We installed the 10.1 Gateway using the steps in the installation guide to configure the Luna provider.
After doing so we connected with a client using a variety of TLS cipher suites, both RSA and DSA, that use Elliptic Curve Diffie-Hellman key exchanges, both ECDSA and RSA, for example TLS_ECDHE_RSA_WITH_AES_128_
When we enable verbose debug using javax.net.debug=all, we see an exception indicating that the DH master secret derivation fails, with an error indicating that the JCE provider (maybe SunEC) requires a "RAW Key Format" when accessing the key to perform the key derivation function. Probably this is because the Sun provider cannot correctly handle the Luna secret key.
This worked in 8.4 with Java 7 or 8 but not with Java 11, I believe because one of the providers in the earlier version of Java was able to extract the Luna key to perform the function.
Release: 10.1
Component:
If you are planning to use the default Luna partition policy settings, ensure the following two lines are included in the ssg.security file.
Resolved by correctly setting the following two parameters, which are documented in the L7 Luna installation guide.
The deployment scripts used by the automated installation had not set them correctly.
com.safenetinc.luna.provider.createExtractablePrivateKeys=true
com.safenetinc.luna.provider.createExtractableSecretKeys=true
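A check a deployment pipeline can run before starting the Gateway, to catch exactly the misconfiguration above (a property missing or left at false). This is an added example, not code from the article or from the Gateway product; it assumes ssg.security uses Java .properties syntax and that the sample file contents are constructed.

```python
"""Verify that ssg.security enables extractable Luna private and secret keys."""
import re

# The two properties the article says must be present and set to true.
REQUIRED_TRUE = (
    "com.safenetinc.luna.provider.createExtractablePrivateKeys",
    "com.safenetinc.luna.provider.createExtractableSecretKeys",
)


def parse_properties(text):
    """Minimal Java .properties parser: '#'/'!' comments, '=' ':' or
    whitespace separators; the last definition of a key wins."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_luna_extractable(text):
    """Return a list of problems (empty list means both settings are correct)."""
    props = parse_properties(text)
    problems = []
    for key in REQUIRED_TRUE:
        if key not in props:
            problems.append(f"{key} is missing")
        elif props[key].lower() != "true":
            problems.append(f"{key}={props[key]} (expected true)")
    return problems


# Constructed sample: what a faulty deployment script might leave behind
# (one property absent, the other set to false), and the corrected file.
BROKEN = """\
# ssg.security written by deployment script (constructed sample)
some.other.property=value
com.safenetinc.luna.provider.createExtractableSecretKeys=false
"""
FIXED = BROKEN.replace("false", "true") + \
    "com.safenetinc.luna.provider.createExtractablePrivateKeys=true\n"

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check_luna_extractable(text) or "OK")
```

To check a real installation, read the Gateway's ssg.security file into `text` instead of the constructed samples.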
Ref: