Backing Up the Appliance Configuration
This chapter describes how to back up and restore the appliance configuration. You can backup and restore the appliance configuration to a file, or to an HSM.
Backing Up and Restoring Your Appliance Service Configuration
You can backup the configuration settings for the various services running on the SafeNet Luna Network HSM so that you can restore your configuration if necessary. The ability to backup and restore your appliance configuration assures that your clients will be able to connect to a restored appliance, and all services will function correctly, should that be required.
Backing up your current configuration
You can use the sysconf config backup command at any time to create a backup file that contains the current state of all service parameters configured on the appliance. You can create multiple backup files, and provide a description for each file, allowing you to backup and restore multiple different configurations. The backup files are stored on the file system by default. You can export them to the internal HSM or an external backup HSM. The following configuration settings are saved:
Network | Network configuration |
NTLS | NTLS configuration |
NTP | Network Time Protocol configuration |
SNMP | SNMP configuration |
SSH | SSH configuration |
Syslog | Syslog configuration |
System | System configuration (keys and certificates) |
Users | User accounts, passwords, and files |
Webserver | Webserver configuration for REST API |
Automatically generated configuration backup files
A configuration backup file is generated automatically when you run the sysconf config restore or sysconf config factoryResetcommands. This allows you to revert to your current configuration if the restore operation did not achieve the expected results.
Listing your configuration backup files
You can use the sysconf config list command to list all of your backup files, complete with the description you provided for each one, as shown in the following example. The configuration settings file area will always contain the original factory file, and might additionally contain any number of intentionally created backups, and possibly one or more automatic backup files:
[Net_HSM]lunash:>sysconf config list
Configuration backup files in file system:
Size | File Name | Description
--------------------------------------------------------------------------------------------------
16641 | Net_HSM_Config_20120222_0556.tar.gz | Clients OracleTDE and WebSphere
16588 | Net_HSM_Config_20120222_0558.tar.gz | Automatic Backup Before Restoring
Command Result : 0 (Success)
Upgrading the appliance software changes your configuration settings
If you upgrade your appliance software, your configuration settings may be changed as part of the upgrade process and, as a result, the original factory configuration no longer applies. Immediately after you upgrade your appliance, create a new configuration backup file and make note of the backup file created. Later, if you wish to restore to this configuration, use the sysconf config restore command with the file created after upgrade.
Managing your configuration backup files
If you wish, you can keep only the backup files that you find useful, and individually delete any others using the sysconf config delete command. You can also use the sysconf config clear command to delete all of your configuration files, if desired.
Note that the configuration backup file area is a special-purpose location, accessible only using the sysconf config commands. You will not see those files listed if you run the command my file list.
There is no limit on the size of individual backup files or the number of backups that can be stored on the file system, other than the available space. This space is shared by other files, such as spkg and log files, so account for this when planning your backup and restore strategy. Some size restrictions apply if you plan to export a backup file into your HSM using sysconf config export. See Backing Up the Appliance Configuration to the HSM for details.
Restoring configuration settings from a backup file
Use the sysconf config restore command to restore the configuration settings for a specific service, or for all services, from a configuration backup file. You must stop any services you wish to restore before performing the restore operation, and reboot the appliance for the changes to take effect. A new configuration backup file of the current configuration is created automatically when you perform a restore operation, allowing you to easily revert to the previous configuration, if necessary.
NOTE Check the new configurations before rebooting or restarting the services.
Example of Backing Up and Restoring Your Appliance Configuration
If we factory reset the configuration parameters, a snapshot backup is created automatically, but for this example we will explicitly create a configuration backup file.
1.Create a backup of current appliance configuration parameters.
[Net_HSM] lunash:>sysconf config backup -description Example backup
Created configuration backup file: Net_HSM_Config_20120222_0556.tar.gz
Command Result : 0 (Success)
2.Check the current state of a configuration parameter (users).
[Net_HSM] lunash:>user list
Users Roles Status RADIUS
admin admin enabled no
bob monitor enabled no
john admin enabled no
monitor monitor enabled no
operator operator enabled no
Command Result : 0 (Success)
3.Perform the factory reset of the chosen configuration parameter (users).
[Net_HSM] lunash:>sysconf config factoryReset -service users WARNING !! This command resets the configuration of the selected service(s) to factory defaults. Resetting services to factory defaults can affect connectivity and the operation of the HSM. If you are sure that you wish to proceed, then type 'proceed', otherwise type 'quit'. > proceed Proceeding... Resetting service(s) to factory defaults: ----------------------------------------- users : succeeded Command Result : 0 (Success)
[Net_HSM] lunash:>sysconf appliance reboot
WARNING !! This command will reboot the appliance.
All clients will be disconnected.
If you are sure that you wish to proceed, then type 'proceed', otherwise type 'quit'
> proceed
Proceeding...
'hsm supportInfo' successful.
Use 'scp' from a client machine to get file named:
supportInfo.txt
Broadcast message from root (pts/1) (Wed Feb 22 08:00:41 2012):
The system is going down for reboot NOW!
Reboot commencing
Command Result : 0 (Success)
4. After the appliance returns from reboot, restart the SSH session and log in.
[Net_HSM] lunash:>
login as: admin
admin@192.20.10.202's password:
Last login: Wed Feb 22 05:44:39 2012 from 192.20.10.143
SafeNet Luna Network HSM 7.0 Command Line Shell - Copyright (c) 2001-2017 Gemalto, Inc. All rights reserved.
*****************************************************
** **
** For security purposes, you must change your **
** admin password. **
** **
** Please ensure you store your new admin **
** password in a secure location. **
** **
** DO NOT LOSE IT! **
** **
*****************************************************
Changing password for user admin.
You can now choose the new password.
A valid password should be a mix of upper and lower case letters,
digits, and other characters. You can use an 8 character long
password with characters from at least 3 of these 4 classes.
An upper case letter that begins the password and a digit that
ends it do not count towards the number of character classes used.
Enter new password:
Re-type new password:
passwd: all authentication tokens updated successfully.
Password change successful.
The reset to factory appliance settings for the users parameter seems to have worked. Our "admin" password was reset to the default password "PASSWORD", and we had to apply a non-default password.
5.With that done, we can verify if additional aspects of the users parameters were also reset to factory spec.
[Net_HSM] lunash:>user list
Users Roles Status RADIUS
admin admin enabled no
monitor monitor enabled no
operator operator enabled no
Command Result : 0 (Success)
Notice that created users "bob" and "john" are gone, but the system-standard users "admin", "operator", and "monitor" persist. Both "operator" and "monitor" will have had their passwords reset to the default, as well.
[Net_HSM] lunash:>sysconf config list
Configuration backup files in file system:
Size | File Name | Description
--------------------------------------------------------------------------------------------
16641 | Net_HSM_Config_20120222_0556.tar.gz | testing-this
16588 | Net_HSM_Config_20120222_0558.tar.gz | Automatic Backup Before Restoring
Command Result : 0 (Success)
6.The list of configuration backup files is unchanged. We can choose one and restore it.
[Net_HSM] lunash:>sysconf config restore -service users -file Net_HSM_Config_20120222_0556.tar.gz
WARNING !! This command restores the configuration backup file: Net_HSM_Config_20120222_0556.tar.gz.
It first creates a backup of the current configuration before restoring: Net_HSM_Config_20120222_0556.tar.gz.
If you are sure that you wish to proceed, then type 'proceed', otherwise type 'quit'.
> proceed
Proceeding...
Created configuration backup file: Net_HSM_Config_20120222_0606.tar.gz
Restore the users configuration: Succeeded
You must reboot the appliance for the changes to take effect.
Please check the new configurations BEFORE rebooting or restarting the services.
You can restore the previous configurations if the new settings are not acceptable.
Command Result : 0 (Success)
[Net_HSM] lunash:>sysconf appliance reboot
WARNING !! This command will reboot the appliance.
All clients will be disconnected.
If you are sure that you wish to proceed, then type 'proceed', otherwise type 'quit'
> proceed
Proceeding...
'hsm supportInfo' successful.
Use 'scp' from a client machine to get file named:
supportInfo.txt
Broadcast message from root (pts/1) (Wed Feb 22 08:00:41 2012):
The system is going down for reboot NOW!
Reboot commencing
Command Result : 0 (Success)
7.After rebooting again, we are able to log in with our original "admin" password.
Once again we check the list of users.
[Net_HSM] lunash:>user list
Users Roles Status RADIUS
admin admin enabled no
bob monitor enabled no
john admin enabled no
monitor monitor enabled no
operator operator enabled no
We see that users "bob" and "john" have returned. We could also log in as "operator" and "monitor" and find that their chosen passwords have been restored.
8.Finally, ask for the list of system configuration backup files one more time.
[Net_HSM] lunash:>sysconf config list
Configuration backup files in file system:
Size | File Name | Description
---------------------------------------------------------------------------------------------
16641 | Net_HSM_Config_20120222_0556.tar.gz | testing-this
16588 | Net_HSM_Config_20120222_0558.tar.gz | Automatic Backup Before Restoring
16248 | Net_HSM_Config_20120222_0606.tar.gz | Automatic Backup Before Restoring
Command Result : 0 (Success)
[Net_HSM] lunash:>sysconf config restore
We see that a new file was created (Net_HSM_Config_20120222_0606.tar.gz) before the restore operation, and the other files are intact.
Backing Up the Appliance Configuration to the HSM
You can protect a configuration setup against the possibility of appliance failure by exporting a backup snapshot file into the internal HSM or an external backup HSM. The command sysconf config export allows you to place the configuration backup file onto an HSM and sysconf config import allows you to retrieve the file from that HSM, back to the appliance file system. The export command gives you two target options:
>The internal HSM of your SafeNet Luna Network HSM appliance. This could be useful if a component failed in the appliance, you sent the appliance back to SafeNet for rework under the RMA procedure, received it back repaired, and then retrieved the file from your HSM to restore your appliance settings.
>An external HSM, such as a Backup HSM or token. This could be useful if the current appliance failed and you wished to install a replacement. Similarly, you could use system configuration backup files restored from a Backup HSM to uniformly configure multiple SafeNet appliances with a standard set of parameters applicable to your enterprise.
If you are exporting a configuration backup to a SafeNet Luna Network HSM, please note the following file size restrictions:
>The maximum size of individual exportable files is 64 KB.
>The maximum storage capacity of the Admin/SO partition is 384 KB.