Backing Up and Restoring the Appliance Configuration

TIP   This page concerns authentication and management of roles that govern network administrative access to the appliance.

That is, access to, management of, and use of the cryptographic module and its application partitions are distinct from access to the physical platform (and operating system) in which the HSM resides. This is true:

>for Luna PCIe HSM 7 installed in a workstation that you provide, and

>for the same cryptographic module inside a Luna Network HSM 7 appliance with hardened operating system and administrative access restricted to the limited Luna shell command set.

On the appliance, the cryptographic module has its own separate and distinct authentication roles and requirements; see hsm init, hsm login, partition init, partition init co, partition init cu, partition createChallenge, partition changePw, partition activate, audit changePwd, and audit login, among the various other administrative operations on the SSH-accessible appliance command path or via the equivalent REST APIs, as well as the client-side equivalent commands (in LunaCM) partition init, partition login, partition logout, and all the partition role commands.

The appliance admin can create a backup of configuration settings for various services running on the Luna Network HSM 7 appliance, and save it to the appliance file system. This allows you to easily restore the configuration after a factory reset, ensuring that existing clients can connect to the restored appliance with all services functioning correctly. You can create multiple backup files and provide a description for each, to store different configurations. You can store your configuration backup files on the appliance filesystem, save them to the internal HSM, or export them to an external backup HSM.

>Backing Up the Appliance Configuration

>Restoring the Appliance Configuration

>Managing Configuration Backup Files

The backup file includes configuration data for the following modules and services:

Network: Network configuration
NTLS: NTLS configuration
NTP: Network Time Protocol configuration
SNMP: SNMP configuration
SSH: SSH configuration
Syslog: Syslog configuration
System: System configuration (keys and certificates)
Users: User accounts, passwords, and files
Webserver: Webserver configuration for REST API

Backing Up the Appliance Configuration

Use the following procedure to back up your appliance configuration to the appliance filesystem.

CAUTION!   This procedure does not back up HSM or partition configurations. It applies only to the Luna Network HSM 7 appliance settings configurable in LunaSH.

Prerequisites

>You must be logged in to LunaSH as admin to back up the appliance configuration.

To back up the appliance configuration

1. Back up the appliance configuration, specifying an optional description for the backup file. Use quotes to include spaces in your description. To save a copy of the initial factory configuration instead of the current configuration, include the -factoryconfig option.

lunash:> sysconf config backup [-description <description>]

Restoring the Appliance Configuration

Use the following procedure to restore appliance services from a stored configuration backup. You can restore the entire configuration or select specific services to restore.

Prerequisites

>You must be logged in to LunaSH as admin to restore the appliance configuration.

>If you are restoring the network configuration, log in using a serial connection so that you do not lose contact with the appliance.

>The configuration backup file must be available on the appliance filesystem.

To restore the appliance configuration

1. [Optional] Check the list of configuration backup files available on the appliance.

lunash:> sysconf config list

2. Stop any services you wish to restore.

lunash:> service stop <service>

3. Restore the configuration from backup by specifying the backup file and service you wish to restore.

lunash:> sysconf config restore -file <filename> -service <service>

4. Restart the service or reboot the appliance to activate the restored configuration settings.

lunash:> service restart <service>

lunash:> sysconf appliance reboot

Managing Configuration Backup Files

If you wish, you can keep only the backup files that you find useful, and individually delete any others using the sysconf config delete command. You can also use the sysconf config clear command to delete all of your configuration backup files.

Note that the configuration backup file area is a special-purpose location, accessible only using the sysconf config commands. You will not see those files listed if you run the command my file list.

There is no limit on the size of individual backup files or the number of backups that can be stored on the file system, other than the available space. This space is shared by other files, such as spkg and log files, so account for this when planning your backup and restore strategy. Some size restrictions apply if you plan to export a backup file into your HSM using sysconf config export.

Backing Up the Appliance Configuration to the HSM

You can protect a configuration setup against the possibility of appliance failure by exporting a backup file into the internal HSM or an external backup HSM. The command sysconf config export allows you to place the configuration backup file onto an HSM and sysconf config import allows you to retrieve the file from that HSM, back to the appliance file system. The export command gives you two target options:

>The internal HSM of your Luna Network HSM 7 appliance. This could be useful if a component failed in the appliance, you sent the appliance back to Thales Group for rework under the RMA procedure, received it back repaired, and then retrieved the file from your HSM to restore your appliance settings.

>A locally-installed Luna Backup HSM. This could be useful if the current appliance failed and you wished to install a replacement. Similarly, you could use system configuration backup files restored from a Backup HSM to uniformly configure multiple Luna Network HSM 7 appliances with a standard set of parameters applicable to your enterprise.

If you are exporting a configuration backup to a Luna Network HSM 7, please note the following file size restrictions:

>The maximum size of individual exportable files is 64 KB.

>The maximum storage capacity of the Admin/SO partition is 384 KB.

Automatically generated configuration backup files

A configuration backup file is generated automatically when you run the sysconf config restore or sysconf config factoryReset commands. This allows you to revert to your current configuration if the restore operation did not achieve the expected results.

Listing your configuration backup files

You can use the sysconf config list command to list all of your backup files, complete with the description you provided for each one, as shown in the following example. The configuration settings file area will always contain the original factory file, and might additionally contain any number of intentionally created backups, and possibly one or more automatic backup files:

Upgrading the appliance software changes your configuration settings

If you upgrade your appliance software, your configuration settings may be changed as part of the upgrade process and, as a result, the original factory configuration no longer applies. Immediately after you upgrade your appliance, create a new configuration backup file and make note of the backup file created. Later, if you wish to restore to this configuration, use the sysconf config restore command with the file created after upgrade.