
Administration & Maintenance - Backup & Restore

Backup your HSM Partition Remotely

The options to back up a partition on your Luna HSM are:

a) local backup

b) remote backup.

 

"Local" backup means that the Luna Remote Backup Device is co-located and physically connected to the Luna HSM whose contents are to be backed up (that could be a Luna PCI-E HSM card inside a host computer, a Luna G5 HSM that is USB-connected to the host computer, or a Luna SA appliance which is its own host for its internal HSM card).

In the case of Luna SA, you would most likely be using a laptop near the Luna SA appliance to run your admin session (either by network SSH session or by a local serial connection), and would use locally connected Luna PEDs to provide the necessary authentication.

"Remote" backup means that the Luna HSM in its host or appliance is at a remote location and you are working from a network connected computer where you open your SSH connection to the host (or Luna SA admin) shell, and you also have the Luna Remote Backup HSM connected to the computer, at least one Luna PED (which must be remote-capable), and the PED workstation software running.

Remote Backup

You will need -

Quantity   Description
1          Luna HSM 5.2 or newer
1          Windows computer with Luna SA 5.2 (or newer) client software installed
1          Luna Remote Backup HSM
1          Set of PED Keys imprinted for the source HSM and partitions
1          Luna PED 2 (Remote PED with f/w 2.5.0 or later)*
1          Power cable for Luna PED 2 (Remote)
2          USB to mini USB cable for Luna PED 2 (Remote) and Luna Remote Backup HSM


* The Luna PED that is connected to the Windows computer, in order to perform Remote PED operations with the distant Luna SA appliance, must be a Luna PED 2 (remote-capable version) and is used in Remote mode and in local mode. You also have the option to connect a second Luna PED, which can be Remote capable or can be a local-only version, to the Luna Backup HSM. This allows you to leave the Remote capable Luna PED connected to the workstation in Remote mode.

Assumptions

The following examples assume that you have set up RBS, as described in "Prepare RBS to Support Backup / Restore".

The Luna Remote Backup HSM and your primary (source) Luna HSM are initialized with the appropriate keys (blue SO and black Partition Owner/User PED Keys, which can be the same for both devices or can be different).

Both devices must share the same domain or RED key value.

The workstation (Windows computer) has Remote PED and Luna Remote Backup software package installed including the appropriate driver.

For Luna SA, NTLS is established between your workstation computer, acting as a Luna SA client, and the distant Luna SA; that is, the workstation is registered as a client with the partition.

A Remote PED session key (orange RPV key) has been created and associated with the distant Luna HSM.

 

 

  1. Ensure that your Windows workstation has the PED USB driver (from the /USBDriver folder on the software CD) installed, and that the PEDServer.exe file (the executable program file that makes Remote PED operation possible) has been copied to a convenient directory on your hard disk.
  2. Connect all the components as follows:

     From                                Using                                   To
     Workstation                         USB                                     Remote PED (Luna PED IIr in Remote mode)
     DC power receptacle on Remote PED   PED Power Supply                        mains AC power (wall socket)
     Workstation                         USB                                     Luna Remote Backup HSM
     Luna Remote Backup HSM              Power Cord                              mains AC power (wall socket)
     Luna Remote Backup HSM              Micro-D to Micro-D (local PED) cable    Luna PED (can be a separate local-or-Remote PED, or can be your single Remote PED set to operate in local mode for the local connection)

  3. At the Remote Luna PED (the Luna PED IIr connected to the USB port of the workstation):
     - press [ < ] on the PED keypad to exit Local mode,
     - press [ 7 ] to enter Remote PED mode.
  4. Start the Remote PED service on the administrative workstation (Windows) computer: in a Command Prompt window, change directory to the location of the PEDServer.exe file and run it:
     C:\>cd \Program Files\LunaClient
     C:\Program Files\LunaClient>PEDServer -mode start
  5. Open an administrative connection (SSH) to the distant Luna HSM (for a Luna SA appliance, log in as 'admin'; for another HSM host, log in with the appropriate ID). Start the PED Client (the Remote PED enabling process on the appliance):
     Example (substitute the actual IP address of your workstation computer):
     lunash:> hsm ped connect -ip 192.2.12.16 -port 1503
     or
     lunacm:> hsm ped connect -ip 192.2.12.16 -port 1503

     Insert the orange RPV PED Key that matches the RPV of the distant Luna HSM.
     The Remote PED Client in the Luna SA HSM appliance, or in the Luna PCI-E or Luna G5 host, establishes a connection with the listening PEDserver on your workstation.
  6. Proceed to the Backup and Restore examples, below.

 

RBS Remote Backup with Single Remote PED on Windows

 

Just to indicate the versatility of RBS, this example uses a Windows 2012 64-bit client; the PED server runs on Windows XP, and the Luna Backup HSM is connected to a Linux CentOS 5.7 host.

Backup from a Luna SA slot

This example assumes that you have already completed "Prepare RBS to Support Backup / Restore".

That is, briefly:

  1. Start the lunacm utility (in Windows, it resides at C:\Program Files\SafeNet\LunaClient; in Linux/UNIX, it resides at /usr/safenet/lunaclient/bin).
C:\Program Files\SafeNet\LunaClient>lunacm.exe

LunaCM V2.3.3 - Copyright (c) 2006-2013 SafeNet, Inc.


        Available HSM's:

        Slot Id ->              1
        HSM Label ->            SA82_P1
        HSM Serial Number ->    500409014
        HSM Model ->            LunaSA
        HSM Firmware Version -> 6.10.1
        HSM Configuration ->    Luna SA Slot (PED) Signing With Cloning Mode
        HSM Status ->           OK

        Slot Id ->              2
        HSM Label ->            G5PKI
        HSM Serial Number ->    701968008
        HSM Model ->            LunaSA
        HSM Firmware Version -> 6.10.1
        HSM Configuration ->    Luna SA Slot (PED) Signing With Cloning Mode
        HSM Status ->           OK

        Slot Id ->              3
        HSM Label ->            G5backup
        HSM Serial Number ->    700101
        HSM Model ->            G5Backup
        HSM Firmware Version -> 6.10.1
        HSM Configuration ->    Remote Backup HSM (PED) Backup Device
        HSM Status ->           OK

        Slot Id ->              4
        Tunnel Slot Id ->       6
        HSM Label ->            PCI422
        HSM Serial Number ->    500422
        HSM Model ->            K6 Base
        HSM Firmware Version -> 6.2.1
        HSM Configuration ->    Luna PCI (PED) Signing With Cloning Mode
        HSM Status ->           OK

        Slot Id ->              5
        Tunnel Slot Id ->       7
        HSM Label ->            K6_328
        HSM Serial Number ->    155328
        HSM Model ->            K6 Base
        HSM Firmware Version -> 6.10.1
        HSM Configuration ->    Luna PCI (PED) Signing With Cloning Mode
        HSM Status ->           OK

        Slot Id ->              8
        HSM Label ->            G5180
        HSM Serial Number ->    700180
        HSM Model ->            G5Base
        HSM Firmware Version -> 6.10.1
        HSM Configuration ->    Luna G5 (PED) Signing With Cloning Mode
        HSM Status ->           OK


        Current Slot Id: 1

lunacm:> 

 

  1. If the current slot is not the slot that you wish to back up, use the lunacm:> slot set command.

 

lunacm:> slot set slot 1

        Current Slot Id: 1     (Luna SA Slot 6.10.1 (PED) Signing With Cloning Mode)


Command Result : No Error

lunacm:> 

 

  1. Establish that the HSM is listening for a Luna PED at the correct location (local or remote). In this example, we want the HSM to use a Luna PED that is not directly connected to the HSM: a Remote PED, at a specific location.

The PEDserver must already have been set up at that host.

 

lunacm:>ped get

        HSM slot 1 listening to local PED (PED id=0).

Command Result : No Error

lunacm:> ped connect ip 172.20.10.190

Command Result : No Error

lunacm:> ped get

        HSM slot 1 listening to remote PED (PED id=100).

Command Result : No Error

lunacm:> 

 

  1. [Skip this step if your source partition is Activated]
    Log into the partition (this takes place at the currently selected slot). This step is needed only if the partition you are about to back up is not already in the Activated state.

 

lunacm:> par login

        Option -password was not supplied.  It is required.

        Enter the password: *******

        User is activated, PED is not required.

Command Result : No Error

lunacm:> 

 

  1. Disconnect the PED connection from your source HSM (slot 1 in this example), and connect to the Luna [Remote] Backup HSM (slot 3 in this example).

 



lunacm:>
lunacm:> ped disconnect

        Are you sure you wish to disconnect the remote ped?

        Type 'proceed' to continue, or 'quit' to quit now -> proceed

Command Result : No Error

lunacm:> ped connect ip 192.20.10.190 -slot 3

Command Result : No Error

lunacm:> ped get -slot 3

        HSM slot 3 listening to remote PED (PED id=100).

Command Result : No Error
lunacm:>

 

  1. Perform the backup from the current slot (slot 1 in the example, see above) to the partition that you designate on the Backup HSM. Now that the Backup HSM is listening correctly for a PED, the target partition can be created, with PED action for the authentication.

 


lunacm:> partition backup backup -slot 3 -par SAbck1

        Logging in as the SO on slot 3.

        Please attend to the PED.

        Creating partition SAbck1 on slot 3.

        Please attend to the PED.

        Logging into the container SAbck1 on slot 3 as the user.

        Please attend to the PED.

        Creating Domain for the partition SAbck1 on slot 3.

        Please attend to the PED.

        Verifying that all objects can be backed up...

        85 objects will be backed up.

        Backing up objects...
        Cloned object 99 to partition SAbck1 (new handle 19).
        Cloned object 33 to partition SAbck1 (new handle 20).
        Cloned object 108 to partition SAbck1 (new handle 23).
        Cloned object 134 to partition SAbck1 (new handle 24).
        Cloned object 83 to partition SAbck1 (new handle 25).
        Cloned object 117 to partition SAbck1 (new handle 26).
        Cloned object 126 to partition SAbck1 (new handle 27).
        Cloned object 65 to partition SAbck1 (new handle 28).
        Cloned object 140 to partition SAbck1 (new handle 29).
        Cloned object 131 to partition SAbck1 (new handle 30).
        Cloned object 94 to partition SAbck1 (new handle 31).
        Cloned object 109 to partition SAbck1 (new handle 35).
        Cloned object 66 to partition SAbck1 (new handle 36).
        Cloned object 123 to partition SAbck1 (new handle 39).
        Cloned object 74 to partition SAbck1 (new handle 40).
        Cloned object 50 to partition SAbck1 (new handle 44).
        Cloned object 43 to partition SAbck1 (new handle 45).
        Cloned object 52 to partition SAbck1 (new handle 46).
        Cloned object 124 to partition SAbck1 (new handle 47).
        Cloned object 115 to partition SAbck1 (new handle 48).
        Cloned object 98 to partition SAbck1 (new handle 49).
        Cloned object 42 to partition SAbck1 (new handle 50).
        Cloned object 48 to partition SAbck1 (new handle 51).
        Cloned object 29 to partition SAbck1 (new handle 52).
        Cloned object 54 to partition SAbck1 (new handle 53).
        Cloned object 112 to partition SAbck1 (new handle 56).
        Cloned object 69 to partition SAbck1 (new handle 57).
        Cloned object 46 to partition SAbck1 (new handle 58).
        Cloned object 116 to partition SAbck1 (new handle 59).
        Cloned object 101 to partition SAbck1 (new handle 60).
        Cloned object 122 to partition SAbck1 (new handle 61).
        Cloned object 21 to partition SAbck1 (new handle 62).
        Cloned object 45 to partition SAbck1 (new handle 63).
        Cloned object 139 to partition SAbck1 (new handle 64).
        Cloned object 127 to partition SAbck1 (new handle 65).
        Cloned object 84 to partition SAbck1 (new handle 66).
        Cloned object 30 to partition SAbck1 (new handle 70).
        Cloned object 105 to partition SAbck1 (new handle 71).
        Cloned object 132 to partition SAbck1 (new handle 72).
        Cloned object 136 to partition SAbck1 (new handle 73).
        Cloned object 28 to partition SAbck1 (new handle 74).
        Cloned object 44 to partition SAbck1 (new handle 75).
        Cloned object 26 to partition SAbck1 (new handle 76).
        Cloned object 120 to partition SAbck1 (new handle 77).
        Cloned object 104 to partition SAbck1 (new handle 78).
        Cloned object 137 to partition SAbck1 (new handle 79).
        Cloned object 61 to partition SAbck1 (new handle 80).
        Cloned object 110 to partition SAbck1 (new handle 81).
        Cloned object 125 to partition SAbck1 (new handle 82).
        Cloned object 129 to partition SAbck1 (new handle 83).
        Cloned object 53 to partition SAbck1 (new handle 84).
        Cloned object 130 to partition SAbck1 (new handle 85).
        Cloned object 73 to partition SAbck1 (new handle 86).
        Cloned object 41 to partition SAbck1 (new handle 87).
        Cloned object 135 to partition SAbck1 (new handle 88).
        Cloned object 114 to partition SAbck1 (new handle 89).
        Cloned object 22 to partition SAbck1 (new handle 90).
        Cloned object 57 to partition SAbck1 (new handle 91).
        Cloned object 79 to partition SAbck1 (new handle 92).
        Cloned object 121 to partition SAbck1 (new handle 96).
        Cloned object 34 to partition SAbck1 (new handle 97).
        Cloned object 103 to partition SAbck1 (new handle 98).
        Cloned object 89 to partition SAbck1 (new handle 99).
        Cloned object 128 to partition SAbck1 (new handle 103).
        Cloned object 119 to partition SAbck1 (new handle 104).
        Cloned object 107 to partition SAbck1 (new handle 105).
        Cloned object 118 to partition SAbck1 (new handle 106).
        Cloned object 111 to partition SAbck1 (new handle 107).
        Cloned object 133 to partition SAbck1 (new handle 108).
        Cloned object 138 to partition SAbck1 (new handle 109).
        Cloned object 93 to partition SAbck1 (new handle 110).
        Cloned object 49 to partition SAbck1 (new handle 111).
        Cloned object 100 to partition SAbck1 (new handle 112).
        Cloned object 25 to partition SAbck1 (new handle 113).
        Cloned object 47 to partition SAbck1 (new handle 114).
        Cloned object 62 to partition SAbck1 (new handle 115).
        Cloned object 51 to partition SAbck1 (new handle 118).
        Cloned object 113 to partition SAbck1 (new handle 119).
        Cloned object 106 to partition SAbck1 (new handle 120).
        Cloned object 58 to partition SAbck1 (new handle 121).
        Cloned object 102 to partition SAbck1 (new handle 124).
        Cloned object 70 to partition SAbck1 (new handle 125).
        Cloned object 78 to partition SAbck1 (new handle 128).
        Cloned object 88 to partition SAbck1 (new handle 129).
        Cloned object 40 to partition SAbck1 (new handle 130).

        Backup Complete.

        85 objects have been backed up to partition SAbck1
        on slot 3.

Command Result : No Error
lunacm:>

The backup operation is complete. See "Restore Your HSM Partition Remotely" for an example of restoring from backup.
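As an added check that is not part of the original manual or of SafeNet's own tooling: a small Python script that parses the lunacm transcript of a "partition backup backup" run and confirms that the planned object count, the number of "Cloned object" lines and the final count agree, that every object went to the same target partition, and that lunacm reported "Command Result : No Error". The embedded transcript is a constructed three-object excerpt modelled on the output above, not a capture from a real device.

```python
import re

# Constructed excerpt of a lunacm "partition backup backup" transcript,
# modelled on the output shown above; it was not captured from a real HSM.
SAMPLE_TRANSCRIPT = """\
lunacm:> partition backup backup -slot 3 -par SAbck1
        Verifying that all objects can be backed up...
        3 objects will be backed up.
        Backing up objects...
        Cloned object 99 to partition SAbck1 (new handle 19).
        Cloned object 33 to partition SAbck1 (new handle 20).
        Cloned object 108 to partition SAbck1 (new handle 23).
        Backup Complete.
        3 objects have been backed up to partition SAbck1
        on slot 3.
Command Result : No Error
"""

PLANNED_RE = re.compile(r"(\d+) objects will be backed up\.")
CLONED_RE = re.compile(r"Cloned object (\d+) to partition (\S+) \(new handle (\d+)\)\.")
DONE_RE = re.compile(r"(\d+) objects have been backed up to partition (\S+)")
RESULT_RE = re.compile(r"^Command Result : (.+)$", re.MULTILINE)


def check_backup_transcript(text):
    """Return (ok, findings). ok is True only when planned, cloned and final
    counts agree, all clones went to one partition, no source handle was
    cloned twice, and lunacm reported 'No Error'."""
    findings = []
    planned = PLANNED_RE.search(text)
    done = DONE_RE.search(text)
    result = RESULT_RE.search(text)
    clones = CLONED_RE.findall(text)
    if planned is None or done is None:
        return False, ["missing planned or final object count"]
    n_planned, n_done = int(planned.group(1)), int(done.group(1))
    if len(clones) != n_planned:
        findings.append(f"{len(clones)} clone lines but {n_planned} planned")
    if n_done != n_planned:
        findings.append(f"final count {n_done} differs from planned {n_planned}")
    sources = [src for src, _, _ in clones]
    if len(set(sources)) != len(sources):
        findings.append("a source object handle was cloned more than once")
    targets = {par for _, par, _ in clones} | {done.group(2)}
    if len(targets) != 1:
        findings.append(f"clones spread over partitions {sorted(targets)}")
    if result is None or result.group(1).strip() != "No Error":
        findings.append("lunacm did not report 'Command Result : No Error'")
    return not findings, findings
```

Run it over the saved session log of a real backup; any non-empty findings list means the backup should be repeated before the source HSM is relied upon as recoverable.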

 

 

To restate: the backup operation can go from a source partition (on a Luna HSM) to an existing partition on the Luna Remote Backup HSM, or if one does not exist, a new partition can be created during the backup -- but the restore operation cannot create a target partition on a Luna SA; it must already exist and have a registered NTLS link.

 
