
Notes about using LunaCM utility

Lunacm is an administrative command-line utility that resides on a computer that is a client of Luna SA.

LunaCM does not replace Lunash, the onboard command shell of Luna SA, but does support many equivalent commands. When dealing with Luna SA, lunacm addresses only the HSM; lunacm is unaware of the surrounding appliance.

When lunacm is run on a computer that is a registered Luna SA client, lunacm sees that Luna SA partition as a crypto slot. Use lunacm when setting up and performing two kinds of backup operation where the backup HSM is distant from the Luna SA appliance, and not co-located.

[ By "co-located", we mean in the same room with a USB cable between the Luna SA appliance and the Backup HSM. In that situation, Luna Shell, lunash:> inside the Luna SA appliance, has "partition backup" commands. Our experience with our customers is that this would be a minority deployment scenario.

Instead, many or most Luna SA deployments are in server rooms, often in remote, locked-down, lights-out facilities, where no one would be present to physically move a Backup HSM and Luna PED from Luna SA appliance to Luna SA appliance. For this reason, and for general convenience, distant or Remote Backup using lunacm are considered the preferable backup/restore methods. ]

Those operations are:

For distant Backup, lunacm runs on the workstation that is physically connected to the Backup workstation (by USB cable) and is NTLS linked to the Luna SA (by network connection). That instance of lunacm sees the Backup HSM as one slot, and sees the Luna SA HSM as another slot, because the backup workstation is a registered client of that Luna SA. The Backup operation is a direct slot-to-slot cloning operation using lunacm backup commands. No other workstation or server is necessary.

For Remote Backup, the workstation with the Luna Remote Backup HSM attached is running RBS and pedClient, and does not need to run lunacm (for purposes of backup). Instead, backup or restore is a three-cornered operation among three separate computers. Lunacm on a separate client computer initiates backup between the Luna SA partition at one end and the RBS instance on the backup workstation at the other end. That is, the client computer is seeing a Luna SA partition as a slot in one direction, and is seeing the RBS instance on the Backup workstation in another direction. From the lunacm perspective on the client computer, the Backup operation is an operation between the partition slot and the RBS instance.

 

Features of the Luna Command-line utility (lunacm)

However, handling of return codes is not fully supported at this time. The utility is not a full-featured shell, so features like command-completion or parsing of partial commands are not supported.

Case Insensitivity

Commands and options entered by the user are not sensitive to case. If a user accidentally leaves the Caps-Lock key on, or by habit capitalizes some commands or options, they should not have to re-enter or edit the command line.

Command parameters, however, are passed to command executables with the same case as entered on the command line. Command executables must deal with case issues as appropriate for the command.

For example, you can type:

 lunacm:> partition login -password mYpa55word! 

or

 lunacm:> partition LOGIN -PASSWorD mYpa55word!

and successfully log in to your Partition. Note that the command and sub-commands can be any combination of uppercase and lowercase letters. The command parser interprets them correctly. However, the password string itself is passed on to the access-control handler, which is very particular about letter case. Therefore, an item like a password must be typed letter-perfect with the appropriate case applied.

The above example is for Password Authenticated Luna HSMs.
For Trusted Path Authenticated HSM, do not type the password - you are directed to the Luna PED, which prompts for the required PED Key.

For Luna SA, you are unlikely to have a Luna PED connected to the appliance, so you would most likely be using Remote PED.
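
The case rules described under "Case Insensitivity" can be modelled in a few lines. This is an added example, not lunacm's own parser and not code from the product; the function name parse_command and the sample line C are assumptions made for illustration, and the input is the text typed after the lunacm:> prompt.

```python
# Model of the documented case rules: command words and option names are
# case-insensitive, parameter values are passed through exactly as typed.
# Hypothetical helper for illustration; lunacm's real parser is not shown on the page.
import shlex


def parse_command(line):
    """Return (command_words, options) for one command line.

    command_words: tuple of lower-cased command / sub-command words.
    options: dict mapping lower-cased option name to its value, with the
             value's letter case preserved (None for an option with no value).
    """
    tokens = shlex.split(line)
    words, options = [], {}
    i = 0
    # Leading tokens that do not start with '-' are command words.
    while i < len(tokens) and not tokens[i].startswith("-"):
        words.append(tokens[i].lower())
        i += 1
    # Everything after that is an option, optionally followed by one value.
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("-"):
            raise ValueError(f"unexpected token {tok!r}")
        name = tok.lower()              # option name: case folded
        i += 1
        if i < len(tokens) and not tokens[i].startswith("-"):
            options[name] = tokens[i]   # parameter: case kept as entered
            i += 1
        else:
            options[name] = None
    return tuple(words), options


# The two command lines from the page, plus one constructed variant (C)
# in which only the password's letter case differs.
A = "partition login -password mYpa55word!"
B = "partition LOGIN -PASSWorD mYpa55word!"
C = "partition login -password MYPA55WORD!"

if __name__ == "__main__":
    print(parse_command(A) == parse_command(B))  # same command, same parameter
    print(parse_command(A) == parse_command(C))  # parameter differs by case
```

A and B parse to the same command and parameter, while C carries a different password string to the access-control handler and would not match.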

 

See "lunacm Commands".