Updated Luna Cloud HSM Service Firmware Versions in NA and EU

FW 2.0 has now been FIPS approved. 

The NIST Certificate verifying that FW 2.0 is now FIPS approved can be found in this Cryptographic Module Validation Program link.

The firmware versions for Luna Cloud HSM Services operating in FIPS and non-FIPS NA and EU environments have been updated. The new firmware versions based on region and FIPS mode are as follows:

  • NA FIPS - 2.0
  • NA non-FIPS - 2.0.1
  • EU FIPS - 2.0
  • EU non-FIPS - 2.0.1 

In addition to the new releases, FW 2.0.1 also includes the following bug fixes:

  • LGX-4120 - Ed25519 was failing with CKR_ECC_UNKNOWN_CURVE. Ed25519 no longer fails with CKR_ECC_UNKNOWN_CURVE.
  • LKX-9788 - The DES3-CBC unwrapping mechanism was failing. DES3-CBC no longer fails during unwrapping.

Updated Luna Cloud HSM Service Firmware Versions to Support Universal Cloning in NA and EU Non-FIPS Mode

The firmware versions for Luna Cloud HSM Services operating in NA and EU non-FIPS environments have been updated. The current firmware versions based on region and FIPS mode are as follows:

  • NA FIPS - 1.5
  • NA non-FIPS - 2.0
  • EU FIPS - 1.5
  • EU non-FIPS - 2.0 

Universal Cloning

Universal Cloning (CPv4) is now a supported feature when combining UC 10.5.0 and Firmware 2.0. Universal Cloning can be used for key migration to any trusted Thales HSMs that also support the Universal Cloning protocol.

In order to use the Universal Cloning feature, the following must be true:

  • you have a Luna Client at version UC 10.5.0 or newer
  • you have Firmware at version 2.0 or newer
  • the source partition's security policy allows cloning of private and secret keys

NOTE: You can only clone between initialized partitions, and they must have the same cloning domain (secret), which is provided at the time of initialization.

More info can be found here: Universal Cloning.

Deprecated API Parameters on POST /serviceAgreements and GET /serviceAgreements/{tenantId} endpoints

The DPoD Platform API has deprecated the tileId parameter on the POST /serviceAgreements endpoint and the tileName parameter on the GET /serviceAgreements/{tenantId} endpoint.

The tileId parameter on the POST /serviceAgreements endpoint and the tileName parameter on the GET /serviceAgreements/{tenantId} endpoint will be removed from the platform in a future update.

See the Subscriptions API for more information about available endpoints, fields and scopes.


10.5 Luna Cloud HSM Client

Version 10.5 of the HSM client is now available for download from Thales Data Protection on Demand for Luna Cloud HSM services. This client supports hybrid usage of both Luna Cloud HSM services and the Luna HSM product line, as detailed in the Luna Cloud HSM Client User Guide. See Upgrade Client for more information about upgrading your client.

Added

Universal Cloning

Universal Cloning (CPv4) will be a supported feature in UC 10.5.0 but only when used with Firmware 2.0. Universal Cloning can be used for key migration to any trusted Thales HSMs that also support the Universal Cloning protocol.

In order to use the Universal Cloning feature, the following must be true:

  • you have a Luna Client at version UC 10.5.0 or newer
  • you have Firmware at version 2.0 or newer
  • the source partition's security policy allows cloning of private and secret keys

NOTE: You can only clone between initialized partitions, and they must have the same cloning domain (secret), which is provided at the time of initialization.

More info can be found here: Universal Cloning

UC Dynamic UserID Loading

As of UC 10.5, the configuration of multiple users is supported, which allows multiple partition slots to be accessed from a single client instance. Customers can add multiple Luna Cloud HSM service UserIDs (each a combination of a unique AuthTokenClientID, AuthTokenClientSecret and AuthTokenConfigURI) without restarting the application after a new UserID is added. This enables a service provider to configure multiple UserIDs without impacting service to any of the other users in the same UC instance.

The ability to load multiple partitions under the same UserID without impacting service to other users is also supported. If an attempt is made to add the same partition ID to a different user, the attempt is ignored and a Warning log entry is generated.

More info can be found here: UC Dynamic UserID

For more information about client features and enhancements and client advisory notes see 10.5 Client Customer Release Notes. See Known and Resolved Issues for more information about existing problems and available workarounds.

Universal Cloning

UC 10.5.0 will be available in production by 09/09/2022.

Universal Cloning (CPv4) will be a supported feature in UC 10.5.0 but only when used with Firmware 2.0. Universal Cloning can be used for key migration to any trusted Thales HSMs that also support the Universal Cloning protocol.

In order to use the Universal Cloning feature, the following must be true:

  • you have a Luna Client at version UC 10.5.0 or newer
  • you have Firmware at version 2.0 or newer
  • the source partition's security policy allows cloning of private and secret keys

NOTE: You can only clone between initialized partitions, and they must have the same cloning domain (secret), which is provided at the time of initialization.


New certificate issuer for European data center

A new certificate issuer will be used in the European data center for Luna Cloud HSM clients as of August 16th.

A knowledge base article with a full description of the change is available here. The article contains important information on mandatory changes for users on 10.0 or 10.1 client versions.

This change introduces a new endpoint for validating the certificate status. Please ensure that operating systems hosting the client are able to validate the server certificate status (OCSP/CRL) using port 80.

Ensure that these certificate revocation lists (CRLs) are accessible from the client machine prior to the planned change in August 2022 to guarantee continuity of service.

Current CRL: http://crl.godaddy.com/gdig2s1-3235.crl
New CRL: http://crl.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crl
Platform CRL: http://crl3.digicert.com/ssca-sha2-g7.crl
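The reachability check the paragraphs above ask for, written here as an added example that is not part of Thales's release notes or client software: a small Python script that tries to download each CRL listed above over plain HTTP on port 80 with a short timeout, and checks that what comes back is DER-encoded rather than, say, an HTML block page returned by a proxy. The `fetch` parameter is an assumption introduced so the logic can be exercised offline with a stand-in downloader; OCSP is not covered.

```python
"""Check that the CRLs a Luna Cloud HSM client needs are reachable over
plain HTTP (port 80) from this machine and look like real DER CRLs.
Added example; not part of the Luna client or DPoD platform."""
import urllib.request
from urllib.parse import urlparse

# The three CRL URLs from the release note above.
CRL_URLS = [
    "http://crl.godaddy.com/gdig2s1-3235.crl",
    "http://crl.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crl",
    "http://crl3.digicert.com/ssca-sha2-g7.crl",
]


def http_fetch(url, timeout=10):
    """Default downloader: plain urllib GET with a timeout."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def looks_like_der_crl(data):
    """A DER-encoded CertificateList is an ASN.1 SEQUENCE, whose first byte is 0x30.
    An HTML error page from a filtering proxy starts with '<' instead."""
    return len(data) > 2 and data[0] == 0x30


def check_crl(url, fetch=http_fetch):
    """Return a dict describing whether one CRL URL is usable.

    `fetch` is an assumed hook (url -> bytes) so the check can be tested
    without network access; the real run uses http_fetch.
    """
    parsed = urlparse(url)
    port = parsed.port or (80 if parsed.scheme == "http" else 443)
    # The note requires status checks over port 80, so anything else is flagged.
    if parsed.scheme != "http" or port != 80:
        return {"url": url, "ok": False, "reason": "not plain HTTP on port 80"}
    try:
        data = fetch(url)
    except Exception as exc:  # DNS failure, timeout, connection refused, HTTP error
        return {"url": url, "ok": False, "reason": f"fetch failed: {exc}"}
    if not looks_like_der_crl(data):
        return {"url": url, "ok": False, "reason": "response is not a DER CRL"}
    return {"url": url, "ok": True, "reason": f"{len(data)} bytes"}


def check_all(urls=CRL_URLS, fetch=http_fetch):
    """Check every URL and return one result dict per URL, in order."""
    return [check_crl(u, fetch) for u in urls]


def all_reachable(results):
    """True only if every CRL was fetched and parsed as DER."""
    return all(r["ok"] for r in results)


if __name__ == "__main__":
    results = check_all()
    for r in results:
        print("OK  " if r["ok"] else "FAIL", r["url"], "-", r["reason"])
    raise SystemExit(0 if all_reachable(results) else 1)
```

Run it on each client machine before the cut-over date; a non-zero exit means at least one CRL could not be fetched as DER, which is the condition that would later surface as a certificate validation failure in the client. The DER sanity check matters because a blocked fetch often returns an HTTP 200 with an HTML notice, which a naive "did the request succeed" test would accept.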

Audit Logs Available for Luna Cloud HSM Services

Thales Data Protection on Demand now collects audit logs for Luna Cloud HSM Services using client version 10.2 and newer. Users can generate audit log files and retrieve signed URLs for access to the audit log files using the Audit Query API /v1/audit-log-exports endpoint. Audit logs provide a record of the outcome of an action by an actor on a resource. 

For more information about Audit Logging see About the Audit Log API

Additional Field is Being Made Mandatory for Service Creation using the API

The servicePlan field is being made mandatory for service creation when using the API, for example when using POST /service_instances or POST /services.

If you use the API to provision services, you will need to pass a value matching one of the plans listed in the Open Service Broker catalog. For Luna Cloud HSM services, you must pass "single_hsm". Failure to pass a valid plan will result in a 400 error.

See the Thales Documentation Portal for more information about available endpoints and fields.

Updated Luna Cloud HSM Service Firmware Versions in NA

The firmware versions for Luna Cloud HSM Services operating in NA environments have been updated. The current firmware versions based on region and FIPS mode are as follows:

  • NA FIPS - 1.5
  • NA non-FIPS - 1.5
  • EU FIPS - 1.5
  • EU non-FIPS - 1.6 

FW 1.5 includes improvements to the Point to Point encryption service. FW 1.5 also includes the following bug fixes:

  • SH-4366 - The firmware can create but not import public+sensitive keys. You must specify both CKA_PRIVATE=1 and CKA_SENSITIVE=1 key attributes for all generated, derived and unwrapped keys.
  • SH-5322 - The firmware crashes when cancelling a multi-part operation. The firmware no longer crashes when cancelling a multi-part operation.
  • SH-5595 - Deriving x9.42 DH2 returns CKR_OBJECT_HANDLE_INVALID. Deriving x9.42 DH2 no longer returns CKR_OBJECT_HANDLE_INVALID.