A SafeNet Network HSM 5.x HSM can have up to 20 partitions, with space for objects per HSM defaulting to 2MB, upgradable to 15.5MB. Each partition on the HSM has a share of that space and can have its own cloning domain as represented by a domain (red) PED Key.
The normal backup-and-restore option for SafeNet Network HSM 5 partitions uses the external, locally connected or remotely linked (network) SafeNet Remote Backup HSM as the backup repository. The SafeNet Remote Backup HSM supports the same partition structure, storage size, and capacity as the SafeNet Network HSM 5's onboard HSM.
In order to provide a migration path from earlier SafeNet Network HSM and removable-token format HSMs, it is possible to externally connect a SafeNet DOCK 2 card reader for SafeNet PCM, SafeNet CA4, or SafeNet HSM Backup Token, and to restore/migrate legacy token and partition contents to the current-generation SafeNet Network HSM.
Keys (objects) from multiple SafeNet CA4 tokens, SafeNet PCM tokens (Key Export Signing, RA), or tokens with differing cloning domains can be consolidated onto one SafeNet Network HSM 5.x HSM, with the objects from each token HSM restored onto a partition corresponding to that token (segregated by legacy cloning domain). For example, ten legacy tokens (each with 100 objects) go to ten SafeNet Network HSM partitions, one per token, which together hold all the objects that existed on those tokens. The SafeNet Network HSM in this example receives 1000 objects, allocated as 100 per partition, with each token migrating to its own SafeNet Network HSM partition.
Alternatively, multiple SafeNet CA4 tokens, SafeNet PCM tokens, or SafeNet HSM Backup Tokens can be restored to the same partition if those SafeNet CA4 (or Backup) tokens share the same domain PED Key. For example, the objects from ten tokens (each with 100 objects) all go onto one partition, which, at the end of the operation, contains 1000 objects.
To restore an HSM partition from a removable token (firmware 4.x) to a SafeNet Network HSM 5.x HSM, you must have:
• the SafeNet Backup Token containing the objects to be restored to that HSM
• the authentication for the Backup Token or PCM token, and for the HSM partition (the authentication types must match: the contents of password-authenticated source tokens can be restored/migrated only onto a password-authenticated HSM partition, and the contents of PED-authenticated source tokens only onto a PED-authenticated HSM partition)
• a SafeNet DOCK 2 card reader
The types of objects that can be migrated also depend on the configurations and policies of the source and destination HSMs. For example, the RA (registration authority) configuration permits cloning of secret keys, but not of private keys, and that intentional, security policy-based limitation applies to the migration/restore-from-legacy operation as well.
In the following examples, the target, or destination partition is called mylunapar2.
For a password-authenticated partition:
1. Create a partition on the SafeNet Network HSM 5 HSM:
lunash:>partition create -partition mylunapar2 -password <password> -domain <domain> -force
2. With the SafeNet DOCK 2 reader powered on and connected (USB) to the SafeNet Network HSM 5.x, insert a SafeNet Network HSM Backup token (or other legacy removable token-format HSM) into the token-reader slot of the SafeNet DOCK.
3. Type the command:
lunash:>partition restore -partition mylunapar2 -password <password> [-tokenPar <name>] [-tokenPw <tokenpassword>] -add
For a PED-authenticated partition:
1. Create a partition on the SafeNet Network HSM 5 HSM:
lunash:>partition create -partition mylunapar2 -force
Both user (black) and domain (red) PED keys are created for SafeNet Network HSM 5 partition mylunapar2.
2. With the SafeNet DOCK 2 reader powered on and connected (USB) to your client computer, insert the desired SafeNet Network HSM Backup token or SafeNet CA4 token into the token-reader slot of the SafeNet DOCK 2.
3. Leave the SafeNet DOCK 2 powered on and the token in its slot, and transfer its USB cable connection from the client computer to the USB socket on the SafeNet Network HSM 5.x. The SafeNet Network HSM immediately sees the new token slot, and you can now run lunash commands from the SafeNet Network HSM against the token.
4. Import the legacy domain:
lunash:>partition setLegacyDomain -partition mylunapar2 [-password <password>] [-domain <domain>]
and respond to the PED prompts, including presenting the legacy red (domain) key.
Note: SafeNet Network HSM 5, SafeNet USB HSM, and the SafeNet Remote Backup Device use a newer domain scheme that is not compatible with legacy HSM domains. The partition setLegacyDomain command prepares a legacy domain so that it can be recognized and used by a current-model HSM in these special circumstances: the HSM retains its modern domain, but the legacy domain becomes associated with the partition's "real" domain. The association is permanent for the life of that partition.
Intentional, designed-in data security provisions prevent you from associating a legacy domain from one SafeNet token with a SafeNet Network HSM 5.x partition, then associating a different legacy domain with that same partition and adding the second token's objects while the first token's objects are still stored there. Just as you cannot clone/copy objects from one token to another token with a different domain, you cannot get around that security provision by migrating objects with unmatched domains to a single SafeNet Network HSM partition.
As long as the token HSMs share a common (legacy) domain, you can migrate the contents of multiple tokens to a single partition; the legacy domain is set just once for all such tokens.
5. Type the command:
lunash:>partition restore -partition mylunapar2 -replace -force
and respond to the PED prompts. The "-replace" option overwrites the partition content with the objects from the SafeNet CA4, PCM, or Backup token. Use the "-add" option instead if you want to append the SafeNet token objects to the partition.
6. Repeat ALL the above steps to restore objects from other SafeNet tokens onto separate SafeNet Network HSM partitions.
To restore objects from other SafeNet tokens onto the same, single SafeNet Network HSM 5 partition, repeat only step 6 with the "-add" option instead; this works ONLY if the originating SafeNet tokens all share the same legacy domain. Once a legacy domain is associated with a SafeNet Network HSM 5.x partition, that association remains in force for the life of that partition; the HSM does not allow another legacy-domain association to be made onto a partition that already has one. The only way to end the association is to destroy the partition (wiping all contents) and create it again.
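A planner for the consolidation rules above, added here as an example and not SafeNet's own tooling: it lays out the lunash command sequence of the PED-authenticated procedure for a set of legacy tokens, placing tokens that share a legacy domain on one partition (first restore with -replace, later ones with -add) and refusing a second legacy domain on a partition that already carries an association. Token labels, domain labels and partition names are constructed placeholders; lines beginning with "#" mark operator actions (DOCK 2 token swaps, PED prompts) that cannot be scripted.

```python
"""Plan a legacy-token migration onto SafeNet Network HSM 5.x partitions.

Rules modelled (from the procedure above): one legacy-domain association per
partition for its lifetime; tokens may share a partition only if they share a
legacy domain; at most 20 partitions per HSM.
"""
MAX_PARTITIONS = 20


class MigrationPlanError(ValueError):
    """Raised when the requested layout would be refused by the HSM."""


def plan_migration(tokens, existing=None):
    """tokens: list of (token_label, legacy_domain, target_partition).
    existing: partitions that already carry a legacy-domain association
    (partition -> domain); such an association cannot be changed.
    Returns the ordered lunash commands; '#' lines are manual operator steps.
    """
    bound = dict(existing or {})   # partition -> legacy domain bound to it
    plan = []
    for token, domain, partition in tokens:
        if partition in bound:
            # Partition already associated: only a matching domain may be added.
            if bound[partition] != domain:
                raise MigrationPlanError(
                    f"{partition} is bound to {bound[partition]}; cannot add "
                    f"{token} from {domain} (destroy and recreate the partition)")
            plan.append(f"# insert {token} into the SafeNet DOCK 2")
            plan.append(f"partition restore -partition {partition} -add -force")
            continue
        if len(bound) >= MAX_PARTITIONS:
            raise MigrationPlanError("HSM already has 20 partitions")
        bound[partition] = domain
        plan += [
            f"partition create -partition {partition} -force",
            f"# insert {token} into the SafeNet DOCK 2",
            f"partition setLegacyDomain -partition {partition}",
            f"# present the legacy red (domain) PED key for {domain}",
            f"partition restore -partition {partition} -replace -force",
        ]
    return plan


if __name__ == "__main__":
    # Constructed inventory: two CA4 tokens on one legacy domain, one PCM token on another.
    inventory = [("ca4-1", "domA", "mylunapar1"), ("ca4-2", "domA", "mylunapar1"),
                 ("pcm-ra", "domB", "mylunapar2")]
    print("\n".join(plan_migration(inventory)))
```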
If you have a PED authenticated token HSM, but did not have MofN authentication applied, then the steps are the same as above except do not issue the lunacm "partition mofnactivate" command.
Backing up the HSM contents to a token-style HSM is not a supported operation for SafeNet Network HSM 5.x.
Restoring from a legacy backup token is effectively a data migration, and it is one-way only.