Configuring a Remote Luna Backup HSM (G5) Server

In this configuration, the Luna Backup HSM is connected to a remote client workstation that communicates with the Luna PCIe HSM host via the Remote Backup Service (RBS). It is useful in deployments where backups are stored in a separate location from the Luna PCIe HSM, to protect against catastrophic loss (fire, flood, etc).

RBS is a utility, included with the Luna HSM Client software, that runs on a workstation hosting one or more Backup HSMs. When RBS is configured and running, other clients or HSMs registered to it can see its Backup HSM(s) as slots in LunaCM. RBS is compatible with both Luna G5 and G7 Backup HSMs.

Installing/Configuring the Remote Backup Service

RBS is installed using the Luna HSM Client installer. You must create a certificate for the RBS workstation and register it on all clients/appliances that will use the remote Backup HSMs. These instructions will allow you to install and configure RBS.

Prerequisites

>On any Luna PCIe HSM host workstation, install the following Luna HSM Client components (see Luna HSM Client Software Installation):

Network: The Network component includes utilities that are required for remote backups

Remote PED: if you are backing up PED-authenticated partitions

NOTE   The Luna HSM Client version installed on the RBS workstation must be the same version installed on the client workstation(s). Ensure that you use a client version that is compatible with your Backup HSM firmware.

>Install the Luna Backup HSM(s) at the workstation that will host RBS (see Installing the Backup HSM).

>[PED Authentication] Initialize the remote PED vector for each Backup HSM. You will need the orange PED key for backup/restore operations (see Initializing the Backup HSM Remote PED Vector).

To install and configure RBS

1.On the workstation hosting the Backup HSM(s), install the Backup component of the Luna HSM Client (see Luna HSM Client Software Installation). If this workstation will also host a Remote PED, install the Remote PED component as well (Windows only).

2.Navigate to the Luna HSM Client home directory (/usr/safenet/lunaclient/rbs/bin on Linux/Unix) and generate a certificate for the RBS host.

> rbs --genkey

You are prompted to enter and confirm an RBS password. The certificate is generated in:

Linux/UNIX: <LunaClient_install_directory>/rbs/server/server.pem

Windows: <LunaClient_install_directory>\cert\server\server.pem

3.Specify the Backup HSM(s) that RBS will make available to clients.

> rbs --config

RBS displays a list of Backup HSMs currently connected to the workstation. Select the ones you want to provide remote backup services. When you have specified your selection, enter X to exit the configuration tool.

4.Launch the RBS daemon (Linux/UNIX) or console application (Windows).

Linux/UNIX: # rbs --daemon

Windows: Double-click the rbs application. A console window will remain open.

You are prompted to enter the RBS password.

5.Securely transfer the RBS host certificate (server.pem) to your Luna PCIe HSM host workstation using pscp or scp.

6.On the Luna PCIe HSM host workstation, register the RBS host certificate to the server list.

> vtl addServer -n <Backup_host_IP> -c server.pem

7.[Optional] Launch LunaCM on the client to confirm that the Backup HSM appears as an available slot.

NOTE   If you encounter issues, try changing the RBS and PEDclient ports from their default values. Check that your firewall is not blocking ports used by the service.

You can now use the Backup HSM(s) as though they were connected to the Luna PCIe HSM host workstation locally, using Remote PED. See Backup/Restore Using a Host-Connected Luna Backup HSM (G5) for procedures.