Backing Up/Restoring the Appliance User Role Configuration
TIP This page concerns authentication and management of roles that govern network administrative access to the appliance.
That is, access to, management of, and use of the cryptographic module and its application partitions are distinct from access to the physical platform (and operating system) in which the HSM resides. This is true:
> for Luna PCIe HSM 7 installed in a workstation that you provide, and
> for the same cryptographic module inside a Luna Network HSM 7 appliance with hardened operating system and administrative access restricted to the limited Luna shell command set.
On the appliance, the cryptographic module has its own separate and distinct authentication roles and requirements; see hsm init, hsm login, partition init, partition init co, partition init cu, partition createChallenge, partition changePw, partition activate, audit changePwd, and audit login among the various other administrative operations on the SSH-accessible appliance command path, or via the equivalent REST APIs, as well as the client-side equivalent commands (in LunaCM) partition init, partition login, partition logout, and all the partition role commands.
LunaSH allows you to store a snapshot of the administrative user database (the names and status of all named LunaSH users) that can later be restored if desired.
CAUTION! Restoring from backup restores the database of user profiles that existed at the time the backup was made. You will lose any user accounts created since the backup; passwords of existing users could be reverted without their knowledge; enabled users might be disabled; disabled users might be enabled; and any user accounts removed since that backup will be restored.
Your records should indicate when user-profile changes were made, and what those changes were. Any time you restore a config backup, reconcile the changed statuses and inform anyone who is affected. For example, users need to know to use their previous password, and to change it immediately.
NOTE While the built-in admin, operator, and monitor accounts are not deleted or added by a restore operation (those accounts are permanent), both their enabled/disabled status and their passwords are changed to whatever prevailed at the time the backup was originally taken.
To back up the appliance user role configuration
1. Connect to the appliance via SSH or a serial connection, and log in to LunaSH as admin or a custom user with an admin role (see Logging In to LunaSH).
2. Back up the user role configuration, specifying a description for the backup file.
lunash:> sysconf config backup -description <description>
lunash:>sysconf config backup -description "Configuration Backup 17-03-01"

Created configuration backup file: myLuna_Config_20170301_1200.tar.gz

Command Result : 0 (Success)
To restore the appliance user role configuration
1. Connect to the appliance via SSH or a serial connection, and log in to LunaSH as admin or a custom user with an admin role (see Logging In to LunaSH).
2. List the available configuration backup files.
lunash:> sysconf config list

Configuration backup files in file system:

 Size  |              File Name             |           Description
-----------------------------------------------------------------------------------------------------
 34099 | myLuna_Config_20180507_1629.tar.gz | Configuration Backup 2018-05-07

Command Result : 0 (Success)
3. Restore the user role configuration. If you only wish to restore the user configuration, excluding other services on the appliance, specify -service users.
lunash:> sysconf config restore -file <filename> [-service users]
lunash:>sysconf config restore -file myLuna_Config_20180507_1629.tar.gz -service users

WARNING !! This command restores the configuration from the backup file: myLuna_Config_20180507_1629.tar.gz.
It first creates a backup of the current configuration before restoring: myLuna_Config_20180507_1629.tar.gz.
If you are sure that you wish to proceed, then type 'proceed', otherwise type 'quit'.

> proceed
Proceeding...

Created configuration backup file: myLuna_Config_20180507_1634.tar.gz

Restore the users configuration: Succeeded.

You must either reboot the appliance or restart the service(s) for the changes to take effect.
Please check the new configurations BEFORE rebooting or restarting the services.
You can restore the previous configurations if the new settings are not acceptable.

Command Result : 0 (Success)
4. Reboot the Luna Network HSM 7 appliance.
lunash:> sysconf appliance reboot
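Both procedures above lend themselves to scripting: an operator who schedules regular user-role backups, or who has to pick the right backup before a restore, wants the success check and the created file name taken from the LunaSH output rather than read by eye. The following helpers are an added example, not part of the Thales documentation or of LunaSH itself. They assume only the output formats shown on this page (the "Created configuration backup file:" line, the "Command Result : N" line, and the pipe-separated sysconf config list table); the remote-invocation wrapper additionally assumes that LunaSH accepts a single command as the SSH command string, and the host name it uses is a placeholder. The sample output embedded below is constructed from the examples on this page.

```shell
#!/bin/sh
# Helpers for scripting LunaSH user-role configuration backups.
# Added example; assumes the output formats shown in the documentation above.

# Print the file name from a "Created configuration backup file: ..." line.
backup_file_from_output() {
  printf '%s\n' "$1" \
    | sed -n 's/.*Created configuration backup file: *\([^ ]*\).*/\1/p' \
    | head -n 1
}

# Succeed (exit 0) only if LunaSH reported "Command Result : 0 (Success)".
lunash_succeeded() {
  printf '%s\n' "$1" | grep -q 'Command Result *: *0 *(Success)'
}

# From "sysconf config list" output, print the backup file whose embedded
# timestamp (myLuna_Config_YYYYMMDD_HHMM.tar.gz) is the most recent.
# The file-name column is the second pipe-separated field; spaces are trimmed.
newest_backup() {
  printf '%s\n' "$1" \
    | awk -F'|' '/\.tar\.gz/ { gsub(/ /, "", $2); print $2 }' \
    | sort | tail -n 1
}

# Run the backup command on the appliance and print the created file name.
# Fails if the SSH session fails or LunaSH does not report success.
# Assumption: LunaSH runs a single command passed as the SSH command string.
lunash_backup() {
  host="$1"            # placeholder, e.g. "luna-hsm.example.internal"
  description="$2"
  out=$(ssh "admin@$host" "sysconf config backup -description \"$description\"") || return 1
  lunash_succeeded "$out" || return 1
  backup_file_from_output "$out"
}

# Constructed sample output, copied from the examples on this page.
SAMPLE_BACKUP_OUTPUT='lunash:>sysconf config backup -description "Configuration Backup 17-03-01"
Created configuration backup file: myLuna_Config_20170301_1200.tar.gz
Command Result : 0 (Success)'

SAMPLE_LIST_OUTPUT='Configuration backup files in file system:
 Size  |              File Name             |           Description
-----------------------------------------------------------------------------------------------------
 34012 | myLuna_Config_20170301_1200.tar.gz | Configuration Backup 17-03-01
 34099 | myLuna_Config_20180507_1629.tar.gz | Configuration Backup 2018-05-07
Command Result : 0 (Success)'

# Offline demonstration on the constructed samples (no appliance needed).
demo() {
  if lunash_succeeded "$SAMPLE_BACKUP_OUTPUT"; then
    echo "backup created: $(backup_file_from_output "$SAMPLE_BACKUP_OUTPUT")"
  fi
  echo "newest listed backup: $(newest_backup "$SAMPLE_LIST_OUTPUT")"
}

[ "${1:-}" = "--demo" ] && demo
```

Run with `--demo` to exercise the parsers against the embedded samples; in production, log the file name returned by `lunash_backup` alongside the user-profile change you are about to make, so that the reconciliation the CAUTION above calls for has a record to work from.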