Version 10.1 of the HSMoD service client is now available for download from SafeNet Data Protection on Demand. This client supports hybrid usage of both HSMoD services and the SafeNet Luna Product Line, as detailed in the HSM on Demand Client User Guide. These features include:
Secure key cloning between HSMoD Services and password-authenticated SafeNet Luna Network HSM 7.x or SafeNet Luna PCIe HSM 7.x.
Failover between HSMoD Services and password authenticated SafeNet Luna Network HSM 7.x or SafeNet Luna PCIe HSM 7.x. This feature is configured using LunaCM's high availability (ha and hagroup) commands. We recommend the default setting of the HSMoD service as a standby member of the HA group.
Key backup and restore with the password-authenticated SafeNet Luna G5 Backup HSM.
Bugs Fixed
SH-4350 - Utilities included in older clients downloaded before October 2019 can have a delay of up to 20 seconds on startup. Resolution: Clients that contain this bug are no longer supported or available for download.
SH-3519 - The LunaProvider.jar does not allow generation of FIPS 186-3-approved RSA keys. Resolution: The LunaProvider.jar included in the latest client package includes this support.
LUNA-10915, SH-3162 - When you delete a key from the an HSMoD service, CKlog displays an incorrect object handle. Resolution: Fixed in the latest client package.
