
Luna SA 4.4 - securedbysafenet.com


Luna SA 4.4.3 Customer Release Notes 007-011327-001 Revision E Copyright 2009-2012 SafeNet Inc. 2 Component 1U PED I 1.12 PED II 2.0.2 PED IIr (Remote PED) (requires ...


Transcription of Luna SA 4.4 - securedbysafenet.com

SafeNet Customer Support Contacts: Web: Email:

Luna SA CUSTOMER RELEASE NOTES

Document part number: 007-011327-001 Revision E. Release notes issued on: 25 July 2012.

Note: The most up-to-date version of this document is available at the following location:

Product description

SafeNet Luna SA is a network-attached hardware security appliance providing cryptographic acceleration, hardware key management, and multiple configuration profiles.

Reason for the appliance version patch release

When HSM policy "SO can reset partition PIN" is set to off, an administrator should not be able to issue the command "partition resetpw." In fact, an administrator is able to reset the partition PIN. The correct behaviour is that if the policy is disabled, the SO must not be able to reset the Black key value, the Crypto Officer password or the Crypto User password.

To change any of those values, the partition owner must present the Black PED key. Patch release (Luna SA appliance) corrects the behavior, blocking attempts by the SO (Security Officer/HSM Admin blue PED Key holder) to reset the User (black PED Key) password. Changing the policy is a destructive action, meaning that the HSM is zeroized. The partition must be recreated. This prevents the SO from resetting the User authentication and accessing the partition contents.

Component versions

Note: Luna SA does not support legacy 2U appliances. Luna SA is the last release to support the 2U appliance. Do not attempt to upgrade 2U Luna SA appliances to release The outcome would not be a tested or supported configuration.

Release applies to the current, RoHS-compliant 1U Luna SA only.

Component: 1U
HSM: K5
Card Reader: USB
HSM Firmware: or (see Note 1)
G3 Backup Token: , , or (see Note 2)
G4 Backup Token: , , or (see Note 2)
Luna CA4 Token
Luna PCM KE Token
PED Workstation software (requires Remote PED) [optional]
PED I migration
PED I
PED II
PED IIr (Remote PED) (requires PED workstation s/w on PC) [optional]
IKey (for PED II): 1000
Client

Note 1. You can use backup tokens at firmware with Luna SA at firmware or , provided you do not use the ARIA cipher (which was not supported in ). However, we generally recommend that you update to token firmware

Note 2.

Appliance software requires installed HSM firmware or Both firmware versions are FIPS-validated.

Software and firmware upgrade paths

The following table lists the upgrade paths for 1U Luna SA appliances running release or higher software.

Component From Version To Version
Client software
Appliance software or
HSM firmware or No change

If your Luna SA equipment is at any other starting point, please refer to the Luna SA CRN and update instructions in order to bring your system to that approved (tested and supported) starting point before you begin the upgrade to Luna SA and firmware or Otherwise, contact SafeNet Customer Support.

Legacy 2U models of Luna SA (with the orange front-panel-cover) are not supported for this release.

Do not attempt to update the old 2U models. For FIPS compliance, Luna SA and firmware were your last stop.

Luna SA 4 hardware refresh

Due to end-of-life or near end-of-life conditions on several components, a new hardware variant of the Luna SA 4 platform was released in July 2011. As a result of the hardware refresh, you must use new part numbers when ordering the Luna SA 4 product. The old part numbers are no longer valid. For more information, see "Hardware revisions and part numbers" below. The hardware refresh has introduced some minor changes to the operational behavior of the product, as described in the following sections:

SNMP enabled by default

SNMP is enabled by default on the hardware-refresh platform.

New network LED behavior

The following table describes the behavior of the network status LEDs on the hardware-refresh platform.

LED color LED state Ethernet link and activity Green Blinking 100 Mbps or 1000 Mbps link speed Steady on Link established. Communication activity not detected.

Support added for gigabit Ethernet

The Ethernet ports now support 10 Mbps, 100 Mbps, and 1000 Mbps link speeds.

Hardware revisions and part numbers

SafeNet may occasionally make minor changes to the hardware components used to manufacture the appliance for cost or availability reasons. For example, if the supply of one of the original components used to manufacture the appliance becomes limited, the original component may be replaced with an equivalent, but more widely available component.

Although these minor hardware changes do not affect how the appliance behaves or operates, any hardware change triggers a change in the product revision. A product may go through several hardware revisions during its lifecycle. Note, however, that for any given part number, all revisions of that part number are functionally equivalent. For example, there is no operational difference between revisions B and D of part number 808-000043-001.

In general, the following rules apply:

If the hardware change does not affect how the product behaves or operates, the part number remains the same. Only the revision is changed.

If the hardware change affects how the appliance behaves or operates, the hardware is assigned a new part number.

Notes about this release

Utilities and sample code

The utilities and the code samples that are included with the SDK are provided for illustrative purposes only. They are intended as a starting point to assist you in developing your own applications. They are not intended for use in a production environment.

[The following notes are unchanged from the CRN for versions and ].

New available

A new file is available (part number 630-010150-001) as a patch that fixes a compatibility issue when used with Windows 2008 R2. Contact SafeNet Customer Support if you need it. (This note retained from Luna SA CRN.)

AIX and HP-UX client version number mismatch

During installation of the update to Luna SA Client, the software reports version Similarly, if you queried the system after installation, the installed software reports This occurs only in AIX and HP-UX systems.

If the installation proceeds smoothly (no stops for error messages), then version is actually installed. Ignore any reference to (This note retained from Luna SA CRN; this is an appliance patch and doesn't affect the Client software, which remains at version ).

Luna SA with Luna SX with Remote PED

Luna SA provides a command-line administrative interface (lunash) via SSH or direct serial link. Luna SX provides a GUI overlay for common setup and administrative tasks. Luna SX was developed before Remote PED support was added to Luna SA. Luna SX has been tested with Luna SA that uses Remote PED, and the combination is supported. However, Luna SX has no awareness of Remote PED, and no specific functions supporting that feature.

Therefore:

All appliance-side (PEDclient) setup for Remote PED must be accomplished via the Luna SA command line: use an SSH session or a direct-connect serial session, or use the command-line panel within Luna SX.

When Luna SX indicates that a PED operation is needed, you must keep track of where that PED is located (local or remote).

Luna SA with 100+ clients

To register a large number of clients simultaneously with one Luna SA appliance, register by IP address. (This note retained from Luna SA CRN.)

No Apache/OpenSSL support in SUSE Linux Enterprise Server

Porting to Novell's SUSE Linux Enterprise Server (SLES) 10 for PPC does not include Apache/OpenSSL. (This note retained from Luna SA CRN.)

