New certificate issuer for European data center

A new certificate issuer will be used in the European data center for Luna Cloud HSM clients as of August 16th.

A knowledge base article gives a full description of the change, including the mandatory changes that users on 10.0 or 10.1 client versions must make before the cutover.

This change introduces a new endpoint for validating the certificate status. Ensure that the operating systems hosting the client are able to validate the server certificate status (OCSP/CRL) over plain HTTP on port 80; outbound filtering that blocks port 80 will cause certificate validation, and therefore the client connection, to fail.

Ensure that all three of the certificate revocation lists (CRLs) below are reachable from the client machine before the planned change in August 2022: the current CRL until the cutover, the new CRL from the cutover onward, and the platform CRL throughout. Verifying this in advance guarantees continuity of service.

Current CRL: http://crl.godaddy.com/gdig2s1-3235.crl
New CRL: http://crl.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crl
Platform CRL: http://crl3.digicert.com/ssca-sha2-g7.crl
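The following shell script is an added example, not part of the Thales notice, for checking from a client host that each of the three CRL distribution points listed above can be fetched over HTTP on port 80 and that the downloaded file actually parses as a CRL (a proxy or captive-portal error page would otherwise pass a plain reachability test). It assumes curl and openssl are installed; the URL list is copied from the notice.

```shell
#!/bin/sh
# Added example, not part of the Thales notice: confirm from the client host that
# every CRL the Luna Cloud HSM client will need is reachable over HTTP on port 80
# and parses as a CRL. Assumes curl and openssl are on PATH.

# The three distribution points named in the notice.
CRL_URLS="http://crl.godaddy.com/gdig2s1-3235.crl
http://crl.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crl
http://crl3.digicert.com/ssca-sha2-g7.crl"

# crl_host_port URL -> prints "host port". The port is the one your egress
# firewall must permit: an explicit :port if present, else 443 for https, 80 otherwise.
crl_host_port() {
    url=$1
    scheme=${url%%://*}
    rest=${url#*://}
    hostport=${rest%%/*}
    case $hostport in
        *:*) host=${hostport%%:*}; port=${hostport##*:} ;;
        *)   host=$hostport
             case $scheme in
                 https) port=443 ;;
                 *)     port=80 ;;
             esac ;;
    esac
    printf '%s %s\n' "$host" "$port"
}

# crl_check URL -> downloads the CRL with a short timeout and asks openssl to parse it
# (DER first, PEM as a fallback), printing issuer and nextUpdate. Returns non-zero on
# any failure so the script can be used as a pre-change health check.
crl_check() {
    url=$1
    tmp=$(mktemp) || return 1
    if ! curl -sSf --connect-timeout 5 --max-time 20 -o "$tmp" "$url"; then
        echo "FAIL fetch: $url" >&2
        rm -f "$tmp"
        return 1
    fi
    if openssl crl -inform DER -in "$tmp" -noout -issuer -nextupdate 2>/dev/null \
       || openssl crl -inform PEM -in "$tmp" -noout -issuer -nextupdate 2>/dev/null; then
        echo "OK $url"
        rm -f "$tmp"
        return 0
    fi
    echo "FAIL parse: $url (downloaded file is not a CRL; check for a proxy or captive-portal error page)" >&2
    rm -f "$tmp"
    return 1
}

# The network check runs only when invoked as `sh crl_check.sh --run`, so the
# functions above can be sourced without touching the network.
if [ "${1:-}" = "--run" ]; then
    rc=0
    for u in $CRL_URLS; do
        hp=$(crl_host_port "$u")
        echo "checking $u (firewall must allow TCP to ${hp% *} port ${hp##* })"
        crl_check "$u" || rc=1
    done
    exit $rc
fi
```

Run it with `--run` on every host that carries the Luna Cloud HSM client before the August cutover; a non-zero exit means at least one CRL could not be fetched or parsed from that host. OCSP responders are also contacted over port 80, so the same egress rule that admits these CRL hosts must admit the responder named in the server certificate.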

Audit Logs Available for Luna Cloud HSM Services

Thales Data Protection on Demand now collects audit logs for Luna Cloud HSM Services using client version 10.2 and newer. Users can generate audit log files and retrieve signed URLs for access to those files using the Audit Query API /v1/audit-log-exports endpoint. Each audit log entry records the outcome of an action by an actor on a resource.

For more information about audit logging, see About the Audit Log API.

Additional Field is Being Made Mandatory for Service Creation using the API

The servicePlan field is being made mandatory for service creation when using the API, for example when using POST /service_instances or POST /services.

If you use the API to provision services, you will need to pass a value matching one of the plans listed in the Open Service Broker catalog. For Luna Cloud HSM services, you must pass "single_hsm". Failure to pass a valid plan will result in a 400 error.

See the Thales Documentation Portal for more information about available endpoints and fields.

Updated Luna Cloud HSM Service Firmware Versions in NA

The firmware versions for Luna Cloud HSM Services operating in NA environments have been updated. The current firmware versions by region and FIPS mode are as follows:

  • NA FIPS - 1.5
  • NA non-FIPS - 1.5
  • EU FIPS - 1.5
  • EU non-FIPS - 1.6 

FW 1.5 includes improvements to the Point to Point encryption service. FW 1.5 also includes the following bug fixes:

  • SH-4366 - The firmware can create but not import public+sensitive keys. You must specify both CKA_PRIVATE=1 and CKA_SENSITIVE=1 Key Attributes for all Generated, Derived and Unwrapped keys
  • SH-5322 - The firmware crashes when cancelling a multi-part operation. The firmware no longer crashes when cancelling a multi-part operation.
  • SH-5595 - Deriving x9.42 DH2 returns CKR_OBJECT_HANDLE_INVALID. Deriving x9.42 DH2 no longer returns CKR_OBJECT_HANDLE_INVALID

Updated Luna Cloud HSM Service Firmware Versions in EU

The firmware versions for Luna Cloud HSM Services operating in EU environments have been updated. The current firmware versions by region and FIPS mode are as follows:

  • NA FIPS - 1.4.0
  • NA non-FIPS - 1.4.2
  • EU FIPS - 1.5
  • EU non-FIPS - 1.6 

FW 1.5 includes improvements to the Point to Point encryption service. FW 1.5 also includes the following bug fixes:

  • SH-4366 - The firmware can create but not import public+sensitive keys. You must specify both CKA_PRIVATE=1 and CKA_SENSITIVE=1 Key Attributes for all Generated, Derived and Unwrapped keys
  • SH-5322 - The firmware crashes when cancelling a multi-part operation. The firmware no longer crashes when cancelling a multi-part operation.
  • SH-5595 - Deriving x9.42 DH2 returns CKR_OBJECT_HANDLE_INVALID. Deriving x9.42 DH2 no longer returns CKR_OBJECT_HANDLE_INVALID

FW 1.6 includes all of the improvements from FW 1.5 and additional enhancements.

Updates to DPoD Platform

Additional Fields are now Mandatory for Tenant Registration

The following fields are now mandatory for tenant registration:

  • Address
  • City
  • ZIP Code
  • State/Province/Region*

* Mandatory if Country is set to United States, Canada, or Australia

Clone between PED Luna HSM and Luna Cloud HSM with Luna HSM Client 10.4.1

Version 10.4.1 of the Luna HSM client is now available for download from the Thales Customer Support Portal. This client supports hybrid usage of both Luna Cloud HSM services and the Luna HSM product line, as detailed in the Luna Cloud HSM Client User Guide.

Added

  • Luna HSM Client 10.4.1 allows you to initialize a Luna Cloud HSM service using a domain secret imported from a red PED key. This allows you to clone objects between PED-authenticated Luna HSM partitions and Luna Cloud HSM enabling cloud backups and improving availability by adding Luna Cloud HSM to your HA groups. See Initializing a Luna Cloud HSM Service for more information.

Thales Luna Cloud HSM Available Through Google Cloud Marketplace

Added

The Thales Luna Cloud HSM service is now available through Google Cloud Marketplace. Provisioning a Luna Cloud HSM service through Google Cloud Marketplace automatically generates a Thales Data Protection on Demand (DPoD) tenant and registers the user as the primary tenant administrator. The DPoD tenant provides access to features such as reporting and user and account management.

See the Thales Luna Cloud HSM service and Thales Data Protection on Demand documentation for more information.

Luna Cloud HSM Service Rebranding

Changed

The following Luna Cloud HSM service names have been changed:

  • HSM on Demand is now Luna Cloud HSM
  • HSM on Demand for CyberArk is now Luna Cloud HSM for CyberArk
  • HSM on Demand for Digital Signing is now Luna Cloud HSM for Digital Signing
  • HSM on Demand for Hyperledger is now Luna Cloud HSM for Hyperledger 
  • HSM on Demand for Java Code Signer is now Luna Cloud HSM for Java Code Signer 
  • HSM on Demand for Microsoft ADCS is now Luna Cloud HSM for Microsoft ADCS 
  • HSM on Demand for Microsoft Authenticode is now Luna Cloud HSM for Microsoft Authenticode
  • HSM on Demand for Microsoft SQL Server is now Luna Cloud HSM for Microsoft SQL Server 
  • HSM on Demand for PKI Private Key Protection is now Luna Cloud HSM for PKI Private Key Protection 
  • HSMoD for Oracle TDE is now Luna Cloud HSM for Oracle TDE 
  • HSM on Demand with Key Export is now Luna Cloud HSM with Key Export