
Administration & Maintenance - Backup & Restore

Prepare RBS to Support Backup / Restore

Remote Backup uses the Remote Backup Service (RBS), which must be installed and configured before you use it.

RBS is a separate option at software installation time. You do not need it on all client/admin computers, but it doesn't hurt to have it installed.

To prepare for RBS, do the following:

  1. Install LunaClient software on the computer that will manage your primary HSM (this could be the administrative client for Luna SA, the host computer containing one or more Luna PCI-E HSMs, or a host connected to one or more Luna G5 HSMs). You will probably want to include the Remote PED option.

    If the primary HSM is other than Luna SA, install the Luna SA option in addition to the Luna G5 or Luna PCI-E software, because the Luna SA client is the only one that includes the "vtl" utility, which is necessary for the certificate exchange that enables Remote Backup Service.

  2. Install LunaClient software on the host computer connected to your Backup HSM. Select the Remote Backup option.

    You could also choose to install the Remote PED option here. It depends on how you intend to separate the functions and, other than the space it occupies on your hard disk, it doesn't hurt to have any of the LunaClient options installed and available.
  3. Run "rbs --genkey" to generate the server.pem file, which is used to establish the Remote Backup Service between the Backup host and the host/client for the primary HSM. The location of the server.pem file can be found in the Chrystoki.conf / crystoki.ini file.
  4. Run "rbs --config" to specify devices to support.
  5. Run "rbs --daemon" to launch the rbs daemon (Linux and UNIX) or the rbs console application (on Windows, it closes after every use).
  6. Create the client certificate (if not already done):
    vtl createCert -n <host_ip_address>
  7. Copy the certificate generated earlier [server.pem] to your primary HSM host computer (or Luna SA appliance).
    # scp root@172.20.9.253:/usr/safenet/lunaclient/rbs/server/server.pem .   
    root@172.20.9.253's password: *********   
    server.pem | 1 kB | 1.2 kB/s | ETA: 00:00:00 | 100%
  8. Run "vtl" on the host computer (or appliance) to add the RBS server to the server list.   
    vtl add -n 172.20.9.253 -c server.pem
    New server 192.20.9.253 successfully added to server list.
    vtl list
    Server: 192.20.9.82 HTL required: no
    Server: 192.20.9.253 HTL required: no     
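
As an added example (not part of the vendor documentation), steps 7 and 8 can be gated on a digest check, so that only the server.pem actually generated on the Backup host is added to the server list, and the result is confirmed in "vtl list". The function names, the script arguments and the use of sha256sum are assumptions; only the "vtl add -n ... -c ..." and "vtl list" invocations and the "Server: ..." output format come from the steps above.

```shell
#!/bin/sh
# Added example, not vendor code: gate "vtl add" (step 8) on the integrity of
# the server.pem copied in step 7, then confirm the entry in "vtl list".

# Print the lowercase SHA-256 hex digest of a file (assumes coreutils sha256sum).
pem_sha256() {
    sha256sum "$1" | awk '{print $1}'
}

# verify_pem <file> <expected_sha256>
# Returns 0 only if the file exists and matches the digest that was read on
# the Backup host and passed over a separate channel; returns 2 if no file.
verify_pem() {
    [ -f "$1" ] || return 2
    [ "$(pem_sha256 "$1")" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# server_registered <address>
# Reads "vtl list" output on stdin; returns 0 if a line of the form
# "Server: <address> HTL required: ..." names exactly this address.
# The appended "" forces a string comparison, so 10.5 never equals 10.50.
server_registered() {
    awk -v want="$1" \
        '$1 == "Server:" && ($2 "") == (want "") { ok = 1 } END { exit !ok }'
}

# register_rbs_server <address> <pem_file> <expected_sha256>
# Refuses to add the server if the certificate file does not match.
register_rbs_server() {
    verify_pem "$2" "$3" ||
        { echo "server.pem digest mismatch; not adding $1" >&2; return 1; }
    vtl add -n "$1" -c "$2" || return 1
    vtl list | server_registered "$1" ||
        { echo "$1 missing from vtl list" >&2; return 1; }
}

# Runs only when called with three arguments, for example:
#   ./add_rbs.sh 172.20.9.253 server.pem <digest read on the Backup host>
if [ "$#" -eq 3 ]; then
    register_rbs_server "$1" "$2" "$3"
fi
```

Obtain the expected digest by running sha256sum on server.pem on the Backup host, and pass the value over a channel other than the scp session.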

RBS requires pedClient on both the RBS client and RBS server ends. See below.

 

If you encounter problems, try changing the RBS and pedClient ports from the default values. Check that your firewall is not blocking ports used by the service. (Refer to the command syntax pages for default values.)

 

Now go to "Backup your HSM Partition Remotely".

 

The pedClient is half of the pedServer/pedClient duo that enables Remote PED service.

However, pedClient is also used in the communication component of Remote Backup Service. So, pedClient should run on every platform that has an HSM, that is, wherever a Luna G5 or Luna PCI-E is installed (pedClient is already included in Luna SA 5.2 and newer), and also on any system with the RBS application.

The pedServer is required only on a computer with the Luna Remote PED.

If you consolidate your HSM administration (including Remote PED) on the same computer as your Luna Remote Backup HSM, you would have both pedClient and pedServer installed there. We observe that a majority of customers combine administrative functions this way, on a laptop or a workstation that is used to administer one or many HSM hosts. The HSM host (with Luna G5 or Luna PCI-E) or the Luna SA appliance resides in a physically secure, possibly remote location, while the administrator works from a laptop in her/his office. Your security policy determines how you do it.

 
