Restoring From a Client-Connected G7-Based Backup HSM

Restoring objects from a backup is essentially the same as the backup procedure, except in reverse. That is, a Crypto Officer can restore the objects from a backup partition to a new or existing user partition, provided they have the credentials required to access the objects in the backup and user partitions, as detailed in Restoring From a Client-Connected G7-Based Backup HSM.

The procedure is different for PED-authenticated and password-authenticated backups, as detailed in the following sections:

>Restoring a Multi-factor- (PED-) Authenticated Partition

>Restoring a Password-Authenticated Partition

Restoring a Multi-factor- (PED-) Authenticated Partition

You can restore the objects from a PED-authenticated backup partition to a PED-authenticated user partition. You can restore to an existing user partition, or you can create a new user partition and restore the objects to the new partition.

Summary

To restore the objects from a backup, you connect the backup HSM and a remote PED to the SafeNet Luna HSM Client workstation that hosts the slot for the user partition you want to restore from backup and perform the following tasks.

1.Log in to the user partition you want to restore to as the Crypto Officer (CO):

If the user partition is activated, you need to provide the challenge secret.

If the user partition is not activated, you need to open a remote PED connection to the HSM that hosts the user partition you want to restore to, and use the required PED keys to log in to the user partition as the Crypto Officer (CO).

2.Open a remote PED connection to the backup HSM.

3. Perform the restore operation and respond to the prompts for the HSM SO, partition SO (PO), crypto officer (CO), and domain PED keys for the backup HSM/partition. The backup HSM and the partition you want to restore to must be members of the same domain.

Prerequisites

Before beginning, ensure that you are familiar with the concepts in PED Authentication. You require the credentials listed in Restoring From a Client-Connected G7-Based Backup HSM.

TIP   To simplify the restore process and minimize interactions with the PED, it is recommended that you activate the CO role on the user partitions you want to restore to. See Activation and Auto-activation on Multi-factor- (PED-) Authenticated Partitions for more information.

To restore a PED-authenticated partition

1.Configure your SafeNet Luna HSM Client workstation using one of the following configurations:

   

a.Install the required client software on the SafeNet Luna HSM Client workstation. See Restoring From a Client-Connected G7-Based Backup HSM for details.

b.Connect the backup HSM directly to the SafeNet Luna HSM Client workstation using the included USB cable.

NOTE   On most workstations, the USB connection provides adequate power to the backup HSM and it will begin the boot sequence. If you are using a low-power workstation, such as a netbook, the USB connection may not provide adequate power, in which case you will also need to connect the external power supply.

c.Connect the PED to the SafeNet Luna HSM Client workstation used to host the remote PED, using the PED USB cable.

NOTE   You connect to the remote PED using the IP address of the workstation used to host the PED. This can be the same workstation that hosts the user and backup partition slots, or a different workstation. The workstation used to host the PED must be running pedserver.

2.Ensure that HSM policy 16: Enable network replication is set to 1 on the HSM that hosts the user partition you want to restore to. See HSM Capabilities and Policies for more information.

3.Start the pedserver service on the workstation used to host the remote PED:

Windows C:\Program Files\Safenet\LunaClient> pedserver mode start
Linux /usr/safenet/lunaclient> pedserver mode start

4.Launch LunaCM on the workstation that hosts the user and backup partition slots.

5.Identify the slot assignments for:

the user partition you want to restore to.

the backup HSM admin partition (where all backups are stored).

lunacm:> slot list

If you cannot see both slots, check your connections or configure your client as required.

6.Select the user partition you want to restore from backup:

lunacm:> slot set -slot <slot_id>

7.Authenticate as the Crypto Officer (CO) to the selected user partition:

If the partition is activated, proceed as follows:

i.Log in to the selected user partition as the Crypto Officer (CO):

lunacm:> role login -name co

If the partition is not activated, proceed as follows:

i.Connect to the SafeNet Luna HSM Client workstation that hosts the PED. If defaults are not ped set, specify an IP address (and port if required; 1503 is default).

lunacm:> ped connect [-ip <pedserver_host_ip>]

ii.Log in to the selected user partition as the Crytpo Officer (CO).

lunacm:> role login -name co

iii.Respond to the prompts on the PED to provide the the orange (PED vector) key(s) and PIN for the HSM that hosts the user partition you want to restore from backup and the black (CO) key(s) and PIN for the CO role on the user partition you want to restore from backup.

iv.Disconnect the PED session. Note that you will remain logged in to the selected user partition.

lunacm:> ped disconnect

8.Connect the PED to the backup HSM. If defaults are not ped set, specify an IP address (and port if required; 1503 is default):

lunacm:> ped connect [-ip <pedserver_host_ip>]

9.Initiate the restore operation. Respond to the prompts on the PED to insert the required PED keys, as detailed in Restoring From a Client-Connected G7-Based Backup HSM.

lunacm:> partition archive restore -slot <backup_HSM_admin_slot> -partition <target_partition_label>

The restore operation begins once you have completed the authentication process. Objects are restored one at a time.

Restoring a Password-Authenticated Partition

You can restore the objects from a password-authenticated backup partition to a password-authenticated user partition. You can restore to an existing user partition, or you can create a new user partition and restore the objects to the new partition.

Summary

To restore the objects from a backup, you connect the backup HSM to the SafeNet Luna HSM Client workstation that hosts the slot for the user partition you want to restore from backup and perform the following tasks.

1.Log in to the user partition you want to restore to as the Crypto Officer (CO):

2. Perform the restore operation. You are prompted for the HSM SO, partition SO (PO), crypto officer (CO), and domain passwords for the backup partition. The backup HSM and the partition you want to restore to must be members of the same domain.

Prerequisites

You require the credentials listed in Restoring From a Client-Connected G7-Based Backup HSM.

To restore a password-authenticated partition

1.Configure your SafeNet Luna HSM Client workstation as illustrated below:

a.Install the required client software on the SafeNet Luna HSM Client workstation and start LunaCM. See Restoring From a Client-Connected G7-Based Backup HSM for more information.

b.Connect the backup HSM directly to the SafeNet Luna HSM Client workstation using the included USB cable.

NOTE   On most workstations, the USB connection provides adequate power to the backup HSM and it will begin the boot sequence. If you are using a low-power workstation, such as a netbook, the USB connection may not provide adequate power, in which case you will also need to connect the external power supply.

2.Ensure that HSM policy 16: Enable network replication is set to 1 on the HSM that hosts the user partition you want to restore to. See HSM Capabilities and Policies for more information.

3. Identify the slots assigned to:

The user partition slot (to be restored).

The backup HSM admin slot (where all backups are stored).

lunacm:> slot list

If you cannot see both slots, check your connections or configure your client as required.

4.Select the user partition you want to restore to:

lunacm:> slot set -slot <slot_id>

5.Log in to the user partition as the Crypto Officer (CO):

lunacm:> role login -name co

6.Initiate the restore operation. Respond to the prompts to provide the required passwords, as detailed in Restoring From a Client-Connected G7-Based Backup HSM

lunacm:> partition archive restore -slot <backup_HSM_admin_slot> -partition <target_partition_label>

The restore operation begins once you have completed the authentication process. Objects are restored one at a time.


Customer Support Portal

SafeNet Luna Network HSM 10.1 Product Documentation  23 January 2020  Copyright 2001-2020 Thales Group. All rights reserved.