Luna HSM 5.2.2

LUNA HSM 5.2.2 UPGRADE INSTRUCTIONS
Document part number: 007-012226-001
Revision E
Document issued on: 12 November 2013

Contents

Overview (page 2)
  About Luna HSM 5.2.2 (page 2)
  Upgrade Paths (page 2)
  Component Firmware Versions (page 3)
Preparing for the Upgrade (page 4)
  Obtaining the Upgrade Software (page 4)
  Required Authentication Credentials (page 4)
  Preparing Your HSMs For the Upgrade (page 4)
Performing the Upgrade (page 5)
  Upgrading the Client Software (page 5)
  Upgrading the Luna SA Appliance Software (page 7)
  Upgrading the HSM Firmware (page 8)
Additional Tasks for CSP/KSP Users (page 10)
Additional Tasks for Java Users (page 10)
Returning the HSM to Operation (page 10)
Technical Support Information (page 11)
Trademarks and Disclaimer (page 11)

Luna HSM 5.2.2 Customer Release Notes 007-012226-001 Revision E Copyright 2013 SafeNet Inc.

1 of 11

Overview

This document describes how to upgrade your Luna SA, Luna PCI-E, and Luna G5 devices, and their supporting components, to Luna HSM 5.2.2. Depending on your specific product and the supporting components it uses, you may have to upgrade your client software, appliance software, and/or HSM firmware. Detailed instructions are included for upgrading all products and components supported in Luna HSM 5.2.2.

About Luna HSM 5.2.2

Luna HSM 5.2.2 introduces new FIPS candidate firmware version 6.10.2. With the exception of the new firmware, Luna HSM 5.2.2 is identical to Luna HSM 5.2.1. For more information regarding Luna HSM 5.2.2, refer to the customer release notes. The most up-to-date version of the Luna HSM 5.2.x Customer Release Notes document is at http://www.securedbysafenet.com/releasenotes/luna/crn_luna_hsm_5-2.pdf

Upgrade Paths

The Luna HSM factory installed firmware is upgradeable, as follows:

- Luna SA 5.2.2 HSMs are shipped from the factory with firmware 6.2.1, upgradable to 6.10.2.
- Luna PCI-E 5.2.2 HSMs are shipped from the factory with firmware 6.2.1, upgradable to 6.10.2.
- Luna G5 5.2.2 HSMs are shipped from the factory with firmware 6.2.3, upgradable to 6.10.2.
- Luna Backup HSMs are shipped from the factory with firmware 6.0.8, upgradable to 6.10.2.

Refer to the Luna HSM 5.2.2 Customer Release Notes for new features that require firmware 6.10.2, and new features that work with firmware 6.2.1.

Updating both software and firmware to newest versions

  Component                     From version...                              To version...
  Luna SA client software       5.0, 5.1, 5.1.1, 5.2.0, or 5.2.1             5.2.2
  Luna SA appliance software    5.0, 5.1, 5.2.0, or 5.2.1                    5.2.2
  Luna PCI-E client software    5.0, 5.2.0, or 5.2.1                         5.2.2
  Luna G5 client software       1.3, 5.2.0, or 5.2.1                         5.2.2
  HSM firmware                  6.0.8, 6.1.6, 6.2.1**, 6.2.3***, or 6.10.1   6.10.2

Updating software, but retaining most recent FIPS-validated firmware

  Component                     From version...                     To version...
  Luna SA client software       5.0, 5.1, 5.1.1, or 5.2.0           5.2.2
  Luna SA appliance software    5.0, 5.1, 5.2.0, or 5.2.1           5.2.2
  Luna PCI-E client software    5.0 or 5.2.0                        5.2.2
  Luna G5 client software       1.3 or 5.2.0                        5.2.2
  HSM firmware                  6.0.8, 6.1.6, 6.2.1**, or 6.2.3***  6.2.1**, 6.2.3***

Note: Customers with Luna SA 5.0.x wanting to use 6.2.1 firmware (the most recent FIPS-validated firmware, at time of writing) must upgrade to software 5.1 first, in order to obtain the firmware 6.2.1 update. After upgrading to 5.1, you can upgrade to version 5.2.2 (if you upgrade directly to 5.2.2, you miss the 6.2.1 firmware option and have only the 6.10.2 option).

** Luna PCI-E and Luna SA: firmware 6.2.1 is the most recent FIPS-validated firmware, at time of writing.
*** Luna G5: firmware 6.2.3 is the most recent FIPS-validated firmware, at time of writing.


Component Firmware Versions

The following table lists the supported firmware versions for the various components supported in Luna HSM 5.2.2.

  Component                                                              Version
  HSM firmware                                                           6.10.2
  Luna Backup HSM firmware                                               6.10.2
  Luna G5 (for PKI bundle) firmware                                      6.10.2
  PED II                                                                 2.5.0-3
  PED IIr (Remote PED) (requires PED workstation s/w on PC) [optional]   2.5.0-3


Preparing for the Upgrade

Before attempting to upgrade to Luna HSM 5.2.2, ensure that you have satisfied the following prerequisites:

- you have the upgrade software.
- you have the authentication credentials required to perform the upgrade.
- you have prepared your HSMs for the upgrade.

Each of these prerequisites is discussed in detail in the following sections.

Obtaining the Upgrade Software

All of the software and firmware required to upgrade to Luna HSM 5.2.2 is included on the Luna HSM 5.2.2 software DVD. The upgrade software is also available via download from the Technical Support Customer Portal.

Note: Authorization codes are required to install firmware. To obtain the authorization codes for your firmware, contact SafeNet Technical Support.

The following packages are included in the upgrade software:

- Luna HSM 5.2.2 Client software
- Luna SA 5.2.2 appliance software
- Luna HSM 6.10.2 firmware
- PED firmware (refer to the readme.txt file included on the Luna HSM 5.2.2 software DVD for more information)

Required Authentication Credentials

You must be able to log in to the HSM as the security officer (SO) to perform the upgrade. On PED-authenticated HSMs, you need the blue PED key(s). On password-authenticated HSMs, you need the SO password. On Luna SA, you also need to be able to log in to the appliance using an admin-level account before you can log in to the HSM as the SO.

Preparing Your HSMs For the Upgrade

Perform the following tasks to prepare your HSM for the upgrade:

1. Ensure that your client and appliance software and firmware are at a version listed in "Upgrade Paths" on page 2.
2. Connect your HSM appliance or host computer to an uninterruptible power supply (UPS), if available. Although this is not a requirement, use of a UPS is strongly recommended to ensure successful completion of all upgrade activities.
3. Ensure that your USB devices (Luna G5, Luna Backup HSM or Luna Remote PED) are connected, using a USB cable, to the computer on which you are installing the Luna software. If the USB devices are not connected to the host computer, the USB drivers do not install successfully. This issue applies to Windows 2008 only.
4. If the Secure Recovery Key (SRK) on the HSM is enabled, it must be disabled before you can upgrade the HSM firmware. The SRK is an external split of the HSM's Master Tamper Key (MTK) that is imprinted on the purple PED key. When you disable the SRK, the SRV (Secure Recovery Vector) portion of the MTK is returned to the HSM, so that the SRV is no longer external to the HSM. It is only in this state that you can upgrade the HSM firmware. After you upgrade the firmware, you can re-enable the SRK, if desired, to re-imprint a purple PED key with the SRV.
5. Back up the content of your HSM or HSM partitions to Luna SA Backup HSMs (if you have the Backup option).
6. Copy the Luna HSM 5.2.2 upgrade software package (the downloaded tar file) to the client computer and use your favorite archiving program to untar the archive.
7. Stop all applications and services that are using the HSM.


Performing the Upgrade

Depending on the product you are upgrading, you may need to upgrade the client software, appliance software, and/or the HSM firmware, as specified in the following table (the appliance software applies to the Luna SA appliance only):

  Product      Client software upgrade   Appliance software upgrade   HSM firmware upgrade
  Luna SA      X*                        X                            X
  Luna PCI-E   X*                                                     X
  Luna G5      X*                                                     X

  * Except for upgrade from Luna HSM 5.2.1

You must upgrade the software/firmware in the following order:

1. Client software
2. Appliance software
3. HSM firmware
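The decision logic spread over "Upgrade Paths", its note on Luna SA 5.0.x, the SRK precondition in "Preparing Your HSMs For the Upgrade" and the ordering table above can be checked before anyone touches a device. The planner below is an added example and not SafeNet tooling: it takes the current product state and returns the ordered steps, or refuses a starting version the tables do not list. Product names and version strings come from this document; the HsmState fields, the function names and the sample state are this example's own.

```python
"""Pre-upgrade planner for Luna HSM 5.2.2.

Added example, not SafeNet tooling. It encodes the "Upgrade Paths" tables,
the required order (client, appliance, firmware), the exception that a 5.2.1
client needs no upgrade, the note that Luna SA 5.0.x must pass through 5.1 to
obtain FIPS-validated firmware 6.2.1, and the SRK precondition for firmware
updates. Product names and version strings come from the document; the
HsmState fields and the function names are this example's own.
"""
from dataclasses import dataclass
from typing import List

TARGET_SOFTWARE = "5.2.2"
TARGET_FIRMWARE = "6.10.2"
# Most recent FIPS-validated firmware per product, at the document's writing.
FIPS_FIRMWARE = {"Luna SA": "6.2.1", "Luna PCI-E": "6.2.1", "Luna G5": "6.2.3"}

# Starting versions accepted by the 5.2.2 upgrade.
CLIENT_FROM = {
    "Luna SA": {"5.0", "5.1", "5.1.1", "5.2.0", "5.2.1"},
    "Luna PCI-E": {"5.0", "5.2.0", "5.2.1"},
    "Luna G5": {"1.3", "5.2.0", "5.2.1"},
}
APPLIANCE_FROM = {"5.0", "5.1", "5.2.0", "5.2.1"}
FIRMWARE_FROM = {"6.0.8", "6.1.6", "6.2.1", "6.2.3", "6.10.1"}  # when going to 6.10.2
FIPS_FIRMWARE_FROM = {"6.0.8", "6.1.6", "6.2.1", "6.2.3"}       # when staying FIPS-validated


@dataclass
class HsmState:
    product: str                      # "Luna SA", "Luna PCI-E" or "Luna G5"
    client: str                       # installed client software version
    firmware: str                     # current HSM firmware version
    appliance: str = ""               # appliance software version (Luna SA only)
    srk_enabled: bool = False         # SRK split of the MTK imprinted on a purple PED key?
    keep_fips_firmware: bool = False  # stay on FIPS-validated firmware instead of 6.10.2


def plan_upgrade(state: HsmState) -> List[str]:
    """Return the ordered upgrade steps; raise ValueError when the path is unsupported."""
    if state.product not in CLIENT_FROM:
        raise ValueError(f"unknown product {state.product!r}")
    steps: List[str] = []
    target_fw = FIPS_FIRMWARE[state.product] if state.keep_fips_firmware else TARGET_FIRMWARE
    firmware_needed = state.firmware != target_fw

    # Step 1: client software. The 5.2.1 client is identical to 5.2.2 and is kept.
    if state.client == "5.2.1":
        steps.append("client: no upgrade needed (5.2.1 and 5.2.2 client software are identical)")
    elif state.client in CLIENT_FROM[state.product]:
        steps.append(f"client: upgrade {state.client} -> {TARGET_SOFTWARE}")
    elif state.client != TARGET_SOFTWARE:
        raise ValueError(f"client {state.client} is not a supported starting version")

    # Step 2: appliance software, Luna SA only (the .spkg applies to the appliance alone).
    if state.product == "Luna SA":
        if target_fw == "6.2.1" and firmware_needed and state.appliance.startswith("5.0"):
            # "Upgrade Paths" note: 5.0.x must go to 5.1 first to obtain the 6.2.1 firmware.
            steps.append("appliance: upgrade 5.0.x -> 5.1 first (needed to obtain firmware 6.2.1)")
            steps.append(f"appliance: upgrade 5.1 -> {TARGET_SOFTWARE}")
        elif state.appliance in APPLIANCE_FROM:
            steps.append(f"appliance: upgrade {state.appliance} -> {TARGET_SOFTWARE}")
        elif state.appliance != TARGET_SOFTWARE:
            raise ValueError(f"appliance {state.appliance} is not a supported starting version")

    # Step 3: HSM firmware, always last, and only with the SRK disabled.
    if firmware_needed:
        allowed = FIPS_FIRMWARE_FROM if state.keep_fips_firmware else FIRMWARE_FROM
        if state.firmware not in allowed:
            raise ValueError(f"firmware {state.firmware} cannot be taken to {target_fw}")
        if state.srk_enabled:
            # With the SRK enabled, 'hsm update firmware' fails with LUNA_RET_OPERATION_RESTRICTED.
            steps.append("srk: disable the SRK (return the SRV to the HSM) before the firmware update")
        steps.append(f"firmware: update {state.firmware} -> {target_fw}")
        if state.srk_enabled:
            steps.append("srk: re-enable the SRK to re-imprint a purple PED key, if desired")
    return steps


if __name__ == "__main__":
    # Constructed sample: Luna SA on 5.2.1 with FIPS firmware 6.2.1 and the SRK enabled.
    for step in plan_upgrade(HsmState("Luna SA", "5.2.1", "6.2.1", "5.2.1", srk_enabled=True)):
        print(step)
```

Run it with the current versions reported by your client and by `hsm show` on the device; a ValueError means the starting version is outside the tables and the Customer Release Notes should be consulted before proceeding.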

Upgrading the Client Software

Note: You must upgrade the client software before upgrading the appliance software or HSM firmware.

Note: You do not need to upgrade the client software if you are upgrading from Luna HSM 5.2.1. The 5.2.1 and 5.2.2 client software is identical.

Upgrading your client software consists of the following main steps:

1. Uninstall your old client software. When you uninstall your old Luna HSM client software, backups of your existing configuration file and certificates (Luna SA only) are retained so that they may be restored. Any other custom files/directories found in the client installation directory/folder that are not part of the standard client installation are also retained.
2. Uninstall the old Luna driver (Luna G5 and Luna PCI-E only). The method you use depends on your HSM, as follows:
   Luna PCI-E: Use the Windows uninstaller (Start > Control Panel > Programs and Features)
   Luna G5: Use the Device Manager (My Computer > Properties > Device Manager)
3. (Luna G5 only): Delete the following file: C:\Windows\System32\Drivers\LunaUHD.sys
4. If you are using Luna KSP, uninstall it using Programs and Features.
5. Install the Luna HSM 5.2 client software. On Linux/Unix, your backup configuration file and certificates are automatically restored. On Windows, your backup configuration file and certificates are not automatically restored, although a default Luna HSM 5.2 configuration file is added to the installation directory which you can edit later to restore your previous configuration.
6. (Windows Luna SA only): Restore your certificates.
7. (Windows only): Copy any configuration settings you wish to retain from the backup configuration file to the default Luna HSM 5.2.2 configuration file.
8. Upgrade the configuration file to conform with the new Luna HSM 5.2.2 client installation folder/directory. The new directory on Linux/Unix is /usr/safenet/lunaclient. The new folder on Windows is C:\Program Files\SafeNet\LunaClient. (These folder/directory designations were already in place if you are upgrading from Luna HSM 5.2.0 to 5.2.2.)


To upgrade the client software to Luna HSM 5.2.2

1. Uninstall the currently installed Luna client software. The method you use is platform specific, as follows:

   Windows: Use the Windows uninstaller (Start > Control Panel > Programs and Features) to uninstall all of the Luna client software components.
   Unix/Linux: Run the /uninstall.sh script.

   Your existing configuration and certificates are retained for re-use with the upgraded client, as follows:

   - The Chrystoki.conf (Linux/Solaris/HP-UX) or crystoki.ini (Windows) file, which contains your configuration, is retained in the legacy installation folder/directory, as follows:

       Windows:  C:\Program Files\\crystoki.ini
       Linux:    /etc/Chrystoki.conf.rpmsave
       Solaris:  /etc/Chrystoki.conf.dssave
       HP-UX:    /etc/Chrystoki.conf.depsave
       AIX:      /etc/Chrystoki.conf.bffsave

   - Luna SA only: The cert folder/directory, which contains your certificates, is retained in the legacy installation folder/directory, as follows:

       Windows:  C:\Program Files\\cert
       Linux:    /usr//cert
       Solaris:  /opt//cert
       HP-UX:    /opt//cert
       AIX:      /usr//cert

2. Install the Luna HSM 5.2.2 software. The method you use is platform specific, as follows:

   Windows: Run the .msi installation program and follow the installation instructions.
   Linux/Unix: Run the install.sh installation script and follow the installation instructions.

   Depending on your operating system, portions of your previous configuration may be automatically restored, as follows:

   Windows: The previous configuration file and certificates are not restored, but are left as is in the old Luna client folder.
   Linux: The installer detects the presence of the /etc/Chrystoki.conf.rpmsave backup configuration file and the backup certificate directory, and restores them to the new installation directory. It also adds any new statements introduced in Luna HSM 5.2.2 to the configuration file.
   Solaris: The installer detects the presence of the /etc/Chrystoki.conf.dssave backup configuration file and the backup certificate directory, and restores them to the new installation directory. It also adds any new statements introduced in Luna HSM 5.2.2 to the configuration file.
   HP-UX: The installer detects the presence of the /etc/Chrystoki.conf.depsave backup configuration file and the backup certificate directory, and restores them to the new installation directory. It also adds any new statements introduced in Luna HSM 5.2.2 to the configuration file.
   AIX: The installer detects the presence of the /etc/Chrystoki.conf.bffsave backup configuration file and the backup certificate directory, and restores them to the new installation directory. It also adds any new statements introduced in Luna HSM 5.2.2 to the configuration file.


3. (Windows only): Copy any configuration setting you want to retain from the backup configuration file to the new Luna HSM 5.2.2 default configuration file. When copying the old settings, ensure that you overwrite the corresponding Luna HSM 5.2.2 default settings with the copied settings, so that there is only a single instance of a particular keyword in the configuration file.

4. Edit the configuration file, as necessary, to change any entries that include the old installation path to use the new path:

   Windows
     Old statement: Any statements that include the legacy Luna Client path (C:\Program Files\)
     Luna HSM 5.2.2 statement: Change the path specifications so that they adhere to the new structure (C:\Program Files\SafeNet\LunaClient)

   Linux or AIX
     Old statement: Any statements that include the legacy Luna Client path (/usr/)
     Luna HSM 5.2.2 statement: Change the path specifications so that they adhere to the new structure (/usr/safenet/lunaclient)

   Solaris or HP-UX
     Old statement: Any statements that include the legacy Luna Client path (/opt/)
     Luna HSM 5.2.2 statement: Change the path specifications so that they adhere to the new structure (/opt/safenet/lunaclient)

5. (Windows Luna SA only): Copy the folder containing your certificates (C:\Program Files\LunaSA\cert) to the Luna HSM 5.2.2 installation folder/directory (C:\Program Files\SafeNet\LunaClient\cert).
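On Windows, steps 3 and 4 are manual: the backup crystoki.ini has to be merged into the installer's default file without leaving two copies of any keyword, and every path still pointing at the legacy client folder has to be rewritten. The script below is an added example, not SafeNet tooling, that does exactly that merge. It assumes the legacy folder C:\Program Files\LunaSA from step 5 and the 5.2.2 folder C:\Program Files\SafeNet\LunaClient; the two .ini texts inside it are constructed samples rather than files from a real installation, and the function names are this example's own.

```python
"""Merge a backed-up crystoki.ini into the Luna HSM 5.2.2 default file (Windows).

Added example, not SafeNet tooling. It performs steps 3 and 4 of the client
upgrade for Windows: every setting kept from the backup overwrites the
matching default keyword so that each keyword appears exactly once, and any
value still pointing at the legacy client folder is rewritten to the 5.2.2
folder. The legacy folder C:\\Program Files\\LunaSA comes from step 5 of the
document; the two .ini texts below are constructed samples, not real files.
"""
import configparser

LEGACY_ROOT = r"C:\Program Files\LunaSA"           # legacy Luna SA client folder
NEW_ROOT = r"C:\Program Files\SafeNet\LunaClient"  # Luna HSM 5.2.2 client folder

# Constructed sample: backup crystoki.ini left behind by the uninstaller.
OLD_INI = """\
[Chrystoki2]
LibNT=C:\\Program Files\\LunaSA\\cryptoki.dll

[LunaSA Client]
ClientPrivKeyFile=C:\\Program Files\\LunaSA\\cert\\client\\myhostKey.pem
ClientCertFile=C:\\Program Files\\LunaSA\\cert\\client\\myhost.pem
ServerCAFile=C:\\Program Files\\LunaSA\\cert\\server\\CAFile.pem
NetClient=1
ReceiveTimeout=20000

[Misc]
PE1746Enabled=0
"""

# Constructed sample: default crystoki.ini written by the 5.2.2 installer.
NEW_INI = """\
[Chrystoki2]
LibNT=C:\\Program Files\\SafeNet\\LunaClient\\cryptoki.dll

[LunaSA Client]
ReceiveTimeout=20000
SSLConfigFile=C:\\Program Files\\SafeNet\\LunaClient\\openssl.cnf

[Misc]
PE1746Enabled=0
"""


def _load(text: str) -> configparser.ConfigParser:
    """Parse crystoki.ini text. Keywords are case-sensitive (LibNT, ClientCertFile),
    so configparser must not lower-case them; only '=' separates key and value
    (values contain ':' in drive letters) and '%' interpolation is off for paths."""
    cp = configparser.ConfigParser(interpolation=None, strict=True, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def rewrite_legacy_path(value: str) -> str:
    """Replace a legacy client-folder prefix with the 5.2.2 folder. Windows paths are
    case-insensitive, so the prefix comparison is too."""
    if value.lower().startswith(LEGACY_ROOT.lower()):
        return NEW_ROOT + value[len(LEGACY_ROOT):]
    return value


def merge_config(old_text: str, new_text: str) -> str:
    """Return merged .ini text: backup settings overwrite defaults, paths are rewritten."""
    old, new = _load(old_text), _load(new_text)
    for section in old.sections():
        if not new.has_section(section):
            new.add_section(section)
        for key, value in old.items(section):
            new.set(section, key, rewrite_legacy_path(value))  # overwrite, never duplicate
    # Emit key=value without spaces, matching the layout of the installer's file.
    lines = []
    for section in new.sections():
        lines.append(f"[{section}]")
        lines.extend(f"{key}={value}" for key, value in new.items(section))
        lines.append("")
    return "\n".join(lines)


def has_duplicate_keywords(ini_text: str) -> bool:
    """True when a keyword occurs twice in one section, the condition step 3 warns against."""
    try:
        _load(ini_text)
    except configparser.DuplicateOptionError:
        return True
    return False


def lookup(ini_text: str, section: str, key: str) -> str:
    """Read one keyword back from .ini text."""
    return _load(ini_text).get(section, key)


if __name__ == "__main__":
    print(merge_config(OLD_INI, NEW_INI))
```

Keep the merged output as the new crystoki.ini only after reviewing it; values such as ServerCAFile and ClientCertFile must point at the certificate files you copied in step 5, and has_duplicate_keywords is the check for the single-instance rule in step 3 when the merge was done by hand instead.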

Upgrading the Luna SA Appliance Software

Note: You must upgrade the Luna SA appliance software before you upgrade the Luna SA HSM firmware. The appliance software can only be applied to the Luna SA appliance.

To upgrade the Luna SA Appliance software to Luna HSM 5.2.2

1. Copy the Luna HSM 5.2.2 appliance package file (.spkg) to the Luna SA appliance you want to upgrade:
     Windows:     pscp <path>\<partnum>.spkg admin@:
     Unix/Linux:  scp <path>/<partnum>.spkg admin@:
2. Stop all client applications that are connected to the Luna SA.
3. At the console, log in to the Luna SA appliance using an admin-level account (the default account is admin).
4. Log in to the Luna SA HSM as the HSM admin user:
     lunash :> hsm login
   For Luna SA with Trusted Path, the blue PED Key is required. For Luna SA with Password Authentication, you are prompted for the HSM Admin (SO) password.
5. Verify that the upgrade package file that you copied is present (optional):
     lunash :> package listfile
6. Verify the upgrade package (optional):
     lunash :> package verify <partnum>.spkg -authcode
   The verification process requires approximately 90 seconds.
7. Install the upgrade package:
     lunash :> package update <partnum>.spkg -authcode
   The installation/upgrade process takes approximately 90 seconds. During that time, a series of messages are displayed that detail the progress of the upgrade. At the end of this process, the message "Software upgrade completed!" is displayed.


Upgrading the HSM Firmware

Note: Upgrade the HSM firmware only after you have upgraded the client software and appliance software, if applicable. (You do not need to upgrade the client software if you are upgrading from Luna HSM 5.2.1.) On Luna SA, you use lunash to upgrade the firmware. On Luna PCI-E and Luna G5, you use lunacm to upgrade the firmware.

To upgrade the Luna SA HSM firmware

1. Log in to the HSM as the HSM admin user if you are not already logged in:
     lunash :> hsm login
2. Run the firmware upgrade command. The HSM will reset when the upgrade is complete:
     lunash :> hsm update firmware
3. Use the hsm show command to verify that the firmware upgrade was successful:
     lunash :> hsm show
   If the upgrade was successful, the firmware version is displayed as 6.10.2.

   Note: If you did not reboot the appliance before upgrading the firmware (remote PED case), the following error message is displayed:
     Error: Unable to communicate with HSM. Please run 'hsm supportInfo' and contact customer support.
   You can ignore the error message.

4. If you disabled the SRK prior to performing the firmware upgrade, re-enable it if desired. Refer to the Luna documentation for details. If you attempted to upgrade the firmware without disabling the SRK, the firmware upgrade fails with the following error:
     Error: 'hsm update firmware' failed. (10A0B : LUNA_RET_OPERATION_RESTRICTED)
5. If you logged into the HSM using a remote PED, ensure that all client connections are terminated and then enter the following command to reboot the appliance:
     sysconf appliance reboot

To upgrade the Luna PCI-E or Luna G5 HSM firmware

To upgrade the firmware on a Luna PCI-E or Luna G5 HSM, you run a lunacm command on a Luna HSM 5.2.2 client computer that contains a copy of the firmware upgrade (.fuf) file and its associated firmware authentication code (.txt) file, and that either contains the Luna PCI-E HSM or is connected to the Luna G5 HSM you want to upgrade.

1. Ensure that your client computer is running the Luna HSM 5.2.2 client software.
2. Copy the firmware file (.fuf) from the firmware folder on the software CD to the Luna HSM 5.2.2 client root directory (C:\Program Files\SafeNet\LunaClient on Windows; /usr/safenet/lunaclient/bin on Linux; /opt/safenet/lunaclient/bin on Solaris and HP-UX).
3. Obtain the firmware authorization code:
   a. Contact SafeNet Customer Support ([email protected]). The firmware authorization code is provided as a .txt file.
   b. Copy the .txt file to the Luna HSM 5.2.2 client root directory (C:\Program Files\SafeNet\LunaClient on Windows; /usr/safenet/lunaclient/bin on Linux).
4. Launch the lunacm utility:
   Windows: Open a DOS window (Start > Programs > Accessories > Command Prompt) and change to the Luna Client root directory:
       cd C:\Program Files\SafeNet\LunaClient
     Enter the following command:
       lunacm
   Linux: Open a terminal window and change to the Luna Client root directory (/usr/safenet/lunaclient/bin). Enter the following command:
       ./lunacm
   Solaris or HP-UX: Open a terminal window and change to the Luna Client root directory (/opt/safenet/lunaclient/bin). Enter the following command:
       ./lunacm
5. Enter the following command to log in to the HSM. Note that the password is not required on PED-based systems:
     hsm login [-password <password>]
6. Enter the following command to upgrade the firmware on the attached Luna HSM:
     hsm -updateFirmware -fuf .fuf -authcode .txt


Additional Tasks for CSP/KSP Users

If you are using CSP/KSP, you must upgrade your Luna CSP/KSP configuration by performing the following tasks:

1. Launch the KSP (kspconfig.exe) or CSP (register.exe) configuration utility and perform the following tasks:
   a. Update the library path to point to C:\Program Files\SafeNet\LunaClient
   b. Reregister the partition.

Additional Tasks for Java Users

You must copy the Java library (LunaAPI.dll) and jar file (LunaProvider.jar) from the client installation folder/directory to the jre/lib/ext folder/directory.

Returning the HSM to Operation

After performing the upgrade, you must reactivate the HSM partitions (if applicable) and re-register the Luna client, to return the HSM to operation.

To return the HSM to operation

1. Reactivate all partitions that were activated before the upgrade (applies to Luna SA with PED Authentication).
2. Re-register the Luna SA client. Refer to the WebHelp for details.


Technical Support Information

If you have questions or need additional assistance, contact Technical Support through the listings below:

Address
  SafeNet, Inc.
  4690 Millennium Drive
  Belcamp, Maryland 21017 USA

Phone
  United States:              (800) 545-6608, (410) 931-7520
  Australia and New Zealand:  +1 410-931-7520
  China:                      (86) 10 8851 9191
  France:                     0825 341000
  Germany:                    01803 7246269
  India:                      +1 410-931-7520
  United Kingdom:             0870 7529200, +1 410 931-7520

Email
  [email protected]

Web
  www.safenet-inc.com/Support

Support and Downloads
  www.safenet-inc.com/Support
  Provides access to the SafeNet Knowledge Base and quick downloads for various products.

Technical Support Customer Portal
  https://serviceportal.safenet-inc.com
  Existing customers with a Technical Support Customer Portal account can log in to manage incidents, get the latest software upgrades, and access the SafeNet Knowledge Base.

Trademarks and Disclaimer

Although we have attempted to make this document as complete, accurate, and useful as possible, we cannot guarantee its contents. Errors or omissions will be corrected, as they are identified, in succeeding releases of the product. Information is subject to change without notice. Copyright 2013. All rights reserved. Luna and the SafeNet logos are registered trademarks of SafeNet Inc.
