Firmware update
Keeping the firmware up to date is an important part of the HSM's security. New versions are released frequently, and it is recommended to update the HSM to the latest version whenever a release changes the operation of the modules in use or brings security, performance or bug fixes.
You can follow releases and release notes via email notifications; see the Downloads page for more information.
The ST, XP and CD HSMs share the same firmware update file, called upack. It can be downloaded from the Downloads page.
Requirements
Info
Firmware versions prior to 5x do not have the HTTP console, so you need to use the CLI console (hsmcon) to update.
If you're on an older firmware version, go straight to the command-line procedure.
- Physical access to the HSMs with the smart cards and PIN for each one.
- Keyboard and monitor.
- A workstation with connectivity to the HSM via port 443 (if using the HTTP console) or TCP 4433 (if using the CLI console).
- HSM client software installed on the workstation (see Downloads), if the current firmware version does not have the HTTP console.
- Upack file downloaded.
- HSM service started.
Sending the upack (GUI)
- To start the update, connect to the HSM using the HTTP console (more details in the HTTP console topic). To do this, simply connect to the HSM over HTTPS using a browser (example: https://192.168.1.100).
- Once connected, check the current version of the firmware and loaded modules by going to System Information and then Loaded Modules.
- Use the menu on the left and click on Settings and then Firmware update. Drag the upack file into the indicated field or click and navigate to indicate the file. Then click the Click to send button.
- Continue the process with HSM Local Reboot.
Sending the upack (CLI)
In cases where the HTTP console is not available, you can use the CLI console (hsmcon) to update.
Open a terminal (prompt/shell) and type hsmcon to run the program and connect to the HSM.
On the main screen, type in the Firmware Update item number and press Enter.
Dinamo - Remote Management Console v. 4.7.12.0 2018 (c) Dinamo Networks
HSM 192.168.1.152 e - Engine 5.0.22.0 (DXP) - TCA0000000 - ID master
Main Menu
Keys/Objects         Users                  HSM
 1 - Create...       17 - Create            33 - Info
 2 - Remove          18 - Remove            34 - Logs...
 3 - Attributes      19 - List              35 - Backup...
 4 - Import...       20 - Attributes        36 - Monitoring...
 5 - Export...       21 - Trust Relations   37 - Firmware update
 6 - List            22 - Password Policy   38 - Replication...
 7 - Permissions...  23 - My Password       39 - SPB...
 8 - Backup                                 40 - EFT...
 9 - Restore                                41 - IP Filter...
                                            42 - Tests...
                                            43 - Dinamo Services...
                                            44 - Tools...
 0 - Exit
Option: 37
Type Y and press Enter on the next screen:
Dinamo - Remote Management Console v. 4.7.12.0 2018 (c) Dinamo Networks
HSM 192.168.1.152 e - Engine 5.0.22.0 (DXP) - TCA0000000 - ID master
HSM - Firmware update
*******************************************************************************
* *
* Warning *
* *
* Firmware update is a critical operation for the correct and safe *
* operation of the HSM. In case of doubt consult the technical support of *
* of your vendor. *
* *
*******************************************************************************
Continue updating firmware (y/[n]):
On the next screen, hsmcon will ask for the path to the upack file.
Dinamo - Remote Management Console v. 4.7.12.0 2018 (c) Dinamo Networks
HSM 192.168.1.152 e - Engine 5.0.22.0 (DXP) - TCA0000000 - ID master
HSM - Firmware update
*******************************************************************************
* *
* Warning *
* *
* Firmware update is a critical operation for the correct and safe *
* operation of the HSM. In case of doubt consult the technical support of *
* of your vendor. *
* *
*******************************************************************************
Continue updating firmware (y/[n]): y
Local file to read upack: c:/sec/hsm_dinamo-firmware_upgrade-v_5.0.23.0.upack
Check the upack description to confirm that the file is the correct one, then type Y and press Enter:
Dinamo - Remote Management Console v. 4.7.12.0 2018 (c) Dinamo Networks
HSM 192.168.1.152 e - Engine 5.0.22.0 (DXP) - TCA0000000 - ID master
HSM - Firmware update
*******************************************************************************
* *
* Warning *
* *
* Firmware update is a critical operation for the correct and safe *
* operation of the HSM. In case of doubt consult the technical support of *
* of your vendor. *
* *
*******************************************************************************
Continue updating firmware (y/[n]): y
Local file to read upack: c:/sec/hsm_dinamo-firmware_upgrade-v_5.0.23.0.upack
Upack size: 72355387 bytes
Upack description: 'Dinamo HSM, full firmware upgrade to version 5.0.23.0'.
Confirm sending upack to HSM (y/[n]): y
Upack successfully sent. This upack will be processed by the HSM in the next restart.
Press ENTER key to continue..
HSM reboot
- After sending the upack, you need to start a reboot. Using a monitor and keyboard, authenticate with the smart cards on the local console.
- Before rebooting, you can check the pending upack by pressing the F6 key on the start screen.
Dinamo - Local Management Console
┌──────────────────┤  ├──────────────────┐
│                                        │
│ Pending operations:                    │
│                                        │
│ Backup => no                           │
│ Update package => Dinamo HSM, full     │
│ firmware upgrade to version 5.0.23.0   │
│                                        │
│                 ┌────┐                 │
│                 │ OK │                 │
│                 └────┘                 │
│                                        │
│                                        │
└────────────────────────────────────────┘
Service running...          Replication Domain: <none>
Pending upack screen
- On the start screen, choose Power Off, then Reboot and press Enter.
Dinamo - Local Management Console
┌─┤ Power Off ├──┐
│ ◂              │
│ Reboot         │
│ Shutdown       │
└────────────────┘
Service running...          Replication Domain: <none>
Local console home screen
- Choose Yes and press Enter.
Dinamo - Local Management Console
┌──────────────┤  ├───────────────┐
│                                 │
│ Are you sure you want to reboot │
│ the system?                     │
│                                 │
│      ┌────┐        ┌─────┐      │
│      │ No │        │ Yes │      │
│      └────┘        └─────┘      │
│                                 │
│                                 │
└─────────────────────────────────┘
Service running...          Replication Domain: <none>
Reboot confirmation
- If you see a message indicating that users are still connected, just wait.
Dinamo - Local Management Console
┌───────────────────┤ Active Sessions ├───────────────────┐
│                                                         │
│ Total: 01                                               │
│                                                         │
│ IP              id   tls  duration  user                │
│ ------------------------------------------------------- │
│ 172.17.0.1      29   y    25        master              │
│                                                         │
│                                                         │
│                                                         │
└─────────────────────────────────────────────────────────┘
Service stopping... / (4s)
Waiting to close user connections
- When an update confirmation message appears, select Yes and press Enter.
Dinamo - Local Management Console
┌──────────────────────────┤  ├───────────────────────────┐
│                                                         │
│ A request for update package processing was detected.   │
│                                                         │
│ Description: Dinamo HSM, full firmware upgrade to       │
│ version 5.0.23.0                                        │
│ Size: 72355387 bytes.                                   │
│                                                         │
│ Do you want to confirm it?                              │
│ Warning: choosing No will discard it definitely.        │
│                                                         │
│               ┌────┐              ┌─────┐               │
│               │ No │              │ Yes │               │
│               └────┘              └─────┘               │
│                                                         │
│                                                         │
└─────────────────────────────────────────────────────────┘
Service stopped             Replication Domain: <none>
Update confirmation
- On the start screen, proceed to start the HSM service.
Note
The HSM reboot can also be commanded remotely via the Remote Management option on the Dinamocon console. See details in the Remote Management topic.
Verification
- The first check can be done locally on the console by looking at the version on the about screen.
Dinamo - Local Management Console
┌─────────────────────────────┤  ├─────────────────────────────┐
│                                                              │
│ Dinamo 5.0.23.0 (DXP) - TCA0000000                         ↑ │
│                                                            ░ │
│ Operation mode: NRM                                        ▒ │
│ Hardware profile: 6.0BA.1.01.01.01F.5.15.146U              ▒ │
│ SVMK fingerprint: 11:8E:02:8E:46:6E:F8:E1                  ▒ │
│ TPOEM: 9C1531FF                                            ▒ │
│                                                            ▒ │
│ Includes thirdy-party software. All rights reserved.       ▒ │
│                                                            ▒ │
│ Copyright © Free Software Foundation, Inc.                 ▒ │
│ Copyright © 1998-2018 The OpenSSL Project.                 ▒ │
│ Copyright © 1997-2018 Red Hat Software, Inc.               ▒ │
│ Copyright © 2002-2018 Aleksey Sanin.                       ↓ │
│                                                              │
│                            ┌────┐                            │
│                            │ OK │                            │
│                            └────┘                            │
│                                                              │
│                                                              │
└──────────────────────────────────────────────────────────────┘
Service stopped             Replication Domain: <none>
Update check
- A second check can be made in the HTTP console. To do this, simply connect to the HSM over HTTPS using a browser (example: https://192.168.1.100).
- Once connected, check the current version of the firmware and loaded modules by going to System Information and then Loaded Modules.
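The comparison made at the "Confirm sending upack to HSM" prompt, and again on the about screen after the reboot, can be scripted over text copied from the console. This is an added Python example, not vendor code; the function names, the expected_size input (the size noted when the upack was downloaded) and the upgrades-only rule are assumptions of the example.

```python
import re

# Constructed transcript, modelled on the hsmcon screens shown on this page.
SAMPLE = """\
HSM 192.168.1.152 e - Engine 5.0.22.0 (DXP) - TCA0000000 - ID master
Local file to read upack: c:/sec/hsm_dinamo-firmware_upgrade-v_5.0.23.0.upack
Upack size: 72355387 bytes
Upack description: 'Dinamo HSM, full firmware upgrade to version 5.0.23.0'.
"""

VER = r"(\d+(?:\.\d+){3})"  # four-part version such as 5.0.23.0


def as_tuple(version):
    return tuple(int(part) for part in version.split("."))


def parse_transcript(text):
    """Pull out the values the operator compares before answering 'y'."""
    found = {
        "engine": re.search(r"Engine " + VER, text),
        "file": re.search(r"Local file to read upack: .*-v_" + VER + r"\.upack", text),
        "size": re.search(r"Upack size: (\d+) bytes", text),
        "desc": re.search(r"Upack description: '.*version " + VER + r"'", text),
    }
    missing = [name for name, m in found.items() if m is None]
    if missing:
        raise ValueError("transcript is missing: " + ", ".join(missing))
    return {name: m.group(1) for name, m in found.items()}


def pre_send_problems(text, expected_size):
    """Reasons not to confirm 'sending upack to HSM'; an empty list means proceed."""
    f = parse_transcript(text)
    problems = []
    if f["file"] != f["desc"]:
        problems.append(f"file name says {f['file']}, description says {f['desc']}")
    if int(f["size"]) != expected_size:
        problems.append(f"console read {f['size']} bytes, expected {expected_size}")
    if as_tuple(f["desc"]) <= as_tuple(f["engine"]):  # assumed policy: upgrades only
        problems.append(f"upack {f['desc']} is not newer than engine {f['engine']}")
    return problems


def post_update_ok(banner, target):
    """After the reboot: does the console banner report the upack's target version?"""
    m = re.search(r"(?:Engine|Dinamo) " + VER + r" \(", banner)
    return m is not None and m.group(1) == target
```

An empty list from pre_send_problems means the file name, description, size and running engine version agree; post_update_ok accepts either the hsmcon header line or the first line of the local about screen.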