|
Home > |
Administration Guide > Backup and Restore HSMs and Partitions > Local Application Partition Backup and Restore Using the Backup HSM
|
|---|
This section describes how to perform local backup and restore operations using the Luna Remote Backup HSM (Backup HSM). A local backup is defined as one in which the Backup HSM is local to the HSM or to the Luna client workstation used to administer the HSM. To perform a local backup/restore, you can connect the Backup HSM using one of the following methods:
•to a USB port on the Luna SA appliance. This method allows you use LunaSH to backup all of the Luna SA partitions on the appliance that are owned by you, the HSM SO. It does not allow you to backup partitions that have their own SO. See "Partition Backup and Restore Using a Backup HSM Connected Directly to a Luna SA Appliance" for details.
•to a USB port on the Luna client workstation. This method allows you use LunaCM to backup any Luna SA or Luna PCI-E partitions that are visible as slots. See "Partition Backup and Restore Using a Backup HSM Connected to a Local Client Workstation" for details.
The backup operation can go from a source partition (on a Luna SA) to an existing partition on the Backup HSM, or if one does not exist, a new partition can be created during the backup . The restore operation, however, cannot create a target partition on a Luna SA; it must already exist.
You can restore a partition backup to the source HSM or to a different Luna SA HSM. The HSM you restore to must already have a suitable partition created for the restored objects. The partition can have any name - it does not need to match the name of the source partition on the backup HSM.
The simplest way to backup your Luna SA is to connect the Backup HSM directly to the Luna SA appliance. To perform a backup/restore, you open an SSH or serial connection from your workstation to the appliance, and then launch LunaSH in a terminal session to perform the backup, as illustrated in the following figure:
Figure 1: Configuration for Luna SA partition backup/restore using a Backup HSM connected directly to the Luna SA appliance
The workstation is simply a display terminal for LunaSH running on the appliance. It does not require the Luna client software.
The PEDs are required only if the Luna SA is PED-authenticated. The appropriate SO (blue), partition (black) and domain (red) PED keys are required. The SO (blue), partition (black) PED keys can be the same for both devices, or can be different. Both devices must share the same domain (red) PED key value. Although two PEDs are recommended (one connected to the Luna SA and one connected to the Backup HSM) you can use a single PED, if desired. If using a single PED, note that you can connect the PED to only one HSM at a time. You will need to disconnect it from the source (Luna SA) HSM and connect to the target (Luna Remote Backup HSM) when PED operations are needed at those HSMs respectively.
Note: You can use this method to backup the partitions on the Luna SA appliance that are owned by you, the HSM SO. You cannot use this method to backup partitions configured with their own SO. To backup a partition with SO, you must use LunaCM, as described in "Partition Backup and Restore Using a Backup HSM Connected to a Local Client Workstation".
1.Connect all the required components and open a terminal session to the Luna SA appliance. See the following topics for details:
–"Open a Connection" in the Configuration Guide
–"Backup HSM Installation, Storage, and Maintenance"
As soon as the PED is connected to a powered HSM it starts up and defaults to Local mode with the Awaiting command... prompt.
2.Open a LunaSH session on the Luna SA appliance.
login as: admin
admin@192.20.10.202's password:
Last login: Tue Dec 30 16:03:46 2014 from 192.16.153.111
Luna SA 6.0.0-25 Command Line Shell - Copyright (c) 2001-2014 SafeNet, Inc. All rights reserved.
[myluna] lunash:>
3.Use the token backup list and token backup show commands to determine the serial number of the Backup HSM and to verify its partition and storage configuration:
[myluna] lunash:>token backup list
Token Details:
============
Token Label: BackupHSM
Slot: 6
Serial #: 7000179
Firmware: 6.22.0
Hardware Model: Luna G5
Command Result : 0 (Success)
[myluna] lunash:>
lunash:> token backup show -serial 700179
Token Details:
============
Token Label: BackupHSM
Serial #: 700179
Firmware: 6.22.0
Hardware Model: Luna G5
Authentication Method: PED keys
Token Admin login status: Logged In
Token Admin login attempts left: 3 before Token zeroization!
Partition Information:
======================
Partitions licensed on token: 20
Partitions created on token: 0
----------------------
There are no partitions.
Token Storage Information:
==========================
Maximum Token Storage Space (Bytes): 16252928
Space In Use (Bytes): 0
Free Space Left (Bytes): 16252928
License Information:
====================
621010355-000 621-010355-000 G5 Backup Device Base
621000005-001 621-000005-001 Backup Device Partitions 20
621000006-001 621-000006-001 Backup Device Storage 15.5 MB
621000007-001 621-000007-001 Backup Device Store MTK Split Externally
621000008-001 621-000008-001 Backup Device Remote Ped Enable
Command result : 0 (Success)
lunash:>
4.Use the partition backup command to backup a specified partition and provide the PED keys as prompted, for example:
[myluna] lunash:>par backup -s 7000179 -par p1 -tokenPar bck1
Type 'proceed' to continue the backup, or 'quit'
to abort this operation.
> proceed
Please enter the password for the HSM partition:
> *******
Warning: You will need to attach Luna PED to the Luna Backup HSM
to complete this operation.
You may use the same Luna PED that you used for Luna SA.
Please hit <enter> when you are ready to proceed.
Luna PED operation required to login to token - use token Security Officer (blue) PED key.
Luna PED operation required to create a partition - use User or Partition Owner (black) PED key.
Luna PED operation required to login to user on token - use User or Partition Owner (black) PED key.
Luna PED operation required to generate cloning domain on the partition - use Domain (red) PED key.
Object "1-User DES Key1" (handle 17) cloned to handle 11 on target
Object "1-User DES Key2" (handle 18) cloned to handle 12 on target
Object "1-User Public RSA Key1-512" (handle 19) cloned to handle 13 on target
.
.
.
Object "1-User ARIA Key3" (handle 124) cloned to handle 118 on target
Object "1-User ARIA Key4" (handle 125) cloned to handle 119 on target
Object "1-User ARIA Key5" (handle 126) cloned to handle 120 on target
'partition backup' successful.
Command Result : 0 (Success)
[myluna] lunash:>
5.Use the token backup show command to verify the backup:
lunash:> token backup show -serial 667788
Token Details:
============
Token Label: BackupHSM
Serial #: 700179
Firmware: 6.22.0
Hardware Model: Luna G5
Authentication Method: PED keys
Token Admin login status: Logged In
Token Admin login attempts left: 3 before Token zeroization!
Partition Information:
======================
Partitions licensed on token: 20
Partitions created on token: 1
----------------------
Partition: 7000179008, Name: bck1.
Token Storage Information:
==========================
Maximum Token Storage Space (Bytes): 16252928
Space In Use (Bytes): 43616
Free Space Left (Bytes): 16209312
License Information:
====================
621010355-000 621-010355-000 G5 Backup Device Base
621000005-001 621-000005-001 Backup Device Partitions 20
621000006-001 621-000006-001 Backup Device Storage 15.5 MB
621000007-001 621-000007-001 Backup Device Store MTK Split Externally
621000008-001 621-000008-001 Backup Device Remote PED Enable
Command result : 0 (Success)
lunash:>
To restore the partition contents from the Luna Remote Backup Device to the same local Luna SA HSM, use the same setup described above, but use the partition backup restore command instead .
1.Connect all the required components and open a terminal session to the Luna SA appliance. See the following topics for details:
–"Open a Connection" in the Configuration Guide
–"Backup HSM Installation, Storage, and Maintenance"
As soon as the PED is connected to a powered HSM it starts up and defaults to Local mode with the Awaiting command... prompt.
2.Open a LunaSH session on the Luna SA appliance.
login as: admin
admin@192.20.10.202's password:
Last login: Tue Feb 28 16:03:46 2012 from 192.16.153.111
Luna SA 5.1.0-25 Command Line Shell - Copyright (c) 2001-2011 SafeNet, Inc. All rights reserved.
[myluna] lunash:>
3.Use the partition restore command to restore a partition:
[myluna] lunash:>par restore -s 7000179 -tokenPar bk5 -par p1 -replace
Please enter the password for the HSM partition:
> *******
CAUTION: Are you sure you wish to erase all objects in the
partition named: p1
Type 'proceed' to continue, or 'quit' to quit now.
> proceed
Warning: You will need to attach Luna PED to the Luna Backup HSM to complete this operation.
You may use the same Luna PED that you used for Luna SA.
Please hit <enter> when you are ready to proceed.
Luna PED operation required to login to user on token - use User or Partition Owner (black) PED key.
Object "1-User DES Key1" (handle 17) cloned to handle 11 on target
Object "1-User DES Key2" (handle 18) cloned to handle 12 on target
Object "1-User Public RSA Key1-512" (handle 19) cloned to handle 13 on target
.
.
.
Object "1-User ARIA Key3" (handle 124) cloned to handle 118 on target
Object "1-User ARIA Key4" (handle 125) cloned to handle 119 on target
Object "1-User ARIA Key5" (handle 126) cloned to handle 120 on target
'partition restore' successful.
Command Result : 0 (Success)
[myluna] lunash:>
You can connect the Backup HSM to a Luna client workstation to backup any Luna SA or Luna PCI partitions that are visible as slots in LunaCM, as illustrated in the following figure:
Figure 2: Configuration for Luna SA/PCI-E partition backup/restore using a Backup HSM connected to a local client workstation
In this configuration, you connect the Backup HSM and Luna Remote PED, via USB, to your Luna client workstation. The Luna SA appliance is remote to the Luna client workstation and is connected using NTLS. Any installed PCI-E devices communicate with the Luna client over the PCI bus.
Any partitions you want to backup must be registered with the Luna client workstation, and be visible as slots in LunaCM. The Backup HSM most also be visible as a slot.
If you are backing up PED-authenticated partitions, you require a PED. If you want to backup Luna SA partitions, the PED must have remote capability (Remote PED). Remote PED uses the pedserver/pedclient processes running on the Luna client workstation and on the Luna SA appliance to provide remote PED services for the network-attached Luna SA appliance. The PED provides authentication for all of the attached HSMs (the USB-connected Luna Remote Backup HSM, the NTLS-connected Luna SA HSM, and the PCI bus-connected Luna PCI-E HSM). Every slot on the backup must have same domain (red PED Key) as the matching slot on the source HSMs.
Note: If you have Private Key Cloning switched off for the current partition, then the backup operation proceeds, but skips over any private keys, and clones only the permitted objects onto the Backup HSM. Similarly, if you restore from a token that includes private keys, but the target partition has Private Key Cloning disallowed, then all other objects are recovered to the partition, but the private keys are skipped during the operation.
1.Configure the remote PED, as described in "Remote PED".
2.Start the LunaCM utility on the Luna client workstation.
C:\Program Files\SafeNet\LunaClient>lunacm.exe
LunaCM V2.3.3 - Copyright (c) 2006-2014 SafeNet, Inc.
Available HSM's:
Slot Id -> 1
HSM Label -> SA52_P1
HSM Serial Number -> 500409014
HSM Model -> LunaSA
HSM Firmware Version -> 6.22.0
HSM Configuration -> Luna SA Slot (PED) Signing With Cloning Mode
HSM Status -> OK
Slot Id -> 2
HSM Label -> BackupHSM
HSM Serial Number -> 700101
HSM Model -> G5Backup
HSM Firmware Version -> 6.22.0
HSM Configuration -> Remote Backup HSM (PED) Backup Device
HSM Status -> OK
Current Slot Id: 1
3.Use the slot set command to go to the slot you want to back up.
lunacm:> slot set slot 1
Current Slot Id: 1 (Luna SA Slot 6.10.1 (PED) Signing With Cloning Mode)
Command Result : No Error
4.Establish that the HSM is listening for a Luna Remote PED.
lunacm:>ped get
HSM slot 1 listening to local PED (PED id=0).
Command Result : No Error
lunacm:> ped connect ip 192.20.10.190
Command Result : No Error
lunacm:> ped get
HSM slot 1 listening to remote PED (PED id=100).
Command Result : No Error
lunacm:>The Luna SA is now listening for PED interaction via the link between PEDclient on the Luna SA appliance and PEDserver on the workstation, and is not expecting a PED connected directly at the location of the Luna SA.
5.Log into the partition in the current slot. This is the partition that you want to back up.
lunacm:> par login
Option -password was not supplied. It is required.
Enter the password: *******
User is activated, PED is not required.
Command Result : No Error
lunacm:> 6.Disconnect the logical PED connection from your source HSM (slot 1 in this example), and connect to the Backup HSM (slot 2 in this example). The PED remains physically connected by USB cable to the Luna client workstation, and remains in Remote mode - you are merely changing slots that are in conversation with that PED.
a.First, tell the Luna SA to disconnect from Remote PED.
lunacm:> ped disconnect
Are you sure you wish to disconnect the remote ped?
Type 'proceed' to continue, or 'quit' to quit now -> proceed
Command Result : No Error
b.Then tell the Backup HSM to connect to Remote PED (it makes no difference that the PED and the Remote Backup HSM are USB-connected to the same workstation/laptop; when use of "Remote PED" is invoked by command "ped connect" and verified by "ped get", all HSM-PED interaction takes place between "pedclient" running on that workstation and "pedserver", also running on that workstation).
lunacm:> ped connect ip 192.20.10.189 -slot 2
Command Result : No Error
lunacm:> ped get -slot 2
HSM slot 2 listening to remote PED (PED id=100).
Command Result : No Error
7.Use the partition archive backup command to perform the backup from the current slot (slot 1 in the example, see above) to the partition that you designate on the Backup HSM. Now that the Backup HSM is listening correctly for a PED, the target partition can be created, with PED action for the authentication.
lunacm:> partition archive backup -slot 2 -par SAbck1
Logging in as the SO on slot 2.
Please attend to the PED.
Creating partition SAbck1 on slot 2.
Please attend to the PED.
Logging into the container SAbck1 on slot 2 as the user.
Please attend to the PED.
Creating Domain for the partition SAbck1 on slot 2.
Please attend to the PED.
Verifying that all objects can be backed up...
85 objects will be backed up.
Backing up objects...
Cloned object 99 to partition SAbck1 (new handle 19).
Cloned object 33 to partition SAbck1 (new handle 20).
Cloned object 108 to partition SAbck1 (new handle 23).
Cloned object 134 to partition SAbck1 (new handle 24).
Cloned object 83 to partition SAbck1 (new handle 25).
Cloned object 117 to partition SAbck1 (new handle 26).
Cloned object 126 to partition SAbck1 (new handle 27).
Cloned object 65 to partition SAbck1 (new handle 28).
Cloned object 140 to partition SAbck1 (new handle 29).
Cloned object 131 to partition SAbck1 (new handle 30).
Cloned object 94 to partition SAbck1 (new handle 31).
Cloned object 109 to partition SAbck1 (new handle 35).
Cloned object 66 to partition SAbck1 (new handle 36).
Cloned object 123 to partition SAbck1 (new handle 39).
Cloned object 74 to partition SAbck1 (new handle 40).
Cloned object 50 to partition SAbck1 (new handle 44).
Cloned object 43 to partition SAbck1 (new handle 45).
Cloned object 52 to partition SAbck1 (new handle 46).
Cloned object 124 to partition SAbck1 (new handle 47).
Cloned object 115 to partition SAbck1 (new handle 48).
Backup Complete.
20 objects have been backed up to partition SAbck1
on slot 2.
Command Result : No Error8.Backup is complete, and can be verified if you like.
1.Create a target partition for the restore operation on the HSM you are restoring to, if it does not already exist, and register the partition with the Luna client workstation so that it is visible as a slot in LunaCM.
2.Start the LunaCM utility on the Luna client workstation.
C:\Program Files\SafeNet\LunaClient>lunacm.exe
LunaCM V2.3.3 - Copyright (c) 2006-2014 SafeNet, Inc.
Available HSM's:
Slot Id -> 1
HSM Label -> SA52_P1
HSM Serial Number -> 500409014
HSM Model -> LunaSA
HSM Firmware Version -> 6.22.0
HSM Configuration -> Luna SA Slot (PED) Signing With Cloning Mode
HSM Status -> OK
Slot Id -> 2
HSM Label -> BackupHSM
HSM Serial Number -> 700101
HSM Model -> G5Backup
HSM Firmware Version -> 6.22.0
HSM Configuration -> Remote Backup HSM (PED) Backup Device
HSM Status -> OK
Current Slot Id: 1
3.Use the slot set command to go to the slot you want to restore to.
lunacm:> slot set slot 1
Current Slot Id: 1 (Luna SA Slot 6.22.0 (PED) Signing With Cloning Mode)
Command Result : No Error
4.Open a remote PED session to the Luna SA you are restoring to.
lunacm:> ped connect ip 192.20.10.190
Command Result : No Error
lunacm:> ped get
HSM slot 1 listening to remote PED (PED id=100).
Command Result : No Error
lunacm:>The Luna SA is now listening for PED interaction via the link between PEDclient on the Luna SA appliance and PEDserver on the workstation, and is not expecting a PED connected directly at the location of the Luna SA.
5.Log into the partition in the current slot. This is the partition that you want to restore to.
lunacm:> par login
Option -password was not supplied. It is required.
Enter the password: *******
User is activated, PED is not required.
Command Result : No Error
lunacm:> 6.Use the partition archive restore command restore the partition from the Backup HSM to the current slot, adding to, or replacing, the current partition contents.
partition archive restore -slot <backup-hsm-slotnumber> -partition LunaSAPartitionname -password ClientPassword -replace
Note: In the command above, you could have used -add instead of -replace. Adding might result in unwanted behaviors, such as having two keys with the same label, if one existed in the HSM Partition and one on the backup token. The two would be assigned different handles, however.