Luna Cloud HSM Service Rebranding

Changed

The following Luna Cloud HSM service names have been changed:

  • HSM on Demand is now Luna Cloud HSM
  • HSM on Demand for CyberArk is now Luna Cloud HSM for CyberArk
  • HSM on Demand for Digital Signing is now Luna Cloud HSM for Digital Signing
  • HSM on Demand for Hyperledger is now Luna Cloud HSM for Hyperledger 
  • HSM on Demand for Java Code Signer is now Luna Cloud HSM for Java Code Signer 
  • HSM on Demand for Microsoft ADCS is now Luna Cloud HSM for Microsoft ADCS 
  • HSM on Demand for Microsoft Authenticode is now Luna Cloud HSM for Microsoft Authenticode
  • HSM on Demand for Microsoft SQL Server is now Luna Cloud HSM for Microsoft SQL Server 
  • HSM on Demand for PKI Private Key Protection is now Luna Cloud HSM for PKI Private Key Protection 
  • HSMoD for Oracle TDE is now Luna Cloud HSM for Oracle TDE 
  • HSM on Demand with Key Export is now Luna Cloud HSM with Key Export

10.4 Luna Cloud HSM Client

Version 10.4 of the HSM client is now available for download from Thales Data Protection on Demand for Luna Cloud HSM services. This client supports hybrid usage of both Luna Cloud HSM services and the Luna HSM product line, as detailed in the Luna Cloud HSM Client User Guide. See Upgrade Client for more information about upgrading your client.

Added

  • Clients downloaded from Thales DPoD include the setenv.cmd -addcloudhsm (Windows) and setenv --addcloudhsm (Linux) scripts which automatically copy the necessary Luna Cloud HSM service partition configuration entries to an existing Luna HSM client configuration file. See Adding a Luna Cloud HSM Service for more information.

Changed

Removed

For more information about client features and enhancements and client advisory notes see 10.4 Client Customer Release Notes. See Known and Resolved Issues for more information about existing problems and available workarounds.

Partition Restoration

Added

Thales Data Protection on Demand can support requests to restore a Luna Cloud HSM Service partition to a previous state. 

Partition snapshots are taken daily and stored for 7 days. A tenant administrator can submit a partition snapshot restore request to have a partition restored to a previous state. Users can request restoration of a partition to recover from catastrophic events such as accidental zeroization of the service partition. Partition rollbacks can take up to 48 hours to complete.

Restoring a partition will undo any changes made to the service partition since the backup date. This includes removing new objects from the service partition and resetting password changes.

Please download and complete the Partition Snapshot Restoration Request Form and include it in your support request to the Thales Customer Support Portal.

See the Partition Snapshot Restoration Guide for more information.

Email alert on service creation

Added

Data Protection on Demand sends an email alert on service creation. Tenant Administrators and Application Owners in the subscriber group where the service is created receive the alert.

Point-to-Point Encryption Service Free Technology Preview

Added

The Point-to-Point Encryption service is now available as a free Technology Preview.

Provision the service through your Thales DPoD tenant to access a Luna Cloud HSM and a set of utilities for secure storage and generation of Base Derivation Keys (BDKs) and Derived Keys. The service provides the HSM capabilities required to decrypt electronic payment transactions first encrypted by a point-of-sale terminal. Service keys can initialize point-of-sale terminals and decrypt data originating from point-of-sale terminals.

See the P2PE Service Documentation for more information about downloading and configuring the service. 

Release GemEngine 1.5

Added

A new version of GemEngine is available from the Thales Support Portal under KB article number KB0024584.

The purpose of this toolkit is to install a working version of SafeNet's OpenSSL dynamic engine so that HSMs can be integrated with OpenSSL.

This allows Luna Cloud HSMs to be used for key storage and crypto operations through OpenSSL.

The toolkit can be used for:

  1. Installing pre-built dynamic engines to be plugged into existing OpenSSL installations for various OpenSSL streams (Linux only).
  2. Compiling and installing the gem dynamic OpenSSL engine against existing or new OpenSSL installations.
  3. Compiling and installing OpenSSL from source including optional FIPS mode support along with the gem dynamic OpenSSL engine.
  4. Integrating OpenSSL with third-party applications such as OpenSSH, effectively using the HSM for crypto operations and key storage.

The toolkit includes a script named gembuild to help achieve the above goals.

Client Connection to Multiple Luna Cloud HSM Services

Added

Thales Data Protection on Demand can support requests to configure a single Luna Cloud HSM Service Client to connect to multiple Luna Cloud HSM Services. A single set of Service Client credentials can be used for Key Migration between connected service partitions. 

Please download and complete the Client Connection to Multiple Services Request Form and include it in your support request to the Thales Customer Support Portal.
