Thales Data Protection on Demand 

https://thalesdocs.com/dpod/support/changelog/index.html

Floating IP for Luna Cloud HSM Datacenters

Starting in January 2024, Luna Cloud HSM Datacenters will be configured with a floating IP address. Users should be aware that any client configuration that relies on a static IP address configuration will no longer operate once this change is made. Please consult the Client Network Connectivity Documentation for information about configuring your client environment. Thales does not recommend using any static IP filtering when accessing the service. Should your configuration require the use of static IP address filtering, please contact Thales Customer Support for more information.

The Support Tool Has Been Upgraded

An issue was found with the Luna Cloud HSM Support Tool version 1.0.0 where incorrect data was reported for datacentre connectivity in some cases. 

This issue has been fixed with the Luna Cloud HSM Support Tool version 1.0.2.

Luna Cloud HSM Support Tool version 1.0.2 addresses the following bug: 

  • LCH-1498 - Support Tool reports incorrect info due to AuthN Changes.

Luna Cloud HSM Releases FW 2.0.2 Upgrade

FW 2.0.2 has been released to all production environments. This release resolves an issue that prevented cloning objects between two Luna Cloud HSM partitions when using the 10.5 client.

The new firmware versions based on region and FIPS mode are as follows: 

  • NA FIPS - 2.0.2
  • NA non-FIPS - 2.0.2
  • EU FIPS - 2.0.2
  • EU non-FIPS - 2.0.2

FW 2.0.2 includes the following bug fixes:

  • LCH-489 - CPv4 Cloning command permissions incorrect for pre-FW-2.0 partitions.
  • DPS-10104 - Luna Cloud HSM Partition Cloning Fails with the 10.5 Client

    Cloning keys between two Luna Cloud HSM partitions fails when using the 10.5 client. There are currently two possible workaround scenarios.
    -> Workaround #1 - If there is a Luna SA7 (or any other separate device to use as an intermediary for the cloning) then clone to and from that device.

    -> Workaround #2 - If there is no separate device then completely uninstall the 10.5 client and install the 10.4 client from scratch. For this option please raise a support ticket to the Thales Customer Support portal to request to join the 2 partitions together as the 10.4 client does not support dynamic partition loading.


CipherTrust Data Security Platform Beta in EU

The CipherTrust Data Security Platform is now visible in EU tenants as a beta service offering. Access to the beta service is restricted at this time. The beta service is disabled in all tenants that are not participating in the beta.

For more information about registering for the CipherTrust Data Security Platform beta please contact steve.kingston@thalesgroup.com.

Luna Cloud HSM Partition Cloning Fails with the 10.5 Client

Bugs Found 

  • DPS-10104 - Luna Cloud HSM Partition Cloning Fails with the 10.5 Client
    Cloning keys between two Luna Cloud HSM partitions fails when using the 10.5 client. There are currently two possible workaround scenarios.
    -> Workaround #1 - If there is a Luna SA7 (or any other separate device to use as an intermediary for the cloning) then clone to and from that device.
    -> Workaround #2 - If there is no separate device then completely uninstall the 10.5 client and install the 10.4 client from scratch. For this option please raise a support ticket to the Thales Customer Support portal to request to join the 2 partitions together as the 10.4 client does not support dynamic partition loading.
    You can make the request by following this link:
    https://thalesdocs.com/dpod/resources/client_resources/client_connect_to_multiple_services/index.html

Mutex Error Message When Using CKLog Fixed in UC 10.5

In UC 10.4, a bug was found when using CKLog in Linux with a Luna Cloud HSM client package. The output was spammed with "LunaNamedSystemMutex: open() failed: No such file or directory".

In the UC 10.5 client, the new mutex folder will use the /lock directory which solves this issue.

UC Dynamic UserID Loading

As of UC 10.5, the configuration of multiple users will be supported which allows multiple partition slots to be accessed from a single client instance. This allows customers to add multiple UserID's (a combination of unique AuthTokenClientID, AuthTokenClientSecret, AuthTokenConfigURI) without the need to restart the application after the addition of a new UserID. This will enable a service provider to configure multiple UserID's without impacting the service any of the other users in the same UC instance.

The ability to load multiple partitions to the same UserID without impacting service to other users will also be supported. If an attempt is made to add the same partition ID to a different user that will be ignored and a Warning log will be generated.

 

More info can be found here: "Dynamic Partition Loading for Luna Cloud HSM Services"

Updated Luna Cloud HSM Service Firmware Versions in NA

The firmware versions for Luna Cloud HSM Services operating in NA environments have been updated. The current firmware version based on region and FIPS mode are as follows:

  • NA FIPS - 1.5
  • NA non-FIPS - 1.5
  • EU FIPS - 1.5
  • EU non-FIPS - 1.6 

FW 1.5 includes improvements to the Point to Point encryption service. FW 1.5 also includes the following bug fixes:

  • SH-4366 - The firmware can create but not import public+sensitive keys. You must specify both CKA_PRIVATE=1 and CKA_SENSITIVE=1 Key Attributes for all Generated, Derived and Unwrapped keys
  • SH-5322 - The firmware crashes when cancelling a multi-part operation. The firmware no longer crashes when cancelling a multi-part operation.
  • SH-5595 - Deriving x9.42 DH2 returns CKR_OBJECT_HANDLE_INVALID. Deriving x9.42 DH2 no longer returns CKR_OBJECT_HANDLE_INVALID

New certificate issuer for European data center

A new certificate issuer will be used in the European data center for Luna Cloud HSM clients starting in August 2022.

A knowledge base article with a full description of the change is available hereThe article contains important information on mandatory changes for users on 10.0 or 10.1 client versions.

This change introduces a new endpoint for validating the certificate status. Please ensure that operating systems hosting the client are able to validate the server certificate status (OCSP/CRL) using port 80. 

Ensure that these certificate revocation lists (CRLs) are accessible from the client machine prior to the planned change in August 2022 to guarantee continuity of service.

Current CRL: http://crl.godaddy.com/gdig2s1-3235.crl
New CRL: http://crl.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crl
Platform CRL: http://crl3.digicert.com/ssca-sha2-g7.crl

Input fields will be trimmed for tenant registration

The input fields for tenant registration, excluding the password field, will be trimmed. Leading and trailing spaces on input fields, excluding the password field, will be removed by the platform during registration. 

If you have automation using the API for tenant registration and tenant updating you should modify your automation to account for this behavior. 

See the Data Protection on Demand (DPoD) API for more information.

Show Previous EntriesShow Previous Entries