partition archive backup
Back up partition objects. Use this command to back up objects from the current user partition to a partition on a backup device. You must be logged in as the Crypto Officer to back up the partition.
NOTE If the domains of your source and target HSMs do not match or the policy settings do not permit backup, the partition archive backup command fails. No objects are cloned to the target HSM but the command creates an empty backup partition. In this circumstance, you must manually delete the empty backup partition.
Cloning is a repeating atomic action
When you call for a cloning operation (such as backup or restore), the source HSM transfers a single object, encrypted with the source domain. The target HSM then decrypts and verifies the received blob.
If the verification succeeds, the object is stored at its destination: the domains match. If the verification fails, the blob is discarded and the target HSM reports the failure. Most likely the domain string or domain PED key that you used when creating the target partition did not match the domain of the source HSM partition. The source HSM then moves to the next item in the object list and attempts to clone it, until the end of the list is reached.
This means that if you issue a backup command for a source partition containing several objects, but have a mismatch of domains between your source HSM partition and the backup HSM partition, then you will see a separate error message for every object on the source partition as it individually fails verification at the target HSM.
Syntax
If the backup device is a slot in the current system:
partition archive backup -slot <backup_slot> -partition <backup_partition> -password <password> [-sopassword <sopassword>] [-domain <domain> | -defaultdomain] [-append] [-replace] [-debug] [-force]
If the backup device is in a remote workstation:
partition archive backup -slot remote -hostname <hostname> -port <portnumber> -partition <backup_partition> -password <password> [-sopassword <sopassword>] [-commandtimeout <seconds>] [-domain <domain> | -defaultdomain] [-append] [-replace] [-debug] [-force]
If the backup device is a USB-attached HSM:
partition archive backup -slot direct -partition <backup_partition> -password <password> [-sopassword <sopassword>] [-domain <domain> | -defaultdomain] [-append] [-replace] [-debug] [-force]
Option | Shortcut | Description |
---|---|---|
-append | -a | Append the objects to the existing partition. |
-commandtimeout <seconds> | -ct | The command timeout for network communication. The default timeout is 10 seconds. The maximum timeout is 3600. This option can be used to adjust the timeout value to account for network latency. |
-debug | -deb | Turn on additional error information. (optional) |
-defaultdomain | -def | Default domain for the specified partition. |
-domain <domain> | -do | Domain for the specified partition. |
-force | -f | Force action with no prompting. |
-hostname <hostname> | -ho | Host name of remote workstation running remote backup server. (required when -s remote is used) |
-partition <backup_partition> | -par | Partition on the backup device. (maximum length of 64 characters) |
-password <password> | -pas | Password for the specified partition. |
-port <portnumber> | -po | Port number for remote backup server on remote workstation. (required when -s remote is used) |
-replace | -rep | Allow objects with same OUID on backup device to be deleted and replaced. |
-slot <see description> | -s | Target slot containing the backup device. It can be specified by any of the following: <slot number>, if the backup slot is in the current system; remote -hostname <host name> -port <port number>, if the backup device is in a remote workstation; direct, to specify a USB-attached backup device. If you know the slot number that contains the USB-attached HSM, you can specify that slot number explicitly (for example, -s 5). |
-sopassword <sopassword> | -sop | SO password for the backup device. |
Example with password in command line
lunacm:> partition archive backup -slot 2 -partition sa78backup -domain clientdomain -password newPa$$w0rd -sopassword backupSOpwd
Logging in as the SO on slot 2.
Creating partition sa78backup on slot 2.
Logging into the container sa78backup on slot 2 as the user.
Creating Domain for the partition sa78backup on slot 2.
Verifying that all objects can be backed up...
6 objects will be backed up.
Backing up objects...
Cloned object 70 to partition sa78backup (new handle 14).
Cloned object 69 to partition sa78backup (new handle 18).
Cloned object 53 to partition sa78backup (new handle 19).
Cloned object 54 to partition sa78backup (new handle 23).
Cloned object 52 to partition sa78backup (new handle 24).
Cloned object 47 to partition sa78backup (new handle 28).
Backup Complete.
6 objects have been backed up to partition sa78backup
on slot 2.
Command Result : No Error
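Because cloning proceeds one object at a time and each object fails verification independently (see "Cloning is a repeating atomic action" above), a backup should be judged on the per-object lines, not just on the final result. The following added example, which is not Thales code, parses a captured lunacm transcript in the format shown on this page, checks that the number of "Cloned object" lines matches the announced count and that the command result is "No Error", and records the source-to-backup handle mapping for the backup record. The first transcript is reconstructed from the example above; the second is constructed to show a short backup, and its "Command Result" line is a placeholder, not a real lunacm error string.

```python
import re

# Constructed sample transcripts. SAMPLE_OK reproduces the output format of the
# successful example on this page; SAMPLE_SHORT is a constructed transcript in
# which not every announced object was cloned (its result line is a placeholder,
# not a real lunacm error string).
SAMPLE_OK = """\
Logging in as the SO on slot 2.
Creating partition sa78backup on slot 2.
Logging into the container sa78backup on slot 2 as the user.
Creating Domain for the partition sa78backup on slot 2.
Verifying that all objects can be backed up...
6 objects will be backed up.
Backing up objects...
Cloned object 70 to partition sa78backup (new handle 14).
Cloned object 69 to partition sa78backup (new handle 18).
Cloned object 53 to partition sa78backup (new handle 19).
Cloned object 54 to partition sa78backup (new handle 23).
Cloned object 52 to partition sa78backup (new handle 24).
Cloned object 47 to partition sa78backup (new handle 28).
Backup Complete.
6 objects have been backed up to partition sa78backup
on slot 2.
Command Result : No Error
"""

SAMPLE_SHORT = """\
Verifying that all objects can be backed up...
6 objects will be backed up.
Backing up objects...
Cloned object 70 to partition sa78backup (new handle 14).
Cloned object 69 to partition sa78backup (new handle 18).
Command Result : <placeholder non-success result>
"""

ANNOUNCED_RE = re.compile(r"^(\d+) objects? will be backed up\.$")
CLONED_RE = re.compile(r"^Cloned object (\d+) to partition (\S+) \(new handle (\d+)\)\.$")
RESULT_RE = re.compile(r"^Command Result : (.+)$")


def parse_backup_output(text):
    """Extract the announced object count, the (source handle, partition,
    new handle) triples and the final result string from lunacm output."""
    announced, cloned, result = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := ANNOUNCED_RE.match(line)):
            announced = int(m.group(1))
        elif (m := CLONED_RE.match(line)):
            cloned.append((int(m.group(1)), m.group(2), int(m.group(3))))
        elif (m := RESULT_RE.match(line)):
            result = m.group(1).strip()
    return {"announced": announced, "cloned": cloned, "result": result}


def handle_map(text):
    """Source handle -> backup handle, worth keeping with the backup record
    so that a later restore can be reconciled object by object."""
    return {src: new for src, _, new in parse_backup_output(text)["cloned"]}


def verify_backup(text, expected_partition):
    """Return (ok, reasons). ok is True only when the command reported
    'No Error', every announced object produced a 'Cloned object' line,
    and every object landed in the expected backup partition."""
    p = parse_backup_output(text)
    reasons = []
    if p["result"] != "No Error":
        reasons.append(f"command result was '{p['result']}', not 'No Error'")
    if p["announced"] is None:
        reasons.append("no 'objects will be backed up' line found")
    elif len(p["cloned"]) != p["announced"]:
        reasons.append(f"only {len(p['cloned'])} of {p['announced']} announced objects were cloned")
    strays = [src for src, part, _ in p["cloned"] if part != expected_partition]
    if strays:
        reasons.append(f"objects {strays} were cloned to a partition other than {expected_partition}")
    return (not reasons, reasons)


if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("short", SAMPLE_SHORT)):
        ok, reasons = verify_backup(sample, "sa78backup")
        print(name, "PASS" if ok else "FAIL", reasons)
    print(handle_map(SAMPLE_OK))
```

In practice the transcript would be the saved output of the lunacm session; feeding it through `verify_backup` turns a wall of per-object messages into a single pass/fail decision with the reasons listed, which is what a backup job should record before it reports success.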
Example with password prompt
lunacm:> partition archive backup -slot 2 -partition sa78backup
Option -domain was not specified. It is required.
Enter the domain name: ***
Re-enter the domain name: ***
Option -password was not supplied. It is required.
Enter the user password for the target partition: ***
Re-enter the user password for the target partition: ***
Logging in as the SO on slot 2.
Creating partition sa78backup on slot 2.
Logging into the container sa78backup on slot 2 as the user.
Creating Domain for the partition sa78backup on slot 2.
Verifying that all objects can be backed up...
6 objects will be backed up.
Backing up objects...
Cloned object 70 to partition sa78backup (new handle 14).
Cloned object 69 to partition sa78backup (new handle 18).
Cloned object 53 to partition sa78backup (new handle 19).
Cloned object 54 to partition sa78backup (new handle 23).
Cloned object 52 to partition sa78backup (new handle 24).
Cloned object 47 to partition sa78backup (new handle 28).
Backup Complete.
6 objects have been backed up to partition sa78backup
on slot 2.
Command Result : No Error
Example if password mistyped
lunacm:> partition archive backup -slot 21 -partition bkpar3
Option -domain was not specified. It is required.
Enter the domain name: ***
Re-enter the domain name: ***
Option -password was not supplied. It is required.
Enter the user password for the target partition: ***
Re-enter the user password for the target partition: ***
The passwords are not the same. Command aborted.
Command Result : 0xb (User Cancelled Operation)