Restore Backed up Files for Codebook Reshuffling

Restore the backed up Codebook Reshuffling configuration files after upgrading the DSG.

    It is recommended to configure the HSM before restoring the backed up codebook re-shuffling configuration files.

    The Codebook Re-shuffling feature is tested and supported for the SafeNet Luna 7.4 HSM devices. The procedure provided in this section is for the SafeNet Luna 7.4 HSM devices.

    Perform the following steps to restore the backed-up Codebook Reshuffling configuration files.

    These steps apply only if codebook reshuffling was enabled on the older DSG system and the system has been re-imaged to DSG v4.0.0.

    1. Log in to the DSG Web UI.

    2. On the DSG Web UI, navigate to Settings > System > File Upload.

      Note: By default, the Max File Upload size is set to 25 MB on the DSG appliances. If the <filename>.tgz file size is more than 25 MB, the Max File Upload size must be changed. If this value is set to 2 GB, then the following steps can be ignored.

      Perform the following steps to increase the Max File Upload size:

      1. On the DSG Web UI, navigate to Settings > Network > Web Settings.
      2. Under General Settings, ensure that the Max File Upload is set to 2 GB to accommodate the patch upload.
      3. Ensure that steps 1 and 2 are performed on each DSG node in the cluster.
    3. On the File Selection screen, select the <filename>.tgz file, which consists of the following backed up codebook re-shuffling files, and click Upload:

      • BLOB (random.dat)
      • User PIN (userpin.bin)
    4. Log in to the DSG CLI Manager.

    5. Navigate to Administration > OS Console.

    6. Enter the root password.

    7. Navigate to the /products/uploads directory by running the following command.

      cd /products/uploads
      
    8. Run the following command to extract the contents of the <filename>.tgz file.

      tar -xvpf <filename>.tgz -C /opt/protegrity/blobcache/data
      

      The contents of the <filename>.tgz file are extracted.

    9. Run the following commands to set the ownership and permissions for the extracted files.

      chmod 640 /opt/protegrity/blobcache/data/random.dat /opt/protegrity/blobcache/data/userpin.bin
      
      chown "blob-data:dsggroup" /opt/protegrity/blobcache/data/random.dat /opt/protegrity/blobcache/data/userpin.bin
      
    10. Run the following commands to set the ownership and permissions for the HSM configuration.

      sudo chown -R blob-data:blob-data /opt/protegrity/hsm
      
      sudo chmod -R 740 /opt/protegrity/hsm
      
      sudo find /opt/protegrity/hsm -type f -exec chmod 640 {} +
    
    11. Run the following command to migrate the older userpin file.

      python /products/BlobManagementService/installer/migrate_userpin.pyc
      
    12. Configure certificates using the existing certificates from Ramdisk, or update the paths for custom certificates.

      • Option A: Use existing certificates from Ramdisk. In this case, no additional action is required.

      • Option B: Use custom certificates and update the certificate paths in the configuration.

        sudo vi /opt/protegrity/blobcache/data/blobconfig.env
        
        # Update these lines:
        # export BMS_LISTENER_SSL_CERT=/opt/protegrity/blobcache/data/blob-server.pem
        # export BMS_LISTENER_SSL_KEY=/opt/protegrity/blobcache/data/blob-server.key
        # export BMS_LISTENER_SSL_CA=/opt/protegrity/blobcache/data/blob-ca.pem
        
    13. Set all the required values in the blobconfig.env file.
      For more information about the parameters in the blobconfig.env file, refer to the section Configuring the blobconfig.env File.

    14. Configure the BMS client configuration file. Based on the settings in this file, DSG will determine whether to enable or disable codebook reshuffling. On the ESA Web UI, navigate to Settings > System > Files to edit the bms_client.json file and enable the shuffle_codebook parameter.
      For more information about the parameters in the bms_client.json file, refer to the section Configuring the bms_client.json File.

    15. To understand how the parameters in pepserver.cfg map to the new configuration files, refer to the section Migrating pepserver.cfg Settings to New Configuration Files.
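
The following check is an added example, not part of the vendor procedure or product. It can be run from /products/uploads before the tar -xvpf command to confirm that the uploaded <filename>.tgz contains only random.dat and userpin.bin as regular files, since the archive is extracted as root with permissions preserved. It assumes GNU tar and that both files are top-level members of the archive, as the paths used in the chmod and chown step imply; check_restore_archive is a hypothetical helper name.

```shell
# Added example, not vendor code: pre-extraction check for the uploaded
# <filename>.tgz. Assumption: random.dat and userpin.bin are top-level
# members of the archive (implied by the paths used in the chmod/chown step).
#
# Usage on the appliance (before the tar -xvpf command):
#   check_restore_archive /products/uploads/<filename>.tgz
#
# Returns 0 only if the archive holds exactly one random.dat and one
# userpin.bin, both regular files. Nothing is extracted.
check_restore_archive() (
    archive=$1
    blob=0
    pin=0
    # -t lists members without writing to disk; -v adds the type/mode column.
    listing=$(tar -tvzf "$archive" 2>/dev/null) || {
        echo "REJECT: cannot read $archive as a gzip tar archive" >&2
        exit 2
    }
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        # First character of the mode column: '-' means regular file.
        # Symlinks (l), hard links (h), directories (d) and devices are refused.
        case $line in
            -*) ;;
            *) echo "REJECT: non-regular member: $line" >&2; exit 1 ;;
        esac
        name=${line##* }    # member name is the last field of the listing
        name=${name#./}     # tolerate a leading ./
        # Any other name, including sub/..., ../... or /absolute, is refused.
        case $name in
            random.dat)  blob=$((blob + 1)) ;;
            userpin.bin) pin=$((pin + 1)) ;;
            *) echo "REJECT: unexpected member: $name" >&2; exit 1 ;;
        esac
    done <<EOF
$listing
EOF
    if [ "$blob" -ne 1 ] || [ "$pin" -ne 1 ]; then
        echo "REJECT: expected exactly one random.dat and one userpin.bin" >&2
        exit 1
    fi
    echo "OK: $archive contains only random.dat and userpin.bin"
)
```

A non-zero return means the archive should not be extracted until its contents are explained.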