Restoring HSM Partitions From Legacy Tokens
In order to provide a migration path from earlier Luna SA and removable-token format HSMs, it is possible to externally connect a Luna DOCK 2 card reader for Luna PCM, Luna CA4, or Luna HSM Backup Token directly to a Luna SA appliance. You can then use LunaSH to restore/migrate legacy token and partition contents to the current-generation Luna SA.
Keys (objects) from multiple Luna CA4 tokens, Luna PCM tokens (Key Export Signing, RA), or Luna HSM Backup Tokens (such as would be used to backup the contents of Luna SA 4.x partitions) with differing cloning domains can be consolidated onto one Luna SA 5.x HSM, where objects from every token HSM are restored onto a partition corresponding to each token (segregated by legacy cloning domain).
Alternatively, you could set up an HA group to include the legacy HSM(s) and the target HSM(s), and use the HA synchronization function. This still requires that the target HSM(s) have their modern cloning domains associated with the legacy domains of the legacy source HSM(s) in the HA group.
Note: Restore from a legacy backup token is effectively a data migration, and is one-way only. Backup to a token-style HSM is not a supported operation for Luna SA 5.x.
For detailed key migration procedures, go to the Support portal and search for Luna HSM Key Migration instructions.
1. Connect all the required components and open a terminal session to the Luna SA appliance.
2. Open a LunaSH session on the Luna SA appliance.
login as: admin
admin@192.20.10.202's password:
Last login: Tue Feb 28 16:03:46 2012 from 192.16.153.111
Luna SA 5.1.0-25 Command Line Shell - Copyright (c) 2001-2011 SafeNet, Inc. All rights reserved.
[myluna] lunash:>
3. Use the token backup update firmware command to upgrade the firmware on the backup token to the latest version. The firmware is included on the appliance.
4. Create a partition to restore to, if it does not already exist.
5. Use the partition restore command to restore a partition, adding to, or replacing the current partition contents:
[myluna] lunash:>par restore -s 7000179 -tokenPar bk5 -par p1 -replace
Please enter the password for the HSM partition:
> *******
CAUTION: Are you sure you wish to erase all objects in the
partition named: p1
Type 'proceed' to continue, or 'quit' to quit now.
> proceed
Warning: You will need to attach Luna PED to the Luna Backup HSM to complete this operation.
You may use the same Luna PED that you used for Luna SA.
Please hit <enter> when you are ready to proceed.
Luna PED operation required to login to user on token - use User or Partition Owner (black) PED key.
Object "1-User DES Key1" (handle 17) cloned to handle 11 on target
Object "1-User DES Key2" (handle 18) cloned to handle 12 on target
Object "1-User Public RSA Key1-512" (handle 19) cloned to handle 13 on target
.
.
.
Object "1-User ARIA Key3" (handle 124) cloned to handle 118 on target
Object "1-User ARIA Key4" (handle 125) cloned to handle 119 on target
Object "1-User ARIA Key5" (handle 126) cloned to handle 120 on target
'partition restore' successful.
Command Result : 0 (Success)
[myluna] lunash:>
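Because the restore is a one-way migration, it is worth keeping a verified record of what was moved. The following Python example is added here and is not part of the Luna documentation or LunaSH: it parses a saved 'partition restore' transcript in the format shown above into an inventory of migrated objects (label, token handle, partition handle) and only reports success when LunaSH returned result 0 and, if the source token's object count is known, every object was cloned. The embedded transcript is a constructed, abridged sample.

```python
import re

# Constructed sample of a LunaSH 'partition restore' transcript (abridged);
# labels and handles are illustrative, not taken from a real appliance.
SAMPLE_TRANSCRIPT = """\
[myluna] lunash:>par restore -s 7000179 -tokenPar bk5 -par p1 -replace
Object "1-User DES Key1" (handle 17) cloned to handle 11 on target
Object "1-User Public RSA Key1-512" (handle 19) cloned to handle 13 on target
Object "1-User ARIA Key5" (handle 126) cloned to handle 120 on target
'partition restore' successful.
Command Result : 0 (Success)
"""

OBJECT_RE = re.compile(
    r'^Object "(?P<label>[^"]+)" \(handle (?P<src>\d+)\) '
    r'cloned to handle (?P<dst>\d+) on target$')
RESULT_RE = re.compile(r'^Command Result : (?P<code>\d+) \(')

def parse_restore_transcript(text):
    """Return (objects, result_code); objects is a list of
    (label, source_handle, target_handle) tuples.  result_code is None
    if no 'Command Result' line was seen (incomplete session)."""
    objects, result_code = [], None
    for line in text.splitlines():
        line = line.strip()
        m = OBJECT_RE.match(line)
        if m:
            objects.append((m["label"], int(m["src"]), int(m["dst"])))
        elif (m := RESULT_RE.match(line)):
            result_code = int(m["code"])
    return objects, result_code

def restore_succeeded(text, expected_count=None):
    """True only when LunaSH reported result 0 and, if the number of
    objects on the source token is known, every one of them was cloned."""
    objects, code = parse_restore_transcript(text)
    if code != 0:
        return False
    if expected_count is not None and len(objects) != expected_count:
        return False
    # Duplicate target handles would indicate a corrupted transcript.
    targets = [dst for _, _, dst in objects]
    return len(targets) == len(set(targets))

if __name__ == "__main__":
    objs, code = parse_restore_transcript(SAMPLE_TRANSCRIPT)
    print(f"result={code}, {len(objs)} objects migrated")
    for label, src, dst in objs:
        print(f"  {label}: token handle {src} -> partition handle {dst}")
```

Feed it the captured session log of the real restore (for example, the terminal emulator's log file) rather than the abridged sample to produce the migration record.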