This is preventing the customer from upgrading to 5.5.x.
See http://leifj.people.sunet.se/007-011136-007_lunasa_5-4-1_docs_revC/Content/Home_sa.htm for details about the Luna software. The problem is with the JWT session module, which requires the signing key to be extractable. The customer reports that this is not feasible with the Luna software; the problem as stated is this:
We did some research on the SafeNet implementation, and it seems like the only way to extract the HMAC key from the HSM is to use the SafeNet PKCS11 Java Wrapper library (which is NOT a PKCS11 impl library).
For that reason, implementing an extractable HMAC key might not be a feasible solution.
A possible workaround for the customer would be to allow reading the signing key from a separate keystore. The JWT session authentication configuration does allow specifying a keystore that is different from the main IDM keystore; however, the signing key is still retrieved from the main IDM keystore. This is addressed in