Prepare RBS to Support Backup / Restore

Remote Backup uses the Remote Backup Service (RBS), which must be installed and configured before you use it. RBS is a separate option at software installation time. You do not need it on all client/admin computers, but it doesn't hurt to have it installed.

To prepare for RBS:

1. Install SafeNet Luna PCIe HSM Client software on the computer that will manage your primary HSM. This could be the administrative client for SafeNet Luna PCIe HSM, or the host computer that contains one or more SafeNet Luna PCIe HSMs or is connected to one or more SafeNet Luna USB HSMs. You will probably want to include the Remote PED option.

If the primary HSM is other than SafeNet Luna PCIe HSM, install the SafeNet Luna PCIe HSM option in addition to the SafeNet Luna USB HSM or SafeNet Luna PCIe HSM software, because the SafeNet Luna PCIe HSM client is the only one that includes the vtl utility, which is necessary for the certificate exchange that enables Remote Backup Service.


2. Install SafeNet Luna PCIe HSM Client software on the host computer connected to your Backup HSM. Select the Remote Backup option.

You could also choose to install the Remote PED option here. It depends on how you intend to separate the functions and, other than the space it occupies on your hard disk, it doesn't hurt to have any of the SafeNet Luna PCIe HSM Client options installed and available.

3. Run rbs --genkey to generate the server.pem file, which is used to establish the Remote Backup Service between the Backup host and the host/client for the primary HSM. The location of the server.pem file can be found in the Chrystoki.conf / crystoki.ini file.

4. Run rbs --config to specify the devices to support.

5. Run rbs --daemon to launch the rbs daemon (Linux and UNIX) or the rbs console application (Windows; it closes after every use).

6. Copy the certificate generated earlier (server.pem) to your primary HSM host computer or SafeNet Luna PCIe HSM appliance:

    # scp root@192.20.9.253:/usr/safenet/lunaclient/rbs/server/server.pem .
    root@192.20.9.253's password: *********
    server.pem | 1 kB | 1.2 kB/s | ETA: 00:00:00 | 100%
 

7. Run vtl on the host computer (or appliance) to add the RBS server to the server list:

    vtl add -n 192.20.9.253 -c server.pem
    New server 192.20.9.253 successfully added to server list.
    vtl list
    Server: 192.20.9.82 HTL required: no
    Server: 192.20.9.253 HTL required: no
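
As an added example (not part of the SafeNet documentation), steps 6 and 7 can be gated on a digest check, so that the server.pem registered with vtl is byte-for-byte the file generated on the Backup HSM host. It assumes server.pem holds only the certificate, that sha256sum is available on both hosts, and that the expected digest is read on the Backup HSM host and passed over a separate channel; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not vendor code. On the Backup HSM host, obtain the reference
# digest with:  sha256sum /usr/safenet/lunaclient/rbs/server/server.pem
# and convey it out of band (not over the same scp session).

# pem_sha256 FILE: print the lowercase SHA-256 hex digest of FILE
pem_sha256() {
    sha256sum "$1" | awk '{print $1}'
}

# check_rbs_cert FILE EXPECTED_SHA256
# Returns 0 only if FILE holds exactly one certificate, no private key,
# and its digest equals EXPECTED_SHA256 (compared case-insensitively).
check_rbs_cert() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    # Assumption: the RBS private key stays on the Backup HSM host,
    # so a key block in the copied file means the wrong file was taken.
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$file"; then
        echo "$file contains a private key; do not distribute it" >&2
        return 3
    fi
    certs=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$file" || true)
    [ "$certs" -eq 1 ] || { echo "expected 1 certificate, found $certs" >&2; return 4; }
    actual=$(pem_sha256 "$file")
    [ "$actual" = "$expected" ] || { echo "digest mismatch: $actual" >&2; return 5; }
    return 0
}

# add_rbs_server HOST FILE EXPECTED_SHA256
# Runs the page's "vtl add" only after the copied certificate passes the check.
add_rbs_server() {
    check_rbs_cert "$2" "$3" && vtl add -n "$1" -c "$2"
}
```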

 

Now go to Backup your HSM Partition Remotely.

 

The PEDClient is half of the PEDServer/PEDClient duo that enables Remote PED service.

However, PEDClient is also used in the communication component of Remote Backup Service. PEDClient should therefore run on every platform where a SafeNet Luna USB HSM or SafeNet Luna PCIe HSM is installed (PEDClient is already included in SafeNet Luna Network HSM 5.2 and newer), and also on any system with the RBS application.

The PEDServer is required only on a computer with the SafeNet Remote PED.

If you consolidate your HSM administration (including Remote PED) on the same computer with your SafeNet Remote Backup HSM, you would have both PEDClient and PEDServer installed there. We observe that a majority of customers combine administrative functions this way, on a laptop or a workstation that is used to administer one or many HSM hosts. The HSM host (with SafeNet Luna USB HSM or SafeNet Luna PCIe HSM) or the SafeNet Luna Network HSM appliance resides in a physically secure, possibly remote location, while the administrator works from a laptop in his or her office. Your security policy determines how you do it.