Remote Application Partition Backup and Restore Using the Backup HSM
This section describes how to perform remote backup and restore operations using the Luna Remote Backup HSM (Backup HSM). It contains the following sections:
• "Configuring the Remote Backup Service (RBS)"
• "Backing Up an Application Partition to a Remotely Located Backup HSM"
• "Restoring an HSM Partition From a Remotely Located Backup HSM"
Remote backups are enabled by the Luna Remote Backup Service (RBS). RBS is a utility, included with the Luna client software, that runs as a service (Windows) or daemon (Unix/Linux) on a workstation used to host one or more remote Backup HSMs.
To use RBS, you do the following:
• configure it to define which of the Backup HSMs connected to the workstation running RBS you want to make available to other Luna client workstations or Luna SA appliances for performing remote backups.
• register the workstation running RBS with any Luna client workstations or Luna SA appliances that you want to be able to use the remote Backup HSMs.
• start the RBS service/daemon.
Once RBS is configured and running, the Luna client workstations or Luna SA appliances registered with the workstation running RBS can see its available Backup HSMs as slots in LunaCM (Luna client workstation) or LunaSH (Luna SA appliance). To perform backup and restore operations using the remote Backup HSMs, you open a LunaCM or LunaSH session, as relevant, on the Luna client workstation or Luna SA appliance that hosts the slot you want to back up, and specify the slot for the remote Backup HSM as the slot to use for the backup/restore operation.
The backup operation can go from a source partition (on a Luna HSM) to an existing partition on the Luna Remote Backup HSM, or if one does not exist, a new partition can be created during the backup. The restore operation cannot create a target partition on a Luna SA; it must already exist and have a registered NTLS link.
To back up PED-authenticated partitions, you can connect a remote PED to the Backup HSM host workstation, or you can use a separate computer to provide PED operations.
Note: Remote PED (PEDServer) is supported on Windows only.
The possible configurations for performing a remote backup of a Luna client workstation slot are illustrated in the following figures. Only PED-authenticated backup configurations are shown.
Figure 1: Configuration for remote backup of a Luna client workstation slot with the remote PED connected to the backup workstation
Figure 2: Configuration for remote backup of a Luna client workstation slot with the remote PED connected to a separate workstation
The possible configurations for performing a remote backup of a Luna SA appliance are illustrated in the following figures. Only PED-authenticated backup configurations are shown.
Figure 3: Configuration for remote backup of a Luna SA appliance with the remote PED connected to the backup workstation
Figure 4: Configuration for remote backup of a Luna SA appliance with the remote PED connected to a separate workstation
Configuring the Remote Backup Service (RBS)
RBS is not a standalone feature. It is a service that facilitates certain scenarios when backing up HSM partitions, or restoring onto those partitions, using a backup HSM that is distant from the primary HSM and its host or client. RBS runs only on the computer that hosts the Luna Remote Backup HSM. RBS is a separate option at software installation time. You do not need it on all client/admin computers, but it doesn't hurt to have it installed. Running RBS also requires running PEDClient on that computer, as well as on the distant primary; the paired instances of PEDClient form the communications link that makes RBS possible.
RBS requires PEDClient on both the RBS client and RBS server ends.
The PEDClient is half of the PEDServer/PEDClient duo that enables Remote PED service.
However, PEDClient is also used in the communication component of Remote Backup Service. So, PEDClient should run on all the platforms that have HSMs - where a Luna G5 or Luna PCI-E is installed (PEDClient is already inside Luna SA 5.2 and newer...) - and also on any system with the RBS application.
The PEDServer is required only on a computer with the Luna Remote PED.
If you consolidate your HSM administration (including Remote PED) on the same computer with your Luna Remote Backup HSM, you would have both PEDClient and PEDServer installed there. We observe that a majority of customers combine administrative functions this way, on a laptop or a workstation that is used to administer one-or-many HSM hosts. The HSM host (with Luna G5 or Luna PCI-E) or the Luna SA appliance resides in a physically secure, possibly remote location, while the administrator works from a laptop in her/his office. Your security policy determines how you do it.
1. Install the Luna client software on the computer used to manage the HSMs/partitions you want to back up. If you use PED authentication, ensure that the Remote PED option is installed. You must also install the Luna SA client software in addition to the Luna G5 or Luna PCI-E software, because the Luna SA client is the only one that includes the vtl utility, which is required to perform the certificate exchange that enables Remote Backup Service.
2. Install the Luna client software on the workstation used to host your Backup HSM. Select the Remote Backup option. If the workstation is running Windows and will be used to connect a Remote PED, install the Remote PED option here.
3. Run rbs --genkey to generate the server.pem that establishes the Remote Backup Service between the Backup host and the host/client for the primary HSM. The location of the server.pem file is given in the Chrystoki.conf / crystoki.ini file.
4. Run rbs --config to specify the devices to support.
5. Run rbs --daemon to launch the rbs daemon (Linux and UNIX) or the rbs console application (on Windows, it closes after every use).
6. Create the client certificate (if not already done):
vtl createCert -n <host_ip_address>
7. Use scp (Unix/Linux) or pscp (Windows) to copy the certificate generated earlier (server.pem) to your primary HSM host computer (or Luna SA appliance).
# scp root@172.20.9.253:/usr/safenet/lunaclient/rbs/server/server.pem .
root@172.20.9.253's password: *********
server.pem | 1 kB | 1.2 kB/s | ETA: 00:00:00 | 100%
8. Run vtl on the host computer (or appliance) to add the RBS server to the server list.
vtl add -n 172.20.9.253 -c server.pem
New server 192.20.9.253 successfully added to server list.
vtl list
Server: 192.20.9.82 HTL required: no
Server: 192.20.9.253 HTL required: no
Note: If you encounter problems, try changing the RBS and PEDClient ports from the default values. Check that your firewall is not blocking ports used by the service. (Refer to the command syntax pages for default values.)
Backing Up an Application Partition to a Remotely Located Backup HSM
This section describes how to back up an application partition to a remotely located Backup HSM using RBS.
You will need the following components to perform a remote backup:
Quantity | Description
---|---
1 | Luna HSM 5.2 or newer
1 | Windows computer with Luna SA 5.2 (or newer) client software installed
1 | Luna Remote Backup HSM
1 | Set of PED Keys imprinted for the source HSM and partitions
1 | Luna PED 2 (Remote PED with f/w 2.4.0 or later)*
1 | Power cable for Luna PED 2 (Remote)
2 | USB to mini USB cable for Luna PED 2 (Remote) and Luna Remote Backup HSM
Note: The Luna PED that is connected to the Windows computer, in order to perform Remote PED operations with the distant Luna SA appliance, must be a Luna PED 2 (remote-capable version) and is used in Remote mode and in local mode. You also have the option to connect a second Luna PED, which can be Remote capable or can be a local-only version, to the Luna Backup HSM. This allows you to leave the Remote capable Luna PED connected to the workstation in Remote mode.
The following examples assume that you have set up RBS, as described in "Configuring the Remote Backup Service (RBS)", and have prepared for the backup, as follows:
• the Backup HSM and the HSMs/partitions you want to back up are initialized with appropriate keys (blue SO and black Partition Owner/User PED Keys, which can be the same for both devices, or can be different)
• both devices must share the same domain or RED key value.
• the workstation (Windows computer) has the Remote PED and Luna Remote Backup software packages installed, including the appropriate driver, if you are using it to
• for Luna SA, NTLS is established between your workstation computer, acting as a Luna SA client, and the distant Luna SA - that is, the workstation is registered as a client with the partition.
• a Remote PED session key (orange RPV key) has been created and associated with the distant Luna HSM.
The following procedure provides an example illustrating how to remotely back up a PED-authenticated application partition. In this example a single remote PED, attached to the Windows workstation used to host the Backup HSM, is used.
Set up the remote PED
1. Ensure that your Windows workstation has the PED USB driver (from the /USBDriver folder on the software CD) installed, and that the PEDServer.exe file (the executable program file that makes Remote PED operation possible) has been copied to a convenient directory on your hard disk.
2. Connect all of the components as follows:
From | Using | To
---|---|---
Workstation | USB | Remote PED (Luna PED IIr in Remote mode)
DC power receptacle on Remote PED | PED Power Supply | Mains AC power (wall socket)
Workstation | USB | Luna Remote Backup HSM
Luna Remote Backup HSM | Power Cord | Mains AC power (wall socket)
3. At the Remote Luna PED (Luna PED 2 with remote capability, connected to the USB port of the workstation), do the following:
– press < on the PED keypad to exit local mode.
– press 7 to enter remote mode.
4. Run PEDServer to start the remote PED service on the administrative workstation (Windows) computer, as follows:
– In a Command Prompt (DOS) window, change directory to the location of the PEDServer.exe file and run that file:
C:\>cd \Program Files\LunaClient
C:\Program Files\LunaClient>PEDServer -mode start
5. Open an administrative connection (SSH) to the distant Luna HSM (for a Luna SA appliance, log in as 'admin'; for another HSM host, log in with the appropriate ID). Start the PED Client (the Remote PED enabling process on the appliance):
Example (substitute the actual IP address of your workstation computer)--
lunash:> hsm ped connect -ip 192.2.12.16 -port 1503
or
lunacm:> hsm ped connect -ip 192.2.12.16 -port 1503
Insert the orange RPV PED Key that matches the RPV of the distant Luna HSM.
The Remote PED Client in the Luna SA appliance or in the Luna client workstation establishes a connection with the listening PEDserver on your remote PED workstation.
Backup a slot to the remotely located backup HSM
Note: The following steps apply to LunaCM only. For LunaSH, follow the procedure "To backup a Luna SA partition to a directly connected Backup HSM". Use the token backup list and token backup show commands to ensure that the remote Backup HSM is visible.
6. Start the LunaCM utility (in Windows, it resides at C:\Program Files\SafeNet\LunaClient - in Linux/UNIX, it resides at /usr/safenet/lunaclient/bin).
C:\Program Files\SafeNet\LunaClient>lunacm.exe
LunaCM V6.0.0 - Copyright (c) 2006-2015 SafeNet, Inc.
Available HSM's:
Slot Id -> 1
HSM Label -> SA82_P1
HSM Serial Number -> 16298193222733
HSM Model -> LunaSA
HSM Firmware Version -> 6.22.0
HSM Configuration -> Luna User Partition, With SO (PED) Signing With Cloning Mode
HSM Status -> OK
Slot Id -> 2
HSM Label -> G5PKI
HSM Serial Number -> 701968008
HSM Model -> LunaSA
HSM Firmware Version -> 6.10.1
HSM Configuration -> Luna SA Slot (PED) Signing With Cloning Mode
HSM Status -> OK
Slot Id -> 3
HSM Label -> G5backup
HSM Serial Number -> 700101
HSM Model -> G5Backup
HSM Firmware Version -> 6.10.1
HSM Configuration -> Remote Backup HSM (PED) Backup Device
HSM Status -> OK
Current Slot Id: 1
7. If the current slot is not the slot that you wish to back up, use the slot set command to go to the correct slot.
lunacm:> slot set slot 1
Current Slot Id: 1 (Luna User Slot 6.22.0 (PED) Signing With Cloning Mode)
Command Result : No Error
8. Establish that the HSM is listening for the remote Luna PED at the correct location.
Note: The PEDServer must already have been set up at that host.
lunacm:> ped get
HSM slot 1 listening to local PED (PED id=0).
Command Result : No Error
lunacm:> ped connect ip 172.20.10.190
Command Result : No Error
lunacm:> ped get
HSM slot 1 listening to remote PED (PED id=100).
Command Result : No Error
9. Skip this step if your source partition is activated.
Log into the partition (this takes place at the currently selected slot). This step is needed only if the partition you are about to back up is not already in the activated state.
Example for HSM with firmware 6.22.0 or newer:
lunacm:> role login -name Crypto Officer
Option -password was not supplied. It is required.
Enter the password: *******
User is activated, PED is not required.
Command Result : No Error
Example for HSM with firmware older than version 6.22.0:
lunacm:> par login
Option -password was not supplied. It is required.
Enter the password: *******
User is activated, PED is not required.
Command Result : No Error
10. Disconnect the PED connection from your source HSM (slot 1 in this example), and connect to the remote Backup HSM (slot 3 in this example).
lunacm:> ped disconnect
Are you sure you wish to disconnect the remote ped?
Type 'proceed' to continue, or 'quit' to quit now -> proceed
Command Result : No Error
lunacm:> ped connect ip 192.20.10.190 -slot 3
Command Result : No Error
lunacm:> ped get -slot 3
HSM slot 3 listening to remote PED (PED id=100).
Command Result : No Error
11. Perform the backup from the current slot (slot 1 in the example, see above) to the partition that you designate on the remote Backup HSM. Now that the Backup HSM is listening correctly for a PED, the target partition can be created, with PED action for the authentication.
lunacm:> partition archive backup -slot 3 -par SAbck1
Logging in as the SO on slot 3.
Please attend to the PED.
Creating partition SAbck1 on slot 3.
Please attend to the PED.
Logging into the container SAbck1 on slot 3 as the user.
Please attend to the PED.
Creating Domain for the partition SAbck1 on slot 3.
Please attend to the PED.
Verifying that all objects can be backed up...
85 objects will be backed up.
Backing up objects...
Cloned object 99 to partition SAbck1 (new handle 19).
Cloned object 33 to partition SAbck1 (new handle 20).
Cloned object 108 to partition SAbck1 (new handle 23).
.
.
.
Cloned object 78 to partition SAbck1 (new handle 128).
Cloned object 88 to partition SAbck1 (new handle 129).
Cloned object 40 to partition SAbck1 (new handle 130).
Backup Complete.
85 objects have been backed up to partition SAbck1 on slot 3.
Command Result : No Error
12. The backup operation is complete.
Restoring an HSM Partition From a Remotely Located Backup HSM
This section describes how to restore an application partition from a remotely located Backup HSM using RBS.
The following procedure provides an example of how to restore a partition from a remotely located Backup HSM. In this example, the partition is restored to a Luna SA partition that is not in the activated state. A single remote PED is used to authenticate to the remote Backup HSM and the Luna SA partition. If your primary HSM partition (the partition onto which you will restore the backed-up objects) is in the activated state, then only the Backup HSM needs PED activity for authentication during restore.
Note: The following steps apply to LunaCM only. For LunaSH, follow the procedure "To restore a Luna SA partition from a directly connected Backup HSM". Use the token backup list and token backup show commands to ensure that the remote Backup HSM is visible.
1. In our test setup, we have each of several Luna HSM products. An easy way to see an updated summary of all HSMs and slot assignments is to exit LunaCM and restart the utility.
C:\Program Files\SafeNet\LunaClient>lunacm.exe
LunaCM v6.0.0 - Copyright (c) 2006-2015 SafeNet, Inc.
Available HSMs:
Slot Id -> 0
Label ->
Serial Number -> 16298193222733
Model -> LunaSA
Firmware Version -> 6.22.0
Configuration -> Luna User Partition With SO (PED) Signing With Cloning Mode
Slot Description -> Net Token Slot
Slot Id -> 1
Label ->
Serial Number -> 16298193222735
Model -> LunaSA
Firmware Version -> 6.22.0
Configuration -> Luna User Partition With SO (PED) Signing With Cloning Mode
Slot Description -> Net Token Slot
Slot Id -> 2
Label -> legacypar1
Serial Number -> 16298193222734
Model -> LunaSA
Firmware Version -> 6.22.0
Configuration -> Luna User Partition, No SO (PED) Signing With Cloning Mode
Slot Description -> Net Token Slot
Slot Id -> 3
Label -> SAbck1
Serial Number -> 700101
Model -> G5Backup
Firmware Version -> 6.10.4
Configuration -> Luna User Partition With SO (PED) Signing With Cloning Mode
Slot Description -> User Token Slot
Slot Id -> 5
Tunnel Slot Id -> 7
Label ->
Serial Number -> 349297122734
Model -> K6 Base
Firmware Version -> 6.22.0
Configuration -> Luna User Partition With SO (PED) Signing With Cloning Mode
Slot Description -> User Token Slot
Slot Id -> 6
Tunnel Slot Id -> 7
Label -> mypcie6
Serial Number -> 150022
Model -> K6 Base
Firmware Version -> 6.22.0
Configuration -> Luna HSM Admin Partition (PED) Signing With Cloning Mode
Slot Description -> Admin Token Slot
HSM Configuration -> Luna HSM Admin Partition (PED)
HSM Status -> OK
Slot Id -> 8
HSM Label -> myG5pw
HSM Serial Number -> 7001312
HSM Model -> G5Base
HSM Firmware Version -> 6.10.4
HSM Configuration -> Luna G5 (PW) Signing With Cloning Mode
HSM Status -> OK
Current Slot Id: 0
2. Verify which slot is listening for PED and whether it is expecting local or remote.
lunacm:> ped get
HSM slot 0 listening to local PED (PED id=0).
Command Result : No Error
3. Connect to Remote PED.
lunacm:> ped connect ip 192.20.10.190
Command Result : No Error
(Causes the currently selected slot in lunacm (still slot 0 in this example) to connect to the remote PED.)
4. Log into the partition to which you want to restore.
Note: This would not be necessary if the partition was activated - we are demonstrating that if the partition was not in login state or activated state, it is straightforward to briefly switch the PED to the primary HSM partition before switching the PED back to the Backup HSM.
lunacm:> role login -n Crypto Officer
enter password: *******
Please attend to the PED.
Command Result : No Error
lunacm:> ped disconnect
Are you sure you wish to disconnect the remote ped?
Type 'proceed' to continue, or 'quit' to quit now -> proceed
Command Result : No Error
(The current selected slot in lunacm is still slot 0, and having ensured login status on that slot/partition we have just released the Remote PED connection there. The other end of the Remote PED pair, the PED-connected host computer running PedServer, is now free to accept a Remote PED link from another PedClient, which will be the host attached to the Luna Backup HSM.)
Note: In this example, the Luna SA partition, to which we will restore objects, is visible in lunacm at slot 0 because it is linked to this Luna client by NTLS, while this Client is registered to that partition at the Luna SA.
The Luna Remote Backup HSM is visible in lunacm, at slot 3 in this case, because it is linked by the RBS connection that you previously established (see "To Configure RBS" above in this chapter); that is, pedclient is running on this Client, and pedclient and rbs.exe are running on the Backup HSM's host, with each other identified as their partner in the RBS link.
5. Connect the Remote PED to the Backup HSM (which, in this example, is slot 3).
lunacm:> ped connect ip 192.20.10.190 slot 3
Command Result : No Error
lunacm:> ped get
HSM slot 0 listening to local PED (PED id=0).
Command Result : No Error
lunacm:> ped get slot 3
HSM slot 3 listening to remote PED (PED id=100).
Command Result : No Error
(The ped connect command specifies the slot (now the Luna Backup HSM) that makes a new Remote PED connection, because that slot indication is part of the command - and ped get verifies the new Remote PED-connected slot. But the focus of the library/lunacm has not changed from slot 0; any other lunacm commands that act on a slot will act on slot 0 until you change that with slot set. You could verify that current focus, if you wished, by running slot list again.)
6. Restore to the current slot (slot 0) from the slot that corresponds to the Backup HSM (slot 3).
lunacm:> partition archive restore -slot 3 -par SAbck1
Logging in to partition SAbck1 on slot 3 as the user.
Please attend to the PED.
Verifying that all objects can be restored...
85 objects will be restored.
Restoring objects...
Cloned object 19 from partition SAbck1 (new handle 20).
Cloned object 20 from partition SAbck1 (new handle 21).
Cloned object 23 from partition SAbck1 (new handle 22).
.
.
.
Cloned object 128 from partition SAbck1 (new handle 137).
Cloned object 129 from partition SAbck1 (new handle 138).
Cloned object 130 from partition SAbck1 (new handle 139).
Restore Complete.
85 objects have been restored from partition SAbck1 on slot 3.
Command Result : No Error
(Because the lunacm focus rests with the target partition in slot 0, your partition archive restore command must explicitly identify the slot from which backup source objects are to be cloned, slot 3 in this example, onto the target partition, current-slot 0 in this case. You also specified the backup partition name, because a Luna Backup HSM can contain more than one archived partition.)
7. Verify that the restored slot now looks like it did just before the backup was originally performed.
lunacm:> partition archive list -slot 3
HSM Storage Information for slot 3:
Total HSM Storage Space: 16252928
Used HSM Storage Space: 43616
Free HSM Storage Space: 16209312
Number Of Allowed Partitions: 20
Number Of Allowed Partitions: 1
Partition list for slot 3
Number of partition: 1
Name: SAbck1
Total Storage Size: 41460
Used Storage Size: 41460
Free Storage Size: 0
Number Of Objects: 85
Command Result : No Error
lunacm:>
8. Remote restore from backup, using RBS, is complete.
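As an added example (not from the Luna documentation or SafeNet's own tooling), the following Python helper parses LunaCM transcripts of the kind shown in the backup and restore steps above (the slot listing, ped get, partition archive backup/restore, and partition archive list) to locate the Backup HSM slot, confirm it is listening to a remote PED before the archive command is issued, and check that the object count announced, the count reported complete, and the count listed on the backup partition all agree. The sample transcripts and every function name are constructed for this example.

```python
import re

# Constructed sample transcripts in the layout of this page's LunaCM output (SAbck1 and 85 are the page's values).
SLOT_LISTING = """\
Slot Id -> 1
HSM Label -> SA82_P1
HSM Model -> LunaSA
Slot Id -> 3
HSM Label -> G5backup
HSM Model -> G5Backup
HSM Configuration -> Remote Backup HSM (PED) Backup Device
"""
PED_GET = "HSM slot 3 listening to remote PED (PED id=100).\nCommand Result : No Error"
BACKUP_OUT = """\
85 objects will be backed up.
Cloned object 99 to partition SAbck1 (new handle 19).
Backup Complete.
85 objects have been backed up to partition SAbck1 on slot 3.
Command Result : No Error
"""
ARCHIVE_LIST = "Partition list for slot 3\nName: SAbck1\nNumber Of Objects: 85\nCommand Result : No Error"

def parse_slots(listing):
    # Map slot id -> {field: value}; the "HSM " prefix is dropped so "HSM Model" and "Model" coincide.
    slots, current = {}, None
    for line in listing.splitlines():
        m = re.match(r"\s*(?:HSM )?(.+?)\s*->\s*(.*?)\s*$", line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Slot Id":
            current = int(value)
            slots[current] = {}
        elif current is not None:
            slots[current][key] = value
    return slots

def find_backup_slot(slots):
    # The single slot that is a Backup HSM; None when none or several match.
    hits = [sid for sid, f in slots.items() if f.get("Model", "").endswith("Backup")
            or "Backup Device" in f.get("Configuration", "")]
    return hits[0] if len(hits) == 1 else None

def ped_listening(ped_get_output, slot):
    # ("remote", 100) for "HSM slot 3 listening to remote PED (PED id=100)." when slot == 3.
    m = re.search(r"HSM slot (\d+) listening to (local|remote) PED \(PED id=(\d+)\)", ped_get_output)
    return (m.group(2), int(m.group(3))) if m and int(m.group(1)) == slot else None

def verify_archive(output, expected=None):
    # True only if announced and completed counts agree, the command ended "No Error", and count == expected.
    announced = re.search(r"(\d+) objects will be (?:backed up|restored)", output)
    done = re.search(r"(\d+) objects have been (?:backed up|restored)", output)
    if not (announced and done) or "Command Result : No Error" not in output:
        return False
    n = int(done.group(1))
    return n == int(announced.group(1)) and (expected is None or n == expected)

def archived_object_count(list_output, name):
    # "Number Of Objects" of the named partition in `partition archive list` output.
    m = re.search(r"Name: " + re.escape(name) + r".*?Number Of Objects: (\d+)", list_output, re.S)
    return int(m.group(1)) if m else None

def check_remote_archive(listing, ped_get, archive_out, archive_list, partition):
    # The checks around a remote backup or restore: Backup HSM slot found, remote PED attached, counts agree.
    slot = find_backup_slot(parse_slots(listing))
    listening = ped_listening(ped_get, slot) if slot is not None else None
    if listening is None or listening[0] != "remote":
        return False
    return verify_archive(archive_out, archived_object_count(archive_list, partition))
```

Feeding captured lunacm output through these functions catches a backup or restore that silently cloned fewer objects than it announced, or one issued while the Backup HSM was still bound to a local PED.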
To restore onto a different remote Luna HSM, the same arrangement is required:
• the remote HSM must already have a suitable partition
• if the restore-target HSM is a Luna SA, the target partition can have any name - it does not need to match the name of the source partition on the backup device
• your workstation must be registered as a client to that partition.