Backup and Restore Your Appliance Service Configuration  

SafeNet Network HSM stores details of your appliance's configuration settings for various services. Use the sysconf config commands to access and manage those settings. A file named "factoryInit_local_host_Config.tar.gz" preserves the original factory settings for all the configurable appliance services [ network, SSH, NTLS, syslog, NTP, SNMP, users, and system services ].

You can create a backup summary of the state of all those service parameters at any time with sysconf config backup -description <some_words_of_comment>, and you can list all such files, complete with the description you provided for each one, with sysconf config list.

At any time, you can reset all the configurable appliance parameters back to factory state with sysconf config factoryReset, which applies the settings from "factoryInit_local_host_Config.tar.gz". When you run that command, the system first takes a snapshot of your current settings, in case you later wish to revert from the original factory settings to the settings you had just before sysconf config factoryReset was issued.

Note:  If you upgrade your appliance, the original factory configuration no longer applies. Do not attempt to restore the original configuration: the configuration settings might not apply for the new appliance version.

Note:  Immediately after you upgrade your appliance, create a new configuration with the "sysconf config backup" command and make note of the backup file created. Later, if you wish to restore to this configuration, use the "sysconf config restore" command with the file created after upgrade.

The configuration settings file area will always contain the original factory file, and might additionally contain any number of intentionally created backups, and possibly one or more automatic backup files, similar to this example for a SafeNet Network HSM appliance named "sa5":

[sa5] lunash:>sysconf config list
Configuration backup files in file system:
Size		File Name     				Description.    
16641       |  sa5_Config_20120222_0556.tar.gz         |  testing-this                            
.7028       |  factoryInit_local_host_Config.tar.gz    |  Initial Factory Settings               
16588       |  sa5_Config_20120222_0558.tar.gz         |  Automatic Backup Before Restoring      
Command Result : 0 (Success) 
[sa5] lunash:>sysconf config restore

 

 

If you wish, you can keep only the backup files that you find useful, and individually delete any others with sysconf config delete -file <filename>.

Optionally, you can clear away all the files with sysconf config clear.

Either way, the file "factoryInit_local_host_Config.tar.gz" is not touched.

Note that the configuration backup file area is a special-purpose location. You will not see those files listed if you run the command my file list.

Example of Backing Up and Restoring

If we factoryReset the configuration parameters, a snapshot backup is created automatically, but for this example we will explicitly create a config backup file.

Create a backup of current appliance configuration parameters.

[sa5] lunash:>sysconf config backup -description testing-this backup feature
Created configuration backup file: sa5_Config_20120222_0556.tar.gz
Command Result : 0 (Success) 
[sa5] lunash:>

 

Check the current state of a configuration parameter (users).

[sa5] lunash:>user list
Users 		Roles 		Status   	RADIUS 
admin 		admin 		enabled 	no 
bob 		monitor 	enabled 	no 
john 		admin 		enabled 	no 
monitor 	monitor 	enabled 	no 
operator  	operator  	enabled 	no 

 

Command Result : 0 (Success) 
[sa5] lunash:>

 

Perform the factory reset of the chosen configuration parameter (users).

[sa5] lunash:>sysconf config factoryReset -service users
This command restores the initial factory configuration of service: users. 
The HSM and Partition configurations are NOT included.
WARNING !!  This command restores the configuration backup file: factoryInit_local_host_Config.tar.gz. 
It first creates a backup of the current configuration before restoring: factoryInit_local_host_Config.tar.gz.
If you are sure that you wish to proceed, then type 'proceed', otherwise type 'quit'.
> proceed 
Proceeding...
Created configuration backup file: sa5_Config_20120222_0800.tar.gz
Restore the users configuration: Succeeded
You must reboot the appliance for the changes to take effect. 
Please check the new configurations BEFORE rebooting or restarting the services.
You can restore the previous configurations if the new settings are not acceptable.
Command Result : 0 (Success)
[sa5] lunash:>sysconf appliance reboot
WARNING !!  This command will reboot the appliance. 
           All clients will be disconnected.
If you are sure that you wish to proceed, then type 'proceed', otherwise type 'quit'
> proceed 
Proceeding...
'hsm supportInfo' successful.
Use 'scp' from a client machine to get file named: 
supportInfo.txt
Broadcast message from root (pts/1) (Wed Feb 22 08:00:41 2012):
The system is going down for reboot NOW! 
Reboot commencing
Command Result : 0 (Success)
[sa5] lunash:>

 

After the appliance returns from reboot, restart the SSH session and log in.

[sa5] lunash:>
login as: admin
admin@192.20.10.202's password:
Access denied
admin@192.20.10.202's password:
Last login: Wed Feb 22 05:44:39 2012 from 192.20.10.143
SafeNet Network HSM 5.1.0-25 Command Line Shell - Copyright (c) 2001-2011 SafeNet, Inc. All rights reserved.
*****************************************************
**      **
** For security purposes, you must change your    **
** admin password.                                **
**                                                 **
** Please ensure you store your new admin    **
** password in a secure location.                **
**  **
** DO NOT LOSE IT!             **
**                                                 **
*****************************************************
Changing password for user admin.
You can now choose the new password.
A valid password should be a mix of upper and lower case letters, 
digits, and other characters. You can use an 8 character long
password with characters from at least 3 of these 4 classes.
An upper case letter that begins the password and a digit that 
ends it do not count towards the number of character classes used.
Enter new password:
Re-type new password:
passwd: all authentication tokens updated successfully.
Password change successful.
[sa5] lunash:>

 

The reset to factory appliance settings for the "users" parameter seems to have worked. Our "admin" password was reset to the default password "PASSWORD", and we had to apply a non-default password.

With that done, we can verify if additional aspects of the "user" parameters were also reset to factory spec.

[sa5] lunash:>user list
Users 		Roles 		Status   	RADIUS 
admin 		admin 		enabled 	no 
monitor 	monitor 	enabled 	no 
operator    	operator    	enabled 	no 
Command Result : 0 (Success)
[sa5] lunash:>

 

Notice that created users "bob" and "john" are gone, but the system-standard users "admin", "operator", and "monitor" persist. Both "operator" and "monitor" will have had their passwords reset to the default, as well.

[sa5] lunash:>sysconf config list
Configuration backup files in file system:
Size     	File Name     				Description.    
16641       |  sa5_Config_20120222_0556.tar.gz         |  testing-this                            
.7028       |  factoryInit_local_host_Config.tar.gz    |  Initial Factory Settings               
16588       |  sa5_Config_20120222_0558.tar.gz         |  Automatic Backup Before Restoring      
Command Result : 0 (Success) 
[sa5] lunash:>sysconf config restore

 

The list of configuration backup files is unchanged. We can choose one and restore it.

[sa5] lunash:>sysconf config restore -service users -file sa5_Config_20120222_0556.tar.gz
WARNING !!  This command restores the configuration backup file: sa5_Config_20120222_0556.tar.gz.
It first creates a backup of the current configuration before restoring: sa5_Config_20120222_0556.tar.gz. 
If you are sure that you wish to proceed, then type 'proceed', otherwise type 'quit'.
> proceed 
Proceeding...
Created configuration backup file: sa5_Config_20120222_0606.tar.gz
Restore the users configuration: Succeeded
You must reboot the appliance for the changes to take effect.
Please check the new configurations BEFORE rebooting or restarting the services. 
You can restore the previous configurations if the new settings are not acceptable.
Command Result : 0 (Success)
[sa5] lunash:>
[sa5] lunash:>sysconf appliance reboot
WARNING !!  This command will reboot the appliance. 
           All clients will be disconnected.
If you are sure that you wish to proceed, then type 'proceed', otherwise type 'quit'
> proceed 
Proceeding...
'hsm supportInfo' successful.
Use 'scp' from a client machine to get file named: 
supportInfo.txt
Broadcast message from root (pts/1) (Wed Feb 22 08:00:41 2012):
The system is going down for reboot NOW! 
Reboot commencing
Command Result : 0 (Success)
[sa5] lunash:>

 

After rebooting again, we are able to log in with our original "admin" password.

Once again we check the list of users.

[sa5] lunash:>user list
Users 		Roles 		Status   	RADIUS 
admin 		admin 		enabled 	no 
bob 		monitor 	enabled 	no 
john 		admin 		enabled 	no 
monitor 	monitor 	enabled 	no 
operator    	operator 	enabled 	no 

 

We see that users "bob" and "john" have returned. We could also log in as "operator" and "monitor" and find that their chosen passwords have been restored.

Finally, ask for the list of system configuration backup files one more time.

[sa5] lunash:>sysconf config list
Configuration backup files in file system:
Size File Name Description.     
16641       | sa5_Config_20120222_0556.tar.gz         | testing-this                             
.7028       | factoryInit_local_host_Config.tar.gz  |  Initial Factory Settings                
16588       | sa5_Config_20120222_0558.tar.gz         | Automatic Backup Before Restoring       
16248       | sa5_Config_20120222_0606.tar.gz         | Automatic Backup Before Restoring       
Command Result : 0 (Success) 
[sa5] lunash:>sysconf config restore

 

We see that a new file was created (...0606.tar.gz...) before the restore operation, and the other files are intact.
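The before-and-after comparison of user list output that the walkthrough above does by eye can be scripted, so that accounts removed by a factoryReset or brought back by a restore are reported explicitly. This Python is an added example, not SafeNet code or part of the original guide; it assumes the user list output has been saved as text from the SSH session, the function names are hypothetical, and the sample captures are constructed from the sessions shown on this page.

```python
# Added example (not vendor code). Captures are constructed from this page's sessions.
BEFORE = """\
Users    Roles     Status   RADIUS
admin    admin     enabled  no
bob      monitor   enabled  no
john     admin     enabled  no
monitor  monitor   enabled  no
operator operator  enabled  no
Command Result : 0 (Success)
"""
AFTER_RESET = """\
Users    Roles     Status   RADIUS
admin    admin     enabled  no
monitor  monitor   enabled  no
operator operator  enabled  no
"""
# System-standard accounts named on this page; a users factoryReset resets their passwords.
BUILT_IN = {"admin", "monitor", "operator"}

def parse_user_list(text):
    """Map user name -> {role, status, radius} from saved 'user list' output."""
    users = {}
    for line in text.splitlines():
        fields = line.split()
        # Data rows have four columns; skip header, prompts, blanks and trailer.
        if len(fields) != 4 or fields[0] == "Users":
            continue
        name, role, status, radius = fields
        users[name] = {"role": role, "status": status, "radius": radius}
    return users

def diff_users(old, new):
    """Accounts removed, added, or with a changed role between two captures."""
    both = set(old) & set(new)
    return {
        "removed": sorted(set(old) - set(new)),
        "added": sorted(set(new) - set(old)),
        "role_changed": sorted(u for u in both if old[u]["role"] != new[u]["role"]),
    }

def review_restore(old_text, new_text):
    """Summarise what an operator should re-check after a restore or reset."""
    old, new = parse_user_list(old_text), parse_user_list(new_text)
    report = diff_users(old, new)
    # Admin-role accounts that a restore brought back deserve explicit sign-off.
    report["admins_added"] = [u for u in report["added"] if new[u]["role"] == "admin"]
    report["built_in_present"] = sorted(BUILT_IN & set(new))
    return report
```

Calling review_restore(BEFORE, AFTER_RESET) reports the effect of the factory reset, and review_restore(AFTER_RESET, BEFORE) reports what restoring the earlier backup reintroduced, including the admin-role account "john".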

Backup to HSM

You can protect a configuration setup against the possibility of appliance failure by moving a backup snapshot file into your HSM. The command sysconf config export allows you to place the configuration backup file onto an HSM and sysconf config import allows you to retrieve the file from that HSM, back to the appliance file system. The export command gives you two target options:

The internal HSM of your SafeNet Network HSM appliance. This could be useful if a component failed in the appliance, you sent the appliance back to SafeNet for rework under the RMA procedure, received it back repaired, and then retrieved the file from your HSM to restore your appliance settings.

An external HSM, such as a Backup HSM or token. This could be useful if the current appliance failed and you wished to install a replacement. Similarly, you could use system configuration backup files restored from a Backup HSM to uniformly configure multiple SafeNet appliances with a standard set of parameters applicable to your enterprise.

If you are exporting a configuration backup to a SafeNet Network HSM, please note the following file size restrictions:

There is no hard maximum size of individual config-backup files that can be stored in the appliance file system or in an external backup HSM.  

The maximum storage capacity of the Admin/SO partition is 256 KB.