
24/10/2014

8.5. Backup and restore with LunaSA LinOTP 2.7 documentation


8.5. Backup and restore with LunaSA


You need to back up the contents of the partition you are using.
With the LunaSA you need a backup token, which in turn is an HSM itself. This is why you
need the following cloning policies enabled:
Cloning HSM:
hsm changePol -p 7 -v1

Secret Key Cloning per partition:


partition changePol -pa yourPartition -po 4 -v1


8.5.1. Backup
Insert the Backup Token into the lower slot.
Issue the command:
hsm login

Then start the backup procedure:


partition backup -partition HSMPartitionname -password ClientPassword


Note


During the backup procedure the backup token (which in turn is an HSM) gets its own blue
and black key. But you can also use the same keys you were using for the original partition
on the HSM. The same red Domain Key must be used.

Note
You can only backup one partition to a backup token.
Issuing the backup command will result in the following output:
CAUTION: Are you sure you wish to initialize the backup
token named:
no label
Type 'proceed' to continue, or 'quit' to quit now.
> proceed
Luna PED operation required to initialize backup token - use Security Officer (blue) PED key.

Luna PED operation required to login to backup token - use Security Officer (blue) PED key.

Luna PED operation required to generate cloning domain on backup token - use Domain (red) PED key.

Luna PED operation required to generate partition backup space on token - use User or Partition Owner (black) PED key.
Luna PED operation required to login to partition backup space on token - use User or Partition Owner (black) PED key.

Then the objects that are being backed up are listed.


Warning


During the backup process the handles of the keys may change. So you should also
memorize and record the labels of the keys, since during restore the keys might get
restored to other handles!


8.5.2. Restore
In case of recovering a broken HSM or in case of setting up an HA solution, you need to restore
the data. You need to log in to the HSM and create a new partition with the same name as the
old one:
hsm login
partition create -par yourOldPartition

Note
You can reuse the existing black partition owner key.

http://www.linotp.org/doc/2.6/part-installation/HSM/lunasa_backup.html


Again you need to set the partition policies:
partition changePolicy -par testCA -pol 22 -v 1
partition changePolicy -par testCA -pol 23 -v 1

Finally insert the backup token into the lower slot of the HSM and start the restore process:
partition restore -par yourOldPartition -password /RMF-At5F-p6XJ-HR64 -replace
> proceed
Luna PED operation required to login to partition backup space on token - use User or Partition Owner (black) PED key.
Luna PED operation required to activate partition on HSM - use User or Partition Owner (black) PED key.

Note
If this is a new machine, then of course you need to set up the trust link with the clients
anew.
Note
In case you need to recover a failed member, use the command haadmin -recover.
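
The warning in 8.5.1 says key handles may change across backup and restore, so the recorded labels are the stable identifier. As an added example (not part of the LinOTP documentation), this Python script compares an operator-recorded key inventory taken before the backup with one taken after the restore. The "<handle> <label>" line format and all sample values are assumptions constructed here, not LunaSA output.

```python
# Added example. Inventory lines are "<handle> <label>", written down by the
# operator; this format is an assumption, not the output of a LunaSA command.

def parse_inventory(text):
    """Return {label: [handles]} from lines of '<handle> <label>'."""
    keys = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        handle, label = line.split(None, 1)
        keys.setdefault(label, []).append(int(handle))
    return keys

def compare(before, after):
    """Classify every label recorded before the backup against the restore."""
    report = {"unchanged": [], "moved": {}, "missing": [], "ambiguous": []}
    for label, handles in sorted(before.items()):
        restored = after.get(label)
        if len(handles) > 1 or (restored and len(restored) > 1):
            # A label used by several keys cannot identify one key reliably.
            report["ambiguous"].append(label)
        elif restored is None:
            report["missing"].append(label)
        elif restored[0] == handles[0]:
            report["unchanged"].append(label)
        else:
            # Same label, new handle: anything referencing the old handle is stale.
            report["moved"][label] = (handles[0], restored[0])
    report["unexpected"] = sorted(set(after) - set(before))
    return report

# Constructed sample data (labels and handles invented for illustration).
BEFORE = """
# handle label
10 config
11 token
12 value
"""
AFTER = """
14 config
11 token
"""

if __name__ == "__main__":
    result = compare(parse_inventory(BEFORE), parse_inventory(AFTER))
    for kind, items in result.items():
        print(kind, items)
```

Any label reported as moved means references to the old handle must be updated; a missing label means the restore did not bring that key back.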

Copyright 2014, LSE Leading Security Experts GmbH. Created using Sphinx 1.1.3.
