Webconf: Restore and Migration
Prerequisites
The Next Generation Hardware Appliance needs to be in Alarm State or Factory Reset State.
For u.trust HSM
A Backup with its DMS and the corresponding Backup Protection Smart Cards.
A connected PIN Pad to interact with the HSM restore.
SCA Cards (if backup setup has SCA enabled slots).
To activate FIPS mode by restoring a backup from a non-FIPS installation, the appliance backup must be created on an appliance running at least u.trust HSM firmware 6.0.0.0.
The FIPS activation option is not available when restoring backups from version 4.0.0 or 5.0.0. The same applies to all backup files that are to be migrated from Legacy Hardware appliance to a Next Generation Hardware Appliance.
The restore must be carried out without FIPS. In the next step, update the HSM firmware (if an update is available). Then another backup must be created. Now it is possible to restore this new backup with FIPS activated.
For Luna HSM
A Backup with its DMS and the corresponding Backup Keys.
A locally or externally connected Backup Device to interact with the HSM restore.
In the restore form, the Storage Information is displayed in a table and the Restore Parameters can be set there. Activating the FIPS checkbox allows the HSM to run in FIPS mode.
Network File System (NFS):
To restore, archives have to be uploaded to a Network File System (NFS) located in your network and reachable for the Next Generation Hardware Appliance.
On the Next Generation Hardware Appliance the following NFS versions are supported:
NFS Version 4
NFS Version 4.1
NFS Version 4.2
If you experience long loading times or even timeouts when opening the restore file browser to access the NFS share, this could be due to a blocked port 111/TCP.
For more information, refer to the Ports and Protocols documentation.
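Added example (not part of the Keyfactor documentation): a preflight check, run from any host in the same network as the appliance, that probes the NFS server for the two ports the restore browser depends on and parses `rpcinfo -p` output to confirm NFSv4 is offered over TCP. The hostname is a placeholder and the rpcinfo output is a constructed sample.

```python
import socket

# 111/TCP (rpcbind) is the port the documentation names as a cause of slow or
# timed-out restore browsing; 2049/TCP is the standard NFS port.
RPCBIND_PORT = 111
NFS_PORT = 2049

def tcp_port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def nfs_versions_from_rpcinfo(rpcinfo_output: str) -> set[str]:
    """NFS (program 100003) versions registered over TCP in 'rpcinfo -p' output.
    rpcinfo reports major versions only, so '4' covers 4.0, 4.1 and 4.2."""
    versions = set()
    for line in rpcinfo_output.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0] == "100003" and fields[2] == "tcp":
            versions.add(fields[1])
    return versions

def diagnose(rpcbind_open: bool, nfs_open: bool, nfs_versions: set[str]) -> list[str]:
    """Map probe results to the symptoms the appliance's restore browser shows."""
    findings = []
    if not nfs_open:
        findings.append(f"{NFS_PORT}/TCP unreachable: the share cannot be mounted")
    if not rpcbind_open:
        findings.append(f"{RPCBIND_PORT}/TCP blocked: expect long loading times or timeouts")
    if "4" not in nfs_versions:
        findings.append("no NFSv4 over TCP: the appliance supports only NFS 4/4.1/4.2")
    return findings

# Constructed sample of 'rpcinfo -p' output from a server exporting NFS v3 and v4.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
"""

if __name__ == "__main__":
    server = "nfs.example.internal"  # placeholder: replace with your NFS server
    for finding in diagnose(tcp_port_open(server, RPCBIND_PORT),
                            tcp_port_open(server, NFS_PORT),
                            nfs_versions_from_rpcinfo(SAMPLE_RPCINFO)):
        print(finding)
```

In practice, feed the real output of `rpcinfo -p <server>` to `nfs_versions_from_rpcinfo` instead of the sample.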
Do not restart or shut down the appliance while the Restore is running.
Restore a Backup
To restore the Next Generation Hardware Appliance from an existing backup, perform the following steps:
Log in to the Next Generation Hardware Appliance.
Open the Restore page.
In the Restore Settings section, select the Network File System (NFS) option from the drop-down menu under Storage Type.
Enter your NFS URL and click Browse Storage to open the Storage Browser:
Navigate to the path where the backup is located. Click a directory to navigate one level down, or click ".. One level up" to return to the previous level.
Select the backup you want to restore.
Provide the Domain Master Secret (DMS).
Click Restore Now to open the corresponding form.
The form contains all the important information about the selected backup to be restored.
For u.trust HSM
Be aware that you will need to perform PIN Pad interactions in several steps during the HSM restore.
To proceed click Restore.
Follow the instructions in the Restore Guide.
The Restore Guide/Wizard appears in Webconf and guides you through the next steps.
It shows the overall progress and indicates the part that is currently being restored.
It is possible that a restore fails in a certain step. In this case, a Retry button is displayed. Click on this button to repeat the failed restore step.
The Restore is successful.
For Luna HSM
This restore process does not restore internal HSM data.
After restore is complete, the internal HSM should be initialized and each slot should be restored separately.
Open the Security page. The HSM is restored in two steps:
The HSM must be initialized and some parameters are locked based on the restored configuration.
The next step is to initialize each slot individually and restore them one after the other.
See HSM Slot Restore for more information.
Restore a Migration Backup from a Legacy Hardware Appliance
There are certain aspects to consider when restoring a migration backup.
Routing of Network Traffic
Network traffic routing behaves differently on Next Generation Hardware Appliance compared to Legacy Hardware Appliance.
All outgoing traffic is sent over the network interface connected to the target subnet.
If the destination is a hostname or IP address that must be routed, it is routed via the Default interface.
Refer to Network Interfaces Configuration for further information.
By default, a configuration with all incoming services is activated on the Network Interface and set as the default. It is possible to activate the other NIC and set it as the default via Webconf.
Network File System (NFS)
On the Next Generation Hardware Appliance the following NFS versions are supported:
NFS Version 4
NFS Version 4.1
NFS Version 4.2
Soft Keys
Installations with soft keys used for backup protection cannot be migrated using the migration procedure described in this document. Further preparations would be necessary on the Legacy Hardware Appliance. For more information, please contact Keyfactor Support.
SSH
SSH access to the Next Generation Hardware Appliance is no longer available. All configuration options are now accessible through Webconf.
Protocol and Port Changes
The Next Generation Hardware Appliance has undergone changes in its cluster communication protocol and ports. Consequently, existing firewall rules and network configurations may require updates to accommodate these changes. For detailed information on the current requirements for ports and protocols, refer to the Ports and Protocols of the Next Generation Hardware Appliance documentation.
Cluster
When migrating a cluster configuration from the Legacy Hardware Appliance to the Next Generation Hardware Appliance, it is not advised to migrate the entire cluster.
Only Node1 should be migrated from the Legacy Hardware Appliance to the Next Generation Hardware Appliance.
Migrate this node to the Next Generation Appliance. There, it will become Node1 again.
Then completely rebuild the cluster on the Next Generation Hardware Appliance, using Node1 as the basis.
Cluster Traffic
Cluster traffic is forwarded via the network interface connected to the cluster network.
If the node's IP address is not on the same network, traffic is forwarded via the Default interface.
Restore
To restore a Migration Backup from the Legacy Hardware Appliance, proceed as described under Restore a Backup.
Navigate to the path where the Migration Backup from the Legacy Hardware Appliance is located.
Select the migration backup you want to restore.
Once the restore process is complete, Webconf prompts you to enter your user credentials.
OTP authentication is not possible.
The user name is migration, and the DMS set on the Legacy Hardware Appliance is used as the password.
The appliance must then be restarted to complete the migration.
If the restore is carried out while retaining the current network, an error may occur in the Transport Layer Security (TLS) interface, which can be rectified manually.
In the TLS display, the active interface may only be displayed in one domain. This can be corrected manually. The page Transport Layer Security (TLS) shows you how to manage TLS certificates in Webconf.
After the migration, old SCA Cards will continue to work with all slots on which SCA was activated.
If the SCA configuration of a slot is adjusted, new, individual SCA Cards are generated for this slot. These new SCA Cards will only work on the new slot, not on the already existing slots on which SCA was activated.