Product Documentation

Before creating the encrypted backup, have a place ready to store these files: either a folder on the file system, such as /root/backups, or an external USB device.

  1. Connect the appropriate smartcard reader with a PIN-pad to the front USB port of the StrongKey Tellaro appliance. Depending on the server hardware, some models do not recognize the reader on the USB ports at the back of the machine without configuration changes in the machine's BIOS.
  2. Log in to the appliance as the ‘root’ user. You must log in at the appliance’s console to operate the smartcard and PIN-pad reader with the HSM’s CryptoServer Administration Tool (CAT); you cannot use an SSH or PuTTY session for this task.
  3. If the graphical user interface (GUI) of the appliance does not start automatically, at the command prompt, start X-Windows as follows:
    shell> startx
  4. When X-Windows is running, start a terminal shell by selecting Terminal from the GUI menu.

  5. Run the Cryptoserver Administration Tool (CAT):
    shell> java -jar /usr/local/bin/cat.jar 
  6. Click the Devices button, connect to the HSM with /dev/cs2.0 as the device, and click 'OK'.

  7. Authenticate to the tool by selecting the Login/Logoff button.
  8. A panel will display a list of existing credentials with additional information about the credentials.

    NOTE: The number of administrators will vary from site to site, depending on the security policy of the site. If an “M of N” authentication policy is in force, there will generally be a minimum of three (3) administrator credentials (the ‘N’ component) configured in the HSM during installation, of which a minimum of two (2) administrators (the ‘M’ component) must authenticate to CAT to perform administrative tasks.
  9. Choose any one of the Administrator credentials on the displayed User Management panel. CAT then asks whether you want to use the Smartcard Token or the keyfile Token. If using the Smartcard Token, click "OK".

  10. CAT prompts the user to authenticate with their smartcard (a sliding bar moves up and down on the right-hand side of the panel).

  11. The administrator must insert their smartcard into the reader, press "OK" and follow the prompts on the PIN-pad reader’s screen to enter their secret PIN. A successful PIN authentication will enable the smartcard to authenticate the user to CAT.
    NOTE: Each administrator must choose their credential on the CAT panel to authenticate with their smartcard until the requisite number (‘M’) of administrators have authenticated to CAT.

  12. When ‘M’ administrators have successfully authenticated to CAT, all the tabs will be active. Ensure the Login State in CAT is 22000000, logging in up to two administrators if necessary.
  13. Remove the smartcard reader with the PIN-pad from the front USB port (however, keep it handy in case the work is not completed and the session inadvertently expires).
  14. Select the menu option Manage MBK → Info tab, copy the KeyCheck Value (KCV) shown under "hsm-mbk", and paste it into a notepad. This value will only be needed if data is lost during the battery replacement.

  15. Select the menu option Manage → Backup/Restore.
  16. Back up the HSM databases by selecting the ‘Backup databases from Source CryptoServer to Backup directory’ option and storing the backups in the folder. Make sure to select all the databases displayed in the list.

  17. The CryptoServer Database Backup/Restore Wizard controls the type and specifications of the operation you will be performing. The Command to create the backup is ‘Backup databases from Source CryptoServer to Backup directory’. The Source CryptoServer will be /dev/cs2.0. Select the backup directory: either a local folder such as /root/backups or the path to a mounted USB device. Click the Add All >> button to add both CXIKEY.db and user.db under Backup Directory.

  18. Once finished making these changes, click the Execute button.

    Upon a successful backup, a list of exported files displays.

    If these files were backed up to a local folder, it is still recommended that they also be copied to a backup USB device for more redundancy.

  19. Close the CAT panels and windows.
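
For the recommendation in step 18 to copy a local backup to a USB device, the following is an added example (not part of the StrongKey documentation or tooling) that copies the exported files and confirms each copy matches its original by SHA-256. The function name `mirror_backup`, the manifest name `SHA256SUMS` and the mount point `/mnt/usb` are assumptions; it copies whatever files the wizard wrote and assumes GNU coreutils and findutils.

```shell
# Added example: mirror the HSM backup folder to a second location and verify it.
# Usage (paths are assumptions): mirror_backup /root/backups /mnt/usb
# Exit codes: 0 ok, 2 bad directory, 3 nothing to copy, 4 hashing failed,
#             5 copy failed, 6 a copied file does not match its original.
mirror_backup() (
    manifest=SHA256SUMS
    [ -d "$1" ] || { echo "source directory missing: $1" >&2; exit 2; }
    [ -d "$2" ] || { echo "destination missing or not mounted: $2" >&2; exit 2; }
    src=$(cd "$1" && pwd)      # absolute paths, so the cd calls below are safe
    dst=$(cd "$2" && pwd)

    # Do not report success on an empty folder (e.g. the wizard wrote elsewhere).
    if [ -z "$(find "$src" -maxdepth 1 -type f ! -name "$manifest" -print -quit)" ]; then
        echo "no backup files found in $src" >&2
        exit 3
    fi

    # Record a SHA-256 for every exported file, relative to the backup folder.
    ( cd "$src" && find . -maxdepth 1 -type f ! -name "$manifest" -print0 \
        | sort -z | xargs -0 sha256sum > "$manifest" ) || exit 4

    # Copy the files and the manifest, preserving timestamps and modes.
    ( cd "$src" && find . -maxdepth 1 -type f -print0 \
        | xargs -0 cp -p -t "$dst" ) || exit 5
    sync    # flush writes to the removable device before it is unplugged

    # Check the copies (not the originals) against the manifest.
    ( cd "$dst" && sha256sum --quiet -c "$manifest" ) || exit 6
    echo "verified copy of $src in $dst"
)
```

Keeping the `SHA256SUMS` file with the copies allows the same `sha256sum -c SHA256SUMS` check to be repeated on the USB device before a restore.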