Customer Release Notes

Luna SA 5.0.0 CRN Document #: 007-011137-001 Rev J

Note Issued on: 2012-02-20

Product Description

SafeNet Luna SA is a network-attached hardware security appliance providing cryptographic acceleration, hardware key management, and multiple configuration profiles. The most up-to-date version of this Luna SA 5.0 Customer Release Notes document is at:

http://www.securedbysafenet.com/releasenotes/luna/crn_luna_sa_5-0.pdf

Component Versions

Component                                                              Version
HSM                                                                    K6
Appliance                                                              5.0
HSM Firmware                                                           6.0.8 *
Luna Remote Backup HSM                                                 6.0.8
Luna G5 (for PKI bundle)                                               6.0.8
PED Workstation software (requires Remote PED) [optional]              1.0.5
PED II                                                                 2.4.0
PED IIr (Remote PED) (requires PED workstation s/w on PC) [optional]   2.4.0


New Documentation

The Luna SA 5.x Customer Documentation CD has been updated. The new version is shipping from the factory with new Luna SA 5.0 appliances. Customers who have already received the original documentation can download the new version from the C3 (Customer Connection Center) website (http://c3.safenet-inc.com/secure.asp).

This version fixes inaccuracies and adds information.

A revised version of the Luna SA 5.0 Quick Start Guide is also available; it includes instructions for installing the battery of a Luna Remote Backup HSM or a Luna G5 HSM before installing and configuring those items of optional equipment. The same battery-installation instructions are repeated in the Luna SA 5.0 Help.

Can't Set Time or Zone

Luna SA appliances were shipped for a time with the “-authtimeconfig” option set. That option imposes a requirement that the system's time, date and timezone cannot be modified unless the HSM SO is logged in. Customers configuring their Luna SA 5 for the first time, following the procedure in the Help, could encounter this message:

lunash:>sysconf timezone set Europe/London

This HSM has been initialized to require that the SO is logged in prior to running this command.

Verifying that the SO is logged in...

The SO is not currently logged in. Please login as SO and try again.

The workaround is to run hsm init -label <yourlabeltext> first, which clears the -authtimeconfig flag, and then set the appliance timezone and time. The configuration procedures after that point are in the correct order for everyone.

The production-test procedures have been modified, so only a few early customers are affected. The problem was not a defect, but we do apologize for the inconvenience if you encounter it.

Duplicating Purple PED Keys

The Help states that you can duplicate purple PED Keys (the Secure Recovery Key) using Luna PED's Admin menu, just as you can any other PED Key. You cannot. This is being investigated. For the time being, if you need more than one copy of the Secure Recovery Vector, make those duplicates when the SRK is first being imprinted (at SRK enable or at SRK re-split).

Download the SafeNet SNMP MIB

The SafeNet SNMP MIB was inadvertently left off the Luna SA 5 Client/SDK Software CD. You can download our MIB from the C3 website (http://c3.safenet-inc.com/secure.asp).

No Luna SX

Luna SX is not tested or supported with the initial release of Luna SA 5.0.

Adjustment Needed after HP-UX Installation

To use an application that requires libshim, such as ORACLE, with the Luna SA 5 client on HP-UX, copy the libshim.sl file from the /opt/lunasa/bin directory to /opt/lunasa/lib.


Utilities and Sample Code

Utilities and sample code are provided for example purposes only, and are not intended or supported for use in production environments.

If You Have OpenSSL 0.9.8x Installed...

1- Rename /usr/lib/libssl.0.9.8 and /usr/lib/libcrypto.0.9.8 (they are renamed back to their original names when the Luna client installation is complete).

2- Install the Luna client software.

3- When the client installation is complete, rename /usr/lib/libssl.0.9.8 and /usr/lib/libcrypto.0.9.8 back to their original names; this overwrites the links created during the client installation.

4- Before running any client command from /usr/lunasa/bin, set the library path to /usr/lunasa/lib.

You can achieve this by running the following bash command (otherwise use the appropriate command in the shell of your choice):

export LD_LIBRARY_PATH=/usr/lunasa/lib:$LD_LIBRARY_PATH

Every time you open a new console, set the library path again if you wish to run our client commands.

(The above instructions apply to all UNIX and Linux installations, except Solaris, where a different directory structure is used.)
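The four steps above written as shell functions, so that each step can be checked before the next. This is an added example, not code from SafeNet's release notes or client installer: the LIBDIR and LUNA_LIB variables, the ".pre-luna" suffix and the function names are choices made for this example, and step 2 (running the vendor installer) is left to the reader. Rehearse it in a scratch directory (LIBDIR pointed at a temporary directory) before running it against /usr/lib.

```shell
#!/bin/sh
# Added example (not SafeNet's code): the OpenSSL 0.9.8 rename workaround as
# shell functions, so each step can be checked. LIBDIR, LUNA_LIB, the
# ".pre-luna" suffix and the function names are assumptions for this example;
# the paths named in the release notes are /usr/lib and /usr/lunasa/lib.
LIBDIR="${LIBDIR:-/usr/lib}"
LUNA_LIB="${LUNA_LIB:-/usr/lunasa/lib}"
OPENSSL_LIBS="libssl.0.9.8 libcrypto.0.9.8"

# Step 1: move the distribution's 0.9.8 libraries aside so the client
# installer can create its own links under those names.
stash_openssl_libs() {
  for lib in $OPENSSL_LIBS; do
    [ -e "$LIBDIR/$lib" ] || continue
    mv "$LIBDIR/$lib" "$LIBDIR/$lib.pre-luna" || return 1
  done
}

# Step 3: put the originals back. Renaming over the name replaces whatever
# link the installer left there.
restore_openssl_libs() {
  for lib in $OPENSSL_LIBS; do
    [ -e "$LIBDIR/$lib.pre-luna" ] || continue
    mv -f "$LIBDIR/$lib.pre-luna" "$LIBDIR/$lib" || return 1
  done
}

# Post-check: each name must resolve to a regular file again, not to a
# leftover link pointing into the Luna client tree.
openssl_libs_restored() {
  for lib in $OPENSSL_LIBS; do
    [ -f "$LIBDIR/$lib" ] && [ ! -L "$LIBDIR/$lib" ] || return 1
  done
}

# Step 4: print LD_LIBRARY_PATH with the Luna client library directory in
# front, adding it only once so repeated sourcing does not grow the path.
luna_library_path() {
  case ":${LD_LIBRARY_PATH:-}:" in
    *":$LUNA_LIB:"*) printf '%s\n' "$LD_LIBRARY_PATH" ;;
    *) printf '%s\n' "$LUNA_LIB${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}" ;;
  esac
}

# Typical use before running anything from /usr/lunasa/bin:
#   LD_LIBRARY_PATH=$(luna_library_path); export LD_LIBRARY_PATH
```

The post-check is the part worth keeping: if a link is left behind under the system library name, every program on the host that loads libssl.0.9.8 is silently redirected to the library the Luna installer shipped, which is not what step 3 intends. The path helper is idempotent so that a profile script can call it on every new console, as the note above asks, without LD_LIBRARY_PATH growing each time.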

Remote PED and Backup Not Virtual

For the time being, the Luna SA Remote PED and Backup functions are not supported in virtualized environments (such as VMWare, XEN, Hyper-V, etc.). Remote PED, for example, is a USB device that must be controlled by a single instance of pedServer.exe. Efforts are ongoing with virtualization vendors to achieve standardized ways for connected USB devices that are not in the HID (human interface device) class to be allotted/shared/managed from a physical machine that hosts multiple virtual environments.

Backup and Restore – one external device only

If you are performing a local backup or restore operation, ensure that only the single external HSM (Luna Remote Backup HSM) is connected to the Luna SA. If you have additional external devices connected to your Luna SA 5.x (such as a Luna G5 or Luna DOCK 2 with token HSMs), your backup or restore operation might fail to complete.

Legacy HSM firmware

Luna SA 5 includes a firmware 4.8.6 image for token HSMs. If you intend to migrate the contents of your G4 token HSMs to Luna SA 5 partitions, first perform the firmware update of each token.


If you intend to continue using your G4 token HSMs (Luna CA4), then do not update their firmware, and instead leave them at firmware version 4.6.8.

Migration is a one-way operation. You cannot “restore” objects from a Luna SA 5 partition to a legacy token.

See also “M of N” below if you are migrating.

Driver for new USB/Serial adapter

A USB/Serial adapter is included with Luna SA 5.x for use with computers that do not have a legacy serial connector. The original adapter unit (CABLES UNLIMITED USB-2920) has gone end-of-life and is replaced by the PROLIFIC TEUR101BX-00, which requires different drivers. That driver is part of current Linux kernels. For Windows, the driver file is available on the SafeNet C3 website as document ID 19065. The new driver works with both old and new adapters.

Upgrade Paths

This is the first release of the new generation of the Luna SA product line, with new hardware, new firmware, and new software – both appliance and client – and a new way of implementing MofN (split-knowledge multi-person access control). No upgrade path is provided from previous-generation Luna SA products.

Component            From Version   To Version
Client software      none           5
Appliance software   none           5
HSM firmware         none           6.0.8

Key migration and interworking of Luna SA generations are separate issues.

Notes for Upgraders from Legacy Versions

All of the concepts below are explained in much greater detail in the Luna SA Help (on the Documentation CD that came with your Luna SA 5 appliance).

DOMAIN

Where, in earlier Luna SA versions, the cloning domain was a single HSM-wide secret regulating cloning between HSMs with identical domains (same red PED Key), in Luna SA 5.x it is possible to apply domains independently to HSM Partitions. A Luna SA with 20 partitions could have twenty different domains; twenty-one, if you count the domain of the SO space, although that space is not currently used to store objects.

MofN

In earlier Luna SA versions (as well as other legacy HSM products) MofN split-knowledge, multi-person access control was an additional secret, optionally applied at initialization time, and requiring a set of green PED Keys. The MofN secret (if invoked) applied to the entire HSM, and could be cached and cloned independently of the blue key (SO) and black key (Partition User/Owner) secrets. MofN was a command-line option for the HSM initialization command.

With Luna SA 5, MofN splitting is applied (optionally) to the individual authentication secrets (any of the blue, black, red, orange, or purple keys) and is an individual choice during PED interaction – no command-line involvement. Thus you can choose to split (MofN) any of the individual secrets associated with your HSM, and not others, at your discretion, on the same HSM. Because MofN is now a PED-only interaction, Luna SA 5.x no longer has the legacy concepts of separate MofN activation or of MofN cloning.

IF YOU ARE MIGRATING from legacy token HSMs, and IF YOUR HSM HAS MofN, you must take one of two actions to get past the difference between legacy and new authentication:

EITHER back up/clone/move your token objects to a NON-MofN token HSM before migrating,

OR have the target Luna SA 5.0 near the computer with the legacy card reader connected. On the legacy system, use lunacm to Activate the token (this takes the black PED Key and the green MofN PED Keys). Keep the token in the slot and the Luna DOCK 2 reader powered while you move the Luna DOCK's USB connection from the computer to the USB port on the Luna SA 5. In this way, the Luna SA sees the legacy HSM as a new slot, already logged in (Activated), and your transfer (migration) can take place as described below and elsewhere (legacy domain, etc.).

PKI

You can use a Luna CA4 token (in a Luna DOCK 2 card reader, connected to the USB port of the appliance) with Luna SA 5. From your client's perspective, it appears as another slot. You can migrate Luna CA4 token contents to a Luna SA 5.x partition by associating the domain of the token with the domain of the partition. This is a one-way transaction.

The new Luna SA HSM uses a new domain that employs larger key size. It is not compatible with the legacy domains on legacy HSMs and tokens. HSMs that do not share domains cannot clone objects from one to the other. To bridge the gap, Luna SA allows a legacy domain to be associated with a Luna SA 5.x HSM (or more accurately, with a Luna SA 5.x HSM Partition). This is a one-time operation for a partition. The partition retains its modern domain, but has the domain of a legacy HSM associated with it. Use the command "partition setLegacyDomain -partition <name of your HSM partition>". The system finds the first HSM in an attached Luna DOCK 2 reader, and associates its legacy cloning domain with the domain of the Luna SA partition that you named in the command.

Your HSMs must be all PED authenticated, or all Password authenticated. Mixing is not supported.

When a legacy domain is associated with a Luna SA partition, that association remains for the life of the partition. You cannot "disassociate" a legacy domain from a partition and associate another one. To break the association, you must delete the partition and its contents.


Performance

Luna SA 5 requires that at least 50 software threads be run against the HSM for maximum performance. This differs from the previous generation Luna SA, which required only ten threads to fully exercise the HSM.

How to Apply an Advanced Configuration Upgrade

If you have purchased a capability upgrade from SafeNet, you should have received the upgrade CUF (capability update file) and the authcode file. The filename convention is <prefix><part #>_<sales order number>.<extension>, and applies to all Luna HSMs whose serial numbers are included in your purchase order.

<prefix> is caupdateK3, in most cases.

<part number> is the 900-level price list part number – it begins with “9xx-”.

<sales order number> is a numeric value generated by our order-tracking system, and is unique for every order.

<extension> is one of “txt”, “auth”, “CUF”, or “spkg”, depending upon the part ordered.

This procedure covers upgrading (not updating) your Luna SA.

Luna appliances are shipped from the factory in specific configurations with specific sets of capabilities, to suit your requirements. It can happen that your requirements change over time. To future-proof your Luna appliance investment, you have the option to purchase Secure Capability Updates to enhance the performance or extend the capability of Luna systems already in your possession. The Secure Capability Update accomplishes system upgrades while safeguarding the integrity of your sensitive key material and of the system software.

A Secure Capability Upgrade is delivered to you as a downloaded file set. The procedure to perform the update is very similar to the procedure for Appliance Software Update or Firmware Update:

Preparing to Upgrade

Backup all Luna HSM Partitions to Luna Backup Tokens (if you have the Backup option).

On the Client computer, acquire the capability update software package.

-- first, follow the FTP instructions that are supplied in e-mail from SafeNet Customer Support ([email protected]),

-- then cd to the temporary “appliance” directory (that you created for ftp files),

-- then unzip the files (as directed in the ftp instructions).

Change (cd) to the location of the scp executable:

– on UNIX Clients, open a terminal window and cd /usr/LunaSA/bin (or cd /opt/LunaSA/bin for HP-UX)

– on Windows Clients, open a DOS/Command prompt window and cd c:\Program Files\LunaSA

Copy the Luna Appliance package file from the ftp directory to the Luna appliance, as follows:

For UNIX:


./scp /<path>/release3.0.0-0-updatePatch.spkg admin@<LunaHostname>:

admin@LunaHostname's password:

For Windows:

pscp \<path>\release3.0.0-0-updatePatch.spkg admin@<LunaHostname>:

admin@LunaHostname's password:

Install

Once the package has been transferred to the appliance, it is installed in two stages. First the package is unwrapped into its component files with the "package" command. Then the update is applied to the HSM with the "hsm update" command.

Here are sample instructions to install a capability upgrade (substitute the package name in these steps with the name of the upgrade you are installing).

1. Open an SSH session or console session to the Luna SA appliance.

2. Log in to the appliance as "admin".

3. Verify that the package has arrived on the appliance:

[myluna] lunash:>package listf

7874 Dec 19 2011 16:46 caupdateK3908000139_100000.spkg

7874 Dec 19 2011 16:35 caupdateK3908000086_100000.spkg

Command Result : 0 (Success)

[myluna] lunash:>

4. Open the desired package:

[myluna] lunash:>package update caupdateK3908000139_100000.spkg -a XS9p7YbsW5WJp5PT

Command succeeded: decrypt package

Command succeeded: verify package certificate

Command succeeded: verify package signature

Preparing packages for installation...

908-000139-001_100000-1.0.0-0

Running update script

Command Result : 0 (Success)

[myluna] lunash:>

5. Check that the desired package is ready to be applied:

[myluna] lunash:>hsm update show

Capability Updates:

908000139_100000


Command Result : 0 (Success)

[myluna] lunash:>

6. Apply the new capability:

[myluna] lunash:>hsm update capability -capability 908000139_100000

CAUTION: This command updates the HSM Capability. This process cannot be reversed. Any connected clients will have their connections closed. All clients should disconnect and the NTLS should be stopped before proceeding.

Type 'proceed' to continue, or 'quit' to quit now.

> proceed

FwUpdate3 Application Version 2.2
SafeNet Firmware/Capability Update Utility for G5 and K6 modules
Enter slot number (0 for the first slot found) : 0
This is a NON-destructive capability update
Update Result : 0 (Success)

Command Result : 0 (Success)

[myluna] lunash:>

7. Check that the new capability is in place:

[myluna] lunash:>hsm displayLicenses

HSM CAPABILITY LICENSES

License ID       Description
================ ======================================
621000002-000    K6 base configuration
621000021-001    Performance level 15
620127-000       Elliptic curve cryptography
620114-001       Key backup via cloning protocol
620124-000       Maximum 20 partitions
621000003-001    Enable government configuration
620109-000       PIN entry device (PED) enabled
621010089-001    Enable remote PED capability
621010358-001    Enable a split of the master tamper key to be stored externally
908000086-001    Enabled for 15.5 megabytes of object storage
908000139-001    Korean market cryptographic algorithms

Command Result : 0 (Success)

[myluna] lunash:>

8. Reboot the system to enable the new capability:

[myluna] lunash:>sysconf appliance reboot -force

Force option used. Proceed prompt bypassed.
'hsm supportInfo' successful.
Use 'scp' from a client machine to get file named: supportInfo.txt

Broadcast message from root (pts/0) (Mon Dec 19 16:49:56 2011):
The system is going down for reboot NOW!
Reboot commencing

Command Result : 0 (Success)

[myluna] lunash:>

9. Done
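A post-upgrade check for steps 5 and 7 of the procedure above, as an added example that is not part of SafeNet's release notes or appliance software. It takes the "hsm update show" and "hsm displayLicenses" output saved to two files (capturing them from the lunash session is left to the reader), splits the package name according to the filename convention documented earlier, confirms that the matching capability was staged before the update and that a license with that part number is listed afterwards, and checks that both commands reported success. The function names, the prefix argument (caupdateK3, which the notes give as the usual prefix) and the sample transcripts that write_samples produces (copied from the session above) are this example's own.

```shell
#!/bin/sh
# Added example, not SafeNet's code: checks over saved lunash output from the
# capability-upgrade procedure. Function names and the sample files are this
# example's own; the transcripts are copied from the release notes' session.

# Split a package name following the documented convention
# <prefix><part #>_<sales order number>.<extension>. The prefix is passed in
# because it ends in a digit (caupdateK3) and cannot be separated from the
# part number by pattern alone. Prints "part order extension".
parse_package_name() {
  prefix=$1
  name=${2##*/}
  ext=${name##*.}
  stem=${name%.*}
  order=${stem##*_}
  part=${stem%_*}
  part=${part#"$prefix"}
  printf '%s %s %s\n' "$part" "$order" "$ext"
}

# True when the lunash transcript in $1 contains a zero Command Result.
command_succeeded() {
  grep -q '^Command Result : 0 (Success)' "$1"
}

# True when the "hsm update show" output in $2 lists capability $1
# (the <part>_<order> form, e.g. 908000139_100000).
capability_staged() {
  awk -v id="$1" '$1 == id { found = 1 } END { exit found ? 0 : 1 }' "$2"
}

# True when the "hsm displayLicenses" output in $2 has a License ID whose
# part-number portion (the digits before the "-") equals $1.
capability_licensed() {
  awk -v part="$1" 'index($1, part "-") == 1 { found = 1 } END { exit found ? 0 : 1 }' "$2"
}

# Sample transcripts (copied from the procedure above) for an offline run.
write_samples() {
  cat > "$1/update_show.txt" <<'EOF'
Capability Updates:
908000139_100000
Command Result : 0 (Success)
EOF
  cat > "$1/licenses.txt" <<'EOF'
HSM CAPABILITY LICENSES
License ID Description
================ ======================================
621000002-000 K6 base configuration
621000021-001 Performance level 15
620127-000 Elliptic curve cryptography
620114-001 Key backup via cloning protocol
620124-000 Maximum 20 partitions
908000086-001 Enabled for 15.5 megabytes of object storage
908000139-001 Korean market cryptographic algorithms
Command Result : 0 (Success)
EOF
}

# End-to-end check for one package: returns 0 only if both commands
# succeeded, the package was staged, and its license is now listed.
verify_capability_update() {
  dir=$1; pkg=$2
  set -- $(parse_package_name caupdateK3 "$pkg")
  part=$1; order=$2
  command_succeeded "$dir/update_show.txt" &&
  capability_staged "${part}_${order}" "$dir/update_show.txt" &&
  command_succeeded "$dir/licenses.txt" &&
  capability_licensed "$part" "$dir/licenses.txt"
}

if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d); write_samples "$tmp"
  verify_capability_update "$tmp" caupdateK3908000139_100000.spkg &&
    echo "capability 908000139 verified"
  rm -rf "$tmp"
fi
```

Because "hsm update capability" cannot be reversed and closes every client connection, this kind of check belongs in the change record for the upgrade: run the staged check before typing "proceed" in step 6, and the license check after the reboot in step 8, so that a package uploaded for the wrong order or serial number is caught before it is applied.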


New Features and Enhancements

Luna SA Version 5.0. Reasons for update:

a. New internal HSM (the SafeNet Luna K6 card)

b. Completely new appliance, with redundant, "hot-swappable" power supplies, removable/replaceable chassis fans, Emergency Decommission button, Gigabit Ethernet, three USB ports

c. Secure Transport Mode – prevents interference while appliance is in transit

d. PKI and Key migration

e. All sensitive cryptographic operations (such as NTLS) can take place inside the HSM (user configurable)

f. Remote system logging – Luna SA can be configured to transfer all logs to another server for collection, parsing, and automatic notifications

Summary of Release Support

Luna SA 5.0 Client software:

O/S & version                              O/S kernel   32-bit library   64-bit library
AIX 5.3                                    32           Yes              No
                                           64           Yes              Yes
AIX 6.1                                    32           No               No
                                           64           No               Yes
RH Enterprise Linux 4                      32           Yes              No
                                           64           Yes              Yes
RH Enterprise Linux 5                      32           Yes              No
                                           64           Yes              Yes
HP-UX 11i PA-RISC                          32           No               No
                                           64           Yes              Yes
HP-UX 11i V2 Itanium                       32           No               No
                                           64           Yes              Yes
HP-UX 11i V3 Itanium                       32           No               No
                                           64           Yes              Yes
Solaris 9 SPARC                            32           Yes              No
                                           64           Yes              Yes
Solaris 10 SPARC                           32           No               No
                                           64           Yes              Yes
Solaris 10 x86                             32           Yes              No
                                           64           Yes              Yes
SUSE Linux Enterprise Server 10 Power PC   32           No               No
                                           64           Yes              Yes
Windows Server 2003 SP2                    32           Yes              No
                                           64           Yes              Yes
Windows Server 2008                        32           Yes              No
                                           64           Yes              Yes
Windows Server 2008 R2                     32           No               No
                                           64           No               Yes

Any Windows or Linux version that is listed in the CRN table as supporting Luna SA 5 is also supported if used under VMWare, XEN, or Microsoft HyperV virtualizing environments. Other operating systems are not currently tested with Luna SA 5 client software under virtualization.

Remote PED Server OS Support

OS                               Driver   App
Win2003 Standard / Enterprise    32/64    32*
Windows Vista                    32/64    32*
Windows 7                        32/64    32*
Windows XP Professional          32       32*

* 32-bit app will run on 64-bit OS

Firmware Versions

Supported Firmware Versions

HSM/Token                           Luna SA Version 5.0
Luna SA KeyCard firmware            6.0.8
Luna Remote Backup HSM firmware     6.0.8

* Backup tokens with firmware going back to version 4.5.3 can restore onto an HSM with firmware 4.8.6, but an HSM with firmware 4.8.6 can backup onto tokens with firmware 4.8.6 or newer, only.

Known Issues

The following is the list of issues that were outstanding at the time of the current release. Each entry gives the issue number and title, its priority, the problem, and the workaround.

(104337) Decommission button zeroizes the MTK
Priority: M

Problem: The Emergency Decommission button destroys the KEK (rendering all HSM/Partition objects permanently impossible to decrypt), but the button also causes the MTK to be destroyed, as if the event were a tamper, which it is not.

This has no obvious effect if the customer has not created an external MTK split, as the MTK is automatically reconstituted upon reboot – the only evidence is a tamper event in the log.

If the customer has created an external MTK split (the SRK on the purple PED Key), then upon reboot, the HSM sends a PED prompt for the purple key, which must be presented before the HSM can be re-initialized.

Workaround: Provide the purple PED Key if required. The unwanted deletion of the MTK is fixed in the next firmware version of the HSM, but the Luna SA Help describes the incorrect behavior. A revised Help page is provided at the end of this document (below).

(101301) HA sync of 3rd member clones the keys properly but client vtl gives error of sync not completed
Priority: L

Problem: In a 3-member HA group, when attempting to synchronize device C where devices A and B are already in sync, device A syncs to device C, then device B tries to sync with objects that now already exist from the synchronization with device A. The vtl error message "LUNA_RET_OH_OBJECT_ALREADY_EXISTS" (68610 decimal) is displayed.

This is due to different handling between previous generation Luna SA and Luna SA 5 – where formerly the duplication of objects on the HSM was permitted, now it is prevented due to unique Object IDs.

Workaround: Ignore the error.

(101190) uninstall.sh script doesn't uninstall JSP and SDK if uninstall script issued not from /usr/lunasa/bin on linux client
Priority: M

Problem: The uninstall.sh script on the Linux client does not uninstall JSP and SDK if the uninstall script is issued from any location other than /usr/lunasa/bin. The jsp and sdk uninstall scripts are run from the primary uninstall.sh script, but they do not inherit the explicit path that was used to launch the main script.

Workaround: If you run the uninstall.sh script, run it from /usr/lunasa/bin.

(101055) Luna SA 5.0: "java heap space" exception from jMultitoken caused HSM communication loss
Priority: M

Problem: During performance measurement with jMultitoken, when running symmetric algorithms and switching the data unit from bytes to mbytes or kbytes, a "java heap space" memory exception occurred on the client side and jMultitoken hung. Using ctrl+c to force exit from jMultitoken lost the HSM connection.

Workaround: The heap size is likely being exceeded because of the large data size for encryption and the many threads. By default Java creates a heap of 64MB; once you exceed that, you are out of memory and see that error. You can increase the heap size with command-line switches:

To set the initial heap size: -Xms#m
To set the maximum heap size: -Xmx#m

So if you want a default of 64MB, expandable to 1GB, you would run: "java -jar -Xms64m -Xmx1024m jMultitoken.jar"

(99902) LunaProvider: PriorityWrap sample app causes JVM segfault
Priority: L

Problem: The PrivateWrap Java sample app crashes the JVM when it's run against an HSM without the key wrapping capability. It should fail, but in a more controlled way.

Workaround: None. HSMs without this capability should not be used for attempting these operations. Where these operations are attempted, a segmentation fault occurs rather than a more informative error message.

(99824) jMultitoken: RSA OAEP with 256-bit key produces CKR_GENERAL_ERROR
Priority: M

Problem: C_Encrypt returns CKR_GENERAL_ERROR. We no longer support 256-bit keys for RSA OAEP encryption (due to the overall move to larger minimum key sizes, for security reasons). The error message in the tool should be corrected, and the tool should no longer [appear to] offer keys that small.

Workaround: Avoid the less secure small key sizes.

(99822) Unexpected ShortBufferException in jMultitoken for RSA OAEP 8k key cipher
Priority: M

Problem: An unexpected ShortBufferException occurs when running RSA OAEP encryption with 1 thread, an 8K key size and a data size of 16 bytes. This is a Java message, not one from the crypto library or the device. The C multitoken tool performs the same operation successfully.

Workaround: Do not use the demo tool jMultitoken for that operation. The API does support the operation.

(99524) jMultitoken gets device error attempting AES CBC
Priority: M

Problem: Trying to run a cipher test for AES CBC, CFB8, etc. (all modes except ECB) returns a device error.

Workaround: Do not use the demo tool jMultitoken for that operation. The API does support the operation.

(99393) CSP 64-bit not registered during Install -- registry.exe /l needs to be run afterwards
Priority: L

Problem: The Luna CSP is not registered, whether using register.exe or registerCSP64.exe. The CSP cannot be found under HKLM -> Software -> Microsoft -> Cryptography -> Defaults -> Provider.

The issue was traced to the fact that InstallShield installers are treated as 32-bit apps, even with the 64-bit client. This means that Windows treats the installer as a 32-bit app for registration: the entry is written, but into the 'mirrored' section of the registry to which 32-bit app entries are 'redirected'. Details are here: http://msdn.microsoft.com/en-us/library/aa384232%28v=VS.85%29.aspx

Workaround: Register with the /l option.

(99260) Java key generators should provide valid default key parameters
Priority: L

Problem: Many of our Java key generators do not supply a default set of initialization parameters. When someone tries to use an uninitialized generator, they will get an exception of some kind. The Java crypto spec has this to say: "In case the client does not explicitly initialize the KeyGenerator (via a call to an init method), each provider must supply (and document) a default initialization."

The classes that are affected are:

- all subclasses of LuneKeyGeneratorSecret
- LunaKeyPairGeneratorDh
- LunaKeyPairGeneratorEc

Workaround: Note the exception message and explicitly initialize the missing parameter.

(99065) Token PKI command result displays incorrect slot number
Priority: L

Problem: The slot number displayed in the PKI command result is always the actual slot number decreased by 1. See the example below.

[myluna] lunash:>token pki changepin -s 777002

Please type "proceed" to continue, anything else to abort: proceed
**********************************************
*                                            *
*   About to change the partition password   *
*   Please pay attention to the PED          *
*                                            *
**********************************************
Please enter the current user challenge:
Please enter the new user challenge:
Please re-enter the new user challenge:
Success changing the user password for the slot 0 !

(SHOULD BE slot 1 !)

Command Result : 0 (Success)

Workaround: This is working as designed. The logical slot numbers start at zero (0), similar to operating system dialogs that refer to ports (such as ethernet ports) starting at logical slot zero, which is equivalent to physical slot/device 1. Simply be aware that this is how it works.

(98988) "vtl backup token factoryreset" command should not ask for SO login
Priority: M

Problem: For remote backup, we provide customers the ability to manage the Luna Remote Backup HSM, including factory reset. However, the current "vtl backup token factoryreset" command asks for SO login, which would block the customer from zeroizing the backup HSM.

Workaround: Two options:

Attempt a login to the Backup HSM and present an invalid SO PED Key 3 times to force zeroization.

OR

Connect the Luna Remote Backup HSM to the Luna SA appliance and run the lunash command "token backup factoryReset".

(98785) Luna SA4 DSA tools fail on Luna SA5
Priority: M

Problem: Signatures with data sizes less than 20 bytes are no longer supported in the product. This should not be a problem, but smaller signatures may have been used for convenience of testing in laboratory situations. Tools should be adjusted to conform with current firmware.

Workaround: Not supported; avoid.

(98654) Vague error message in lunash trying to add non-existent client to partition
Priority: M

Problem: If you try to assign a non-existent client to a partition with lunash, the error message is not informative:

Error: 'client assignPartition' failed. (C000040A : RC_OBJECT_NOT_IN_LIST)

"NO SUCH CLIENT" or similar would be more informative.

Workaround: None; just be aware of the situation.

(97984) no 8, 16 byte key size can be selected for DES algorithms on jMultitioken

M Problem: No 8 or 16 byte key size can be selected for DES algorithms on jMultitioken.

Workaround: Not supported in the jMultitoken tool for this release. The general Luna Java api still supports DES for 16 bytes – which is DES2.

(97966) RSA with MGF1 is missing from jMultitoken

M Problem: RSA with MGF1 algorithms were missing from jMultitoken across all supported clients.

Workaround: RSA with MGF1 is not supported in the jMultitoken tool for this release. The general Luna Java API still supports RSA with MGF1 for key sizes larger than 1024 bits.

(97763) exception when doing DSA

M Problem: When measuring DSA signing performance with the jMultitoken tool, the following exception is thrown:

C:\Program Files\LunaSA\JSP\bin>java -jar jMultitoken.jar
Exception in thread "AWT-EventQueue-0" com.safenetinc.luna.LunaException: Caught exception while generating DSA params
    at com.safenetinc.luna.provider.keygen.LunaKeyPairGeneratorDsa.generateKeyPair(LunaKeyPairGeneratorDsa.java:78)
    at java.security.KeyPairGenerator$Delegate.generateKeyPair(Unknown Source)
    at com.safenetinc.tool.jMultitoken.mtWorkManager.generateKeyPair(Unknown Source)
    ... <snip>

Workaround: DSA is not supported in jMultitoken tool for this release. In the general Luna Java api, DSA is supported.

(96051) configuration elements that do not get factoryReset to default settings

M Problem: The following configuration items are not reset to their defaults by factoryReset:

- NTLS clients:
  [local_host] lunash:>client list
  registered client 1: centos32
  registered client 2: client1
  registered client 3: client2
  <snip>
  registered client 61: client199
  registered client 62: client200
  Command Result : 0 (Success)
  [local_host] lunash:>

- SNMP users:
  [local_host] lunash:>sysconf snmp user list
  SNMP Users:
  -----------
  snmpUser1
  snmpUser2
  snmpUser3
  snmpUser4
  snmpUser5
  Command Result : 0 (Success)
  [local_host] lunash:>

- SNMP trap:
  [local_host] lunash:>sysconf snmp trap show
  SNMP Trap is configured as the following:
  SNMP Trap Host : 172.20.10.135:162
  SNMP Version : 3
  SNMP v3 Security Name : trapUser4
  SNMP v3 Engine ID : 0x80001F8880E016A95FDC8D834C
  SNMP v3 Security Level : authNoPriv
  SNMP v3 Authentication protocol : SHA
  Command Result : 0 (Success)
  [local_host] lunash:>

- SNMP notification:
  [local_host] lunash:>sysconf snmp notification list
  SNMP Notification Targets:
  --------------------------
  172.20.10.135:162 "trapUser4" SHA
  Command Result : 0 (Success)
  [local_host] lunash:>

- SNMP service is running:
  [local_host] lunash:>sysconf snmp show
  SNMP is running
  SNMP is enabled
  Command Result : 0 (Success)
  [local_host] lunash:>

- NTP service is running:
  [local_host] lunash:>sysconf ntp status
  NTP is running
  NTP is enabled

- Network name servers:
  [local_host] lunash:>network show
  Hostname: local_host
  Domain: <not set>
  Name Servers: 172.20.10.20 172.16.2.14
  Search Domain(s): <not set>
  Kernel IP routing table
  Destination Gateway Genmask Flags Metric Ref Use Iface
  Link status
  eth0: Not configured
  eth1: Not configured
  Command Result : 0 (Success)

- hsm init -label <somelabel> -authtimeconfig: the -authtimeconfig flag survives "hsm factoryReset".

Workaround: Be aware of the above items when performing factoryReset. Because registered NTLS clients, SNMP users and trap targets, and name servers survive a reset, remove or reconfigure them explicitly before redeploying or decommissioning an appliance.

(96038) restore objects from CA4 with no challenge doesn't work

M Problem: When restoring (migrating) objects from a Luna CA4 token HSM to a Luna SA 5 partition, the operation fails if the token User objects were protected by a black PED Key with no challenge secret.

Workaround: Either return to your Luna SA 4.x setup with PKI Bundle and create a challenge secret (a non-destructive operation; your token objects are preserved), or back up the Luna CA4 contents to a backup token and create a challenge secret on that token, before returning to the Luna SA 5 to migrate the token contents onto a Luna SA 5 partition.

(95992) Token related lunash commands assume that only one token is connected

M Problem: These token-related lunash commands do not work properly when multiple tokens (G4/G5, backup/PKI) are connected to the same Luna SA at the same time:
- token backup
- token pki update
- partition restore
- partition backup
- hsm restore
- hsm backup
- sysconf config export
- sysconf config import

Workaround: Connect only one external HSM (or reader) to the USB ports on Luna SA at one time, when using the above commands.

(95989) hardware tamper behaves like zeroize, hangs lunash and requires a long wait or reboot

M Problem: A hardware tamper (lid or fan) behaves like a zeroize and hangs lunash for roughly 10 minutes whenever an HSM-related command is issued.

Workaround: Be aware that it takes that long for the system to resolve its state after a hardware tamper. Alternatively, power-cycle the appliance to begin your Recover from Tamper procedure sooner.

(95820) client ppc linux requires --force to install which would change system files

M Problem: From install dialog

...If you select 'yes' or 'y' you agree to be bound by all the terms and conditions set out in the License. If you select 'no' or 'n', this product will not be installed. (y/n) y

Installed configurator-5.0.0-29.ppc.rpm
file /usr/lib/libcrypto.so.0.9.8 from install of libcryptoki-5.0.0-29 conflicts with file from package openssl-0.9.8a-18.26
file /usr/lib/libssl.so.0.9.8 from install of libcryptoki-5.0.0-29 conflicts with file from package openssl-0.9.8a-18.26
Failed to install libcryptoki-5.0.0-29.ppc.rpm
mypc:/opt/LunaSA_5.0.0-29/linux/ppc/32 #

Workaround: Before installing the client software:

1- Rename /usr/lib/libssl.so.0.9.8 and /usr/lib/libcrypto.so.0.9.8 (you will rename them back to their original names once the client installation is complete).

2- Install the client software.

3- When the client installation is done, rename /usr/lib/libssl.so.0.9.8 and /usr/lib/libcrypto.so.0.9.8 back to their original names; this overwrites the links created during the client installation.

4- Before running any client command from /usr/lunasa/bin, set the library path to /usr/lunasa/lib. Run the following bash command or equivalent:

export LD_LIBRARY_PATH=/usr/lunasa/lib:$LD_LIBRARY_PATH

Set the library path every time you open a new console in order to run client commands. Note that while the system libraries are renamed (steps 1 to 3), any other program that is started and linked against the system OpenSSL 0.9.8 will fail to load, so keep that window short.
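The four steps above, wrapped as an added shell example that is not part of the release notes or of the SafeNet client: it moves the two conflicting OpenSSL 0.9.8 libraries aside, runs the installer, moves the originals back (even when the installer fails) and emits the LD_LIBRARY_PATH line for step 4. The library directory and the installer command are parameters so the function can be exercised against a scratch directory; the file names and /usr/lunasa/lib come from the notes, the ".pre-luna" suffix and the installer name in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the release notes): run the ppc Linux client
# install workaround so that the system OpenSSL libraries are always put
# back, even when the installer fails. LIBDIR and the installer command are
# parameters; in production LIBDIR is /usr/lib.
set -u

# Libraries that libcryptoki-5.0.0-29.ppc.rpm conflicts with (from the install log).
SHADOWED_LIBS="libssl.so.0.9.8 libcrypto.so.0.9.8"

# restore_shadowed LIBDIR "lib1 lib2 ...": move each saved original back.
# -f overwrites any link the installer dropped under the original name (step 3).
restore_shadowed() {
    libdir=$1
    for lib in $2; do
        mv -f "$libdir/$lib.pre-luna" "$libdir/$lib"
    done
}

# shadow_openssl_and_install LIBDIR INSTALL_CMD [ARGS...]
#   step 1: rename each conflicting library to NAME.pre-luna (".pre-luna" is assumed)
#   step 2: run the installer, which creates its own NAME entries
#   step 3: rename the originals back, overwriting what the installer created
# Returns the installer's exit status; the originals are restored in every case.
# Usage (installer name assumed):
#   shadow_openssl_and_install /usr/lib ./install.sh
shadow_openssl_and_install() {
    libdir=$1; shift
    moved=""
    for lib in $SHADOWED_LIBS; do
        if [ -e "$libdir/$lib" ]; then
            mv "$libdir/$lib" "$libdir/$lib.pre-luna" || {
                restore_shadowed "$libdir" "$moved"; return 1; }
            moved="$moved $lib"
        fi
    done
    "$@"
    rc=$?
    restore_shadowed "$libdir" "$moved"
    return $rc
}

# luna_client_env: step 4. Prints the export line that makes tools in
# /usr/lunasa/bin load the vendor's libraries first; run
#   eval "$(luna_client_env)"
# in every new console before using client commands.
luna_client_env() {
    echo "export LD_LIBRARY_PATH=/usr/lunasa/lib:\${LD_LIBRARY_PATH:-}"
}
```

The restore step runs on both success and failure so the window in which the system OpenSSL is missing is exactly the installer's run time; the function deliberately does not use --force, since the page's point is that forcing the rpm would overwrite system files.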

(95529) if client is using hostname instead of ip, frequently client fails to see the partition

M Problem: When a client is registered by hostname rather than IP address, the client might not be able to access its partition.

Workaround: Ensure that DNS entries are correct, and restart NTLS after any DNS changes.

(95356) libssl and libcryptoki not installed on HP-UX

L Problem: libssl and libcryptoki are not installed along with libCryptoki2, as needed, on the HP-UX RISC platforms.

Workaround: At install time, ensure that the standard library path /usr/lib is in the system's library search path. If it is not, add it before installing:

export LD_LIBRARY_PATH=/usr/lib:$LD_LIBRARY_PATH

(95101) there is no way to know if ntls keys used are in software or hardware

M Problem: There is no direct way to tell whether the NTLS keys in use are in "software" (on the appliance file system) or in "hardware" (on the HSM). Depending on an administrator's previous use of the 'sysconf regenCert', 'sysconf hwregenCert' and 'sysconf secureKeys' commands, NTLS keys can exist in both locations, but the command line does not show which set NTLS is actually using.

Workaround: If 'partition list' shows that a 'Cryptoki User' partition (containing the NTLS keys, as seen with 'partition show') exists on the HSM, and your clients are currently able to connect to their partitions over NTLS, run 'partition deactivate' against that partition. If clients then lose connectivity, the keys in hardware were being used for NTLS; re-activate the partition so that clients can resume. If clients can still connect with the partition deactivated, NTLS is using the keys on the appliance file system and the copy in the HSM is being ignored; you can then safely delete the 'Cryptoki User' partition to avoid further confusion. Because this test can interrupt client connections, perform it in a maintenance window.

(94993) Installer reboot

M Problem: When installing the client, if you choose to install more than one component, setup should *not* prompt you to reboot after the client portion finishes installing. If you do reboot at that point, the other items you selected are not installed.

Workaround: If you are installing more than one software component on a Windows computer, ignore the prompts to reboot until all components have been installed. Once the installation is finished, be sure to reboot to enable the driver.

(94987) PSU alarm

L Problem: If only one power supply is connected to AC mains power, the alarm sounds as though the other PS is defective.

Workaround: To use just the single power supply, pull the unused PS out of its connector/socket. The unused power supply can remain in its slot, as long as the connector on the PS does not contact the connector inside the Luna SA, and the alarm will be silent.

(93128) need large number of threads to push up performance for multitoken

M Problem: In Luna SA 5.0, in order to reach maximum performance during performance measurement, we need a large number of threads on multitoken (normally 50 or more threads). In previous releases only 10 threads were sufficient to get the system working near maximum performance.

Workaround: To ensure maximum performance, ensure that your clients invoke at least 50 threads on the HSM.

(91914) LunaSA 5.0: RemotePED requires both interfaces to have static ip address set

M Problem: Both interfaces require an IP address to be set. Otherwise, Remote PED fails:

lunash:>hsm ped connect -ip <IP ADDRESS> -port 1503
Luna PED operation required to connect to Remote PED - use orange PED key(s).
Ped Client Version 1.0.5 (10005)
Ped Client launched in startup mode.
readIPFromConfigFile() : config file did not contain an IP address.
Starting background process
Background process failed to start : 0xc0000303 RC_OPERATION_TIMED_OUT
Startup failed. : 0xc0000303 RC_OPERATION_TIMED_OUT
Command Result : 65535 (Luna Shell execution)

Workaround: Ensure that both network interfaces on the Luna SA appliance are configured before attempting to use Remote PED. A dummy or loopback address is fine, if you do not have a particular use for the second interface in your application.

Addressed Issues

The first release of Luna SA 5.0 is a new product, so no pre-existing "Addressed Issues" are recorded.


We have attempted to make these documents complete, accurate, and useful, but we cannot guarantee them to be perfect. When we discover errors or omissions, or they are brought to our attention, we endeavor to correct them in succeeding releases of the product.

Information is subject to change without notice. Copyright 2010-2012. All rights reserved. Luna and the SafeNet logos are registered trademarks of SafeNet, Inc.
