Backing Up the Appliance Configuration

This chapter describes how to back up and restore the appliance configuration. You can back up and restore the appliance configuration to a file, or to an HSM.

Backing Up and Restoring Your Appliance Service Configuration

You can back up the configuration settings for the various services running on the SafeNet Luna Network HSM so that you can restore your configuration if necessary. The ability to back up and restore your appliance configuration ensures that your clients will be able to connect to a restored appliance, and that all services will function correctly, should that be required.

Backing up your current configuration

You can use the sysconf config backup command at any time to create a backup file that contains the current state of all service parameters configured on the appliance. You can create multiple backup files, and provide a description for each file, allowing you to back up and restore multiple different configurations. The backup files are stored on the file system by default. You can export them to the internal HSM or an external backup HSM. The following configuration settings are saved:

Network      |  Network configuration
NTLS         |  NTLS configuration
NTP          |  Network Time Protocol configuration
SNMP         |  SNMP configuration
SSH          |  SSH configuration
Syslog       |  Syslog configuration
System       |  System configuration (keys and certificates)
Users        |  User accounts, passwords, and files
Webserver    |  Webserver configuration for REST API

Automatically generated configuration backup files

A configuration backup file is generated automatically when you run the sysconf config restore or sysconf config factoryReset commands. This allows you to revert to your current configuration if the restore operation does not achieve the expected results.

Listing your configuration backup files

You can use the sysconf config list command to list all of your backup files, complete with the description you provided for each one, as shown in the following example. The configuration settings file area will always contain the original factory file, and might additionally contain any number of intentionally created backups, and possibly one or more automatic backup files:

[Net_HSM]lunash:>sysconf config list
 
 
Configuration backup files in file system:
 
Size        |  File Name                                      |  Description
--------------------------------------------------------------------------------------------------
16641       |  Net_HSM_Config_20120222_0556.tar.gz            |  Clients OracleTDE and WebSphere
16588       |  Net_HSM_Config_20120222_0558.tar.gz            |  Automatic Backup Before Restoring
 
Command Result : 0 (Success)

Upgrading the appliance software changes your configuration settings

If you upgrade your appliance software, your configuration settings may be changed as part of the upgrade process and, as a result, the original factory configuration no longer applies. Immediately after you upgrade your appliance, create a new configuration backup file and make note of the backup file created. Later, if you wish to restore to this configuration, use the sysconf config restore command with the file created after upgrade.

Managing your configuration backup files

If you wish, you can keep only the backup files that you find useful, and individually delete any others using the sysconf config delete command. You can also use the sysconf config clear command to delete all of your configuration files, if desired.

Note that the configuration backup file area is a special-purpose location, accessible only using the sysconf config commands. You will not see those files listed if you run the command my file list.

There is no limit on the size of individual backup files or the number of backups that can be stored on the file system, other than the available space. This space is shared by other files, such as spkg and log files, so account for this when planning your backup and restore strategy. Some size restrictions apply if you plan to export a backup file into your HSM using sysconf config export. See Backing Up the Appliance Configuration to the HSM for details.

Restoring configuration settings from a backup file

Use the sysconf config restore command to restore the configuration settings for a specific service, or for all services, from a configuration backup file. You must stop any services you wish to restore before performing the restore operation, and reboot the appliance for the changes to take effect. A new configuration backup file of the current configuration is created automatically when you perform a restore operation, allowing you to easily revert to the previous configuration, if necessary.

NOTE   Check the new configurations before rebooting or restarting the services.

Example of Backing Up and Restoring Your Appliance Configuration

If we factory reset the configuration parameters, a snapshot backup is created automatically, but for this example we will explicitly create a configuration backup file.

1. Create a backup of current appliance configuration parameters.

[Net_HSM] lunash:>sysconf config backup -description Example backup
 
Created configuration backup file: Net_HSM_Config_20120222_0556.tar.gz
 
Command Result : 0 (Success) 

2. Check the current state of a configuration parameter (users).

[Net_HSM] lunash:>user list
Users 		Roles 		Status   	RADIUS 
admin 		admin 		enabled 	no 
bob 		monitor 	enabled 	no 
john 		admin 		enabled 	no 
monitor 	monitor 	enabled 	no 
operator  	operator  	enabled 	no 
 
Command Result : 0 (Success) 

3. Perform the factory reset of the chosen configuration parameter (users).

[Net_HSM] lunash:>sysconf config factoryReset -service users

WARNING !! This command resets the configuration of the selected service(s) to factory defaults.
 Resetting services to factory defaults can affect connectivity and the operation of the HSM.
 If you are sure that you wish to proceed, then type 'proceed', otherwise type 'quit'.

> proceed
 Proceeding...
 Resetting service(s) to factory defaults:
 -----------------------------------------
 users : succeeded

Command Result : 0 (Success)
 
 
[Net_HSM] lunash:>sysconf appliance reboot
 
WARNING !!  This command will reboot the appliance. 
           All clients will be disconnected.
If you are sure that you wish to proceed, then type 'proceed', otherwise type 'quit'
> proceed 
Proceeding...
'hsm supportInfo' successful.
Use 'scp' from a client machine to get file named: 
supportInfo.txt
Broadcast message from root (pts/1) (Wed Feb 22 08:00:41 2012):
The system is going down for reboot NOW! 
Reboot commencing
 
Command Result : 0 (Success)

4. After the appliance returns from reboot, restart the SSH session and log in.

[Net_HSM] lunash:>
login as: admin
admin@192.20.10.202's password:
Last login: Wed Feb 22 05:44:39 2012 from 192.20.10.143
SafeNet Luna Network HSM 7.0 Command Line Shell - Copyright (c) 2001-2017 Gemalto, Inc. All rights reserved.
*****************************************************
**      **
** For security purposes, you must change your    **
** admin password.                                **
**                                                 **
** Please ensure you store your new admin    **
** password in a secure location.                **
**  **
** DO NOT LOSE IT!             **
**                                                 **
*****************************************************
Changing password for user admin.
You can now choose the new password.
A valid password should be a mix of upper and lower case letters, 
digits, and other characters. You can use an 8 character long
password with characters from at least 3 of these 4 classes.
An upper case letter that begins the password and a digit that 
ends it do not count towards the number of character classes used.
Enter new password:
Re-type new password:
passwd: all authentication tokens updated successfully.
Password change successful.

The reset to factory appliance settings for the users parameter seems to have worked. Our "admin" password was reset to the default password "PASSWORD", and we had to apply a non-default password.

5. With that done, we can verify whether additional aspects of the users parameters were also reset to factory spec.

[Net_HSM] lunash:>user list
 
Users 		Roles 		Status   	RADIUS 
admin 		admin 		enabled 	no 
monitor 	monitor 	enabled 	no 
operator    	operator    	enabled 	no 
 
Command Result : 0 (Success)

Notice that created users "bob" and "john" are gone, but the system-standard users "admin", "operator", and "monitor" persist. Both "operator" and "monitor" will have had their passwords reset to the default, as well.

[Net_HSM] lunash:>sysconf config list
 
Configuration backup files in file system:
 
Size         |	File Name     				|  Description
--------------------------------------------------------------------------------------------    
16641        |  Net_HSM_Config_20120222_0556.tar.gz     |  testing-this                            
16588        |  Net_HSM_Config_20120222_0558.tar.gz     |  Automatic Backup Before Restoring
      
Command Result : 0 (Success)

6. The list of configuration backup files is unchanged. We can choose one and restore it.

[Net_HSM] lunash:>sysconf config restore -service users -file Net_HSM_Config_20120222_0556.tar.gz
 
WARNING !!  This command restores the configuration backup file: Net_HSM_Config_20120222_0556.tar.gz.
It first creates a backup of the current configuration before restoring: Net_HSM_Config_20120222_0556.tar.gz. 
If you are sure that you wish to proceed, then type 'proceed', otherwise type 'quit'.
> proceed 
            
Proceeding...
Created configuration backup file: Net_HSM_Config_20120222_0606.tar.gz
Restore the users configuration: Succeeded
You must reboot the appliance for the changes to take effect.
Please check the new configurations BEFORE rebooting or restarting the services. 
You can restore the previous configurations if the new settings are not acceptable.
 
Command Result : 0 (Success)
 
 
[Net_HSM] lunash:>sysconf appliance reboot
WARNING !!  This command will reboot the appliance. 
            All clients will be disconnected.
If you are sure that you wish to proceed, then type 'proceed', otherwise type 'quit'
> proceed 
            
Proceeding...
'hsm supportInfo' successful.
Use 'scp' from a client machine to get file named: 
supportInfo.txt
Broadcast message from root (pts/1) (Wed Feb 22 08:00:41 2012):
The system is going down for reboot NOW! 
Reboot commencing
 
Command Result : 0 (Success)

7. After rebooting again, we are able to log in with our original "admin" password.

Once again we check the list of users.

[Net_HSM] lunash:>user list
 
Users 		Roles 		Status   	RADIUS
admin 		admin 		enabled 	no
bob 		monitor 	enabled 	no
john 		admin 		enabled 	no
monitor 	monitor 	enabled 	no
operator    	operator 	enabled 	no

We see that users "bob" and "john" have returned. We could also log in as "operator" and "monitor" and find that their chosen passwords have been restored.

8. Finally, ask for the list of system configuration backup files one more time.

[Net_HSM] lunash:>sysconf config list
 
Configuration backup files in file system:
 
Size        | File Name                                   | Description
---------------------------------------------------------------------------------------------     
16641       | Net_HSM_Config_20120222_0556.tar.gz         | testing-this                             
16588       | Net_HSM_Config_20120222_0558.tar.gz         | Automatic Backup Before Restoring       
16248       | Net_HSM_Config_20120222_0606.tar.gz         | Automatic Backup Before Restoring 
      
Command Result : 0 (Success)
 
[Net_HSM] lunash:>sysconf config restore

We see that a new file was created (Net_HSM_Config_20120222_0606.tar.gz) before the restore operation, and the other files are intact.

Backing Up the Appliance Configuration to the HSM

You can protect a configuration setup against the possibility of appliance failure by exporting a backup snapshot file into the internal HSM or an external backup HSM. The command sysconf config export allows you to place the configuration backup file onto an HSM and sysconf config import allows you to retrieve the file from that HSM, back to the appliance file system. The export command gives you two target options:

> The internal HSM of your SafeNet Luna Network HSM appliance. This could be useful if a component failed in the appliance, you sent the appliance back to SafeNet for rework under the RMA procedure, received it back repaired, and then retrieved the file from your HSM to restore your appliance settings.

> An external HSM, such as a Backup HSM or token. This could be useful if the current appliance failed and you wished to install a replacement. Similarly, you could use system configuration backup files restored from a Backup HSM to uniformly configure multiple SafeNet appliances with a standard set of parameters applicable to your enterprise.

If you are exporting a configuration backup to a SafeNet Luna Network HSM, please note the following file size restrictions:

> The maximum size of individual exportable files is 64 KB.

> The maximum storage capacity of the Admin/SO partition is 384 KB.
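
The size restrictions above can be checked on a client machine before running sysconf config export. The following is an added example, not part of the SafeNet documentation: it parses captured sysconf config list output in the format shown on this page and sorts the files into those that fit and those that do not. It assumes the Size column is in bytes and that 1 KB is 1024 bytes; the function names and the oversized sample row are constructed for illustration.

```python
import re

# Limits stated on this page; assumes Size is in bytes and 1 KB = 1024 bytes.
MAX_EXPORT_FILE = 64 * 1024       # per-file export limit
ADMIN_PARTITION_CAP = 384 * 1024  # Admin/SO partition capacity

# Constructed sample in the 'sysconf config list' format shown on this page;
# the third row is a made-up oversized entry.
SAMPLE_LISTING = """\
Configuration backup files in file system:

Size        | File Name                                   | Description
---------------------------------------------------------------------------
16641       | Net_HSM_Config_20120222_0556.tar.gz         | testing-this
16588       | Net_HSM_Config_20120222_0558.tar.gz         | Automatic Backup Before Restoring
70000       | Net_HSM_Config_20120223_0101.tar.gz         | constructed oversized entry

Command Result : 0 (Success)
"""

ROW = re.compile(r"^\s*(\d+)\s*\|\s*(\S+\.tar\.gz)\s*\|\s*(.*?)\s*$")

def parse_listing(text):
    """Return [(size, file_name, description)] from captured listing text."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3)))
    return rows

def plan_export(rows, used=0):
    """Return (exportable names, [(name, reason)]) under the limits above.
    used: bytes already on the Admin/SO partition (assumed known to caller).
    """
    ok, rejected = [], []
    for size, name, _desc in rows:
        if size > MAX_EXPORT_FILE:
            rejected.append((name, "exceeds 64 KB per-file limit"))
        elif used + size > ADMIN_PARTITION_CAP:
            rejected.append((name, "would exceed 384 KB partition capacity"))
        else:
            ok.append(name)
            used += size
    return ok, rejected

if __name__ == "__main__":
    print(plan_export(parse_listing(SAMPLE_LISTING)))
```

The listing does not report how much of the Admin/SO partition is already in use, so pass that figure as used when other objects are stored there.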