Audit Logs Available for Luna Cloud HSM Services

Thales Data Protection on Demand now collects audit logs for Luna Cloud HSM Services using client version 10.2 and newer. Users can generate audit log files and retrieve signed URLs for access to the audit log files using the Audit Query API /v1/audit-log-exports endpoint. Audit logs provide a record of the outcome of an action by an actor on a resource. 

For more information about audit logging, see About the Audit Log API.

Additional Field is Being Made Mandatory for Service Creation using the API

The servicePlan field is being made mandatory for service creation when using the API, for example when using POST /service_instances or POST /services.

If you use the API to provision services, you will need to pass a value matching one of the plans listed in the Open Service Broker catalog. For Luna Cloud HSM services, you must pass "single_hsm". Failure to pass a valid plan will result in a 400 error.

See the Thales Documentation Portal for more information about available endpoints and fields.

New certificate issuer for European data center

A new certificate issuer will be used in the European data center for Luna Cloud HSM clients starting in August 2022.

A knowledge base article with a full description of the change is available here. The article contains important information on mandatory changes for users on 10.0 or 10.1 client versions.

This change introduces a new endpoint for validating the certificate status. Please ensure that operating systems hosting the client are able to validate the server certificate status (OCSP/CRL) using port 80. 

Ensure that these certificate revocation lists (CRLs) are accessible from the client machine prior to the planned change in August 2022 to guarantee continuity of service.

Current CRL: http://crl.godaddy.com/gdig2s1-3235.crl
New CRL: http://crl.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crl
Platform CRL: http://crl3.digicert.com/ssca-sha2-g7.crl
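A pre-change reachability check for the three CRL distribution points listed above, as an added example (not Thales code): it confirms each URL resolves to plain HTTP on port 80, fetches it, and applies a cheap DER sanity check (a CRL is an ASN.1 SEQUENCE) so a captive portal or proxy error page is not mistaken for a CRL. Only the Python standard library is used; full CRL parsing would need a library such as cryptography.

```python
"""Pre-change CRL reachability check for a Luna Cloud HSM client host."""
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# CRL distribution points listed in the notice above.
CRL_URLS = [
    "http://crl.godaddy.com/gdig2s1-3235.crl",
    "http://crl.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crl",
    "http://crl3.digicert.com/ssca-sha2-g7.crl",
]


def crl_endpoint(url):
    """Return (host, port) the client must be able to reach for this CRL.

    CRLs are served over plain HTTP, so the default port is 80.
    """
    parts = urlsplit(url)
    if parts.scheme != "http":
        raise ValueError(f"unexpected scheme for CRL URL: {url}")
    return parts.hostname, parts.port or 80


def looks_like_der_crl(data):
    """Cheap sanity check: a DER-encoded CRL starts with an ASN.1 SEQUENCE tag (0x30)."""
    return len(data) > 2 and data[0] == 0x30


def check_crl(url, timeout=10):
    """Fetch one CRL and report whether it is reachable and plausibly a CRL."""
    host, port = crl_endpoint(url)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status = resp.status
            body = resp.read()
        ok = status == 200 and looks_like_der_crl(body)
        detail = f"HTTP {status}, {len(body)} bytes"
    except (urllib.error.URLError, OSError) as exc:
        ok, detail = False, f"unreachable: {exc}"
    return {"url": url, "host": host, "port": port, "ok": ok, "detail": detail}


if __name__ == "__main__":
    results = [check_crl(u) for u in CRL_URLS]
    for r in results:
        print("OK  " if r["ok"] else "FAIL", f'{r["host"]}:{r["port"]}', r["detail"])
    sys.exit(0 if all(r["ok"] for r in results) else 1)
```

Run it on the client machine itself (not from an administrator's workstation), since egress rules often differ per host.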

Updates to DPoD Platform

Additional Fields are now Mandatory for Tenant Registration

The following fields are now mandatory for tenant registration:

  • Address
  • City
  • ZIP Code
  • State/Province/Region*

* Mandatory if Country is set to United States, Canada, or Australia

Input fields will be trimmed for tenant registration

The input fields for tenant registration, excluding the password field, will be trimmed: the platform removes leading and trailing spaces from these fields during registration. 

If you have automation using the API for tenant registration and tenant updating you should modify your automation to account for this behavior. 

See the Data Protection on Demand (DPoD) API for more information.

Additional registration fields are being made mandatory for tenant registration

The following fields are being made mandatory for tenant registration when Country is set to United States, Canada, or Australia:

  • State/Province/Region

If you have automation using the API for tenant registration and tenant updating you should modify your automation to account for these new mandatory fields. 

See the Data Protection on Demand (DPoD) API for more information about available endpoints and fields.

New certificate issuer for North American datacenter

This change has been rescheduled to Tuesday February 8th 14:00 UTC to give customers more time to adjust their environments.

A knowledge base article with a full description of the change is available here. The article contains important information on mandatory changes for users on 10.0 or 10.1 client versions in North America.

This change introduces a new endpoint for validating the certificate status. Please ensure that operating systems hosting the client are able to validate the server certificate status (OCSP/CRL) using port 80. 

Ensure that these certificate revocation lists (CRLs) are accessible from the client machine prior to the planned change on Tuesday February 8th 14:00 UTC to guarantee continuity of service.

Current CRL: http://crl.godaddy.com/gdig2s1-3235.crl
New CRL: http://crl.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crl
Platform CRL: http://crl3.digicert.com/ssca-sha2-g7.crl

Additional registration fields are being made mandatory for tenant registration

The following fields are being made mandatory for tenant registration:

  • Address
  • City
  • ZIP or postal code

If you have automation using the API for tenant registration and tenant updating you should modify your automation to account for these new mandatory fields. 

See the Data Protection on Demand (DPoD) Public API for more information about available endpoints and fields.
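A client-side pre-check for tenant registration automation, as an added example (not Thales code), covering the rules in the trimming notice and in both mandatory-field notices above: every string field except the password is trimmed exactly as the platform does, Address, City and ZIP are required, and State/Province/Region is required when the country is United States, Canada, or Australia. The JSON field names (address, city, zipCode, country, stateProvince, password) are assumptions; take the real names from the DPoD API reference.

```python
"""Pre-validate a tenant registration payload against the platform rules described above."""

# Field names are assumed for illustration; use the names from the DPoD API reference.
MANDATORY_FIELDS = ("address", "city", "zipCode")
REGION_REQUIRED_COUNTRIES = {"United States", "Canada", "Australia"}
UNTRIMMED_FIELDS = {"password"}  # the platform leaves the password untouched


def normalize_tenant(payload):
    """Trim leading/trailing whitespace from every string field except the password,
    mirroring what the platform does during registration."""
    out = {}
    for key, value in payload.items():
        if isinstance(value, str) and key not in UNTRIMMED_FIELDS:
            out[key] = value.strip()
        else:
            out[key] = value
    return out


def validate_tenant(payload):
    """Return a list of problems; an empty list means the payload should be accepted.

    Validation runs on the trimmed payload, so a field containing only spaces
    counts as missing, which is how the platform will see it after trimming."""
    data = normalize_tenant(payload)
    problems = []
    for field in MANDATORY_FIELDS:
        if not data.get(field):
            problems.append(f"missing mandatory field: {field}")
    if data.get("country") in REGION_REQUIRED_COUNTRIES and not data.get("stateProvince"):
        problems.append("stateProvince is mandatory when country is "
                        "United States, Canada, or Australia")
    return problems


if __name__ == "__main__":
    # Constructed sample: padded values the platform will strip, and no region set.
    sample = {"address": " 1 Main St", "city": "Austin ", "zipCode": "78701",
              "country": "United States", "password": " s3cret "}
    print(normalize_tenant(sample))
    print(validate_tenant(sample))
```

Note that the password keeps its surrounding spaces; automation that strips every field indiscriminately would register a different password from the one it later uses to log in.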

Impact to HTTP White Listing

Under Development

If you are using an IP address in your HTTP Network Connection between your DPoD service and the DPoD platform we recommend you update your configuration to use the fully qualified domain name as described in Network Connectivity.

If your network configuration uses any hard coded IP addresses, be aware that upcoming changes to the DPoD platform will disrupt your connection to the service.

Release 1.10

Features under development

  • FIPS Certification Firmware Candidate - The HSM firmware is undergoing FIPS certification coordination.

Added

  • Added the Virtual Token Library (VTL) to the 1.10 HSMoD service client. 
  • Client patched to reduce timeout and failover issues during key and certificate migration.
  • Direct link to SafeNet Data Protection on Demand **Status Page** available in user interface footer.
  • The Company name no longer needs to be unique. Now, multiple enterprise tenants can share a common company name.
  • Service provider monthly reports now include the minimum billable units (MBU) selection from the tenant's **Initial Elections** form.

Deprecated

  • Deprecating support for 32-bit operating systems.
  • Ending support for Windows Server 2008 and Windows Server 2008 R2.

Removed

  • You cannot download a new HSMoD service client for a service that existed prior to release 1.5; recreate the service instead.

Bugs Fixed

  • DPS-3071 - Deleting an application owner account before deleting any associated platform credentials results in being unable to delete both the platform credentials and any associated subscriber group.
  • DPS-3006 - The HSM on Demand service generic mapping refers to key_vault in reports and the API.