Appliance Administration Guide: Backing Up the Appliance Configuration
This chapter describes how to back up and restore the appliance configuration. You can back up and restore the appliance configuration to a file, or to an HSM.
You can back up the configuration settings for the various services running on the SafeNet Luna Network HSM so that you can restore your configuration if necessary. Backing up the appliance configuration assures that your clients will be able to connect to a restored appliance, and that all services will function correctly, should a restore be required.
You can use the sysconf config backup command at any time to create a backup file that contains the current state of all service parameters configured on the appliance. You can create multiple backup files, and provide a description for each file, allowing you to back up and restore multiple different configurations. The backup files are stored on the file system by default. You can export them to the internal HSM or an external backup HSM. The following configuration settings are saved:
Service | Settings saved
Network | Network configuration
NTLS | NTLS configuration
NTP | Network Time Protocol configuration
SNMP | SNMP configuration
SSH | SSH configuration
Syslog | Syslog configuration
System | System configuration (keys and certificates)
Users | User accounts, passwords, and files
Webserver | Webserver configuration for REST API
A configuration backup file named factoryInit_local_host_Config.tar.gz preserves the original factory settings for all the configurable appliance services. You can use the sysconf config factoryReset command to reset all the configurable appliance parameters back to factory state by applying the settings from factoryInit_local_host_Config.tar.gz. When you run that command, the system first takes a snapshot of your current settings, in case you later wish to revert from the original factory settings to the settings you had just before you issued the sysconf config factoryReset command.
Note: If you upgrade your appliance, the original factory configuration no longer applies. Do not attempt to restore the original configuration: the configuration settings might not apply for the new appliance version.
A configuration backup file is generated automatically when you run the sysconf config restore or sysconf config factoryReset commands. This allows you to revert to your current configuration if the restore operation did not achieve the expected results.
You can use the sysconf config list command to list all of your backup files, complete with the description you provided for each one, as shown in the following example. The configuration settings file area will always contain the original factory file, and might additionally contain any number of intentionally created backups, and possibly one or more automatic backup files:
[Net_HSM]lunash:>sysconf config list
Configuration backup files in file system:
Size | File Name | Description
16641 | Net_HSM_Config_20120222_0556.tar.gz | Clients OracleTDE and WebSphere
.7028 | factoryInit_local_host_Config.tar.gz | Initial Factory Settings
16588 | Net_HSM_Config_20120222_0558.tar.gz | Automatic Backup Before Restoring
Command Result : 0 (Success)
If you upgrade your appliance software, your configuration settings may be changed as part of the upgrade process and, as a result, the original factory configuration no longer applies. Immediately after you upgrade your appliance, create a new configuration backup file and make note of the backup file created. Later, if you wish to restore to this configuration, use the sysconf config restore command with the file created after upgrade.
If you wish, you can keep only the backup files that you find useful, and individually delete any others using the sysconf config delete command. You can also use the sysconf config clear command to delete all of your configuration files, if desired.
Note: You cannot delete the factoryInit_local_host_Config.tar.gz file.
Note that the configuration backup file area is a special-purpose location, accessible only using the sysconf config commands. You will not see those files listed if you run the my file list command.
There is no limit on the size of individual backup files or the number of backups that can be stored on the file system, other than the available space. This space is shared by other files, such as spkg and log files, so account for this when planning your backup and restore strategy. Some size restrictions apply if you plan to export a backup file into your HSM using sysconf config export. See Backing Up the Appliance Configuration to the HSM for details.
Use the sysconf config restore command to restore the configuration settings for a specific service, or for all services, from a configuration backup file. You must stop any services you wish to restore before performing the restore operation, and reboot the appliance for the changes to take effect. A new configuration backup file of the current configuration is created automatically when you perform a restore operation, allowing you to easily revert to the previous configuration, if necessary.
Note: Check the new configurations before rebooting or restarting the services.
A factory reset of the configuration parameters creates a snapshot backup automatically, but for this example we explicitly create a configuration backup file first.
1. Create a backup of the current appliance configuration parameters.
[Net_HSM] lunash:>sysconf config backup -description Example backup
Created configuration backup file: Net_HSM_Config_20120222_0556.tar.gz
Command Result : 0 (Success)
2. Check the current state of a configuration parameter (users).
[Net_HSM] lunash:>user list
Users Roles Status RADIUS
admin admin enabled no
bob monitor enabled no
john admin enabled no
monitor monitor enabled no
operator operator enabled no
Command Result : 0 (Success)
3. Perform the factory reset of the chosen configuration parameter (users).
[Net_HSM] lunash:>sysconf config factoryReset -service users
This command restores the initial factory configuration of service: users.
The HSM and Partition configurations are NOT included.
WARNING !! This command restores the configuration backup file: factoryInit_local_host_Config.tar.gz.
It first creates a backup of the current configuration before restoring: factoryInit_local_host_Config.tar.gz.
If you are sure that you wish to proceed, then type 'proceed', otherwise type 'quit'.
> proceed
Proceeding...
Created configuration backup file: Net_HSM_Config_20120222_0800.tar.gz
Restore the users configuration: Succeeded
You must reboot the appliance for the changes to take effect.
Please check the new configurations BEFORE rebooting or restarting the services.
You can restore the previous configurations if the new settings are not acceptable.
Command Result : 0 (Success)
[Net_HSM] lunash:>sysconf appliance reboot
WARNING !! This command will reboot the appliance.
All clients will be disconnected.
If you are sure that you wish to proceed, then type 'proceed', otherwise type 'quit'
> proceed
Proceeding...
'hsm supportInfo' successful.
Use 'scp' from a client machine to get file named:
supportInfo.txt
Broadcast message from root (pts/1) (Wed Feb 22 08:00:41 2012):
The system is going down for reboot NOW!
Reboot commencing
Command Result : 0 (Success)
[Net_HSM] lunash:>
4. After the appliance returns from reboot, restart the SSH session and log in.
[Net_HSM] lunash:>
login as: admin
admin@192.20.10.202's password:
Last login: Wed Feb 22 05:44:39 2012 from 192.20.10.143
SafeNet Luna Network HSM 7.0 Command Line Shell - Copyright (c) 2001-2017 Gemalto, Inc. All rights reserved.
*****************************************************
** **
** For security purposes, you must change your **
** admin password. **
** **
** Please ensure you store your new admin **
** password in a secure location. **
** **
** DO NOT LOSE IT! **
** **
*****************************************************
Changing password for user admin.
You can now choose the new password.
A valid password should be a mix of upper and lower case letters,
digits, and other characters. You can use an 8 character long
password with characters from at least 3 of these 4 classes.
An upper case letter that begins the password and a digit that
ends it do not count towards the number of character classes used.
Enter new password:
Re-type new password:
passwd: all authentication tokens updated successfully.
Password change successful.
[Net_HSM] lunash:>
The reset to factory appliance settings for the users parameter seems to have worked. Our "admin" password was reset to the default password "PASSWORD", and we had to apply a non-default password.
5. With that done, we can verify whether additional aspects of the users parameters were also reset to factory spec.
[Net_HSM] lunash:>user list
Users Roles Status RADIUS
admin admin enabled no
monitor monitor enabled no
operator operator enabled no
Command Result : 0 (Success)
Notice that created users "bob" and "john" are gone, but the system-standard users "admin", "operator", and "monitor" persist. Both "operator" and "monitor" will have had their passwords reset to the default, as well.
[Net_HSM] lunash:>sysconf config list
Configuration backup files in file system:
Size | File Name | Description
--------------------------------------------------------------------------------------------
16641 | Net_HSM_Config_20120222_0556.tar.gz | testing-this
.7028 | factoryInit_local_host_Config.tar.gz | Initial Factory Settings
16588 | Net_HSM_Config_20120222_0558.tar.gz | Automatic Backup Before Restoring
Command Result : 0 (Success)
6. The list of configuration backup files is unchanged. We can choose one and restore it.
[Net_HSM] lunash:>sysconf config restore -service users -file Net_HSM_Config_20120222_0556.tar.gz
WARNING !! This command restores the configuration backup file: Net_HSM_Config_20120222_0556.tar.gz.
It first creates a backup of the current configuration before restoring: Net_HSM_Config_20120222_0556.tar.gz.
If you are sure that you wish to proceed, then type 'proceed', otherwise type 'quit'.
> proceed
Proceeding...
Created configuration backup file: Net_HSM_Config_20120222_0606.tar.gz
Restore the users configuration: Succeeded
You must reboot the appliance for the changes to take effect.
Please check the new configurations BEFORE rebooting or restarting the services.
You can restore the previous configurations if the new settings are not acceptable.
Command Result : 0 (Success)
[Net_HSM] lunash:>sysconf appliance reboot
WARNING !! This command will reboot the appliance.
All clients will be disconnected.
If you are sure that you wish to proceed, then type 'proceed', otherwise type 'quit'
> proceed
Proceeding...
'hsm supportInfo' successful.
Use 'scp' from a client machine to get file named:
supportInfo.txt
Broadcast message from root (pts/1) (Wed Feb 22 08:00:41 2012):
The system is going down for reboot NOW!
Reboot commencing
Command Result : 0 (Success)
7. After rebooting again, we are able to log in with our original "admin" password.
Once again we check the list of users.
[Net_HSM] lunash:>user list
Users Roles Status RADIUS
admin admin enabled no
bob monitor enabled no
john admin enabled no
monitor monitor enabled no
operator operator enabled no
We see that users "bob" and "john" have returned. We could also log in as "operator" and "monitor" and find that their chosen passwords have been restored.
8. Finally, ask for the list of system configuration backup files one more time.
[Net_HSM] lunash:>sysconf config list
Configuration backup files in file system:
Size | File Name | Description
---------------------------------------------------------------------------------------------
16641 | Net_HSM_Config_20120222_0556.tar.gz | testing-this
.7028 | factoryInit_local_host_Config.tar.gz | Initial Factory Settings
16588 | Net_HSM_Config_20120222_0558.tar.gz | Automatic Backup Before Restoring
16248 | Net_HSM_Config_20120222_0606.tar.gz | Automatic Backup Before Restoring
Command Result : 0 (Success)
We see that a new file was created (Net_HSM_Config_20120222_0606.tar.gz) before the restore operation, and the other files are intact.
You can protect a configuration setup against the possibility of appliance failure by exporting a backup snapshot file into the internal HSM or an external backup HSM. The command sysconf config export allows you to place the configuration backup file onto an HSM and sysconf config import allows you to retrieve the file from that HSM, back to the appliance file system. The export command gives you two target options:
• The internal HSM of your SafeNet Luna Network HSM appliance. This could be useful if a component failed in the appliance, you sent the appliance back to SafeNet for rework under the RMA procedure, received it back repaired, and then retrieved the file from your HSM to restore your appliance settings.
• An external HSM, such as a Backup HSM or token. This could be useful if the current appliance failed and you wished to install a replacement. Similarly, you could use system configuration backup files restored from a Backup HSM to uniformly configure multiple SafeNet appliances with a standard set of parameters applicable to your enterprise.
If you are exporting a configuration backup to a SafeNet Luna Network HSM, please note the following file size restrictions:
• The maximum size of individual exportable files is 64 KB.
• The maximum storage capacity of the Admin/SO partition is 384 KB.
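As an added example (not code from the guide or the SafeNet product), the following Python snippet parses the "sysconf config list" output in the format shown above, classifies each file as factory, automatic or manual, and checks a proposed export against the 64 KB per-file and 384 KB partition limits. The listing is constructed from the page's example, and file sizes are assumed to be in bytes.

```python
import re
from dataclasses import dataclass
# Constructed sample: 'sysconf config list' output in the format shown in the
# guide; sizes are assumed to be bytes, and the stray leading '.' on one size
# mimics the extraction debris seen on the page.
SAMPLE_LISTING = """\
[Net_HSM] lunash:>sysconf config list
Configuration backup files in file system:
Size | File Name | Description
-----------------------------------------------------------
16641 | Net_HSM_Config_20120222_0556.tar.gz | testing-this
.7028 | factoryInit_local_host_Config.tar.gz | Initial Factory Settings
16588 | Net_HSM_Config_20120222_0558.tar.gz | Automatic Backup Before Restoring
16248 | Net_HSM_Config_20120222_0606.tar.gz | Automatic Backup Before Restoring
Command Result : 0 (Success)
"""
MAX_EXPORT_FILE = 64 * 1024       # per-file limit for 'sysconf config export'
ADMIN_PARTITION_CAP = 384 * 1024  # capacity of the Admin/SO partition
FACTORY_FILE = "factoryInit_local_host_Config.tar.gz"
AUTO_DESC = "Automatic Backup Before Restoring"
# One data row: optional debris, size, name, description, separated by '|'.
ROW = re.compile(r"^\W*(\d+)\s*\|\s*(\S+)\s*\|\s*(.*?)\s*$")

@dataclass
class BackupFile:
    size: int
    name: str
    description: str

    @property
    def kind(self):
        """factory, automatic (pre-restore snapshot) or manual backup."""
        if self.name == FACTORY_FILE:
            return "factory"
        return "automatic" if self.description == AUTO_DESC else "manual"

def parse_config_list(text):
    """Extract the backup-file rows from 'sysconf config list' output."""
    return [BackupFile(int(m.group(1)), m.group(2), m.group(3))
            for m in map(ROW.match, text.splitlines()) if m]

def plan_export(files, names):
    """Check that each chosen file fits the 64 KB export limit and return
    (total_bytes, fits_in_partition) for exporting them to the HSM."""
    chosen = [f for f in files if f.name in names]
    too_big = [f.name for f in chosen if f.size > MAX_EXPORT_FILE]
    if too_big:
        raise ValueError(f"over {MAX_EXPORT_FILE} B export limit: {too_big}")
    total = sum(f.size for f in chosen)
    return total, total <= ADMIN_PARTITION_CAP
```

Running plan_export over a listing captured before an export tells you up front whether the chosen snapshots will fit in the Admin/SO partition, rather than discovering it at the sysconf config export prompt.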