partition archive backup

Backup partition objects. Use this command to backup objects from the current user partition to a partition on a backup device. You must be logged in as the Crypto Officer to backup the partition.

NOTE   If the domains of your source and target HSMs do not match or the policy settings do not permit backup, the partition archive backup command fails. No objects are cloned to the target HSM but the command creates an empty backup partition. In this circumstance, you must manually delete the empty backup partition.

Cloning is a repeating atomic action

When you call for a cloning operation (such as backup or restore), the source HSM transfers a single object, encrypted with the source domain. The target HSM then decrypts and verifies the received blob.

If the verification is successful, the object is stored at its destination – the domains are a match. If the verification fails, then the blob is discarded and the target HSM reports the failure. Most likely the domain string or the domain PED key, that you used when creating the target partition, did not match the domain of the source HSM partition. The source HSM moves to the next item in the object list and attempts to clone again, until the end of the list is reached.

This means that if you issue a backup command for a source partition containing several objects, but have a mismatch of domains between your source HSM partition and the backup HSM partition, then you will see a separate error message for every object on the source partition as it individually fails verification at the target HSM.

Syntax

If backup device is a slot in the current system:

partition archive backup -slot <backup_slot> -partition <backup_partition> -password <password> [-sopassword <sopassword>] [-domain <domain> | -defaultdomain] [-append] [-replace] [-debug] [-force]

If backup device is in a remote workstation:

partition archive backup -slot remote -hostname <hostname> -port <portnumber> -partition <backup_partition> -password <password> [-sopassword <sopassword>] [-commandtimeout <seconds>] [-domain <domain> | -defaultdomain] [-append] [-replace] [-debug] [-force]

If backup device is a USB-attached HSM:

partition archive backup -slot direct -partition <backup_partition> -password <password> [-sopassword <sopassword>] [-domain <domain> | -defaultdomain] [-append] [-replace] [-debug] [-force]

Argument(s) Shortcut Description
-append -a Append the objects to the existing partition.
-commandtimeout <seconds> -ct The command timeout for network communication. The default timeout is 10 seconds. The maximum timeout is 3600. This option can be used to adjust the timeout value to account for network latency.
-debug -deb Turn on additional error information. (optional)
-defaultdomain -def Default domain for the specified partition.
-domain <domain> -do Domain for the specified partition.
-force -f Force action with no prompting.
-hostname <hostname> -ho Host name of remote workstation running remote backup server. (required when -s remote is used)
-partition <backup_partition> -par Partition on the backup device. (maximum length of 64 characters)
-password <password> -pas Password for the specified partition.
-port <portnumber> -po Port number for remote backup server on remote workstation. (required when -s remote is used)
-replace -rep Allow objects with same OUID on backup device to be deleted and replaced.
-slot <see description> -s

Target slot containing the backup device. It can be specified by any of the following:

> <slot number>, if the backup slot is in the current system.

>remote -hostname <host name> -port <port number> if the backup device is in a remote work station.

>direct to specify a USB-attached backup device. If you know the slot number that contains the USB-attached HSM, you can specify that slot number explicitly (for example, -s 5)

-sopassword <sopassword> -sop SO password for the backup device.

Example with password in command line

lunacm:> partition archive backup -slot 2 -partition sa78backup -domain clientdomain -password newPa$$w0rd -sopassword backupSOpwd

        Logging in as the SO on slot 2.

        Creating partition sa78backup on slot 2.

        Logging into the container sa78backup on slot 2 as the user.

        Creating Domain for the partition sa78backup on slot 2.

        Verifying that all objects can be backed up...

        6 objects will be backed up.

        Backing up objects...
        Cloned object 70 to partition sa78backup (new handle 14).
        Cloned object 69 to partition sa78backup (new handle 18).
        Cloned object 53 to partition sa78backup (new handle 19).
        Cloned object 54 to partition sa78backup (new handle 23).
        Cloned object 52 to partition sa78backup (new handle 24).
        Cloned object 47 to partition sa78backup (new handle 28).

        Backup Complete.

        6 objects have been backed up to partition sa78backup
        on slot 2.

Command Result : No Error 

Example with password prompt

lunacm:> partition archive backup -slot 2 -partition sa78backup 

Option -domain was not specified. It is required.
 Enter the domain name: ***
 Re-enter the domain name: ***
 Option -password was not supplied. It is required.
 Enter the user password for the target partition: *** 
 Re-enter the user password for the target partition: ***
   Logging in as the SO on slot 2. 
   Creating partition sa78backup on slot 2. 
   Logging into the container sa78backup on slot 2 as the user. 
   Creating Domain for the partition sa78backup on slot 2.
   Verifying that all objects can be backed up...
   6 objects will be backed up. 
   Backing up objects...
   Cloned object 70 to partition sa78backup (new handle 14). 
   Cloned object 69 to partition sa78backup (new handle 18).
   Cloned object 53 to partition sa78backup (new handle 19). 
   Cloned object 54 to partition sa78backup (new handle 23).
   Cloned object 52 to partition sa78backup (new handle 24).
   Cloned object 47 to partition sa78backup (new handle 28).
 Backup Complete.
   6 objects have been backed up to partition sa78backup
   on slot 2. 
Command Result : No Error

 

Example if password mistyped

lunacm:>partition archive backup -slot 21 -partition bkpar3

Option -domain was not specified. It is required.
 Enter the domain name: ***
 Re-enter the domain name: ***
 Option -password was not supplied. It is required.
 Enter the user password for the target partition: ***
 Re-enter the user password for the target partition: ***
The passwords are not the same.
Command aborted.
Command Result : 0xb (User Cancelled Operation)