|
Home > |
Administration Guide > Backup and Restore HSMs and Partitions > Backup and Restore From the Client to a Remote Backup HSM (LunaCM, RBS)
|
|---|
This section describes how to use LunaCM and the Remote Backup Service (RBS) to backup and restore a partition from the client to a remotely located SafeNet Backup HSM (Backup HSM). In this case "remotely located" means that the Backup HSM is USB connected to its own workstation, and not to a Client workstation and not to the HSM that contains the source material being backed up. This section contains the following subsections:
•Configuring the Remote Backup Service (RBS)
•Backing Up an Application Partition to a Remotely Located Backup HSM
•Restoring an HSM Partition From a Remotely Located Backup HSM
Remote backups are enabled by the SafeNet Remote Backup Service (RBS). RBS is a utility, included with the SafeNet HSM client software, that runs as a service (Windows) or daemon (Unix/Linux) on a workstation used to host one or more remote Backup HSMs. The RBS service allows the Backup HSM (could be one of several) to be presented over an NTLS-like link and appear as a lunacm slot, alongside distant Network HSM partitions that also appear as lunacm slots. This lets you perform backup and restore operations among the application partition slots and the RBS slots, while all three entities are geographically separated.
You can add a fourth entity, which might be a laptop carried by a manager, who can remotely access the Client and the RBS station to perform configuration, backup/restore and other maintenance operations. In addition, if the HSMs are PED-authenticated, the manager's laptop can optionally serve as a PedServer workstation.
The usual scenario for the setup described in this section is that you have
•SafeNet Network HSM appliances in a datacenter, with NTLS (and if needed, Remote PED) links to application clients, management client(s), (and if needed, Remote PED Server)
•Application clients elsewhere (not relevant to the Backup/Restore operations)
•a dedicated Backup workstation, that can be located anywhere
–with Backup HSM connected to it locally via USB
–with the Remote Backup Server software, and an RBS connection to a client/management workstation
•A client/management workstation, running LunaClient software, with
–the remote Network HSM connected via NTLS and with one-or-more application partitions visible as slots in lunacm (at the management workstation)
•[optionally] a Remote PED workstation/laptop,
–with a Remote-capable PED, USB-connected, and in Remote mode
–with PedServer to serve PED operations, both to the distant application partitions (on the Network HSM) and to the Backup HSM (RBS), one at a time
–with SSH connection to the RBS station for command access, if needed
–with Remote PED link to the RBS station (when not serving PED to the Network HSM(s)
–with Remote PED link to the Network HSM(s) when not serving PED to the RBS station
–with Remote Desktop Protocol (RDP) or similar link to the Client workstation to run the lunacm instance that sees the Network HSM partitions and the RBS partition as slots
In other words, you perform some management functions at one location, but your Backup workstation is at a different location. That separation is what requires RBS. If you can have a direct connection of your Backup HSM to a client that sees the source HSM partitions and the Backup HSM as slots, then you don't need RBS.
Note: Remote Backup is not currently supported over IPv6 networks. To backup a SafeNet Network HSM on an IPv6 network, you must use one of the following methods instead:
Backup and Restore From the Appliance to an Appliance-connected Backup HSM (LunaSH)
Backup and Restore From the Client to a Client-Local Backup HSM (LunaCM)
1. Configure it to define which of the Backup HSMs connected to the workstation running RBS that you want to make available to other SafeNet HSM client workstations or SafeNet Network HSM appliances for performing remote backups. See Configuring the Remote Backup Service (RBS) below.
2.Register the workstation running RBS with any SafeNet HSM client workstations or SafeNet Network HSM appliances that you want to be able to use the Remote Backup HSMs.
3.Start the RBS service/daemon.
Once RBS is configured and running, the SafeNet HSM client workstations or SafeNet Network HSM appliances registered with the workstation running RBS can see its available Backup HSMs as slots in LunaCM (SafeNet HSM client workstation). To perform backup and restore operations using the Remote Backup HSMs, you open a LunaCM session, as relevant, on the SafeNet HSM client workstation or SafeNet Network HSM appliance used to host the slot you want to backup, and specify the slot for the Remote Backup HSM as the slot to use for the backup/restore operation.
The backup operation can go from a source partition (on a SafeNet HSM) to an existing partition on the SafeNet Backup HSM, or if one does not exist, a new partition can be created during the backup. The restore operation cannot create a target partition on a SafeNet Network HSM; it must already exist and have a registered NTLS link.
To back up PED-authenticated partitions, you can connect a remote PED to the Backup HSM host workstation, or you can use a separate computer to provide PED operations.
Note: Remote PED (PED Server) is supported on Windows only.
Possible configurations for performing a remote backup of a SafeNet HSM client workstation slot are illustrated in the following figures. Only PED-authenticated backup configurations are shown.
Figure 1: Configuration for remote backup of a SafeNet HSM client workstation slot with the remote PED connected to the client workstation
Note: In the scenario above, you would be working from the Client workstation. You need RBS on the Backup host, to serve the Backup HSM as RBS slots to be recognized by lunacm on the Client workstation.
Figure 2: Configuration for remote backup of a SafeNet HSM client workstation slot with the remote PED connected to a separate workstation
Note: In the scenario above, you would be working from the laptop, with SSH or Remote Desktop connections to manage the Client and the Backup host, and with Remote PED connections to authenticate to the source and backup HSMs.
You need RBS on the Backup host, to serve the Backup HSM as RBS slots to be recognized by lunacm on the Client workstation.
RBS is not a standalone feature. It is a service that facilitates backing-up HSM partitions or restoring onto those partitions, using a backup HSM that is distant from the primary HSM and its host or its client.
If needed, RBS is run on the computer that hosts the SafeNet Backup HSM, only. RBS is a separate option at software installation time. You do not need it on all client/admin computers, but it doesn't hurt to have it installed. Running RBS also requires running PEDClient on that host, as well as on the distant Client - the paired instances of PED Client form the communications link that makes RBS possible.
RBS requires PED Client on both the RBS client and RBS server ends. PedClient and PedServer are part of the Remote PED installation option in the LunaClient installer.
Some customers prefer to have Network HSMs or HSM hosts in secure locations, and administrative client hosts at another location, with Backup HSMs USB-connected to that administrative client host.
PedClient and PedServer are required only if HSMs are PED-authenticated. No RBS is required, because the Backup HSM is physically connected to the client host, where lunacm recognizes it as a local slot. See the diagram Configuration for remote backup of a SafeNet HSM client workstation slot with the remote PED connected to the client workstation .
Many customers prefer to have Network HSMs or HSM hosts in secure locations, administrative client hosts at another location, and Backup HSMs and their hosts at a third location. Some customers find it useful to situate their admin personnel away from the administrative client host locations, at a fourth location, or mobile. The admin personnel use SSH or RDP (or similar) to remotely access the client, configure connections, run backups, etc.
If HSMs are PED-authenticated, PEDServer is installed on the admin laptop, and a Remote-capable PED is USB-connected. RBS is required on the Backup host, because the Backup HSM is physically remote from the administrative client station, such that the RBS connection is needed for lunacm to see the Backup HSM as a slot. See the diagram Configuration for remote backup of a SafeNet HSM client workstation slot with the remote PED connected to a separate workstation .
Your security policy or logistic constraints determine the approach(es) you choose.
The major actions required to prepare for RBS are:
•
Configure RBS (based on NTLS) between your Remote Backup HSM host and the administrative client.
•Launch the RBS service on the Remote Backup host.
•Configure Remote PED (for PED-authenticated HSMs)
–between your Network HSM(s) and the laptop/workstation with the PED connected via USB, and also
–between the Remote Backup host and the laptop/workstation with the PED connected via USB,
and launch Remote PED service.
When configuring RBS, it is assumed that you have previously configured your HSM.
It is also assumed that you have created application partitions and registered them to create NTLS links.
See the Configuration Guide About the Configuration Guide for instructions.
1.Install the SafeNet HSM client software on the computer used to manage the HSMs/partitions you want to back up. If you use PED authentication, ensure that the Remote PED option is installed. You must also install the SafeNet Network HSM client software even if you have installed the SafeNet PCIe HSM software, because the SafeNet Network HSM client is the only one that includes the vtl utility, which is required to perform the certificate exchange that enables Remote Backup Service.
2.Install the SafeNet HSM client software on the workstation used to host your Backup HSM. Select the Remote Backup option. If the workstation is running Windows, and will be used to connect a Remote PED, install the Remote PED option here.
For a Client connecting to Network HSM partitions, you should already have a Client certificate that you earlier exchanged with your Network HSM appliances to create NTLS links with partitions. If so, you should skip creating the certificate again, in the next step. If you do not already have a Client certificate created...
3.On the Client computer create the client certificate (if not already done) with vtl createCert -n <host_ip_address>.
4.On the Remote Backup HSM host, run rbs --genkey to generate the server.pem to establish the Remote Backup Service between the Backup host and the host/client for the primary HSM. The location of the server.pem file can be found in the Chrystoki.conf /crystoki.ini file. SCP or PSCP the RBS certificate to the Client computer.
5.On the client computer run vtl addserver to add the RBS server to the server list. vtl add -n 192.20.9.253 -c server.pem New server 192.20.9.253 successfully added to server list.vtl list Server: 192.20.9.82 Server: 192.20.9.253
6.On the Remote Backup host, run rbs --config for each Backup HSM that is USB-connected to the host.
7.Run rbs --daemon to launch the RBS daemon (Linux and UNIX) or the RBS console application (on Windows, it closes after every use).
Note: If you encounter problems, try changing the RBS and PED Client ports from the default values. Check that your firewall is not blocking ports used by the service. (Refer to the command syntax pages for default values.)
If you have Private Key Cloning switched off for the current partition, then the backup operation proceeds, but skips over any private keys, and clones only the permitted objects onto the Backup HSM.
Similarly, if you restore from a token that includes private keys, but the target partition has Private Key Cloning disallowed, then all other objects are recovered to the partition, but the private keys are skipped during the operation.
The default setting allows private key cloning, but you might have changed that to satisfy your security regime. This consequence of such a change in policy is sometimes overlooked.
This section describes how to backup an application partition to a remotely located Backup HSM using RBS.
You will need the following components to perform a remote backup:
| Quantity | Description |
|---|---|
| 1 | SafeNet HSM 5.2 or newer |
| 1 | Windows computer with SafeNet Network HSM 5.2 (or newer) client software installed |
| 1 | SafeNet Backup HSM |
| 1 | Set of PED keys imprinted for the source HSM and partitions |
| 1 | Luna PED (Remote PED with f/w 2.7.1 or later)* |
| 1 |
Power cable for Luna PED (Remote) |
| 2 | USB to mini USB cable for Luna PED (Remote) and SafeNet Backup HSM |
Note: The Luna PED that is connected to the Windows computer, in order to perform Remote PED operations with the distant SafeNet Network HSM appliance, must be a Luna PED (remote-capable version) and is used in Remote mode and in Local mode. You also have the option to connect a second Luna PED, which can be Remote capable or can be a Local-only version, to the SafeNet Backup HSM. This allows you to leave the Remote capable Luna PED connected to the workstation in Remote mode.
The following examples assume that you have set up RBS, as described in Configuring the Remote Backup Service (RBS), and have prepared for the backup, as follows:
•The Backup HSM and the HSMs/partitions you want to back up are initialized with appropriate keys (blue SO and black Partition Owner/User PED keys, which can be the same for both devices, or can be different).
•Both devices must share the same domain or red PED key value.
•The workstation (Windows computer) has Remote PED and SafeNet Remote Backup software package installed including the appropriate driver.
•For SafeNet Network HSM, NTLS is established between your workstation computer, acting as a SafeNet Network HSM client, and the distant SafeNet Network HSM - that is, the workstation is registered as a client with the partition.
•A Remote PED session key (orange RPV key) has been created and associated with the distant SafeNet HSM.
The following procedure provides an example illustrating how to remotely backup a PED-authenticated application partition. In this example a single remote PED, attached to the Windows workstation used to host the Backup HSM, is used.
Set up the remote PED
1.Ensure that your Windows workstation has the PED USB driver (from the /USBDriver folder in the installer archive) installed, and that the PEDServer.exe file (the executable program file that makes Remote PED operation possible) has been copied to a convenient directory on your hard disk.
2.Connect all of the components as follows:
| From | Using | To |
|---|---|---|
| Workstation | USB | Remote PED (Luna PED IIr in Remote mode) |
| DC power receptacle on Remote PED | PED Power Supply | Mains AC power (wall socket) |
| Workstation | USB | SafeNet Backup HSM |
| SafeNet Backup HSM | Power Cord | Mains AC power (wall socket) |
3.At the Remote Luna PED (Luna PED with remote capability, connected to the USB port of the workstation), do the following:
–Press < on the PED keypad to navigate to the main menu.
–Press 7 to enter Remote mode.
4.Run PedServer to start the Remote PED service on the administrative workstation (Windows) computer, as follows:
– In a Command Prompt (DOS) window, change directory to the location of the PEDServer.exe file and run that :
C:\>cd \Program Files\LunaCient
C:\Program Files\LunaClient>PEDServer -mode start
5.Open an administrative connection (SSH) to the distant SafeNet HSM (for SafeNet Network HSM appliance, log in as "admin." For another HSM host, log in with the appropriate ID. Start the PED Client (the Remote PED enabling process on the appliance):
lunash:> hsm ped connect -ip <workstation_ip_address> -port 1503
or
lunacm:> ped connect -ip <workstation_ip_address> -port 1503
Insert the orange RPV PED key that matches the RPV of the distant SafeNet HSM.
The Remote PED Client in the SafeNet Network HSM appliance or in the SafeNet HSM client workstation establishes a connection with the listening PedServer on your remote PED workstation.
Backup a slot to the remotely located backup HSM
Note: The following steps apply to LunaCM only. For LunaSH, follow the procedure To backup a SafeNet Network HSM partition to a directly connected Backup HSM:. Use the token backup list and token backup show commands to ensure that the remote Backup HSM is visible.
6.Start the LunaCM utility (in Windows, it resides at C:\Program Files\SafeNet\LunaClient - in Linux/UNIX, it resides at /usr/safenet/lunaclient/bin).
C:\Program Files\SafeNet\LunaClient>lunacm.exe
LunaCM V7.0.0 - Copyright (c) 2006-2017 Gemalto, Inc.
Available HSM's:
Slot Id -> 1
HSM Label -> SA82_P1
HSM Serial Number -> 16298193222733
HSM Model -> LunaSA 6.26.0 HSM Firmware Version -> 7.0.1
HSM Configuration -> Luna User Partition, With SO (PED) Signing With Cloning Mode
HSM Status -> OK
Slot Id -> 2
HSM Label -> SA200_Par1
HSM Serial Number -> 701968008
HSM Model -> LunaSA
HSM Firmware Version -> 6.10.9
HSM Configuration -> SafeNet Network HSM Slot (PED) Signing With Cloning Mode
HSM Status -> OK
Slot Id -> 3
HSM Label -> G5backup
HSM Serial Number -> 700101
HSM Model -> G5Backup
HSM Firmware Version -> 6.26.01
HSM Configuration -> Luna HSM (PED) Backup Device
HSM Status -> OK
Current Slot Id: 1
7.If the current slot is not the slot that you wish to backup, use the slot set command to go to the correct slot.
lunacm:> slot set slot 1
Current Slot Id: 1 (Luna User Slot 6.26.0 (PED) Signing With Cloning Mode)
Command Result : No Error
8.Establish that the HSM is listening for the remote Luna PED at the correct location:
Note: The PEDServer must already have been set up at that host.
lunacm:>ped get
HSM slot 1 listening to local PED (PED id=0).
Command Result : No Error
lunacm:> ped connect ip 192.20.10.190
Command Result : No Error
lunacm:> ped get
HSM slot 1 listening to remote PED (PED id=100).
Command Result : No Error
9.Skip this step if your source partition is already in login state (activated).
Log into the partition (this takes place at the currently selected slot). This step is needed only if the partition you are about to backup is not already in the activated state.
lunacm:> role login -name Crypto Officer
Option -password was not supplied. It is required.
Enter the password: *******
User is activated, PED is not required.
Command Result : No Error10.Disconnect the PED from your source HSM (slot 1 in this example), and connect to the remote Backup HSM (slot 3 in this example):
lunacm:> ped disconnect
Are you sure you wish to disconnect the remote ped? Type 'proceed' to continue, or 'quit' to quit now -> proceed
Command Result : No Error
lunacm:> ped connect ip 192.20.10.190 -slot 3
Command Result : No Error
lunacm:> ped get -slot 3
HSM slot 3 listening to remote PED (PED id=100).
Command Result : No Error
11.Perform the backup from the current slot to the partition that you designate on the Remote Backup HSM. Now that the Backup HSM is listening correctly for a PED, the target partition can be created, with PED action for the authentication.
lunacm:> partition archive backup -slot 3 -par SAbck1
Logging in as the SO on slot 3. Please attend to the PED.
Creating partition SAbck1 on slot 3.
Please attend to the PED.
Logging into the container SAbck1 on slot 3 as the user.
Please attend to the PED.
Creating Domain for the partition SAbck1 on slot 3. Please attend to the PED.
Verifying that all objects can be backed up...
85 objects will be backed up.
Backing up objects...
Cloned object 99 to partition SAbck1 (new handle 19).
Cloned object 33 to partition SAbck1 (new handle 20).
Cloned object 108 to partition SAbck1 (new handle 23).
..
.
Cloned object 78 to partition SAbck1 (new handle 128).
Cloned object 88 to partition SAbck1 (new handle 129).
Cloned object 40 to partition SAbck1 (new handle 130).
Backup Complete.
85 objects have been backed up to partition SAbck1
on slot 3.
Command Result : No Error12.The backup operation is complete.
This section describes how to restore an application partition from a remotely located Backup HSM using RBS.
The following procedure provides an example of how to restore a partition from a remotely located Backup HSM. In this example, the partition is restored to a SafeNet Network HSM partition that is not in the activated state. A single remote PED is used to authenticate to the remote Backup HSM and the SafeNet Network HSM partition. If your primary HSM partition (the partition onto which you will restore the backed-up objects) is in the activated state, then only the Backup HSM needs PED activity for authentication during restore.
Note: The following steps apply to LunaCM only. For LunaSH, follow the procedure Backup and Restore From the Appliance to an Appliance-connected Backup HSM (LunaSH). Use the token backup list and token backup show commands to ensure that the Remote Backup HSM is visible.
1.In our test setup, we have each of several SafeNet HSM products. Launching lunacm shows what is available/connected in the slot list.
C:\Program Files\SafeNet\LunaClient>lunacm.exe
LunaCM v7.0.0 - Copyright (c) 2006-2017 Gemalto, Inc.
Available HSMs:
Slot Id -> 0
Label ->
Serial Number -> 16298193222733
Model -> LunaSA 7.0.0
Firmware Version -> 6.27.0
Configuration -> Luna User Partition With SO (PED) Signing With Cloning Mode
Slot Description -> Net Token Slot
Slot Id -> 1
Label ->
Serial Number -> 16298193222735
Model -> LunaSA 7.0.0
Firmware Version -> 6.27.0
Configuration -> Luna User Partition With SO (PED) Signing With Cloning Mode
Slot Description -> Net Token Slot
Slot Id -> 2
Label -> legacypar1
Serial Number -> 16298193222734
Model -> LunaSA
Firmware Version -> 6.22.0
Configuration -> Luna User Partition, No SO (PED) Signing With Cloning Mode
Slot Description -> Net Token Slot
Slot Id -> 3
Label -> SAbck1
Serial Number -> 700101
Model -> G5Backup
Firmware Version -> 6.27.0
Configuration -> Luna User Partition With SO (PED) Signing With Cloning Mode
Slot Description -> User Token Slot
Slot Id -> 5
Tunnel Slot Id -> 7
Label ->
Serial Number -> 349297122734
Model -> K6 Base
Firmware Version -> 6.22.0
Configuration -> Luna User Partition With SO (PED) Signing With Cloning Mode
Slot Description -> User Token Slot
Slot Id -> 6
Tunnel Slot Id -> 7
Label -> mypcie6
Serial Number -> 150022
Model -> K6 Base
Firmware Version -> 6.22.0
Configuration -> Luna HSM Admin Partition (PED) Signing With Cloning Mode
Slot Description -> Admin Token Slot
HSM Configuration -> Luna HSM Admin Partition (PED)
HSM Status -> OK
Slot Id -> 8
HSM Label -> myG5pw
HSM Serial Number -> 7001312
HSM Model -> G5Base
HSM Firmware Version -> 6.10.9
HSM Configuration -> SafeNet USB HSM (PW) Signing With Cloning Mode
HSM Status -> OK
Current Slot Id: 0
2.Verify which slot is listening for PED and whether it is expecting local or remote.
lunacm:>ped get
HSM slot 0 listening to local PED (PED id=0).
Command Result : No Error
3.Connect to Remote PED with ped connect.
4.Log into the partition to which you want to restore.
Note: This would not be necessary if the partition was activated - we are demonstrating that if the partition was not in login state or activated state, it is straightforward to briefly switch the PED to the primary HSM partition before switching the PED back to the Backup HSM.
lunacm:> role login -n Crypto Officer
enter password: *******
Please attend to the PED.
Command Result : No Error
lunacm:> ped disconnect
Are you sure you wish to disconnect the remote ped?
Type 'proceed' to continue, or 'quit' to quit now -> proceed
Command Result : No Error
(The current selected slot in LunaCM is still slot 0, and having ensured login status on that slot/partition we have just released the Remote PED connection there. The other end of the Remote PED pair, the PED-connected host computer running PedServer, is now free to accept a Remote PED link from another PedClient, which will be the host attached to the SafeNet Backup HSM.)
Note: In this example, the SafeNet Network HSM partition, to which we will restore objects, is visible in LunaCM at slot 0 because it is linked to this SafeNet HSM client by NTLS, while this Client is registered to that partition at the SafeNet Network HSM.
The SafeNet Backup HSM is visible in LunaCM, at slot 3 in this case, because it is linked by the RBS connection that you previously established (see "To Configure RBS" above in this chapter); that is, PedClient is running on this Client, and PedClient and rbs.exe are running on the Backup HSM's host, with each other identified as their partner in the RBS link.
5.Connect the Remote PED to the Backup HSM (which, in this example, is slot 3).
lunacm:> ped connect ip 192.20.10.190 slot 3
Command Result : No Error
lunacm:> ped get
HSM slot 0 listening to local PED (PED id=0).
Command Result : No Error
lunacm:> ped get slot 3
HSM slot 3 listening to remote PED (PED id=100).
Command Result : No Error
The ped connect command specifies the slot (now the SafeNet Backup HSM) that makes a new Remote PED connection, because that slot indication is part of the command - and ped get verifies the new Remote PED-connected slot. But the focus of the library/LunaCM has not changed from slot 0; any other LunaCM commands that act on a slot will act on slot 0 until you change that with slot set. You could verify that current focus, if you wished, by running slot list again.
6.Restore to the current slot from the slot that corresponds to the Backup HSM.
lunacm:> partition archive restore -slot 3 -par SAbck1
Logging in to partition SAbck1 on slot 3 as the user.
Please attend to the PED.
Verifying that all objects can be restored...
85 objects will be restored.
Restoring objects...
Cloned object 19 from partition SAbck1 (new handle 20).
Cloned object 20 from partition SAbck1 (new handle 21).
Cloned object 23 from partition SAbck1 (new handle 22).
.
.
.
Cloned object 128 from partition SAbck1 (new handle 137).
Cloned object 129 from partition SAbck1 (new handle 138).
Cloned object 130 from partition SAbck1 (new handle 139).
Restore Complete.
85 objects have been restored from partition SAbck1 on slot 3.
Command Result : No Error
Because the LunaCM focus rests with the target partition in slot 0, your partition archive restore command must explicitly identify the slot from which backup source objects are to be cloned, slot 3 in this example, onto the target partition, current-slot 0 in this case. You also specified the backup partition name, because a SafeNet Backup HSM can contain more than one archived partition.
7.Verify that the restored slot now looks like it did just before the backup was originally performed.
lunacm:> partition archive list -slot 3
HSM Storage Information for slot 3:
Total HSM Storage Space: 16252928
Used HSM Storage Space: 43616
Free HSM Storage Space: 16209312
Number Of Allowed Partitions: 20
Number Of Allowed Partitions: 1
Partition list for slot 3
Number of partition: 1
Name: SAbck1
Total Storage Size: 41460
Used Storage Size: 41460
Free Storage Size: 0
Number Of Objects: 85
Command Result : No Error
lunacm:>
8.Remote restore from backup, using RBS, is complete.
To restore onto a different remote SafeNet HSM, the same arrangement is required:
• The remote HSM must already have a suitable partition.
•If the restore-target HSM is a SafeNet Network HSM, the target partition can have any name - it does not need to match the name of the source partition on the backup device.
•Your workstation must be registered as a client to that partition.