DPoD IDP Migration and Luna Cloud HSM Client Network Connectivity

Early in 2025 Thales Data Protection on Demand (DPoD) will be changing the Identity Provider (IDP) used in the DPoD platform to Thales OneWelcome. To ensure continued network connectivity between your Luna Cloud HSM client and the service partition please ensure that you update your include lists to allow the Thales OneWelcome fully qualified domain names. The Luna Cloud HSM data centers are configured with floating IP addresses and as a result of this configuration we do not support using static IP addresses or hardcoded IP addresses to access the services. 

For more information about the IDP migration see the DPoD IDP Migration FAQ. For more information about configuring and troubleshooting your client connection see Client Network Connectivity and Troubleshooting the Client Connection.

DPoD IDP Migration

Thales Data Protection on Demand (DPoD) will be changing the Identity Provider (IDP) used in the DPoD platform to Thales OneWelcome. This update enables the platform to provide modern authentication options as well as simplifying logins for users that manage multiple tenants on the platform. 

For more information about this upcoming change and potential impacts to you please see the DPoD IDP Migration FAQ.

Deprecation of CPv1 Cloning

In the upcoming release of FW 3.0 for Luna Cloud HSM, CPv1 will be removed from FIPS firmware support as it is no longer compliant with 140-3. As this only affects FIPS mode, all affected users should use CPv4 or transition service to non-FIPS mode. If Luna Network HSM users want to clone to Luna Cloud HSM with a FIPS partition they will have to use Luna 7.8 or higher. See Universal Cloning for more information.

Floating IP for Luna Cloud HSM Datacenters

Starting in January 2024, Luna Cloud HSM Datacenters will be configured with a floating IP address. Users should be aware that any client configuration that relies on a static IP address configuration will no longer operate once this change is made. Please consult the Client Network Connectivity Documentation for information about configuring your client environment. Thales does not recommend using any static IP filtering when accessing the service. Should your configuration require the use of static IP address filtering, please contact Thales Customer Support for more information.

Removed Service Provider Tenant Usage Report and Associated Endpoints

The Service Provider Tenant Usage Report and the associated tenants/usageReport, tenants/usageDetails, and service_instances/usageDetails endpoints have been removed from the platform.

As an alternative use the Service Report in the DPoD service provider tenant or the /v1/service_instances/usageBillingReport endpoint, and the  /v1/backoffice/serviceAgreements{tenantId} endpoint to compile tenant usage information.

Deprecated Service Provider Tenant Usage Report and Associated Endpoints

The Service Provider Tenant Usage Report and the associated tenants/usageReport, tenants/usageDetails, and service_instances/usageDetails endpoints are deprecated and will be removed from the platform by the end of 2023. 

As an alternative use the Service Report in the DPoD service provider tenant or the /v1/service_instances/usageBillingReport endpoint, and the /v1/backoffice/serviceAgreements{tenantId} endpoint to compile tenant usage information.

CipherTrust Data Security Platform Beta in EU

The CipherTrust Data Security Platform is now visible in EU tenants as a beta service offering. Access to the beta service is restricted at this time. The beta service is disabled in all tenants that are not participating in the beta.

For more information about registering for the CipherTrust Data Security Platform beta please contact steve.kingston@thalesgroup.com.

Deprecated API Parameters on POST /serviceAgreements and GET /serviceAgreements/{tenantId} endpoints

The DPoD Platform API has deprecated the tileId parameter on the POST /serviceAgreements endpoint and the tileName parameter on the GET /serviceAgreements{tenantId} endpoint.

The  tileId parameter on the POST /serviceAgreements and tileName parameter on the GET /serviceAgreements{tenantId} endpoint will be removed from the platform in a future update.

See the Subscriptions API for more information about available endpoints, fields and scopes.


UC Dynamic UserID Loading

As of UC 10.5, the configuration of multiple users will be supported which allows multiple partition slots to be accessed from a single client instance. This allows customers to add multiple UserID's (a combination of unique AuthTokenClientID, AuthTokenClientSecret, AuthTokenConfigURI) without the need to restart the application after the addition of a new UserID. This will enable a service provider to configure multiple UserID's without impacting the service any of the other users in the same UC instance.

The ability to load multiple partitions to the same UserID without impacting service to other users will also be supported. If an attempt is made to add the same partition ID to a different user that will be ignored and a Warning log will be generated.

 

More info can be found here: "Dynamic Partition Loading for Luna Cloud HSM Services"

New certificate issuer for European data center

A new certificate issuer will be used in the European data center for Luna Cloud HSM clients starting in August 2022.

A knowledge base article with a full description of the change is available hereThe article contains important information on mandatory changes for users on 10.0 or 10.1 client versions.

This change introduces a new endpoint for validating the certificate status. Please ensure that operating systems hosting the client are able to validate the server certificate status (OCSP/CRL) using port 80. 

Ensure that these certificate revocation lists (CRLs) are accessible from the client machine prior to the planned change in August 2022 to guarantee continuity of service.

Current CRL: http://crl.godaddy.com/gdig2s1-3235.crl
New CRL: http://crl.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crl
Platform CRL: http://crl3.digicert.com/ssca-sha2-g7.crl

Show Previous EntriesShow Previous Entries