Upgrade the SafeNet Luna SA HSM Client from v5.4.1 to v7.2

This page was created to support the release of Luna SA HM Client v7.2 and the eventual deprecation of the v5.4.1 of that client.
The following information assumes that you are upgrading from Luna HSM client version 5.4.1 to version 7.2 for the
Layer7 API Gateway
to work with your Luna HSM appliance. The general process of uninstalling an older version of the client and then installing a newer version of the client from scratch should apply to all Luna HSM client upgrades.
About Luna HSM Client Procedures
The information on this page and any other CA Broadcom page regarding Luna HSM client configuration is derived from Thales documentation and is intended to provide a quick reference for
Layer7 API Gateway
customers that require integration with the Luna HSM product. Thales is a third-party vendor and is not affiliated with Broadcom Layer 7. If and whenever possible, We strongly recommend that you consult Thales' Luna HSM product documentation for comprehensive end-to-end guidance on the installation or configuration of the Luna HSM and its associated client software.
Disable the SafeNet HSM Keystore First
Prior to performing the following steps, ensure that SafeNet HSM is disabled as a keystore in the Policy Manager's Manage Keystore function. After disabling, stop or restart the Gateway so that the Gateway will default back to 'Software DB' as the keystore.
Uninstall Luna Client Software
  1. Go the following client installation directory:
    /usr/safenet/lunaclient/bin
    and run the following script:
    uninstall.sh
  2. Complete the following actions to ensure that all Luna HSM client artifacts have been removed from the Gateway server machine:
    • Remove all client and server certificates stored in
      /usr/safenet/lunaclient/cert
    • Remove any added lines in the
      /opt/SecureSpan/JDK/jre/lib/security/java.security
      file
      For example, remove
      security.provider.10=com.safenetinc.luna.provider.LunaProvider
      , which may have been added for Luna HSM client v5.4.1.
    • Remove all libraries copied from Luna (i.e., Luna .JAR files). You may use:
      rm /opt/SecureSpan/JDK/jre/lib/ext/*Luna*
    • Remove the Luna HSM client from the Luna appliance. For example, using the LunaSH command:
      client delete -client <clientname>
    • Remove all users that were added to the
      hsmusers
      group.
      HSMUSERS Group Remains After Client Removal
      The Luna-created
      hsmusers
      group is not automatically removed after the removal of the client software. Any users included in the group, including the 'gateway' user, shall remain in that group until deliberately removed by the root user. If you've added additional users to the group besides 'gateway' and if you plan to change access privileges for those users, you'll need to remove them from the group. To learn how to remove users and to ensure it takes into effect, refer to 'Removing users from the hsmusers group' section of the Luna HSM documentation.
Upgrade Luna Client Software
After uninstalling the previous version of the Luna HSM client software, follow the steps provided in this page for general guidance on installing and configuring the Luna HSM client software version 7.2. Some special-attention items worth noting include:
  • After uninstalling a previous Luna version, the client and server keys/certificates may still be available and can be used instead of generating new ones. To learn more, we strongly recommend that you consult Thales SafeNet Luna HSM documentation under 'Key Migration'.