When Max Session Objects goes over 100 the user will now receive the following error message: CKR_MAX_OBJECT_COUNT_EXCEEDED.

Previously there was no session object limit set therefore there was no message sent to the user.

Bugs Found 

• DPS-10104 - Luna Cloud HSM Partition Cloning Fails with the 10.5 Client
  Cloning keys between two Luna Cloud HSM partitions fails when using the 10.5 client. There are currently two possible workaround scenarios.
  -> Workaround #1 - If there is a Luna SA7 (or any other separate device to use as an intermediary for the cloning) then clone to and from that device.
  -> Workaround #2 - If there is no separate device then completely uninstall the 10.5 client and install the 10.4 client from scratch. For this option please raise a support ticket to the Thales Customer Support portal to request to join the 2 partitions together as the 10.4 client does not support dynamic partition loading.
  You can make the request by following this link:
  https://thalesdocs.com/dpod/resources/client_resources/client_connect_to_multiple_services/index.html

The firmware versions for Luna Cloud HSM Services operating in NA and EU non-FIPS environments have been updated. The current firmware version based on region and FIPS mode are as follows:

• NA FIPS - 1.5
• NA non-FIPS - 2.0
• EU FIPS - 1.5
• EU non-FIPS - 2.0 

Universal Cloning

Universal Cloning (CPv4) is now a supported feature when combining UC 10.5.0 and Firmware 2.0. Universal Cloning can be used for key migration to any trusted Thales HSMs that also support the Universal Cloning protocol.

In order to use the Universal Cloning feature, the following must be true:

• you have a Luna Client at version UC 10.5.0 or newer
• you have Firmware at version 2.0 or newer
• the source partition's security policy allows cloning of private and secret keys

NOTE: You can only clone between initialized partitions, and they must have the same cloning domain (secret), which is provided at the time of initialization.

More info can be found here: Universal Cloning.

In UC 10.4, a bug was found when using CKLog in Linux with a Luna Cloud HSM client package. The output was spammed with "LunaNamedSystemMutex: open() failed: No such file or directory".

In the UC 10.5 client, the new mutex folder will use the /lock directory which solves this issue.

The DPoD Platform API has deprecated the tileId parameter on the POST /serviceAgreements endpoint and the tileName parameter on the GET /serviceAgreements{tenantId} endpoint.

The  tileId parameter on the POST /serviceAgreements and tileName parameter on the GET /serviceAgreements{tenantId} endpoint will be removed from the platform in a future update.

See the Subscriptions API for more information about available endpoints, fields and scopes.

Thales Data Protection on Demand now collects audit logs for Luna Cloud HSM Services using client version 10.2 and newer. Users can generate audit log files and retrieve signed URLs for access to the audit log files using the Audit Query API /v1/audit-log-exports endpoint. Audit logs provide a record of the outcome of an action by an actor on a resource. 

For more information about Audit Logging see About the Audit Log API. 

The servicePlan field is being made mandatory for service creation when using the API, for example when using POST/service_instances or POST/services.

If you use the API to provision services, you will need to pass a value matching one of the plans listed in the Open Service Broker catalog. For Luna Cloud HSM services, you must pass "single_hsm". Failure to pass a valid plan will result in a 400 error.

See the Thales Documentation Portal for more information about available endpoints and fields.

The firmware versions for Luna Cloud HSM Services operating in EU environments have been updated. The current firmware version based on region and FIPS mode are as follows:

• NA FIPS - 1.4.0
• NA non-FIPS - 1.4.2
• EU FIPS - 1.5
• EU non-FIPS - 1.6 

FW 1.5 includes improvements to the Point to Point encryption service. FW 1.5 also includes the following bug fixes:

• SH-4366 - The firmware can create but not import public+sensitive keys. You must specify both CKA_PRIVATE=1 and CKA_SENSITIVE=1 Key Attributes for all Generated, Derived and Unwrapped keys
• SH-5322 - The firmware crashes when cancelling a multi-part operation. The firmware no longer crashes when cancelling a multi-part operation.
• SH-5595 - Deriving x9.42 DH2 returns CKR_OBJECT_HANDLE_INVALID. Deriving x9.42 DH2 no longer returns CKR_OBJECT_HANDLE_INVALID

FW 1.6 includes all of the improvements from FW1.5 and additional enhancements.

Additional Fields are now Mandatory for Tenant Registration

The following fields are now mandatory for tenant registration:

• Address
• City
• ZIP Code
• State/Province/Region*

* Mandatory if Country is set to United States, Canada, or Australia