Thales Data Protection on Demand 

https://thalesdocs.com/dpod/support/changelog/index.html

Universal Cloning

UC 10.5.0 will be available in production by 09/09/2022.

Universal Cloning (CPv4) will be a supported feature in UC 10.5.0 but only when used with Firmware 2.0. Universal Cloning can be used for key migration to any trusted Thales HSMs that also support the Universal Cloning protocol.

In order to use the Universal Cloning feature, the following must be true:

  • you have a Luna Client at version UC 10.5.0 or newer
  • you have Firmware at version 2.0 or newer
  • the source partition's security policy allows cloning of private and secret keys

NOTE: You can only clone between initialized partitions, and they must have the same cloning domain (secret), which is provided at the time of initialization.

 

UC Dynamic UserID Loading

As of UC 10.5, the configuration of multiple users will be supported which allows multiple partition slots to be accessed from a single client instance. This allows customers to add multiple UserID's (a combination of unique AuthTokenClientID, AuthTokenClientSecret, AuthTokenConfigURI) without the need to restart the application after the addition of a new UserID. This will enable a service provider to configure multiple UserID's without impacting the service any of the other users in the same UC instance.

The ability to load multiple partitions to the same UserID without impacting service to other users will also be supported. If an attempt is made to add the same partition ID to a different user that will be ignored and a Warning log will be generated.

 

More info can be found here: "Dynamic Partition Loading for Luna Cloud HSM Services"

New certificate issuer for European data center

A new certificate issuer will be used in the European data center for Luna Cloud HSM clients as of August 16th.

A knowledge base article with a full description of the change is available here. The article contains important information on mandatory changes for users on 10.0 or 10.1 client versions.

This change introduces a new endpoint for validating the certificate status. Please ensure that operating systems hosting the client are able to validate the server certificate status (OCSP/CRL) using port 80.

Ensure that these certificate revocation lists (CRLs) are accessible from the client machine prior to the planned change in August 2022 to guarantee continuity of service.

Current CRL: http://crl.godaddy.com/gdig2s1-3235.crl
New CRL: http://crl.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crl
Platform CRL: http://crl3.digicert.com/ssca-sha2-g7.crl

Audit Logs Available for Luna Cloud HSM Services

Thales Data Protection on Demand now collects audit logs for Luna Cloud HSM Services using client version 10.2 and newer. Users can generate audit log files and retrieve signed URLs for access to the audit log files using the Audit Query API /v1/audit-log-exports endpoint. Audit logs provide a record of the outcome of an action by an actor on a resource. 

For more information about Audit Logging see About the Audit Log API

Updated Luna Cloud HSM Service Firmware Versions in NA

The firmware versions for Luna Cloud HSM Services operating in NA environments have been updated. The current firmware version based on region and FIPS mode are as follows:

  • NA FIPS - 1.5
  • NA non-FIPS - 1.5
  • EU FIPS - 1.5
  • EU non-FIPS - 1.6 

FW 1.5 includes improvements to the Point to Point encryption service. FW 1.5 also includes the following bug fixes:

  • SH-4366 - The firmware can create but not import public+sensitive keys. You must specify both CKA_PRIVATE=1 and CKA_SENSITIVE=1 Key Attributes for all Generated, Derived and Unwrapped keys
  • SH-5322 - The firmware crashes when cancelling a multi-part operation. The firmware no longer crashes when cancelling a multi-part operation.
  • SH-5595 - Deriving x9.42 DH2 returns CKR_OBJECT_HANDLE_INVALID. Deriving x9.42 DH2 no longer returns CKR_OBJECT_HANDLE_INVALID

New certificate issuer for European data center

A new certificate issuer will be used in the European data center for Luna Cloud HSM clients starting in August 2022.

A knowledge base article with a full description of the change is available hereThe article contains important information on mandatory changes for users on 10.0 or 10.1 client versions.

This change introduces a new endpoint for validating the certificate status. Please ensure that operating systems hosting the client are able to validate the server certificate status (OCSP/CRL) using port 80. 

Ensure that these certificate revocation lists (CRLs) are accessible from the client machine prior to the planned change in August 2022 to guarantee continuity of service.

Current CRL: http://crl.godaddy.com/gdig2s1-3235.crl
New CRL: http://crl.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crl
Platform CRL: http://crl3.digicert.com/ssca-sha2-g7.crl

Updated Luna Cloud HSM Service Firmware Versions in EU

The firmware versions for Luna Cloud HSM Services operating in EU environments have been updated. The current firmware version based on region and FIPS mode are as follows:

  • NA FIPS - 1.4.0
  • NA non-FIPS - 1.4.2
  • EU FIPS - 1.5
  • EU non-FIPS - 1.6 

FW 1.5 includes improvements to the Point to Point encryption service. FW 1.5 also includes the following bug fixes:

  • SH-4366 - The firmware can create but not import public+sensitive keys. You must specify both CKA_PRIVATE=1 and CKA_SENSITIVE=1 Key Attributes for all Generated, Derived and Unwrapped keys
  • SH-5322 - The firmware crashes when cancelling a multi-part operation. The firmware no longer crashes when cancelling a multi-part operation.
  • SH-5595 - Deriving x9.42 DH2 returns CKR_OBJECT_HANDLE_INVALID. Deriving x9.42 DH2 no longer returns CKR_OBJECT_HANDLE_INVALID

FW 1.6 includes all of the improvements from FW1.5 and additional enhancements.

Input fields will be trimmed for tenant registration

The input fields for tenant registration, excluding the password field, will be trimmed. Leading and trailing spaces on input fields, excluding the password field, will be removed by the platform during registration. 

If you have automation using the API for tenant registration and tenant updating you should modify your automation to account for this behavior. 

See the Data Protection on Demand (DPoD) API for more information.

Additional registration fields are being made mandatory for tenant registration

The following fields are being made mandatory for tenant registration when Country is set to United States, Canada, or Australia:

  • State/Province/Region

If you have automation using the API for tenant registration and tenant updating you should modify your automation to account for these new mandatory fields. 

See the Data Protection on Demand (DPoD) API for more information about available endpoints and fields.

New certificate issuer for North American datacenter

This change has been rescheduled to Tuesday February 8th 14:00 UTC to give customers more time to adjust their environments.

A knowledge base article with a full description of the change is available hereThe article contains important information on mandatory changes for users on 10.0 or 10.1 client versions in North America.

This change introduces a new endpoint for validating the certificate status. Please ensure that operating systems hosting the client are able to validate the server certificate status (OCSP/CRL) using port 80. 

Ensure that these certificate revocation lists (CRLs) are accessible from the client machine prior to the planned change on Tuesday February 8th 14:00 UTC  to guarantee continuity of service.

Current CRL: http://crl.godaddy.com/gdig2s1-3235.crl
New CRL: http://crl.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crl
Platform CRL: http://crl3.digicert.com/ssca-sha2-g7.crl

Show Previous EntriesShow Previous Entries