Backup and Restore From the Client to a Remote Backup HSM (LunaCM, RBS)

This section describes how to use LunaCM and the Remote Backup Service (RBS) to back up and restore a partition from the client to a remotely located SafeNet Backup HSM (Backup HSM). In this case, "remotely located" means that the Backup HSM is USB-connected to its own workstation, not to a Client workstation and not to the HSM that contains the source material being backed up. This section contains the following subsections:

Overview

Configuring the Remote Backup Service (RBS)

Backing Up an Application Partition to a Remotely Located Backup HSM

Restoring an HSM Partition From a Remotely Located Backup HSM

Overview

Remote backups are enabled by the SafeNet Remote Backup Service (RBS). RBS is a utility, included with the SafeNet HSM client software, that runs as a service (Windows) or daemon (Unix/Linux) on a workstation used to host one or more remote Backup HSMs. The RBS service allows the Backup HSM (could be one of several) to be presented over an NTLS-like link and appear as a lunacm slot, alongside distant Network HSM partitions that also appear as lunacm slots. This lets you perform backup and restore operations among the application partition slots and the RBS slots, while all three entities are geographically separated.

You can add a fourth entity, which might be a laptop carried by a manager, who can remotely access the Client and the RBS station to perform configuration, backup/restore and other maintenance operations. In addition, if the HSMs are PED-authenticated, the manager's laptop can optionally serve as a PedServer workstation.

Scenario

The usual scenario for the setup described in this section is that you have

SafeNet Network HSM appliances in a datacenter, with NTLS (and, if needed, Remote PED) links to application clients, management client(s), and (if needed) a Remote PED Server

Application clients elsewhere (not relevant to the Backup/Restore operations)

a dedicated Backup workstation, that can be located anywhere

with Backup HSM connected to it locally via USB

with the Remote Backup Server software, and an RBS connection to a client/management workstation

A client/management workstation, running LunaClient software, with

the remote Network HSM connected via NTLS and with one-or-more application partitions visible as slots in lunacm (at the management workstation)

[optionally] a Remote PED workstation/laptop,

with a Remote-capable PED, USB-connected, and in Remote mode

with PedServer to serve PED operations, both to the distant application partitions (on the Network HSM) and to the Backup HSM (RBS), one at a time

with SSH connection to the RBS station for command access, if needed

with Remote PED link to the RBS station (when not serving PED to the Network HSM(s))

with Remote PED link to the Network HSM(s) when not serving PED to the RBS station

with Remote Desktop Protocol (RDP) or similar link to the Client workstation to run the lunacm instance that sees the Network HSM partitions and the RBS partition as slots

In other words, you perform some management functions at one location, but your Backup workstation is at a different location. That separation is what requires RBS. If you can have a direct connection of your Backup HSM to a client that sees the source HSM partitions and the Backup HSM as slots, then you don't need RBS.

Note:  Remote Backup is not currently supported over IPv6 networks. To back up a SafeNet Network HSM on an IPv6 network, you must use one of the following methods instead:
Backup and Restore From the Appliance to an Appliance-connected Backup HSM (LunaSH)
Backup and Restore From the Client to a Client-Local Backup HSM (LunaCM)

To use RBS, do the following:

1. Configure RBS to define which of the Backup HSMs connected to the workstation running RBS you want to make available to other SafeNet HSM client workstations or SafeNet Network HSM appliances for performing remote backups. See Configuring the Remote Backup Service (RBS) below.

2. Register the workstation running RBS with any SafeNet HSM client workstations or SafeNet Network HSM appliances that you want to be able to use the Remote Backup HSMs.

3. Start the RBS service/daemon.

Once RBS is configured and running, the SafeNet HSM client workstations or SafeNet Network HSM appliances registered with the workstation running RBS can see its available Backup HSMs as slots in LunaCM (SafeNet HSM client workstation). To perform backup and restore operations using the Remote Backup HSMs, you open a LunaCM session, as relevant, on the SafeNet HSM client workstation or SafeNet Network HSM appliance used to host the slot you want to back up, and specify the slot for the Remote Backup HSM as the slot to use for the backup/restore operation.

The backup operation can go from a source partition (on a SafeNet HSM) to an existing partition on the SafeNet Backup HSM, or if one does not exist, a new partition can be created during the backup. The restore operation cannot create a target partition on a SafeNet Network HSM; it must already exist and have a registered NTLS link.

To back up PED-authenticated partitions, you can connect a remote PED to the Backup HSM host workstation, or you can use a separate computer to provide PED operations.

Note:  Remote PED (PED Server) is supported on Windows only.

Configurations for Remote Backup of a SafeNet Client Workstation Slot

Possible configurations for performing a remote backup of a SafeNet HSM client workstation slot are illustrated in the following figures. Only PED-authenticated backup configurations are shown.

Figure 1: Configuration for remote backup of a SafeNet HSM client workstation slot with the remote PED connected to the client workstation

 

Note:  In the scenario above, you would be working from the Client workstation. You need RBS on the Backup host, to serve the Backup HSM as RBS slots to be recognized by lunacm on the Client workstation.

Figure 2: Configuration for remote backup of a SafeNet HSM client workstation slot with the remote PED connected to a separate workstation

Note:  In the scenario above, you would be working from the laptop, with SSH or Remote Desktop connections to manage the Client and the Backup host, and with Remote PED connections to authenticate to the source and backup HSMs.

You need RBS on the Backup host, to serve the Backup HSM as RBS slots to be recognized by lunacm on the Client workstation.

Configuring the Remote Backup Service (RBS)

RBS is not a standalone feature. It is a service that facilitates backing-up HSM partitions or restoring onto those partitions, using a backup HSM that is distant from the primary HSM and its host or its client.

If needed, RBS is run on the computer that hosts the SafeNet Backup HSM, only. RBS is a separate option at software installation time. You do not need it on all client/admin computers, but it doesn't hurt to have it installed. Running RBS also requires running PEDClient on that host, as well as on the distant Client - the paired instances of PED Client form the communications link that makes RBS possible.

RBS requires PED Client on both the RBS client and RBS server ends. PedClient and PedServer are part of the Remote PED installation option in the LunaClient installer.

How to determine that you need RBS

Some customers prefer to have Network HSMs or HSM hosts in secure locations, and administrative client hosts at another location, with Backup HSMs USB-connected to that administrative client host.

PedClient and PedServer are required only if HSMs are PED-authenticated. No RBS is required, because the Backup HSM is physically connected to the client host, where lunacm recognizes it as a local slot. See the diagram Configuration for remote backup of a SafeNet HSM client workstation slot with the remote PED connected to the client workstation.

Many customers prefer to have Network HSMs or HSM hosts in secure locations, administrative client hosts at another location, and Backup HSMs and their hosts at a third location. Some customers find it useful to situate their admin personnel away from the administrative client host locations, at a fourth location, or mobile. The admin personnel use SSH or RDP (or similar) to remotely access the client, configure connections, run backups, etc.

If HSMs are PED-authenticated, PEDServer is installed on the admin laptop, and a Remote-capable PED is USB-connected. RBS is required on the Backup host, because the Backup HSM is physically remote from the administrative client station, such that the RBS connection is needed for lunacm to see the Backup HSM as a slot. See the diagram Configuration for remote backup of a SafeNet HSM client workstation slot with the remote PED connected to a separate workstation.

Your security policy or logistic constraints determine the approach(es) you choose.

Preparing to use RBS

The major actions required to prepare for RBS are:

Configure NTLS between your Network HSM appliances and the administrative client host; this allows the application partitions on the Network HSM to be visible as slots in lunacm.
Configure RBS (based on NTLS) between your Remote Backup HSM host and the administrative client.

Launch the RBS service on the Remote Backup host.

Configure Remote PED (for PED-authenticated HSMs)

between your Network HSM(s) and the laptop/workstation with the PED connected via USB, and also

between the Remote Backup host and the laptop/workstation with the PED connected via USB,

and launch Remote PED service.

To configure NTLS with your Network HSM appliance

When configuring RBS, it is assumed that you have previously configured your HSM.

It is also assumed that you have created application partitions and registered them to create NTLS links.

See About the Configuration Guide in the Configuration Guide for instructions.

To configure RBS:

1. Install the SafeNet HSM client software on the computer used to manage the HSMs/partitions you want to back up. If you use PED authentication, ensure that the Remote PED option is installed. You must also install the SafeNet Network HSM client software even if you have installed the SafeNet PCIe HSM software, because the SafeNet Network HSM client is the only one that includes the vtl utility, which is required to perform the certificate exchange that enables Remote Backup Service.

2. Install the SafeNet HSM client software on the workstation used to host your Backup HSM. Select the Remote Backup option. If the workstation is running Windows, and will be used to connect a Remote PED, install the Remote PED option here.

For a Client connecting to Network HSM partitions, you should already have a Client certificate that you earlier exchanged with your Network HSM appliances to create NTLS links with partitions. If so, you should skip creating the certificate again, in the next step. If you do not already have a Client certificate created...

3. On the Client computer, create the client certificate (if not already done) with vtl createCert -n <host_ip_address>.

4. On the Remote Backup HSM host, run rbs --genkey to generate the server.pem to establish the Remote Backup Service between the Backup host and the host/client for the primary HSM. The location of the server.pem file can be found in the Chrystoki.conf/crystoki.ini file. SCP or PSCP the RBS certificate to the Client computer.

5. On the client computer run vtl addserver to add the RBS server to the server list.
vtl add -n 192.20.9.253 -c server.pem
New server 192.20.9.253 successfully added to server list.
vtl list
Server: 192.20.9.82
Server: 192.20.9.253

6. On the Remote Backup host, run rbs --config for each Backup HSM that is USB-connected to the host.

7. Run rbs --daemon to launch the RBS daemon (Linux and UNIX) or the RBS console application (on Windows, it closes after every use).

Note:  If you encounter problems, try changing the RBS and PED Client ports from the default values. Check that your firewall is not blocking ports used by the service. (Refer to the command syntax pages for default values.)

Private Keys could be lost - procedural awareness issue

If you have Private Key Cloning switched off for the current partition, then the backup operation proceeds, but skips over any private keys, and clones only the permitted objects onto the Backup HSM.

Similarly, if you restore from a token that includes private keys, but the target partition has Private Key Cloning disallowed, then all other objects are recovered to the partition, but the private keys are skipped during the operation.

The default setting allows private key cloning, but you might have changed that to satisfy your security regime. This consequence of such a change in policy is sometimes overlooked.

Backing Up an Application Partition to a Remotely Located Backup HSM

This section describes how to back up an application partition to a remotely located Backup HSM using RBS.

Prerequisites

You will need the following components to perform a remote backup:

Quantity  Description
1         SafeNet HSM 5.2 or newer
1         Windows computer with SafeNet Network HSM 5.2 (or newer) client software installed
1         SafeNet Backup HSM
1         Set of PED keys imprinted for the source HSM and partitions
1         Luna PED (Remote PED with f/w 2.7.1 or later)*
1         Power cable for Luna PED (Remote)
2         USB to mini USB cable for Luna PED (Remote) and SafeNet Backup HSM

Note:  The Luna PED that is connected to the Windows computer, in order to perform Remote PED operations with the distant SafeNet Network HSM appliance, must be a Luna PED (remote-capable version) and is used in Remote mode and in Local mode. You also have the option to connect a second Luna PED, which can be Remote capable or can be a Local-only version, to the SafeNet Backup HSM. This allows you to leave the Remote capable Luna PED connected to the workstation in Remote mode.

Assumptions

The following examples assume that you have set up RBS, as described in Configuring the Remote Backup Service (RBS), and have prepared for the backup, as follows:

The Backup HSM and the HSMs/partitions you want to back up are initialized with appropriate keys (blue SO and black Partition Owner/User PED keys, which can be the same for both devices, or can be different).

Both devices must share the same domain or red PED key value.

The workstation (Windows computer) has Remote PED and SafeNet Remote Backup software package installed including the appropriate driver.

For SafeNet Network HSM, NTLS is established between your workstation computer, acting as a SafeNet Network HSM client, and the distant SafeNet Network HSM - that is, the workstation is registered as a client with the partition.   

A Remote PED session key (orange RPV key) has been created and associated with the distant SafeNet HSM.

To Backup an Application Partition to a Remotely Located Backup HSM:

The following procedure provides an example illustrating how to back up a PED-authenticated application partition remotely. In this example, a single remote PED, attached to the Windows workstation used to host the Backup HSM, is used.

Set up the remote PED

1. Ensure that your Windows workstation has the PED USB driver (from the /USBDriver folder in the installer archive) installed, and that the PEDServer.exe file (the executable program file that makes Remote PED operation possible) has been copied to a convenient directory on your hard disk.

2. Connect all of the components as follows:

From                               Using             To
Workstation                        USB               Remote PED (Luna PED IIr in Remote mode)
DC power receptacle on Remote PED  PED Power Supply  Mains AC power (wall socket)
Workstation                        USB               SafeNet Backup HSM
SafeNet Backup HSM                 Power Cord        Mains AC power (wall socket)

3. At the Remote Luna PED (Luna PED with remote capability, connected to the USB port of the workstation), do the following:

Press < on the PED keypad to navigate to the main menu.

Press 7 to enter Remote mode.

4. Run PedServer to start the Remote PED service on the administrative workstation (Windows) computer, as follows:

In a Command Prompt (DOS) window, change directory to the location of the PEDServer.exe file and run it:

C:\>cd \Program Files\LunaClient
C:\Program Files\LunaClient>PEDServer -mode start

5. Open an administrative connection (SSH) to the distant SafeNet HSM (for a SafeNet Network HSM appliance, log in as "admin"; for another HSM host, log in with the appropriate ID). Start the PED Client (the Remote PED enabling process on the appliance):

lunash:> hsm ped connect -ip <workstation_ip_address> -port 1503
            
or
lunacm:> ped connect -ip <workstation_ip_address> -port 1503

 

Insert the orange RPV PED key that matches the RPV of the distant SafeNet HSM.
The Remote PED Client in the SafeNet Network HSM appliance or in the SafeNet HSM client workstation establishes a connection with the listening PedServer on your remote PED workstation.

Backup a slot to the remotely located backup HSM

Note:  The following steps apply to LunaCM only. For LunaSH, follow the procedure To backup a SafeNet Network HSM partition to a directly connected Backup HSM. Use the token backup list and token backup show commands to ensure that the remote Backup HSM is visible.

6. Start the LunaCM utility (in Windows, it resides at C:\Program Files\SafeNet\LunaClient - in Linux/UNIX, it resides at /usr/safenet/lunaclient/bin).

C:\Program Files\SafeNet\LunaClient>lunacm.exe

LunaCM V7.0.0 - Copyright (c) 2006-2017 Gemalto, Inc.

        Available HSM's:

        Slot Id ->              1
        HSM Label ->            SA82_P1
        HSM Serial Number ->    16298193222733
        HSM Model ->            LunaSA 6.26.0
        HSM Firmware Version -> 7.0.1
        HSM Configuration ->    Luna User Partition, With SO (PED) Signing With Cloning Mode
        HSM Status ->           OK

        Slot Id ->              2
        HSM Label ->            SA200_Par1
        HSM Serial Number ->    701968008
        HSM Model ->            LunaSA
        HSM Firmware Version -> 6.10.9
        HSM Configuration ->    SafeNet Network HSM Slot (PED) Signing With Cloning Mode
        HSM Status ->           OK

        Slot Id ->              3
        HSM Label ->            G5backup
        HSM Serial Number ->    700101
        HSM Model ->            G5Backup
        HSM Firmware Version -> 6.26.01
        HSM Configuration ->    Luna HSM (PED) Backup Device
        HSM Status ->           OK

        Current Slot Id: 1
 

7. If the current slot is not the slot that you wish to back up, use the slot set command to go to the correct slot.

lunacm:> slot set slot 1

        Current Slot Id: 1     (Luna User Slot 6.26.0 (PED) Signing With Cloning Mode)

Command Result : No Error
 

8. Establish that the HSM is listening for the remote Luna PED at the correct location:

Note:  The PEDServer must already have been set up at that host.

lunacm:>ped get

        HSM slot 1 listening to local PED (PED id=0).

Command Result : No Error

lunacm:> ped connect ip 192.20.10.190

Command Result : No Error

lunacm:> ped get

        HSM slot 1 listening to remote PED (PED id=100).

Command Result : No Error
 

9. Skip this step if your source partition is already in login state (activated).

Log into the partition (this takes place at the currently selected slot). This step is needed only if the partition you are about to back up is not already in the activated state.

lunacm:> role login -name Crypto Officer

        Option -password was not supplied.  It is required.

        Enter the password: *******

        User is activated, PED is not required.

Command Result : No Error
 

10. Disconnect the PED from your source HSM (slot 1 in this example), and connect to the remote Backup HSM (slot 3 in this example):

lunacm:> ped disconnect

        Are you sure you wish to disconnect the remote ped?
        Type 'proceed' to continue, or 'quit' to quit now -> proceed

Command Result : No Error

lunacm:> ped connect ip 192.20.10.190 -slot 3

Command Result : No Error

lunacm:> ped get -slot 3

        HSM slot 3 listening to remote PED (PED id=100).

Command Result : No Error

 

11. Perform the backup from the current slot to the partition that you designate on the Remote Backup HSM. Now that the Backup HSM is listening correctly for a PED, the target partition can be created, with PED action for the authentication.


lunacm:> partition archive backup -slot 3 -par SAbck1

        Logging in as the SO on slot 3.
        Please attend to the PED.

        Creating partition SAbck1 on slot 3.
        Please attend to the PED.

        Logging into the container SAbck1 on slot 3 as the user.
        Please attend to the PED.

        Creating Domain for the partition SAbck1 on slot 3.
        Please attend to the PED.

        Verifying that all objects can be backed up...

        85 objects will be backed up.

        Backing up objects...
        Cloned object 99 to partition SAbck1 (new handle 19).
        Cloned object 33 to partition SAbck1 (new handle 20).
        Cloned object 108 to partition SAbck1 (new handle 23).
        .
        .
        .
        Cloned object 78 to partition SAbck1 (new handle 128).
        Cloned object 88 to partition SAbck1 (new handle 129).
        Cloned object 40 to partition SAbck1 (new handle 130).

        Backup Complete.

        85 objects have been backed up to partition SAbck1
        on slot 3.

Command Result : No Error
 

12. The backup operation is complete.
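
A pre-flight check for steps 6 through 10, added here as an example (it is not part of the SafeNet documentation or tooling): it parses captured lunacm slot-listing and ped get output and confirms that a Backup HSM slot is visible, that the current slot is the intended source, and that the Backup HSM slot is listening to a remote PED, as in the single-Remote-PED flow above. The function names are hypothetical, the sample text is constructed, and identifying the Backup HSM by the Model value G5Backup is an assumption taken from the listings on this page.

```python
import re

# Field lines appear as "HSM Label -> x" or "Label -> x" depending on the listing.
FIELD = re.compile(r"^\s*(?:HSM )?([A-Za-z ]+?)\s*->\s*(.*)$")
CURRENT = re.compile(r"Current Slot Id:\s*(\d+)")
PED = re.compile(r"HSM slot (\d+) listening to (local|remote) PED")
BACKUP_MODEL = "G5Backup"  # assumption: Model value shown for the Backup HSM on this page

# Constructed sample, modelled on the listings on this page (both label styles).
SLOT_LISTING = """
        Slot Id ->              1
        HSM Label ->            SA82_P1
        HSM Model ->            LunaSA 6.26.0
        HSM Status ->           OK

        Slot Id ->              3
        Label ->                SAbck1
        Model ->                G5Backup
        Slot Description ->     User Token Slot

        Current Slot Id: 1
"""
PED_GET_REMOTE = "        HSM slot 3 listening to remote PED (PED id=100)."
PED_GET_LOCAL = "        HSM slot 1 listening to local PED (PED id=0)."


def parse_slots(listing):
    """Return ({slot_id: {field: value}}, current_slot_id) from a lunacm slot listing."""
    slots, current, slot = {}, None, None
    for line in listing.splitlines():
        if m := CURRENT.search(line):
            current = int(m.group(1))
        elif m := FIELD.match(line):
            key, value = m.group(1).strip(), m.group(2).strip()
            if key == "Slot Id":
                slot = slots.setdefault(int(value), {})
            elif slot is not None:
                slot.setdefault(key, value)  # keep the first value if a field repeats
    return slots, current


def preflight(listing, ped_get_output, source_slot):
    """Return (backup_slot_ids, problems); an empty problem list means go ahead."""
    slots, current = parse_slots(listing)
    backup_slots = [n for n, s in slots.items() if s.get("Model") == BACKUP_MODEL]
    ped_mode = {int(n): mode for n, mode in PED.findall(ped_get_output)}
    problems = []
    if not backup_slots:
        problems.append("no Backup HSM slot visible: check RBS registration and daemon")
    if source_slot in backup_slots:
        problems.append(f"slot {source_slot} is the Backup HSM, not a source partition")
    if current != source_slot:
        problems.append(f"current slot is {current}; run slot set for slot {source_slot}")
    for n in backup_slots:
        if ped_mode.get(n) != "remote":
            problems.append(f"Backup HSM slot {n} is not listening to a remote PED")
    return backup_slots, problems


if __name__ == "__main__":
    print(preflight(SLOT_LISTING, PED_GET_REMOTE, source_slot=1))
    print(preflight(SLOT_LISTING, PED_GET_LOCAL, source_slot=1))
```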

Restoring an HSM Partition From a Remotely Located Backup HSM

This section describes how to restore an application partition from a remotely located Backup HSM using RBS.

To restore an application partition from a remotely located backup HSM:

The following procedure provides an example of how to restore a partition from a remotely located Backup HSM. In this example, the partition is restored to a SafeNet Network HSM partition that is not in the activated state. A single remote PED is used to authenticate to the remote Backup HSM and the SafeNet Network HSM partition. If your primary HSM partition (the partition onto which you will restore the backed-up objects) is in the activated state, then only the Backup HSM needs PED activity for authentication during restore.

Note:  The following steps apply to LunaCM only. For LunaSH, follow the procedure Backup and Restore From the Appliance to an Appliance-connected Backup HSM (LunaSH). Use the token backup list and token backup show commands to ensure that the Remote Backup HSM is visible.

1. Our test setup has one of each of several SafeNet HSM products. Launching lunacm shows what is available/connected in the slot list.

C:\Program Files\SafeNet\LunaClient>lunacm.exe

LunaCM v7.0.0 - Copyright (c) 2006-2017 Gemalto, Inc.


        Available HSMs:

        Slot Id ->              0
        Label ->
        Serial Number ->        16298193222733
        Model ->                LunaSA 7.0.0
        Firmware Version ->     6.27.0
        Configuration ->        Luna User Partition With SO (PED) Signing With Cloning Mode
        Slot Description ->     Net Token Slot

        Slot Id ->              1
        Label ->
        Serial Number ->        16298193222735
        Model ->                LunaSA 7.0.0
        Firmware Version ->     6.27.0
        Configuration ->        Luna User Partition With SO (PED) Signing With Cloning Mode
        Slot Description ->     Net Token Slot

        Slot Id ->              2
        Label ->                legacypar1
        Serial Number ->        16298193222734
        Model ->                LunaSA
        Firmware Version ->     6.22.0
        Configuration ->        Luna User Partition, No SO (PED) Signing With Cloning Mode
        Slot Description ->     Net Token Slot

        Slot Id ->              3
        Label ->                SAbck1
        Serial Number ->        700101
        Model ->                G5Backup
        Firmware Version ->     6.27.0
        Configuration ->        Luna User Partition With SO (PED) Signing With Cloning Mode
        Slot Description ->     User Token Slot


        Slot Id ->              5
        Tunnel Slot Id ->       7
        Label ->
        Serial Number ->        349297122734
        Model ->                K6 Base
        Firmware Version ->     6.22.0
        Configuration ->        Luna User Partition With SO (PED) Signing With Cloning Mode
        Slot Description ->     User Token Slot

        Slot Id ->              6
        Tunnel Slot Id ->       7
        Label ->                mypcie6
        Serial Number ->        150022
        Model ->                K6 Base
        Firmware Version ->     6.22.0
        Configuration ->        Luna HSM Admin Partition (PED) Signing With Cloning Mode
        Slot Description ->     Admin Token Slot
        HSM Configuration ->    Luna HSM Admin Partition (PED)
        HSM Status ->           OK

        Slot Id ->              8
        HSM Label ->            myG5pw
        HSM Serial Number ->    7001312
        HSM Model ->            G5Base
        HSM Firmware Version -> 6.10.9
        HSM Configuration ->    SafeNet USB HSM (PW) Signing With Cloning Mode
        HSM Status ->           OK

        Current Slot Id: 0

 

2. Verify which slot is listening for PED and whether it is expecting local or remote.

lunacm:>ped get

        HSM slot 0 listening to local PED (PED id=0).

Command Result : No Error

 

3. Connect to Remote PED with ped connect.

4. Log into the partition to which you want to restore.

Note:  This would not be necessary if the partition was activated - we are demonstrating that if the partition was not in login state or activated state, it is straightforward to briefly switch the PED to the primary HSM partition before switching the PED back to the Backup HSM.

lunacm:> role login -n Crypto Officer

        enter password: *******

        Please attend to the PED.


Command Result : No Error

lunacm:> ped disconnect

        Are you sure you wish to disconnect the remote ped?

        Type 'proceed' to continue, or 'quit' to quit now -> proceed

Command Result : No Error


(The current selected slot in LunaCM is still slot 0, and having ensured login status on that slot/partition we have just released the Remote PED connection there. The other end of the Remote PED pair, the PED-connected host computer running PedServer, is now free to accept a Remote PED link from another PedClient, which will be the host attached to the SafeNet Backup HSM.)

Note:  In this example, the SafeNet Network HSM partition, to which we will restore objects, is visible in LunaCM at slot 0 because it is linked to this SafeNet HSM client by NTLS, while this Client is registered to that partition at the SafeNet Network HSM.

The SafeNet Backup HSM is visible in LunaCM, at slot 3 in this case, because it is linked by the RBS connection that you previously established (see "To Configure RBS" above in this chapter); that is, PedClient is running on this Client, and PedClient and rbs.exe are running on the Backup HSM's host, with each other identified as their partner in the RBS link.

5. Connect the Remote PED to the Backup HSM (which, in this example, is slot 3).

lunacm:> ped connect ip 192.20.10.190 slot 3

Command Result : No Error

lunacm:> ped get

        HSM slot 0 listening to local PED (PED id=0).

Command Result : No Error

lunacm:> ped get slot 3

        HSM slot 3 listening to remote PED (PED id=100).

Command Result : No Error


The ped connect command specifies the slot (now the SafeNet Backup HSM) that makes a new Remote PED connection, because that slot indication is part of the command - and ped get verifies the new Remote PED-connected slot. But the focus of the library/LunaCM has not changed from slot 0; any other LunaCM commands that act on a slot will act on slot 0 until you change that with slot set. You could verify that current focus, if you wished, by running slot list again.

6. Restore to the current slot from the slot that corresponds to the Backup HSM.

lunacm:> partition archive restore -slot 3 -par SAbck1

        Logging in to partition SAbck1 on slot 3 as the user.

        Please attend to the PED.

        Verifying that all objects can be restored...

        85 objects will be restored.

        Restoring objects...
        Cloned object 19 from partition SAbck1 (new handle 20).
        Cloned object 20 from partition SAbck1 (new handle 21).
        Cloned object 23 from partition SAbck1 (new handle 22).
        .
        . 
        .
        Cloned object 128 from partition SAbck1 (new handle 137).
        Cloned object 129 from partition SAbck1 (new handle 138).
        Cloned object 130 from partition SAbck1 (new handle 139).

        Restore Complete.

        85 objects have been restored from partition SAbck1 on slot 3.

Command Result : No Error


Because the LunaCM focus rests with the target partition in slot 0, your partition archive restore command must explicitly identify the slot from which backup source objects are to be cloned, slot 3 in this example, onto the target partition, current-slot 0 in this case. You also specified the backup partition name, because a SafeNet Backup HSM can contain more than one archived partition.

7. Verify that the restored slot now looks like it did just before the backup was originally performed.

lunacm:> partition archive list -slot 3

        HSM Storage Information for slot 3:

           Total HSM Storage Space:      16252928
           Used HSM Storage Space:       43616
           Free HSM Storage Space:       16209312
           Number Of Allowed Partitions: 20
           Number Of Allowed Partitions: 1

        Partition list for slot 3

           Number of partition: 1

           Name:                      SAbck1
           Total Storage Size:        41460
           Used Storage Size:         41460
           Free Storage Size:         0
           Number Of Objects:         85

Command Result : No Error

lunacm:>


8. Remote restore from backup, using RBS, is complete.

To restore onto a different remote SafeNet HSM, the same arrangement is required:

The remote HSM must already have a suitable partition.

If the restore-target HSM is a SafeNet Network HSM, the target partition can have any name - it does not need to match the name of the source partition on the backup device.

Your workstation must be registered as a client to that partition.
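
The counts and handle numbers that lunacm prints during partition archive backup and partition archive restore can be checked mechanically, which catches the skipped-private-key case described under "Private Keys could be lost". The following Python is an added example, not SafeNet code: the function names are hypothetical, the transcripts are constructed in the format shown above, and the expected object count is assumed to come from your own inventory of the source partition.

```python
import re
from dataclasses import dataclass, field

# Line shapes copied from the lunacm sessions shown on this page.
ANNOUNCED = re.compile(r"(\d+) objects will be (backed up|restored)\.")
CLONED = re.compile(r"Cloned object (\d+) (?:to|from) partition \S+ \(new handle (\d+)\)")
FINISHED = re.compile(r"(\d+) objects have been (?:backed up to|restored from) partition")
RESULT = re.compile(r"Command Result\s*:\s*(.+)")

# Constructed transcripts: three objects backed up, one skipped on restore.
BACKUP_LOG = """
lunacm:> partition archive backup -slot 3 -par SAbck1
        3 objects will be backed up.
        Backing up objects...
        Cloned object 99 to partition SAbck1 (new handle 19).
        Cloned object 33 to partition SAbck1 (new handle 20).
        Cloned object 108 to partition SAbck1 (new handle 23).
        Backup Complete.
        3 objects have been backed up to partition SAbck1
        on slot 3.
Command Result : No Error
"""
RESTORE_LOG = """
lunacm:> partition archive restore -slot 3 -par SAbck1
        2 objects will be restored.
        Restoring objects...
        Cloned object 19 from partition SAbck1 (new handle 20).
        Cloned object 20 from partition SAbck1 (new handle 21).
        Restore Complete.
        2 objects have been restored from partition SAbck1 on slot 3.
Command Result : No Error
"""


@dataclass
class ArchiveRun:
    operation: str = ""
    announced: int = -1
    finished: int = -1
    result: str = ""
    handle_map: dict = field(default_factory=dict)  # cloned object -> new handle


def parse_run(transcript):
    """Extract counts, handle mapping and command result from one archive command."""
    run = ArchiveRun()
    for line in transcript.splitlines():
        if m := ANNOUNCED.search(line):
            run.operation = "backup" if m.group(2) == "backed up" else "restore"
            run.announced = int(m.group(1))
        elif m := CLONED.search(line):
            run.handle_map[int(m.group(1))] = int(m.group(2))
        elif m := FINISHED.search(line):
            run.finished = int(m.group(1))
        elif m := RESULT.search(line):
            run.result = m.group(1).strip()
    return run


def audit(run, expected_objects):
    """Return a list of findings; an empty list means the run is consistent."""
    if run.finished < 0:
        return ["no completion line found; transcript incomplete"]
    findings = []
    if run.result != "No Error":
        findings.append(f"command result is {run.result!r}")
    if run.announced != run.finished:
        findings.append(f"announced {run.announced} objects, finished {run.finished}")
    if len(run.handle_map) != run.finished:
        findings.append(f"{len(run.handle_map)} clone lines for {run.finished} objects")
    if run.finished < expected_objects:
        findings.append(f"{expected_objects - run.finished} of {expected_objects} expected "
                        "objects not cloned: check the Private Key Cloning policy")
    return findings


def round_trip_gaps(backup, restore):
    """Handles created on the Backup HSM that the restore never cloned back."""
    return set(backup.handle_map.values()) - set(restore.handle_map)


if __name__ == "__main__":
    backup, restore = parse_run(BACKUP_LOG), parse_run(RESTORE_LOG)
    print("backup findings: ", audit(backup, expected_objects=3))
    print("restore findings:", audit(restore, expected_objects=3))
    print("not restored:    ", sorted(round_trip_gaps(backup, restore)))
```

Run it against the full captured session text; a transcript with elided clone lines will be reported as inconsistent.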