Luna Cloud HSM Releases FW 2.0.5 Upgrade

FW 2.0.5 has been released to all production environments. This release resolves the issue with restoring Luna Cloud HSM backups from a Luna USB Backup HSM.

The new firmware versions based on region and FIPS mode are as follows:

NA FIPS - 2.0.5
NA non-FIPS - 2.0.5
EU FIPS - 2.0.5
EU non-FIPS - 2.0.5

Added

Luna Cloud HSM Backup

The issue with restoring Luna Cloud HSM backups from a Luna USB Backup HSM has been rectified with FW 2.0.5.

The Support Tool Has Been Upgraded

An issue was found with the Luna Cloud HSM Support Tool version 1.0.0 where incorrect data was reported for datacentre connectivity in some cases.

This issue has been fixed with the Luna Cloud HSM Support Tool version 1.0.2.

Luna Cloud HSM Support Tool version 1.0.2 addresses the following bug:

LCH-1498 - Support Tool reports incorrect info due to AuthN Changes.

Luna Cloud HSM Releases FW 2.0.2 Upgrade

FW 2.0.2 has been released to all production environments. This release resolves an issue that prevented cloning objects between two Luna Cloud HSM partitions when using the 10.5 client.

The new firmware versions based on region and FIPS mode are as follows:

NA FIPS - 2.0.2
NA non-FIPS - 2.0.2
EU FIPS - 2.0.2
EU non-FIPS - 2.0.2

FW 2.0.2 includes the following bug fixes:

LCH-489 - CPv4 Cloning command permissions incorrect for pre-FW-2.0 partitions.
DPS-10104 - Luna Cloud HSM Partition Cloning Fails with the 10.5 Client
Cloning keys between two Luna Cloud HSM partitions fails when using the 10.5 client. There are currently two possible workaround scenarios.
-> Workaround #1 - If there is a Luna SA7 (or any other separate device to use as an intermediary for the cloning) then clone to and from that device.
-> Workaround #2 - If there is no separate device then completely uninstall the 10.5 client and install the 10.4 client from scratch. For this option please raise a support ticket to the Thales Customer Support portal to request to join the 2 partitions together as the 10.4 client does not support dynamic partition loading.

Mutex Error Message When Using CKLog Fixed in UC 10.5

In UC 10.4, a bug was found when using CKLog in Linux with a Luna Cloud HSM client package. The output was spammed with "LunaNamedSystemMutex: open() failed: No such file or directory".

In the UC 10.5 client, the new mutex folder will use the /lock directory which solves this issue.

Updated Luna Cloud HSM Service Firmware Versions in NA

The firmware versions for Luna Cloud HSM Services operating in NA environments have been updated. The current firmware version based on region and FIPS mode are as follows:

NA FIPS - 1.5
NA non-FIPS - 1.5
EU FIPS - 1.5
EU non-FIPS - 1.6

FW 1.5 includes improvements to the Point to Point encryption service. FW 1.5 also includes the following bug fixes:

SH-4366 - The firmware can create but not import public+sensitive keys. You must specify both CKA_PRIVATE=1 and CKA_SENSITIVE=1 Key Attributes for all Generated, Derived and Unwrapped keys
SH-5322 - The firmware crashes when cancelling a multi-part operation. The firmware no longer crashes when cancelling a multi-part operation.
SH-5595 - Deriving x9.42 DH2 returns CKR_OBJECT_HANDLE_INVALID. Deriving x9.42 DH2 no longer returns CKR_OBJECT_HANDLE_INVALID

10.3 Luna Cloud HSM Service Client

Added

Version 10.3 of the HSM service client is now available for download from Thales Data Protection on Demand. This client supports hybrid usage of both Luna Cloud HSM services and the Luna HSM product line, as detailed in the HSM on Demand Client User Guide. See Upgrading your Luna Cloud HSM Service Client for more information about updating your Luna Cloud HSM service client.

Bugs Found

LUNA-14009 - Executing cmu verifyhsm does not prompt the user to enter a challenge string. Always specify a challenge string using cmu verifyhsm -challenge <string>.
LUNA-13907 - Requesting a certificate using cmu requestcertificate using the wrong attribute to specify the private key returns an incorrect error message. Use the -privateouid to specify a private key on a Luna Cloud HSM service.
LUNA-13780 - Executing cmu import to import a DSA key fails. Use an RSA public key instead.
LUNA-13761 - Executing cmu selfsigncertificate with no arguments specified, on Linux, cmu fails to prompt the user for the relevant object handles/OUIDs. Always specify the object handles/OUIDs using -publichandle and -privatehandle or -publicouid and -privateouid.
LUNA-12822 - ckmdeo option Get OUID (39) returns OUIDs with extra zeroes appended. Use option Get Attribute (24) to view the correct OUID.
LUNA-11269 - In HA configurations, where a Luna Cloud HSM service is configured as a standby, some events (such as when a connection drops and recovers due to a timeout when contacting the service) are not recorded in the HA log file.
SH-5595 - Deriving X9.42 DH2 keys returns CKR_OBJECT_HANDLE_INVALID. We recommend you avoid upgrading your Luna Cloud HSM service client until the issue is resolved.
SH-4194 - Executing cmu getpkc to confirm a public key can fail. Execute the ckdemo Display Object (27) function to confirm the key pairs origins and security in the HSM. If the CKA_NEVER_EXTRACTABLE attribute is present it confirms that the private key was created in the HSM and has never been extracted.

Bugs Fixed

SH-4987 - The displayed serial numbers of self-signed certificates created using cmu selfsigncertificate now match the input serial number.

Update to Service Elections Process

Added

Subscriber tenant administrators can complete the Add Service Elections Form, a separate commitment from the Initial Service Elections Form, to demonstrate additional service commitments to their service provider.

Bugs Found

DPS-6769 - The Salesforce Key Broker service does not update the Last Modified At and Modified By columns in the Service Details tables when service secrets are updated.

Bugs Fixed

DPS-6737 DPoD Terms of Service now display correctly in the Safari browser. The DPoD Terms of Service are always available from the support portal.
DPS-6761 - If the DPoD user interface cannot display the Salesforce Secret Type, the DPoD user interface will display the Salesforce value.

Non-FIPS Luna Cloud HSM Firmware Version 1.4.2

Changed

Non-FIPS Luna Cloud HSM service firmware has been updated to version 1.4.2. Firmware version 1.4.2 provides various performance improvements and is an enabler for future marketplace services. See Luna Cloud HSM Services for more information about FIPS and non-FIPS services.

Deprecated

The DPoD platform will remove the ability for a service provider administrator to reset a tenant administrators account password. Tenant administrators can use the self-service password reset from the DPoD tenant login screen or request that a sibling tenant administrator reset their password.

Bugs Fixed

SH-4366 - Firmware version 1.4.2 for non-FIPS Luna Cloud HSM services disallows the creation of a key with both the "public" and "sensitive" attribute combination.

Release 1.17.2

Bugs Fixed

DPS-5823 - New service clients created in the North America (NA) environment can connect to a service on Windows Server 2012r2 operating systems.

Release 1.16.1

Bugs Fixed

DPS-5433 - Administrator users can now reset their own password using the Actions column in the User Details table. When changing your own password, the option displays as Change Password. When changing another users password, the option displays as Reset User Password.
DPS-5493 - The Rotation Policies section of the Salesforce Key Broker service displays.

Show Previous Entries