Show the Table of Contents
In many cases, it is sound practice to back up the contents of your Luna SA HSM, in particular the contents of HSM partitions.
If the important objects are static, then a single backup is sufficient. If important objects change frequently, or if it is important to be able to revert to an identifiable date/time/condition/content, then regular backups are a necessity.
Luna HSM 5.x backup is performed with the Luna Remote Backup HSM. Note that the word "Remote" in that product name merely denotes a capability. The Luna Remote Backup HSM also works fine as the local backup device for Luna HSM, and is the only device supported for either local or remote backup of Luna SA.
The options for backup of primary/source Luna HSMs are:
In local mode, you connect directly to Luna SA via USB. That is, local backup is local to the HSM appliance being backed-up, not necessarily local to the administrator who is directing the process, who might be far away.
For remote backup, you connect (again via USB) to a computer running vtl and the driver for the device. Backup and restore are then performed over the secure network connection. For PED-authenticated Luna SA, you must have a copy of the appropriate red (domain) PED Keys, from the Luna SA, to use with the Backup HSM, in order to perform the copy /cloning (backup and restore) operation between the HSMs.
The following diagram depicts the elements and connections of the local backup (and restore) operation, where everything is in one room.
|1||Lunacm on Client (Host) System sees the primary and backup slots and controls the backup/restore operation|
|2||Backup HSM is a slot visible to "Client (Host) System" when Client (Host) System runs lunacm|
|3||Primary HSMs are slots visible to "Client (Host) System" when Client (Host) System runs lunacm|
|4||Every slot on the backup must have same domain (red PED Key) as matching slot on the primary HSMs|
For Luna SA, the above would be a minority scenario.
The other two backup and restore options:
... require that PED operations be performed remotely. For that reason, HSMs must be prepared (locally) in advance by having orange Remote PED Keys created and matched with each HSM.
The diagram below summarizes the elements and setup for backing up partitions of a distant Luna SA HSM.
For the example, we assume that the System Administrator for the Luna SA appliance is also the person doing the backup, so his laptop has LunaClient software installed, including the Luna SA and Remote PED options.As well, a Luna PED (Remote) and a Luna Backup HSM are connected. The Admin is in contact with the Luna SA appliance by SSH session, and has performed the certificate exchange and registration to make the System Admin laptop a Client of each Luna SA partition.
|1||"System Admin" is a client of Luna SA, and must have client access to each partition being backed up. In this scenario, System Admin must have black PED Keys and passwords for all client partitions.|
|2||Lunacm on "System Admin" laptop (2) sees the primary and backup slots and controls the backup/restore.|
|3||Luna SA partition is a slot visible to "System Admin" when System Admin runs lunacm.|
|4||Every slot on the backup must have same domain (red PED Key) as matching slot on the primary HSMs. We could have shown four different red PED Keys for the four slots (partitions) we are showing in the example, but if it is acceptable to your security protocol, you could have one common domain, re-used for all partitions, or any number that worked for you. The important consideration is that whatever domain situation exists on the primary HSM must be matched on the Backup HSM.|
|5||Backup HSM is a slot visible to "System Admin" when System Admin runs lunacm.|
|PedClient runs on the Luna SA when it needs to access the Remote PED via pedserver on the System Admin laptop|
Vtl on the laptop allows it to generate and trade certificates with Luna SA, to create an NTLS link
Because the laptop views the backup/restore operation in this scenario as a local transaction, between two slots visible to lunacm on the laptop, RBS is not needed.
|This scenario avoids the complication of an intermediary computer (as would be needed for true Remote Backup), but at the cost of giving the authentication keys for all client partitions to an administrator. Your security protocol determines whether this is acceptable.|
On the premise that, if you are going to the trouble of performing backup and restore operations remotely, then you are probably also performing Luna SA administration and performing HSM and partition authentication remotely, the following diagram shows the Luna SA and related PED Keys being prepared for the remote operation.
Note that in the above diagram we indicate that the admin session to the Luna SA is "local". You could administer remotely, but this operation nevertheless requires a local PED connection to the Luna SA and someone there to insert PED Keys and press buttons on the PED keypad, so we depict the most likely connection situation - one person doing all jobs at one location. Once the HSM has been matched to an orange Remote PED Key, all future authentications can be performed with Remote PED, and the HSM can safely be shipped to its distant location.
In the following diagram, the preparation (above) has been done, and suitable orange and red PED Keys have the appropriate secrets imprinted, to allow Remote PED connection and Remote (or local) Backup (cloning) respectively.
|1||"Client (Host) System" (1a) is a client of Luna SA, but "System Admin" (1b) is not a client of Luna SA.|
|2||Lunacm on "Client (Host) System" (2a) sees the primary (2b) and backup (2c) slots and controls the backup/restore.|
|3||Each Luna SA (3a) partition is a slot visible to a "Client (Host) System" (3b) when Client (Host) System runs lunacm.|
|4||Every slot on the backup (4a) must have same domain (red PED Key) as matching slot on the primary HSMs (4b).|
|5||Every primary HSM slot (partition) that is to be backed up or restored must be in login or activated state (black PED Keys -(5)), so that the Client (Host) System can access it with lunacm:> backup or restore commands.|
|6||Backup HSM (6a) is a slot visible to "Client (Host) System" (6b) when Client (Host) System runs lunacm.|
|Lunacm is on both the Client (Host) System and the Admin System, but is run on Client (Host) System to launch and manage the backup and restore activity.|
PedClient is needed on both the Client (Host) System and the Admin System, as well as on any Luna SA,
PedClient is needed on any host that must reach out to a pedserver instance and a Remote PED.
PedClient instances can also communicate with each other to facilitate RBS
|PedServer must reside (and run, waiting for calls) on any computer connected to a Remote PED.|
|RBS is required on the computer connected to the Luna Remote Backup HSM. RBS is not needed on any other computer in the scenario.|
This scenario adds the "complication" of an intermediate computer "Client (Host) System" to broker the Remote Backup of Luna HSM partitions. That could be a special-purpose computer, or it could simply mean that the Admin on the laptop with the Remote Backup HSM is given remote access to each client that normally uses a Luna HSM partition.
In the Remote Backup scenario, above, you could have as many as three different computers (we depict two for our example) connecting to the Luna SA:
If you prefer to have all the connections and operations running from a single computer (the "Admin System" in the examples) then you would choose the Local Backup of a distant HSM, which uses Remote PED, but does not use Remote Backup Service.
As noted previously, the orange PED Keys [ Remote PED Keys or RPK ] contain a Remote PED Vector (RPV) that matches the RPV inside the Luna SA HSM. It is the presence of that RPV at both ends that allows the connection to be made between the HSM and the Remote PED.
At the same time, the Luna SA and the Luna Remote Backup HSM must share the same cloning domain, in order for backup and restore (cloning) operations to take place between the two HSMs. Therefore, red PED Keys with that cloning domain must be available for both the PEDs.
As of Luna HSM 5.2, Luna HSMs use Remote Backup Service (RBS) to facilitate Remote Backup.
Where formerly we ran the remote backup from the "vtl" utility, we now use vtl only for the certificate exchange that makes a computer a client of a distant Luna SA partition.
See "Prepare RBS to Support Backup / Restore" followed by "Backup your HSM Partition Remotely".
Show the Table of Contents