Transcription of Luna HSM 5.4 CRN - securedbysafenet.com
1 luna HSM Customer release notes 007-012225-003 Revision J Copyright 2015 SafeNet Inc. 1 of 30 luna HSM C U S T O M E R R E L E A S E N O T E S document part number: 007-012225-003 Rev J release notes issued on: 20 November 2015 The most up-to-date version of this document is at: Contents Product Description ..1 luna SA ..1 luna PCI-E ..2 luna G5 ..2 release Description ..2 New Features and Enhancements ..3 Advisory notes ..4 Compatibility and Upgrade Information ..6 Component Versions ( ) ..7 Upgrade Paths ..7 Supported Operating Supported APIs .. 10 Advanced Configuration Upgrades .. 10 PCI-E Server Compatibility .. 10 luna G5 Server Compatibility .. 11 Addressed Issues.
2 12 Known Issues .. 15 Technical Support Information .. 30 Product Description The luna family of hardware security modules (HSMs) provides FIPS-certified, PKCS#11-compliant cryptographic services in a high-performance, ultra-secure, and tamper-proof hardware package. By securing your cryptographic keys in hardware, luna HSMs provide robust protection for your secure transactions, identities, and applications. They also offer high-performance encryption, decryption, authentication, and digital signing services. luna HSMs are available in the following form factors which offer multiple levels of performance and functionality: luna SA luna SA a network-based, Ethernet-attached HSM appliance that offers up to 20 HSM partitions, high-availability configuration options, remote PED and backup, and dual hot-swappable power supplies.
3 luna SA provides cryptographic services for network clients that are authenticated and registered against HSM partitions. Two models of luna SA are available password authenticated and PED authenticated - in two performance variants, the luna SA-1700 and luna SA-7000, which are capable of 1700 and 7000 (RSA 1024-bit) signings per second respectively, and are otherwise functionally identical. luna HSM Customer release notes 007-012225-003 Revision J Copyright 2015 SafeNet Inc. 2 of 30 luna PCI-E luna PCI-E is an internal PCI-E form factor HSM that is installed directly into an application server to provide cryptographic services for the applications running on the server.
4 Two models of luna PCI-E are available password authenticated and PED authenticated - in two performance variants, the luna PCI-E-1700 or PCI-E-7000 which are capable of 1700 and 7000 (RSA 1024-bit) signings per second respectively, and are otherwise functionally identical. luna G5 luna G5 is a USB-attached external HSM that is attached directly to an application server, via USB, to provide cryptographic services for the applications running on the server. release Description This CRN addresses luna HSM releases. How you upgrade depends on your operating system. See Upgrade Paths on page 7 for more information. luna HSM is update only , meaning that luna HSM products continue to be shipped from the factory at version , and you have the option to update the software and firmware to version luna HSM Security Patch This firmware patch for luna G5 and luna PCI-E and luna SA to firmware version or or or , addresses a vulnerability described in security bulletin 150512-1.
5 We recommend that you install this patch immediately on all applicable HSMs. Find the update instructions in document 007-013037-001 luna HSM Firmware Vulnerability Update Sheet, accompanying the patch. See also the FIPS comments below, and the effects of the current patch on firmware update paths. luna HSM luna HSM is a luna SA-only release , 630-010165-024, which includes the previous releases and patches, as well as firmware BASH-related vulnerabilities addressed In light of the recent BASH-related vulnerabilities (known as Shellshock/Aftershock/Bashdoor) covered within CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187, SafeNet has developed and tested luna SA software updates to address all of the listed vulnerabilities.
6 Other luna products do not use BASH and are not affected. See HSMAN-125 in the luna SA Addressed Issues table. NTLS lockout (intermittent shutdown) This release also fixes an issue where NTLS would intermittently stop after days of client application traffic. See LHSM-12955 in the luna SA Addressed Issues table. luna HSM Limited release . luna HSM Limited release . luna HSM luna HSM is a luna SA-only release , 630-010165-021, which includes the previous releases and patches, as well as firmware Fixing BASH-related vulnerabilities In light of the recent BASH-related vulnerabilities (known as Shellshock/Aftershock/Bashdoor) covered within CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187, luna HSM Customer release notes 007-012225-003 Revision J Copyright 2015 SafeNet Inc.
7 3 of 30 SafeNet has developed and tested luna SA software updates to address all of the listed vulnerabilities. Other luna products do not use BASH and are not affected. See HSMAN-125 in the luna SA Addressed Issues table. luna HSM luna HSM was a patch for luna SA only, addressing OpenSSL vulnerability ( ). For more info see SafeNet Security Bulletin 140605-1 SSL/TLS MITM Vulnerability with SafeNet luna SA . luna HSM luna HSM solves a problem discovered in luna SA where C_Login was taking significantly longer than in previous releases, having an impact on the performance of short-lived applications. Windows/Linux/Solaris On Windows, Linux, and Solaris, luna HSM consists of a client patch (630-010370-001) and an appliance patch (630-010165-015) that are installed on top of luna HSM HP-UX/AIX On HP-UX and AIX, luna HSM is a single consolidated package that includes client software ( ), appliance software ( ), and HSM firmware for all models of the luna SA, luna PCI, and luna G5 HSMs.
8 Note luna HSM does not include the appliance patch (630-010165-015). You must install the appliance patch separately. UPDATE: See luna SA which includes all the previous releases and patches. luna HSM luna HSM replaces luna HSM , which is no longer available. It fixes a vulnerability in OpenSSL (CVE-2014-0160 - TLS heartbeat read overrun). Windows/Linux/Solaris luna HSM is a single consolidated package for Windows, Linux, and Solaris that includes client software, appliance software, and HSM firmware for all models of the luna SA, luna PCI, and luna G5 HSMs. luna HSM is update only , meaning that luna HSM products continue to be shipped from the factory at version , and you have the option to update the software and firmware to version New Features and Enhancements luna HSM introduces some new features and improvements, as follows: Features that do not require HSM firmware Improved Remote Management The default IP address and port for Remote PED are configurable through the lunacm utility.
9 Remote PED function has been adjusted to work reliably over VPN connections. Configurable SO Authorization Requirement for luna SA Admin Operations A forceSOlogin option now allows the luna SA HSM Security Officer to optionally enforce that the SO must be logged in when certain sysconf, ntls, htl, and client commands are run. Improved Product Documents Both HTML/Web and PDF versions of luna documentation are provided, with a combined navigation page to search or browse in either format, and to view or download individual component documents as separate PDF files. Enhanced monitoring and logging information is included. luna HSM Customer release notes 007-012225-003 Revision J Copyright 2015 SafeNet Inc.
10 4 of 30 Configurable luna SA Banner The session-start banner text that appears at the beginning of each new luna SA SSH session is configurable by uploading a text file and using the command sysconf banner to apply the file content as extended banner text. Features that require HSM firmware FIPS Certification Update luna HSMs updated to firmware implement conformity with the latest NIST interpretations of applicable FIPS standards, including enforcement of legacy-only status for some older mechanisms. With the HSM not in FIPS mode, you can use any algorithm in any manner. With the HSM set to FIPS mode, certain deprecated algorithms are restricted with respect to key-size range, or with respect to permissible operations.
