partition archive backup
Backup partition objects. Use this command to backup objects from the current user partition to a partition on a backup device. You must be logged in as the Crypto Officer to backup the partition.
NOTE If the domains of your source and target HSMs do not match or the policy settings do not permit backup, the partition archive backup command fails. No objects are cloned to the target HSM but the command creates an empty backup partition. In this circumstance, you must manually delete the empty backup partition.
Each object is cloned in a separate operation
When you call for a cloning operation (such as backup or restore), the source HSM transfers a single object, encrypted with the source domain. The target HSM then decrypts and verifies the received blob.
If the verification is successful, the object is stored at its destination – the domains are a match. If the verification fails, then the blob is discarded and the target HSM reports the failure. Most likely the domain string or the domain PED key, that you used when creating the target partition, did not match the domain of the source HSM partition. The source HSM moves to the next item in the object list and attempts to clone again, until the end of the list is reached.
This means that if you issue a backup command for a source partition containing several objects, but have a mismatch of domains between your source HSM partition and the backup HSM partition, then you will see a separate error message for every object on the source partition as it individually fails verification at the target HSM.
Backup partition sizing
When you run the partition archive backup command, it compares the size of the source partition with the remaining free space on the backup HSM to ensure that there is enough space on the backup HSM to accommodate the backup. If there is not enough space, the backup operation is canceled, and an appropriate error message is displayed.
G7-based backup HSM partition re-sizing
On G7-based backup HSMs, when you create a new backup all of the available free space on the backup HSM is assigned to the new backup partition. Once all of the objects have been successfully cloned to the new backup partition, the new backup partition is automatically re-sized to the minimum size required to accommodate the backup objects, and any free space is reallocated.
If the backup partition becomes full before all of the objects have been successfully cloned, the backup is canceled and an error message is displayed. The new backup partition and all of the objects cloned to that point are deleted from the backup HSM and it reverts to the state it was in prior to the backup operation. In this case you will need to free up some space on the backup HSM or use another backup HSM with more available free space.
Syntax
If backup device is a slot in the current system:
partition archive backup -slot <backup_slot> [-partition <backup_partition>] -password <password> [-sopassword <sopassword>] [-domain <domain> | -defaultdomain] [-append] [-replace] [-debug] [-force]
If backup device is in a remote workstation:
partition archive backup -slot remote -hostname <hostname> -port <portnumber> [-partition <backup_partition>] -password <password> [-sopassword <sopassword>] [-commandtimeout <seconds>] [-domain <domain> | -defaultdomain] [-append] [-replace] [-debug] [-force]
If backup device is a USB-attached HSM:
partition archive backup -slot direct [-partition <backup_partition>] -password <password> [-sopassword <sopassword>] [-domain <domain> | -defaultdomain] [-append] [-replace] [-debug] [-force]
| Argument(s) | Shortcut | Description |
|---|---|---|
| -append | -a | Append new objects to the existing partition. Do not overwrite existing objects that have the same OUID, even if their attributes differ (see -replace) |
| -commandtimeout <seconds> | -ct | The command timeout for network communication. The default timeout is 10 seconds. The maximum timeout is 3600. This option can be used to adjust the timeout value to account for network latency. |
| -debug | -deb | Turn on additional error information. (optional) |
| -defaultdomain | -def | Default domain for the specified partition. |
| -domain <domain> | -do | Domain for the specified partition. |
| -force | -f | Force action with no prompting. |
| -hostname <hostname> | -ho | Host name of remote workstation running remote backup server. (required when -s remote is used) |
| -partition <backup_partition> | -par |
Backup partition name. (maximum length of 32 characters) NOTE Optional on the G7-based backup HSM. If you omit this option the partition is assigned a default name (<source_partition_name>_<YYYYMMDD>). |
| -password <password> | -pas | Password for the specified partition. |
| -port <portnumber> | -po | Port number for remote backup server on remote workstation. (required when -s remote is used) |
| -replace | -rep | Delete the existing objects in the target backup partition and replace them with the contents of the source user partition. |
| -slot <see description> | -s |
Target slot containing the backup device. It can be specified by any of the following: > <slot number>, if the backup slot is in the current system. >remote -hostname <host name> -port <port number> if the backup device is in a remote work station. >direct to specify a USB-attached backup device. If you know the slot number that contains the USB-attached HSM, you can specify that slot number explicitly (for example, -s 5) |
| -sopassword <sopassword> | -sop | SO password for the backup device. |
Example with password in command line
lunacm:> partition archive backup -slot 2 -partition sa78backup -domain clientdomain -password newPa$$w0rd -sopassword backupSOpwd
Logging in as the SO on slot 2.
Creating partition sa78backup on slot 2.
Logging into the container sa78backup on slot 2 as the user.
Creating Domain for the partition sa78backup on slot 2.
Verifying that all objects can be backed up...
6 objects will be backed up.
Backing up objects...
Cloned object 70 to partition sa78backup (new handle 14).
Cloned object 69 to partition sa78backup (new handle 18).
Cloned object 53 to partition sa78backup (new handle 19).
Cloned object 54 to partition sa78backup (new handle 23).
Cloned object 52 to partition sa78backup (new handle 24).
Cloned object 47 to partition sa78backup (new handle 28).
Backup Complete.
6 objects have been backed up to partition sa78backup
on slot 2.
Command Result : No Error
Example with password prompt
lunacm:> partition archive backup -slot 2 -partition sa78backup Option -domain was not specified. It is required. Enter the domain name: *** Re-enter the domain name: *** Option -password was not supplied. It is required. Enter the user password for the target partition: *** Re-enter the user password for the target partition: *** Logging in as the SO on slot 2. Creating partition sa78backup on slot 2. Logging into the container sa78backup on slot 2 as the user. Creating Domain for the partition sa78backup on slot 2. Verifying that all objects can be backed up... 6 objects will be backed up. Backing up objects... Cloned object 70 to partition sa78backup (new handle 14). Cloned object 69 to partition sa78backup (new handle 18). Cloned object 53 to partition sa78backup (new handle 19). Cloned object 54 to partition sa78backup (new handle 23). Cloned object 52 to partition sa78backup (new handle 24). Cloned object 47 to partition sa78backup (new handle 28). Backup Complete. 6 objects have been backed up to partition sa78backup on slot 2. Command Result : No Error
Example if password mistyped
lunacm:>partition archive backup -slot 21 -partition bkpar3 Option -domain was not specified. It is required. Enter the domain name: *** Re-enter the domain name: *** Option -password was not supplied. It is required. Enter the user password for the target partition: *** Re-enter the user password for the target partition: *** The passwords are not the same. Command aborted. Command Result : 0xb (User Cancelled Operation)
