Home >

Administration Guide > Backup and Restore HSMs and Partitions > Remote Application Partition Backup and Restore Using the Backup HSM

Remote Application-Partition Backup and Restore Using the Backup HSM

This section describes how to perform remote backup and restore operations using the SafeNet Remote Backup HSM (Backup HSM). It contains the following sections:

Overview

Configuring the Remote Backup Service (RBS)

Backing Up an Application Partition to a Remotely Located Backup HSM

Restoring an HSM Partition From a Remotely Located Backup HSM

Overview

Remote backups are enabled by the SafeNet Remote Backup Service (RBS). RBS is a utility, included with the SafeNet HSM client software, that runs as a service (Windows) or daemon (Unix/Linux) on a workstation used to host one or more remote Backup HSMs.

To use RBS, you do the following:

configure it to define which of the Backup HSMs connected to the workstation running RBS that you want to make available to other SafeNet HSM client workstations or SafeNet Network HSM appliances for performing remote backups.

register the workstation running RBS with any SafeNet HSM client workstations or SafeNet Network HSM appliances that you want to be able to use the remote Backup HSMs.

start the RBS service/daemeon.

Once RBS is configured and running, the SafeNet HSM client workstations or SafeNet Network HSM appliances registered with the workstation running RBS can see its available Backup HSMs as slots in LunaCM (SafeNet HSM client workstation) or LunaSH (SafeNet Network HSM appliance). To perform backup and restore operations using the remote Backup HSMs, you open a LunaCM or LunaSH session, as relevant, on the SafeNet HSM client workstation or SafeNet Network HSM appliance used to host the slot you want to backup, and specify the slot for the remote Backup HSM as the slot to use for the backup/restore operation.

The backup operation can go from a source partition (on a SafeNet HSM) to an existing partition on the SafeNet Remote Backup HSM, or if one does not exist, a new partition can be created during the backup. The restore operation cannot create a target partition on a SafeNet Network HSM; it must already exist and have a registered NTLS link.

To back up PED-authenticated partitions, you can connect a remote PED to the Backup HSM host workstation, or you can use a separate computer to provide PED operations.

Note:  Remote PED (PEDServer) is supported on Windows only.

Configurations for Remote Backup of a SafeNet Client Workstation Slot

The possible configurations for performing a remote backup of a SafeNet HSM client workstation slot are illustrated in the following figures. Only PED-authenticated backup configurations are shown.

Figure 1: Configuration for remote backup of a SafeNet HSM client workstation slot with the remote PED connected to the backup workstation

 

Figure 2: Configuration for remote backup of a SafeNet HSM client workstation slot with the remote PED connected to a separate workstation

Configurations for Remote Backup of a SafeNet Network HSM Appliance

The possible configurations for performing a remote backup of a SafeNet Network HSM appliance are illustrated in the following figures. Only PED-authenticated backup configurations are shown.

Figure 3: Configuration for remote backup of a SafeNet Network HSM appliance with the remote PED connected to the backup workstation

 

Figure 4: Configuration for remote backup of a SafeNet Network HSM appliance with the remote PED connected to a separate workstation

Configuring the Remote Backup Service (RBS)

RBS is not a standalone feature. It is a service that facilitates certain scenarios when backing-up HSM partitions or restoring onto those partitions, using a backup HSM that is distant from the primary HSM and its host or client. RBS is run on the computer that hosts the SafeNet Remote Backup HSM, only. RBS is a separate option at software installation time. You do not need it on all client/admin computers, but it doesn't hurt to have it installed. Running RBS also requires running PEDClient on that computer, as well as on the distant primary - the paired instances of PEDClient form the communications link that makes RBS possible.

RBS requires PEDClient on both the RBS client and RBS server ends.

The PEDClient is half of the PEDServer/PEDClient duo that enables Remote PED service.

However, PEDClient is also used in the communication component of Remote Backup Service. So, PEDClient should run on all the platforms that have HSMs - where a SafeNet USB HSM or SafeNet PCI-E HSM is installed (PEDClient is already inside SafeNet Network HSM 5.2 and newer...) - and also on any system with the RBS application.

The PEDServer is required only on a computer with the SafeNet Remote PED.

If you consolidate your HSM administration (including Remote PED) on the same computer with your SafeNet Remote Backup HSM, you would have both PEDClient and PEDServer installed there. We observe that a majority of customers combine administrative functions this way, on a laptop or a workstation that is used to administer one-or-many HSM hosts. The HSM host (with SafeNet USB HSM or SafeNet PCI-E HSM) or the SafeNet Network HSM appliance resides in a physically secure, possibly remote location, while the administrator works from a laptop in her/his office. Your security policy determines how you do it.

To configure RBS

1.Install the SafeNet HSM client software on the computer used to manage the HSMs/partitions you want to back up. If you use PED authentication, ensure that the Remote PED option is installed. You must also install the SafeNet Network HSM client software in addition to the SafeNet USB HSM or SafeNet PCI-E HSM software, because the SafeNet Network HSM client is the only one that includes the vtl utility, which is required to perform the certificate exchange that enables Remote Backup Service.


2.Install the SafeNet HSM client software on the workstation used to host your Backup HSM. Select the Remote Backup option. If the workstation is running Windows, and will be used to connect a Remote PED, install the Remote PED option here.


3.Run rbs --genkey to generate the server.pem to establish the Remote Backup Service between the Backup host and the host/client for the primary HSM. The location of the server.pem file can be found in the Chrystoki.conf /crystoki.ini file.

4.Run rbs --config to specify the devices to support.

5.Run rbs --daemon to launch the rbs daemon (Linux and UNIX) or the rbs console application (on Windows, it closes after every use) .

6.Create the client certificate (if not already done) :
vtl createCert -n <host_ip_address>

7.Use scp (Unix/Linux) or pscp (Windows) to copy the certificate generated earlier (server.pem) to your primary HSM host computer (or SafeNet Network HSM appliance).
# scp root@172.20.9.253:/usr/safenet/lunaclient/rbs/server/server.pem .   
root@172.20.9.253's password: *********   
server.pem | 1 kB | 1.2 kB/s | ETA: 00:00:00 | 100%

8.Run vtl on the host computer (or appliance) to add the RBS server to the server list.   
vtl add -n 172.20.9.253 -c server.pem
New server 192.20.9.253 successfully added to server list.
vtl list
Server: 192.20.9.82 HTL required: no
Server: 192.20.9.253 HTL required: no  

Note:  If you encounter problems, try changing the RBS and PEDClient ports from the default values. Check that your firewall is not blocking ports used by the service. (Refer to the command syntax pages for default values.)

Backing Up an Application Partition to a Remotely Located Backup HSM

This section describes how to backup an application partition to a remotely located Backup HSM using RBS.

Prerequisites

You will need the following components to perform a remote backup:

Quantity Description
1 SafeNet HSM 5.2 or newer
1 Windows computer with SafeNet Network HSM 5.2 (or newer) client software installed
1 SafeNet Remote Backup HSM
1 Set of PED Keys imprinted for the source HSM and partitions
1 SafeNet PED 2 (Remote PED with f/w 2.4.0 or later)*
1 Power cable for SafeNet PED 2 (Remote)
2 USB to mini USB cable for SafeNet PED 2 (Remote) and SafeNet Remote Backup HSM

Note:  The SafeNet PED that is connected to the Windows computer, in order to perform Remote PED operations with the distant SafeNet Network HSM appliance, must be a SafeNet PED 2 (remote-capable version) and is used in Remote mode and in local mode. You also have the option to connect a second SafeNet PED, which can be Remote capable or can be a local-only version, to the SafeNet Backup HSM. This allows you to leave the Remote capable SafeNet PED connected to the workstation in Remote mode.

Assumptions

The following examples assume that you have set up RBS, as described in Configuring the Remote Backup Service (RBS), and have prepared for the backup, as follows:

the Backup HSM and the HSMs/partitions you want to back up are initialized with appropriate keys (blue SO and black Partition Owner/User PED Keys, which can be the same for both devices, or can be different)

Both devices must share the same domain or RED key value.

The workstation (Windows computer) has Remote PED and SafeNet Remote Backup software package installed including the appropriate driver, if you are using it to

For SafeNet Network HSM, NTLS is established between your workstation computer, acting as a SafeNet Network HSM client, and the distant SafeNet Network HSM - that is, the workstation is registered as a client with the partition.   

A Remote PED session key (orange RPV key) has been created and associated with the distant SafeNet HSM.

To Backup an Application Partition to a Remotely Located Backup HSM

The following procedure provides an example illustrating how to remotely backup a PED-authenticated application partition. In this example a single remote PED, attached to the Windows workstation used to host the Backup HSM, is used.

Set up the remote PED

1.Ensure that your Windows workstation has the PED USB driver (from the /USBDriver folder on the software CD) installed, and that the PEDServer.exe file (the executable program file that makes Remote PED operation possible) has been copied to a convenient directory on your hard disk.

2.Connect all of the components as follows:

From Using To
Workstation USB Remote PED (SafeNet PED IIr in Remote mode)
DC power receptacle on Remote PED PED Power Supply Mains AC power (wall socket)
Workstation USB SafeNet Remote Backup HSM
SafeNet Remote Backup HSM Power Cord Mains AC power (wall socket)

3.At the Remote SafeNet PED (SafeNet PED 2 with remote capability, connected to the USB port of the workstation), do the following:

press < on the PED keypad to exit local mode.

press 7 to enter remote mode.

4.Run PEDServer to start the remote PED service on the administrative workstation (Windows) computer, as follows:

In a Command Prompt (DOS) window, change directory to the location of the PEDServer.exe file and run that file:

C:\>cd \Program Files\LunaCient
C:\Program Files\LunaClient>PEDServer -mode start

5.Open an administrative connection (SSH) to the distant SafeNet HSM (for SafeNet Network HSM appliance, log in as 'admin', for another HSM host, log in with the appropriate ID. Start the PED Client (the Remote PED enabling process on the appliance):
Example (substitute the actual IP address of your workstation computer)--
lunash:> hsm ped connect -ip 192.2.12.16 -port 1503
or
lunacm:> hsm ped connect -ip 192.2.12.16 -port 1503

Insert the orange RPV PED Key that matches the RPV of the distant SafeNet HSM.
The Remote PED Client in the SafeNet Network HSM appliance or in the SafeNet HSM client workstation establishes a connection with the listening PEDserver on your remote PED workstation.

Backup a slot to the remotely located backup HSM

Note:  The following steps apply to LunaCM only. For LunaSH, follow the procedure To backup a SafeNet Network HSM partition to a directly connected Backup HSM. Use the token backup list and token backup show commands to ensure that the remote Backup HSM is visible.

6.Start the LunaCM utility (in Windows, it resides at C:\Program Files\SafeNet\LunaClient - in Linux/UNIX, it resides at /usr/safenet/lunaclient/bin).

C:\Program Files\SafeNet\LunaClient>lunacm.exe

LunaCM V6.0.0 - Copyright (c) 2006-2015 SafeNet, Inc.


        Available HSM's:

        Slot Id ->              1
        HSM Label ->            SA82_P1
        HSM Serial Number ->    16298193222733
        HSM Model ->            LunaSA
        HSM Firmware Version -> 6.22.0
        HSM Configuration ->    Luna User Partition, With SO (PED) Signing With Cloning Mode
        HSM Status ->           OK

        Slot Id ->              2
        HSM Label ->            G5PKI
        HSM Serial Number ->    701968008
        HSM Model ->            LunaSA
        HSM Firmware Version -> 6.10.1
        HSM Configuration ->    SafeNet Network HSM Slot (PED) Signing With Cloning Mode
        HSM Status ->           OK

        Slot Id ->              3
        HSM Label ->            G5backup
        HSM Serial Number ->    700101
        HSM Model ->            G5Backup
        HSM Firmware Version -> 6.10.1
        HSM Configuration ->    Remote Backup HSM (PED) Backup Device
        HSM Status ->           OK

        Current Slot Id: 1

 

7.If the current slot is not the slot that you wish to backup, use the slot set command to go to the correct slot.

lunacm:> slot set slot 1

        Current Slot Id: 1     (Luna User Slot 6.22.0 (PED) Signing With Cloning Mode)

Command Result : No Error

 

8.Establish that the HSM is listening for the remote SafeNet PED at the correct location.

Note:  The PEDServer must already have been set up at that host.

lunacm:>ped get

        HSM slot 1 listening to local PED (PED id=0).

Command Result : No Error

lunacm:> ped connect ip 172.20.10.190

Command Result : No Error

lunacm:> ped get

        HSM slot 1 listening to remote PED (PED id=100).

Command Result : No Error

 

9.Skip this step if your source partition is activated.

Log into the partition (this takes place at the currently selected slot). This step is needed only if the partition you are about to backup is not already in the activated state.

Example for HSM with firmware 6.22.0 or newer:

lunacm:> role login -name Crypto Officer

        Option -password was not supplied.  It is required.

        Enter the password: *******

        User is activated, PED is not required.

Command Result : No Error

 

Example for HSM with firmware older than version 6.22.0:

lunacm:> par login

        Option -password was not supplied.  It is required.

        Enter the password: *******

        User is activated, PED is not required.

Command Result : No Error

 

10.Disconnect the PED connection from your source HSM (slot 1 in this example), and connect to the remote Backup HSM (slot 3 in this example).

lunacm:> ped disconnect

        Are you sure you wish to disconnect the remote ped?
        Type 'proceed' to continue, or 'quit' to quit now -> proceed

Command Result : No Error

lunacm:> ped connect ip 192.20.10.190 -slot 3

Command Result : No Error

lunacm:> ped get -slot 3

        HSM slot 3 listening to remote PED (PED id=100).

Command Result : No Error

 

11.Perform the backup from the current slot (slot 1 in the example, see above) to the partition that you designate on the remote Backup HSM. Now that the Backup HSM is listening correctly for a PED, the target partition can be created, with PED action for the authentication.


lunacm:> partition archive backup -slot 3 -par SAbck1

        Logging in as the SO on slot 3.
        Please attend to the PED.

        Creating partition SAbck1 on slot 3.
        Please attend to the PED.

        Logging into the container SAbck1 on slot 3 as the user.
        Please attend to the PED.

        Creating Domain for the partition SAbck1 on slot 3.
        Please attend to the PED.

        Verifying that all objects can be backed up...

        85 objects will be backed up.

        Backing up objects...
        Cloned object 99 to partition SAbck1 (new handle 19).
        Cloned object 33 to partition SAbck1 (new handle 20).
        Cloned object 108 to partition SAbck1 (new handle 23).
        .
        .
        .
        Cloned object 78 to partition SAbck1 (new handle 128).
        Cloned object 88 to partition SAbck1 (new handle 129).
        Cloned object 40 to partition SAbck1 (new handle 130).

        Backup Complete.

        85 objects have been backed up to partition SAbck1
        on slot 3.

Command Result : No Error
 

12.The backup operation is complete.

Restoring an HSM Partition From a Remotely Located Backup HSM

This section describes how to restore an application partition from a remotely located Backup HSM using RBS.

To restore an application partition from a remotely located backup HSM

The following procedure provides an example of how to restore a partition from a remotely located Backup HSM. In this example, the partition is restored to a SafeNet Network HSM partition that is not in the activated state. A single remote PED is used to authenticate to the remote Backup HSM and the SafeNet Network HSM partition. If your primary HSM partition (the partition onto which you will restore the backed-up objects) is in the activated state, then only the Backup HSM needs PED activity for authentication during restore.

Note:  The following steps apply to LunaCM only. For LunaSH, follow the procedure To restore a SafeNet Network HSM partition from a directly connected Backup HSM. Use the token backup list and token backup show commands to ensure that the remote Backup HSM is visible.

1.In our test setup, we have each of several SafeNet HSM products. An easy way to see an updated summary of all HSMs and slot assignments is to exit LunaCM and restart the utility.

C:\Program Files\SafeNet\LunaClient>lunacm.exe

LunaCM v6.0.0 - Copyright (c) 2006-2015 SafeNet, Inc.


        Available HSMs:

         Slot Id ->              0
        Label ->
        Serial Number ->        16298193222733
        Model ->                LunaSA
        Firmware Version ->     6.22.0
        Configuration ->        Luna User Partition With SO (PED) Signing With Cloning Mode
        Slot Description ->     Net Token Slot

        Slot Id ->              1
        Label ->
        Serial Number ->        16298193222735
        Model ->                LunaSA
        Firmware Version ->     6.22.0
        Configuration ->        Luna User Partition With SO (PED) Signing With Cloning Mode
        Slot Description ->     Net Token Slot

        Slot Id ->              2
        Label ->                legacypar1
        Serial Number ->        16298193222734
        Model ->                LunaSA
        Firmware Version ->     6.22.0
        Configuration ->        Luna User Partition, No SO (PED) Signing With Cloning Mode
        Slot Description ->     Net Token Slot

        Slot Id ->              3
        Label ->                SAbck1
        Serial Number ->        700101
        Model ->                G5Backup
        Firmware Version ->     6.10.4
        Configuration ->        Luna User Partition With SO (PED) Signing With Cloning Mode
        Slot Description ->     User Token Slot


        Slot Id ->              5
        Tunnel Slot Id ->       7
        Label ->
        Serial Number ->        349297122734
        Model ->                K6 Base
        Firmware Version ->     6.22.0
        Configuration ->        Luna User Partition With SO (PED) Signing With Cloning Mode
        Slot Description ->     User Token Slot

        Slot Id ->              6
        Tunnel Slot Id ->       7
        Label ->                mypcie6
        Serial Number ->        150022
        Model ->                K6 Base
        Firmware Version ->     6.22.0
        Configuration ->        Luna HSM Admin Partition (PED) Signing With Cloning Mode
        Slot Description ->     Admin Token Slot
        HSM Configuration ->    Luna HSM Admin Partition (PED)
        HSM Status ->           OK

        Slot Id ->              8
        HSM Label ->            myG5pw
        HSM Serial Number ->    7001312
        HSM Model ->            G5Base
        HSM Firmware Version -> 6.10.4
        HSM Configuration ->    SafeNet USB HSM (PW) Signing With Cloning Mode
        HSM Status ->           OK

        Current Slot Id: 0

 

2.Verify which slot is listening for PED and whether it is expecting local or remote.

lunacm:>ped get

        HSM slot 0 listening to local PED (PED id=0).

Command Result : No Error

 

3.Connect to Remote PED.

lunacm:> ped connect ip 192.20.10.190

Command Result : No Error
 

(Causes the currently selected slot in lunacm (still slot 0 in this example) to connect to the remote PED.)

4.Log into the partition to which you want to restore.

Note:  This would not be necessary if the partition was activated - we are demonstrating that if the partition was not in login state or activated state, it is straightforward to briefly switch the PED to the primary HSM partition before switching the PED back to the Backup HSM.

lunacm:> role login -n Crypto Officer

        enter password: *******

        Please attend to the PED.


Command Result : No Error

lunacm:> ped disconnect

        Are you sure you wish to disconnect the remote ped?

        Type 'proceed' to continue, or 'quit' to quit now -> proceed

Command Result : No Error


(The current selected slot in lunacm is still slot 0, and having ensured login status on that slot/partition we have just released the Remote PED connection there. The other end of the Remote PED pair, the PED-connected host computer running PedServer, is now free to accept a Remote PED link from another PedClient, which will be the host attached to the SafeNet Backup HSM.)

Note:  In this example, the SafeNet Network HSM partition, to which we will restore objects, is visible in lunacm at slot 0 because it is linked to this SafeNet HSM client by NTLS, while this Client is registered to that partition at the SafeNet Network HSM.

The SafeNet Remote Backup HSM is visible in lunacm, at slot 3 in this case, because it is linked by the RBS connection that you previously established (see "To Configure RBS" above in this chapter); that is, pedclient is running on this Client, and pedclient and rbs.exe are running on the Backup HSM's host, with each other identified as their partner in the RBS link.

5.Connect the Remote PED to the Backup HSM (which, in this example, is slot 3).

lunacm:> ped connect ip 192.20.10.190 slot 3

Command Result : No Error

lunacm:> ped get

        HSM slot 0 listening to local PED (PED id=0).

Command Result : No Error

lunacm:> ped get slot 3

        HSM slot 3 listening to remote PED (PED id=100).

Command Result : No Error


(The ped connect command specifies the slot (now the SafeNet Backup HSM) that makes a new Remote PED connection, because that slot indication is part of the command - and ped get verifies the new Remote PED-connected slot. But the focus of the library/lunacm has not changed from slot 0; any other lunacm commands that act on a slot will act on slot 0 until you change that with slot set. You could verify that current focus, if you wished, by running slot list again.)

6.Restore to the current slot (slot 0) from the slot that corresponds to the  Backup HSM (slot 3).

lunacm:> partition archive restore -slot 3 -par SAbck1

        Logging in to partition SAbck1 on slot 3 as the user.

        Please attend to the PED.

        Verifying that all objects can be restored...

        85 objects will be restored.

        Restoring objects...
        Cloned object 19 from partition SAbck1 (new handle 20).
        Cloned object 20 from partition SAbck1 (new handle 21).
        Cloned object 23 from partition SAbck1 (new handle 22).
        .
        . 
        .
        Cloned object 128 from partition SAbck1 (new handle 137).
        Cloned object 129 from partition SAbck1 (new handle 138).
        Cloned object 130 from partition SAbck1 (new handle 139).

        Restore Complete.

        85 objects have been restored from partition SAbck1 on slot 3.

Command Result : No Error


(Because the lunacm focus rests with the target partition in slot 0, your partition archive restore command must explicitly identify the slot from which backup source objects are to be cloned, slot 3 in this example, onto the target partition, current-slot 0 in this case. You also specified the backup partition name, because a SafeNet Backup HSM can contain more than one archived partition.)

7.Verify that the restored slot now looks like it did just before the backup was originally performed.

lunacm:> partition archive list -slot 3

        HSM Storage Information for slot 3:

           Total HSM Storage Space:      16252928
           Used HSM Storage Space:       43616
           Free HSM Storage Space:       16209312
           Number Of Allowed Partitions: 20
           Number Of Allowed Partitions: 1

        Partition list for slot 3

           Number of partition: 1

           Name:                      SAbck1
           Total Storage Size:        41460
           Used Storage Size:         41460
           Free Storage Size:         0
           Number Of Objects:         85

Command Result : No Error

lunacm:>


8.Remote restore from backup, using RBS, is complete.

To restore onto a different remote SafeNet HSM, the same arrangement is required:

the remote HSM must already have a suitable partition

if the restore-target HSM is a SafeNet Network HSM, the target partition can have any name - it does not need to match the name of the source partition on the backup device,

your workstation must be registered as a client to that partition.