Backup and Restore to a Remote Backup Service (RBS)-Connected G7-Based Backup HSM
The Remote Backup Service (RBS) is an optional Luna client component that allows you to connect one or more Backup HSMs to a remote Luna HSM Client workstation and use them to back up the slots on any local Luna HSM Client workstations that are registered with the RBS server. RBS is useful in deployments where backups are stored in a separate location from the SafeNet Luna PCIe HSM, to protect against catastrophic loss (fire, flood, etc.).
RBS is a utility, included with the Luna HSM Client software, that runs on a workstation hosting one or more Backup HSMs. When RBS is configured and running, other clients or HSMs registered to it can see its Backup HSM(s) as slots in LunaCM.
Installing and Configuring the Remote Backup Service
RBS is installed using the Luna HSM Client installer. You must create a certificate for the RBS workstation and register it on all clients/appliances that will use the remote Backup HSMs. These instructions will allow you to install and configure RBS.
NOTE This feature requires minimum client version 10.1. See Version Dependencies by Feature for more information.
Prerequisites
>Install the following Luna HSM Client components on any SafeNet Luna PCIe HSM client workstation that hosts slots for the partitions you want to back up using RBS (see Luna HSM Client Software Installation):
•Network
•Remote PED: if you are backing up PED-authenticated partitions.
>Connect the backup HSM(s) directly to the Luna HSM Client workstation that will host RBS using the included USB cable.
NOTE On most workstations, the USB 3.0 connection provides adequate power to the backup HSM and it will begin the boot sequence. If you are using a low-power workstation, such as a netbook, the USB connection may not provide adequate power, in which case you will also need to connect the external power supply. It is recommended that you use the power supply for all backup HSMs connected to the RBS host workstation. If you are connecting multiple backup HSMs, you can use an external USB 3.0 hub if required.
>Initialize the backup HSMs if necessary. See Initializing a Client-Connected G7-Based Backup HSM.
>Ensure that HSM Policy 16: Enable Network Replication is allowed on the HSMs used to host the partitions you want to back up. This is the default setting.
To install and configure RBS
1.On the workstation hosting the Backup HSM(s), install the Backup component of the Luna HSM Client (see Luna HSM Client Software Installation). If this workstation will also host a Remote PED, install the Remote PED component as well (Windows only).
2.Navigate to the Luna HSM Client home directory (/usr/safenet/lunaclient/rbs/bin on Linux/UNIX) and generate a certificate for the RBS host.
> rbs --genkey
You are prompted to enter and confirm an RBS password. The certificate is generated in:
•Linux/UNIX: <LunaClient_install_directory>/rbs/server/server.pem
•Windows: <LunaClient_install_directory>\cert\server\server.pem
3.Specify the Backup HSM(s) that RBS will make available to clients.
> rbs --config
RBS displays a list of Backup HSMs currently connected to the workstation. Select the ones you want to provide remote backup services. When you have specified your selection, enter X to exit the configuration tool.
4.Launch the RBS daemon (Linux/UNIX) or console application (Windows).
•Linux/UNIX: # rbs --daemon
•Windows: Double-click the rbs application. A console window will remain open.
You are prompted to enter the RBS password.
5.Securely transfer the RBS host certificate (server.pem) to your Luna HSM Client workstation using pscp or scp.
6.On the client workstation, register the RBS host certificate to the server list.
> vtl addServer -n <Backup_host_IP> -c server.pem
7.[Optional] Launch LunaCM on the client to confirm that the Backup HSM appears as an available slot.
NOTE If you encounter issues, try changing the RBS and PEDclient ports from their default values. Check that your firewall is not blocking ports used by the service.
You can now use the Backup HSM(s) as though they were connected to the client workstation locally, using Remote PED. See Backing Up to a Client-Connected G7-Based Backup HSM and Restoring From a Client-Connected G7-Based Backup HSM for detailed procedures.
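Steps 5 and 6 depend on server.pem arriving unmodified, because the client trusts whichever certificate it registers. The shell functions below are an added example, not part of the original documentation: they compare the transferred file's SHA-256 digest with one recorded on the RBS host and call vtl addServer only on a match. The function names, the VTL override variable and the separate delivery of the digest are assumptions.

```shell
#!/bin/sh
# Added example: pin the RBS host certificate before registering it.
# Assumption: the expected digest was produced on the RBS host with
#   sha256sum server.pem
# and delivered over a channel separate from the file transfer.

# Print the lowercase SHA-256 hex digest of a file.
file_sha256() {
    sha256sum "$1" | awk '{print tolower($1)}'
}

# Return 0 only if the file's digest matches the expected value.
# Returns 1 on mismatch and 2 on unusable input.
# Colons, spaces and letter case in the expected value are ignored.
cert_matches_pin() {
    cert=$1
    expected=$(printf '%s' "$2" | tr -d ': \n' | tr 'A-F' 'a-f')
    [ -f "$cert" ] || { echo "missing file: $cert" >&2; return 2; }
    # A SHA-256 digest is exactly 64 hex characters; reject anything else.
    case $expected in
        *[!0-9a-f]*|'') echo "expected digest is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected digest has wrong length" >&2; return 2; }
    actual=$(file_sha256 "$cert") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $cert: got $actual" >&2
        return 1
    fi
}

# Register the certificate only after the pin check passes.
# VTL is a hypothetical override so the command can be stubbed in tests.
register_rbs_host() {
    host=$1; cert=$2; pin=$3
    cert_matches_pin "$cert" "$pin" || return $?
    "${VTL:-vtl}" addServer -n "$host" -c "$cert"
}
```

On the client, call register_rbs_host with the Backup host IP, the path to the transferred server.pem and the digest recorded on the RBS host.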