You can use one HSM to verify the audit log files/entries that were created by another HSM. You can only verify the logs that are stored in the ready_for_archive folder; you cannot verify log files that are currently being written.
1. Export the secret on SafeNet HSM1 (audit secret export)
2. Tar the logs on the SafeNet HSM1 host (audit log tar)
3. Transfer the secret to SafeNet HSM2 (scp)
4. Transfer the archive to SafeNet HSM2 (scp)
5. Import the secret onto SafeNet HSM2 (audit secret import -f <SafeNetHSM1_SN>.lws -serialtarget <SafeNetHSM2_SN> -serialsource <SafeNetHSM1_SN>)

Note: If you are verifying logs on a different HSM, you must provide the serialsource argument, as the SafeNet HSM will not look for another SafeNet HSM's log files without it.

6. Untar the logs on SafeNet HSM2 (audit log untarlogs -f audit-<SafeNetHSM1_SN>.tgz)
7. Verify the log file (audit log verify -f <LOG_FILENAME>.log -serialtarget <SafeNetHSM2_SN> -serialsource <SafeNetHSM1_SN>)

Note: You cannot pass the full path to the log file on SafeNet SA, as the command does not parse the slashes, but it will look in all the subfolders under the HSM serial number that you specified with serialsource.
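The procedure above as an added dry-run script (not from the SafeNet documentation): it emits the commands in the required order, using the file names the steps imply (<SN>.lws for the exported secret, audit-<SN>.tgz for the archive), and rejects a log name that carries a path, since "audit log verify" does not parse slashes. It assumes LunaSH is reached over ssh as the "admin" user, that files are staged through the administrator's workstation and copied with scp into that user's home on each appliance, and that serial numbers and host addresses are supplied by the caller; all of that is an assumption, not something the page states.

```shell
#!/bin/sh
# Added example, not SafeNet's own code. Prints the cross-HSM audit log
# verification plan for review; nothing is executed. Assumed (not on the
# page): LunaSH over "ssh admin@<appliance>", scp into admin's home directory.

# The page's note: "audit log verify" does not parse slashes, so only a bare
# filename is accepted; the HSM searches under the serialsource tree itself.
check_log_name() {
    case "$1" in
        */*|"") return 1 ;;   # path separator or empty name: reject
        *)      return 0 ;;
    esac
}

# Build the ordered command list for verifying HSM1's logs on HSM2.
# $1 = HSM1 serial (serialsource), $2 = HSM2 serial (serialtarget),
# $3 = log filename, $4 = HSM1 address, $5 = HSM2 address (placeholders).
verify_plan() {
    src_sn=$1; dst_sn=$2; log=$3; hsm1=$4; hsm2=$5
    check_log_name "$log" || {
        echo "log filename must not contain a path: $log" >&2
        return 1
    }
    cat <<EOF
ssh admin@$hsm1 "audit secret export"
ssh admin@$hsm1 "audit log tar"
scp admin@$hsm1:$src_sn.lws .
scp admin@$hsm1:audit-$src_sn.tgz .
scp $src_sn.lws admin@$hsm2:
scp audit-$src_sn.tgz admin@$hsm2:
ssh admin@$hsm2 "audit secret import -f $src_sn.lws -serialtarget $dst_sn -serialsource $src_sn"
ssh admin@$hsm2 "audit log untarlogs -f audit-$src_sn.tgz"
ssh admin@$hsm2 "audit log verify -f $log -serialtarget $dst_sn -serialsource $src_sn"
EOF
}

# Usage with constructed placeholder values:
# verify_plan 111111 222222 HSM1_LOG.log hsm1.example hsm2.example
```

Both "-serialsource" arguments are filled from HSM1's serial number, which is the detail the page's first note says must not be omitted when the logs come from another HSM.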