|
Home > |
|---|
This section describes how to perform local backup and restore operations using the SafeNet Luna Backup HSM (Backup HSM). A local backup is defined as one in which the Backup HSM is local to the HSM or to the SafeNet Luna HSM client workstation used to administer the HSM. To perform a local backup/restore, you can connect the Backup HSM:
•To a USB port on the SafeNet Luna Network HSM appliance. This method allows you use LunaSH to backup all of the SafeNet Luna Network HSM partitions on the appliance that are owned by you, the HSM SO. It does not allow you to backup partitions that have their own SO. See Partition Backup and Restore Using a Backup HSM Connected Directly to a SafeNet Luna Network HSM Appliance for details.
•To a USB port on the SafeNet Luna HSM client workstation. This method allows you use LunaCM to backup any SafeNet Luna Network HSM or SafeNet Luna PCIe HSM partitions that are visible as slots. See Partition Backup and Restore Using a Backup HSM Connected to a Local Client Workstation for details.
The backup operation can go from a source partition (on a SafeNet Luna Network HSM) to an existing partition on the Backup HSM, or if one does not exist, a new partition can be created during the backup. The restore operation, however, cannot create a target partition on a SafeNet Luna Network HSM; it must already exist.
You can restore a partition backup to the source HSM or to a different SafeNet Luna HSM. The HSM you restore to must already have a suitable partition created for the restored objects. The partition can have any name - it does not need to match the name of the source partition on the backup HSM.
You can connect the Backup HSM directly to the SafeNet Luna Network HSM appliance to backup some or all of the individual partitions it contains, using LunaSH. You require the Partition Crypto Officer (CO) credentials for each partition you want to backup.
Note: You cannot use this method to backup partitions configured to use STC (see Secure Trusted Channel (STC)). To backup a partition configured to use STC, you must use LunaCM, as described in Partition Backup and Restore Using a Backup HSM Connected to a Local Client Workstation.
To perform a backup/restore, open an SSH or serial connection from your workstation to the appliance, and use LunaSH to perform a backup to the Backup HSM connected to the appliance, as illustrated in the following figure:
Figure 1: Partition backup/restore using a Backup HSM connected directly to the appliance
The workstation is simply a display terminal for LunaSH running on the appliance. It requires an SSH client (ssh on Linux, PuTTY on Windows). It does not require the SafeNet Luna HSM client software.
The PEDs are required only if the SafeNet Luna Network HSM is PED-authenticated. The appropriate SO (blue), partition (black) and domain (red) PED keys are required. The Backup HSM and SafeNet Luna Network HSM must share the same domain (red) PED key value.
Although two PEDs are recommended (one connected to the SafeNet Luna Network HSM and one connected to the Backup HSM) you can use a single PED, if desired. If using a single PED, note that you can connect the PED to only one HSM at a time. You will need to disconnect it from the source (SafeNet Luna Network HSM) HSM and connect to the target (SafeNet Luna Backup HSM) when PED operations are needed at those HSMs respectively.
1.Connect all the required components and open a terminal session to the SafeNet Luna Network HSM appliance. See the following topics for details:
–Open a Connection in the Installation and Configuration Guide
–Backup HSM Installation, Storage, and Maintenance
Connect your PED directly to the HSM, and set it to Local PED-USB mode. (For legacy PED-HSM connections via MDSM cable, set your PED to Local PED-SCP mode.) See Changing Modes for instructions on changing modes on the Luna PED
2.Open a LunaSH session on the SafeNet Luna Network HSM appliance.
login as: admin
admin@192.20.11.184's password:
Last failed login: Fri Apr 7 15:15:01 EDT 2017 from 10.124.106.67 on ssh:notty
Last login: Fri Apr 7 15:00:11 2017 from 10.124.106.67
Luna SA 7.0.0-955 Command Line Shell - Copyright (c) 2001-2017 SafeNet, Inc. All rights reserved.
[myluna] lunash:>
3.Use the token backup list and token backup show commands to determine the serial number of the Backup HSM and to verify its partition and storage configuration:
[myluna] lunash:>token backup list
Token Details:
============
Token Label: myHSMbackup
Slot: 1
Serial #: 496771
Firmware: 6.26.0
HSM Model: G5Backup
Command Result : 0 (Success)
[myluna] lunash:>token backup show -serial 496771
Token Details:
============
Token Label: myHSMbackup
Serial #: 496771
Firmware: 6.26.0
HSM Model: G5Backup
Authentication Method: PED keys
Token Admin login status: Not Logged In
Token Admin login attempts left: 3 before Token zeroization!
Partition Information:
======================
Partitions licensed on token: 20
Partitions created on token: 0
----------------------
There are no partitions.
Token Storage Information:
==========================
Maximum Token Storage Space (Bytes): 33554432
Space In Use (Bytes): 0
Free Space Left (Bytes): 33554432
License Information:
====================
001111-012 G5 Backup Config - 001111-012
004444-012 Test BackupToken RemotePed - 004444-012
004444-006 Test BackupToken Partitions 20 Update - 4444-006
004444-009 Test BackupToken HSM Storage 15.5 Meg - 004444-009
004444-008 Test BackupToken External MTK Update 2 - 004444-008
Command Result : 0 (Success)
4.Use the partition backup command to backup a specified partition and provide the PED keys as prompted, for example:
[myluna] lunash:>partition backup -serial 496771 -partition p1 -tokenPar bck1
Type 'proceed' to continue the backup, or 'quit'
to abort this operation.
> proceed
Please enter the password for the HSM partition:
> *******
Warning: You will need to attach Luna PED to the SafeNet Luna Backup HSM
to complete this operation.
You may use the same Luna PED that you used for SafeNet Luna Network HSM.
Please hit <enter> when you are ready to proceed.
Luna PED operation required to login to token - use token Security Officer (blue) PED key.
Luna PED operation required to create a partition - use User or Partition Owner (black) PED key.
Luna PED operation required to login to user on token - use User or Partition Owner (black) PED key.
Luna PED operation required to generate cloning domain on the partition - use Domain (red) PED key.
Object "1-User DES Key1" (handle 17) cloned to handle 11 on target
Object "1-User DES Key2" (handle 18) cloned to handle 12 on target
Object "1-User Public RSA Key1-512" (handle 19) cloned to handle 13 on target
..
.
Object "1-User ARIA Key3" (handle 124) cloned to handle 118 on target
Object "1-User ARIA Key4" (handle 125) cloned to handle 119 on target
Object "1-User ARIA Key5" (handle 126) cloned to handle 120 on target
'partition backup' successful.
Command Result : 0 (Success)
5.Use the token backup show command to verify the backup:
[myluna] lunash:> token backup show -serial 123456
Token Details:
============
Token Label: myHSMbackup
Serial #: 496771
Firmware: 6.26.0
HSM Model: G5Backup
Authentication Method: PED keys
Token Admin login status: Not Logged In
Token Admin login attempts left: 3 before Token zeroization!
Partition Information:
======================
Partitions licensed on token: 20
Partitions created on token: 1
----------------------
Partition: 7000179008, Name: bck1.
Token Storage Information:
==========================
Maximum Token Storage Space (Bytes): 16252928
Space In Use (Bytes): 43616
Free Space Left (Bytes): 16209312
License Information:
====================
001111-012 G5 Backup Config - 001111-012
004444-012 Test BackupToken RemotePed - 004444-012
004444-006 Test BackupToken Partitions 20 Update - 4444-006
004444-009 Test BackupToken HSM Storage 15.5 Meg - 004444-009
004444-008 Test BackupToken External MTK Update 2 - 004444-008
Command Result : 0 (Success)
To restore the partition contents from the SafeNet Remote Backup Device to the same local SafeNet Luna Network HSM, use the same setup described above, but use the partition restore command instead.
1.Connect all the required components and open a terminal session to the SafeNet Luna Network HSM appliance. See the following topics for details:
–Open a Connection in the Installation and Configuration Guide
–Backup HSM Installation, Storage, and Maintenance
Connect your PED directly to the HSM, and set it to Local PED-USB mode. (For legacy PED-HSM connections via MDSM cable, set your PED to Local PED-SCP mode.) See Changing Modes for instructions on changing modes on the Luna PED.
2.Open a LunaSH session on the SafeNet Luna Network HSM appliance.
login as: admin
admin@192.20.11.184's password:
Last failed login: Fri Apr 7 15:15:01 EDT 2017 from 10.124.106.67 on ssh:notty
Last login: Fri Apr 7 15:00:11 2017 from 10.124.106.67
Luna SA 7.0.0-955 Command Line Shell - Copyright (c) 2001-2017 SafeNet, Inc. All rights reserved.
[myluna] lunash:>
3.Use the partition restore command to restore a partition:
[myluna] lunash:>par restore -serial 496771 -tokenPar bck1 -par p1 -replace
Please enter the password for the HSM partition:
> *******
CAUTION: Are you sure you wish to erase all objects in the
partition named: p1
Type 'proceed' to continue, or 'quit' to quit now.
> proceed
Warning: You will need to attach Luna PED to the SafeNet Luna Backup HSM to complete this operation.
You may use the same Luna PED that you used for SafeNet Luna Network HSM.
Please hit <enter> when you are ready to proceed.
Luna PED operation required to login to user on token - use User or Partition Owner (black) PED key.
Object "1-User DES Key1" (handle 17) cloned to handle 11 on target
Object "1-User DES Key2" (handle 18) cloned to handle 12 on target
Object "1-User Public RSA Key1-512" (handle 19) cloned to handle 13 on target
.
.
.
Object "1-User ARIA Key3" (handle 124) cloned to handle 118 on target
Object "1-User ARIA Key4" (handle 125) cloned to handle 119 on target
Object "1-User ARIA Key5" (handle 126) cloned to handle 120 on target
'partition restore' successful.
Command Result : 0 (Success)
[myluna] lunash:>
You can connect the Backup HSM to a SafeNet Luna HSM client workstation to backup any SafeNet Luna Network HSM or SafeNet Luna PCIe HSM partitions that are visible as slots in LunaCM, as illustrated in the following figure:
Figure 2: Configuration for SafeNet Luna Network HSM/PCIe partition backup/restore using a Backup HSM connected to a local client workstation
In this configuration, you connect the Backup HSM and SafeNet Remote PED, via USB, to your SafeNet Luna HSM client workstation. The SafeNet Luna Network HSM appliance is remote to the SafeNet Luna HSM client workstation and is connected using NTLS. Any installed PCIe devices communicate with the SafeNet Luna HSM client over the PCI bus.
Any partitions you want to backup must be registered with the SafeNet Luna HSM client workstation, and be visible as slots in LunaCM. The Backup HSM most also be visible as a slot.
If you are backing up PED-authenticated partitions, you require a PED. If you want to backup SafeNet Luna Network HSM partitions, the PED must have remote capability (Remote PED). Remote PED uses the pedserver/pedclient processes running on the SafeNet Luna HSM client workstation and on the SafeNet Luna Network HSM appliance to provide remote PED services for the network-attached SafeNet Luna Network HSM appliance. The PED provides authentication for all of the attached HSMs (the USB-connected SafeNet Luna Backup HSM, the NTLS-connected SafeNet Luna Network HSM, and the PCI bus-connected SafeNet Luna PCIe HSM). Every slot on the backup must have same domain (red PED key) as the matching slot on the source HSMs.
Note: If you have Private Key Cloning switched off for the current partition, then the backup operation proceeds, but skips over any private keys, and clones only the permitted objects onto the Backup HSM. Similarly, if you restore from a token that includes private keys, but the target partition has Private Key Cloning disallowed, then all other objects are recovered to the partition, but the private keys are skipped during the operation.
1.Configure the remote PED, as described in Using Remote PED.
2.Start the LunaCM utility on the SafeNet Luna HSM client workstation.
LunaCM v7.0.0. Copyright (c) 2006-2017 SafeNet.
Available HSMs:
Slot Id -> 0
Label -> par1
Serial Number -> 154438865288
Model -> LunaSA 7.0.0
Firmware Version -> 7.0.1
Configuration -> Luna User Partition With SO (PED) Signing With Cloning Mode
Slot Description -> Net Token Slot
Slot Id -> 21
Label -> lunabackup
Serial Number -> 496771
Model -> G5Backup
Firmware Version -> 6.26.0
Configuration -> Luna HSM Admin Partition (PED) Backup Mode
Slot Description -> Admin Token Slot
HSM Configuration -> Luna HSM Admin Partition (PED) Backup Device
HSM Status -> OK
HSM Certificates -> *** Test Certs ***
Current Slot Id: 0
3.Use the slot set command to go to the slot you want to back up:
lunacm:> slot set slot 0
Current Slot Id: 0 (Luna User Slot 7.0.1 (PED) Signing With Cloning Mode)
Command Result : No Error
4.Establish that the HSM is listening for a SafeNet Remote PED:
lunacm:>ped get
HSM slot 0 listening to local PED (PED id=0).
Command Result : No Error
lunacm:> ped connect -ip 192.20.10.190
Command Result : No Error
lunacm:> ped get
HSM slot 1 listening to remote PED (PED id=100).
Command Result : No Error
The SafeNet Luna Network HSM is now listening for PED interaction via the link between PedClient on the SafeNet Luna Network HSM appliance and PedServer on the workstation, and is not expecting a PED connected directly at the location of the SafeNet Luna Network HSM.
5.Login to the partition in the current slot as Crypto Officer. This is the partition that you want to back up:
lunacm:> role login -name co
Enter the password: *******
User is activated, PED is not required.Command Result : No Error
6.Disconnect the PED from your source HSM (slot 1 in this example), and connect to the Backup HSM (slot 2 in this example). The PED remains physically connected by USB cable to the SafeNet Luna HSM client workstation, and remains in Remote mode - you are merely changing slots that are in conversation with that PED.
a.First, tell the SafeNet Luna Network HSM to disconnect from Remote PED with the command ped disconnect.
b.Tell the Backup HSM to connect to Remote PED (it makes no difference that the PED and the Remote Backup HSM are USB-connected to the same workstation/laptop; when use of Remote PED is invoked by command ped connect and verified by ped get, all HSM-PED interaction takes place between PedClient running on that workstation and PedServer, also running on that workstation).
lunacm:> ped connect ip 192.20.10.189 -slot 2
Command Result : No Error
lunacm:> ped get -slot 2
HSM slot 2 listening to remote PED (PED id=100).
Command Result : No Error
7.Use the partition archive backup command to perform the backup from the current slot (slot 1 in the example, see above) to the partition that you designate on the Backup HSM. Now that the Backup HSM is listening correctly for a PED, the target partition can be created, with PED action for the authentication.
lunacm:> partition archive backup -slot 21 -partition par1backup
Logging in as the SO on slot 21.
Please attend to the PED.
Creating partition par1backup on slot 21
Please attend to the PED.Logging into the container par1backup on slot 21 as the user.
Please attend to the PED.
Creating Domain for the partition SAbck1 on slot 21.
Please attend to the PED.
Verifying that all objects can be backed up...
12 objects will be backed up.
Backing up objects...
Cloned object 86 to partition par1backup (new handle 19).
Cloned object 85 to partition par1backup (new handle 26).
Cloned object 81 to partition par1backup (new handle 25).
Cloned object 80 to partition par1backup (new handle 48).
Cloned object 76 to partition par1backup (new handle 49).
Cloned object 75 to partition par1backup (new handle 53).
Cloned object 71 to partition par1backup (new handle 54).
Cloned object 70 to partition par1backup (new handle 58).
Cloned object 66 to partition par1backup (new handle 59).
Cloned object 65 to partition par1backup (new handle 63).
Cloned object 32 to partition par1backup (new handle 64).
Cloned object 27 to partition par1backup (new handle 68).
Backup Complete.
12 objects have been backed up to partition par1backup
on slot 21.
Command Result : No Error
8.Backup is complete, and can be verified if you like.
1.Create a target partition for the restore operation on the HSM you are restoring to, if it does not already exist, and register the partition with the SafeNet Luna HSM client workstation so that it is visible as a slot in LunaCM.
2.Start the LunaCM utility on the SafeNet Luna HSM client workstation. The partition on the Backup HSM appears as a slot in the system (slot 1 in the example below), but you must still specify the Backup HSM's slot number (slot 21) when restoring the partition objects.
LunaCM v7.0.0. Copyright (c) 2006-2017 SafeNet.
Available HSMs:
Slot Id -> 0
Label -> par1
Serial Number -> 154438865288
Model -> LunaSA 7.0.0
Firmware Version -> 7.0.1
Configuration -> Luna User Partition With SO (PED) Signing With Cloning Mode
Slot Description -> Net Token Slot
Slot Id -> 1
Label -> par1backup
Serial Number -> 1156634899930
Model -> G5Backup
Firmware Version -> 6.26.0
Configuration -> Luna User Partition, No SO (PED) Backup Mode
Slot Description -> User Token Slot
Slot Id -> 21
Label -> lunabackup
Serial Number -> 496771
Model -> G5Backup
Firmware Version -> 6.26.0
Configuration -> Luna HSM Admin Partition (PED) Backup Mode
Slot Description -> Admin Token Slot
HSM Configuration -> Luna HSM Admin Partition (PED) Backup Device
HSM Status -> OK
HSM Certificates -> *** Test Certs ***
Current Slot Id: 0
3.Use the slot set command to go to the slot you want to restore to.
lunacm:> slot set slot 0
Current Slot Id: 0 (Luna User Slot 7.0.1 (PED) Signing With Cloning Mode)
Command Result : No Error
4.Open a remote PED session to the SafeNet Luna Network HSM you are restoring to:
lunacm:> ped connect ip 192.20.10.190
Command Result : No Error
lunacm:> ped get
HSM slot 1 listening to remote PED (PED id=100).
Command Result : No ErrorThe SafeNet Luna Network HSM is now listening for PED interaction via the link between PEDclient on the SafeNet Luna Network HSM appliance and PEDserver on the workstation, and is not expecting a PED connected directly at the location of the SafeNet Luna Network HSM.
5.Log into the partition in the current slot as the Crypto Officer. This is the partition that you want to restore to.
lunacm:> role login -name co
Enter the password: *******
User is activated, PED is not required.
Command Result : No Error6.Use the partition archive restore command restore the partition from the Backup HSM to the current slot, adding to, or replacing, the current partition contents. You must specify the Backup HSM's slot number and the name of the backup partition:
lunacm:> partition archive restore -slot 21 -partition par1backup -replace
Logging in to partition par1backup on slot 21 as the user.
Please attend to the PED.
Verifying that all objects can be restored...
12 objects will be restored.
Restoring objects...
Cloned object 59 from partition par1backup (new handle 27).
Cloned object 25 from partition par1backup (new handle 32).
Cloned object 49 from partition par1backup (new handle 65).
Cloned object 63 from partition par1backup (new handle 69).
Cloned object 68 from partition par1backup (new handle 70).
Cloned object 53 from partition par1backup (new handle 71).
Cloned object 26 from partition par1backup (new handle 72).
Cloned object 19 from partition par1backup (new handle 73).
Cloned object 64 from partition par1backup (new handle 77).
Cloned object 54 from partition par1backup (new handle 81).
Cloned object 58 from partition par1backup (new handle 85).
Cloned object 48 from partition par1backup (new handle 86).
Restore Complete.
12 objects have been restored from partition par1backup on slot 21.
Command Result : No Error
Note: In the command above, you can use -add instead of -replace. Adding might result in unwanted behaviors, such as having two keys with the same label, if one existed in the HSM Partition and one on the backup token. The two would be assigned different handles, however.