Administration & Maintenance - Backup & Restore
The options to backup a Partition on your Luna appliance are:
a) local backup, co-located
b) local backup, distant
b) remote backup.
"Local backup co-located" means that the Luna Remote Backup Device is co-located and physically connected to the Luna SA appliance whose contents are to be backed up. You would most likely be using a laptop near the Luna SA appliance to run your admin session (either by network SSH session or by a local serial connection), and would use locally connected Luna PEDs to provide the necessary authentication.
"Local backup distant" means that the Luna Remote Backup Device is physically connected to the laptop or workstation that you are using to administer the backup operation (this might or might not be the same laptop that you use for other Luna SA administration tasks), while the Luna SA appliance whose contents are to be backed up is located at some distance from your admin station. You would have established a network client relationship between the Luna SA appliance and your admin computer (in addition to any SSH admin connection you might be using for other purposes. Your Luna SA partitions must see the backup admin computer as a client, so that your admin computer can see the Luna SA partitions as slots.
"Remote" backup means that the Luna SA appliance, and the computer that acts as a client and that sees the Luna SA as a slot, are at remote locations from where you and your admin laptop/workstation reside. In this situation, your admin laptop has no NTLS and no client relationship with Luna SA partitions. Instead, your admin workstation visits the distant client/host computer and instructs that computer to perform backup and restore operations with the Luna SA. The Luna Remote Backup HSM would be attached to your admin laptop/workstation, and must run RBS. The client/host computer in the middle sees both the Luna SA partitions and the Luna Remote Backu HSM as slots in its lunacm session. This scenario is treated separately at "Backup your HSM Partition Remotely" and "Restore Your HSM Partition Remotely".
You will need -
| Quantity | Description |
|---|---|
| 1 | Luna SA 5.x |
| 1 | Windows 32-bit computer with Luna SA 5.x 32-bit client software installed |
| 1 | Luna Remote Backup HSM** |
| 1 | Set of PED Keys imprinted for the source HSM and partitions |
| 1 | Luna PED2 ( with f/w 2.4.0-3 or later)* |
| 1 | Luna PED 2 cable for Luna Remote Backup HSM |
* The Luna PED2 can be either a local-only PED or. a Luna PED2 with Remote capability, but set to local mode for this operation.
** The backup HSM is called the "Luna Remote Backup HSM" only because it is capable of remote operation if needed. It works fine when connected locally to the source HSM, as in this case.
| From | Using | To |
|---|---|---|
| Workstation | either serial cable or network (SSH over Ethernet) link |
Luna SA appliance |
| Luna SA | USB | Luna Remote Backup HSM |
| Luna SA | Micro-D to Micro-D (local PED) cable | Luna PED (make this PED connection at the start,seat the connectors fully at both ends, but leave the securing thumbscrews loose at the HSM end) |
| Luna Remote Backup HSM | Micro-D to Micro-D (local PED) cable | Luna PED (move the unsecured cable end to this HSM later, when prompted) |
To restore the partition contents from the Luna Remote Backup Device to the same local Luna SA HSM, use the same setup as described in the above steps, but use the partition backup restore command instead
[myluna] lunash:>par restore -s 7000179 -tokenPar bk5 -par p1 -replace
Please enter the password for the HSM partition:
> *******
CAUTION: Are you sure you wish to erase all objects in the
partition named: p1
Type 'proceed' to continue, or 'quit' to quit now.
> proceed
Warning: You will need to attach Luna PED to the Luna Backup HSM to complete this operation.
You may use the same Luna PED that you used for Luna SA.
Please hit <enter> when you are ready to proceed.
Luna PED operation required to login to user on token - use User or Partition Owner (black) PED key.
Object "1-User DES Key1" (handle 17) cloned to handle 11 on target
Object "1-User DES Key2" (handle 18) cloned to handle 12 on target
Object "1-User Public RSA Key1-512" (handle 19) cloned to handle 13 on target
Object "1-User Private RSA Key1-512" (handle 20) cloned to handle 14 on target
Object "1-User Public RSA Key2-512" (handle 21) cloned to handle 15 on target
Object "1-User Private RSA Key2-512" (handle 22) cloned to handle 16 on target
Object "1-User Public RSA Key3-512" (handle 23) cloned to handle 17 on target
Object "1-User Private RSA Key3-512" (handle 24) cloned to handle 18 on target
Object "1-User Public RSA Key4-512" (handle 25) cloned to handle 19 on target
Object "1-User Private RSA Key4-512" (handle 26) cloned to handle 20 on target
Object "1-User Public RSA Key5-512" (handle 27) cloned to handle 21 on target
Object "1-User Private RSA Key5-512" (handle 28) cloned to handle 22 on target
Object "1-User Public RSA Key1-1024" (handle 29) cloned to handle 23 on target
Object "1-User Private RSA Key1-1024" (handle 30) cloned to handle 24 on target
Object "1-User Public RSA Key2-1024" (handle 31) cloned to handle 25 on target
Object "1-User Private RSA Key2-1024" (handle 32) cloned to handle 26 on target
Object "1-User Public RSA Key3-1024" (handle 33) cloned to handle 27 on target
Object "1-User Private RSA Key3-1024" (handle 34) cloned to handle 28 on target
Object "1-User Public RSA Key4-1024" (handle 35) cloned to handle 29 on target
Object "1-User Private RSA Key4-1024" (handle 36) cloned to handle 30 on target
Object "1-User Public RSA Key5-1024" (handle 37) cloned to handle 31 on target
Object "1-User Private RSA Key5-1024" (handle 38) cloned to handle 32 on target
Object "1-User Public RSA Key1-2048" (handle 39) cloned to handle 33 on target
Object "1-User Private RSA Key1-2048" (handle 40) cloned to handle 34 on target
Object "1-User Public RSA Key2-2048" (handle 43) cloned to handle 37 on target
Object "1-User Private RSA Key2-2048" (handle 44) cloned to handle 38 on target
Object "1-User Public RSA Key3-2048" (handle 47) cloned to handle 41 on target
Object "1-User Private RSA Key3-2048" (handle 48) cloned to handle 42 on target
Object "1-User Public RSA Key4-2048" (handle 51) cloned to handle 45 on target
Object "1-User Private RSA Key4-2048" (handle 52) cloned to handle 46 on target
|
|[snip]
|
Object "1-User DES Key5" (handle 111) cloned to handle 105 on target
Object "1-User DES3 Key1" (handle 112) cloned to handle 106 on target
Object "1-User DES3 Key2" (handle 113) cloned to handle 107 on target
Object "1-User DES3 Key3" (handle 114) cloned to handle 108 on target
Object "1-User DES3 Key4" (handle 115) cloned to handle 109 on target
Object "1-User DES3 Key5" (handle 116) cloned to handle 110 on target
Object "1-User AES Key1" (handle 117) cloned to handle 111 on target
Object "1-User AES Key2" (handle 118) cloned to handle 112 on target
Object "1-User AES Key3" (handle 119) cloned to handle 113 on target
Object "1-User AES Key4" (handle 120) cloned to handle 114 on target
Object "1-User AES Key5" (handle 121) cloned to handle 115 on target
Object "1-User ARIA Key1" (handle 122) cloned to handle 116 on target
Object "1-User ARIA Key2" (handle 123) cloned to handle 117 on target
Object "1-User ARIA Key3" (handle 124) cloned to handle 118 on target
Object "1-User ARIA Key4" (handle 125) cloned to handle 119 on target
Object "1-User ARIA Key5" (handle 126) cloned to handle 120 on target
'partition restore' successful.
Command Result : 0 (Success)
[myluna] lunash:>
To restore onto a different remote Luna SA HSM, the same arrangement is required, but that HSM must already have a suitable partition, which can have any name - it does not need to match the name of the source partition on the backup HSM.
To restate: the backup operation can go from a source partition (on a Luna SA) to an existing partition on the Luna Remote Backup HSM, or if one does not exist, a new partition can be created during the backup -- but the restore operation cannot create a target partition on a Luna SA; it must already exist.
In this scenario, Luna Remote Backup HSM and Luna Remote PED are both directly connected to your admin workstation/laptop by USB, and that workstation is also a registered client of the Luna SA partition that is being backed-up. The Luna SA appliance is not local to you. The only connection is an SSL/NTLS link. Lunacm is running on your admin workstation/laptop, along with pedserver and pedclient. Pedclient is also running on the distant Luna SA.
Thus, pedserver on the admin workstation is carrying on two conversations, providing PED iservices to two HSMs (the USB-connected Luna Remote Backup HSM sitting on the same table, and the NTLS-connected Luna SA HSM in a server farm somewhere).
C:\Program Files\SafeNet\LunaClient>lunacm.exe
LunaCM V2.3.3 - Copyright (c) 2006-2013 SafeNet, Inc.
Available HSM's:
Slot Id -> 1
HSM Label -> SA52_P1
HSM Serial Number -> 500409014
HSM Model -> LunaSA
HSM Firmware Version -> 6.10.1
HSM Configuration -> Luna SA Slot (PED) Signing With Cloning Mode
HSM Status -> OK
Slot Id -> 2
HSM Label -> G5backup
HSM Serial Number -> 700101
HSM Model -> G5Backup
HSM Firmware Version -> 6.10.1
HSM Configuration -> Remote Backup HSM (PED) Backup Device
HSM Status -> OK
Current Slot Id: 1
lunacm:>
lunacm:> slot set slot 1
Current Slot Id: 1 (Luna SA Slot 6.10.1 (PED) Signing With Cloning Mode)
Command Result : No Error
lunacm:>
The pedserver must already have been set up.
lunacm:>ped get
HSM slot 1 listening to local PED (PED id=0).
Command Result : No Error
lunacm:> ped connect ip 192.20.10.190
Command Result : No Error
lunacm:> ped get
HSM slot 1 listening to remote PED (PED id=100).
Command Result : No Error
lunacm:>
The distant Luna SA (seen as slot 1 from your workstation/laptop) is now listening for PED interaction via the link between pedclient on the Luna SA appliance, and pedserver on the workstation, if the need arises, and is not expecting a PED connected directly at the location of the Luna SA.
lunacm:> par login
Option -password was not supplied. It is required.
Enter the password: *******
User is activated, PED is not required.
Command Result : No Error
lunacm:>
lunacm:>
lunacm:> ped disconnect
Are you sure you wish to disconnect the remote ped?
Type 'proceed' to continue, or 'quit' to quit now -> proceed
Command Result : No Error
lunacm:> ped connect ip 192.20.10.189 -slot 2
Command Result : No Error
lunacm:> ped get -slot 2
HSM slot 2 listening to remote PED (PED id=100).
Command Result : No Error
lunacm:>
lunacm:> partition backup backup -slot 2 -par SAbck1
Logging in as the SO on slot 2.
Please attend to the PED.
Creating partition SAbck1 on slot 2.
Please attend to the PED.
Logging into the container SAbck1 on slot 2 as the user.
Please attend to the PED.
Creating Domain for the partition SAbck1 on slot 2.
Please attend to the PED.
Verifying that all objects can be backed up...
85 objects will be backed up.
Backing up objects...
Cloned object 99 to partition SAbck1 (new handle 19).
Cloned object 33 to partition SAbck1 (new handle 20).
Cloned object 108 to partition SAbck1 (new handle 23).
Cloned object 134 to partition SAbck1 (new handle 24).
Cloned object 83 to partition SAbck1 (new handle 25).
Cloned object 117 to partition SAbck1 (new handle 26).
Cloned object 126 to partition SAbck1 (new handle 27).
Cloned object 65 to partition SAbck1 (new handle 28).
Cloned object 140 to partition SAbck1 (new handle 29).
Cloned object 131 to partition SAbck1 (new handle 30).
Cloned object 94 to partition SAbck1 (new handle 31).
Cloned object 109 to partition SAbck1 (new handle 35).
Cloned object 66 to partition SAbck1 (new handle 36).
Cloned object 123 to partition SAbck1 (new handle 39).
Cloned object 74 to partition SAbck1 (new handle 40).
Cloned object 50 to partition SAbck1 (new handle 44).
Cloned object 43 to partition SAbck1 (new handle 45).
Cloned object 52 to partition SAbck1 (new handle 46).
Cloned object 124 to partition SAbck1 (new handle 47).
Cloned object 115 to partition SAbck1 (new handle 48).
Backup Complete.
20 objects have been backed up to partition SAbck1
on slot 2.
Command Result : No Error
lunacm:>
Backup is complete, and can be verified if you like.
Again, the Luna SA source partition was physically distant from the workstation that combined admin and Remote Backup and Remote PED functions, but this was still considered a "local" backup scenario, because the workstation was configured and registered as a Client of the Luna SA partition.
If your organization's security and administrative protocols had required that the administrator performing backup not have client access to Luna SA partitions, then you would have used Remote Backup, instead, with an intermediary computer/host/client/server in the mix.