Show the Table of Contents

Administration & Maintenance

About Changing HSM and Partition Passwords

From time to time, you might have reason to change the various passwords on the appliance and HSM. This might be because a password has possibly been compromised, lost, or forgotten, or it might be because you have security procedures that mandate password-change intervals.

The two options are:

Action      Description    When used   
Resetting PW

A higher authority sets a user's credentials back to a known default value (without requiring the knowledge or cooperation of the affected user),  
  • current holder has lost or forgotten his/her credential (forgot a password, misplaced a PED Key)   
  • current credential is known or suspected to have become compromised
  • current holder has departed organization   

contrasts with...
Changing PW The legitimate holder of the credential is able to log in with current credentials before directing the HSM, under the current logged-in user's own authority, to change that user's credential to a new value.

  • credential holder suspects possible compromise of credential   
  • credential holder is complying with organization security provisions (such as mandatory password-change interval)

 

HSM

Resetting HSM Password

There is no provision to reset the HSM Admin password (for Password Authentication) or PED Key (for Trusted Path), except to re-initialize the HSM, which zeroizes the contents of the HSM and of all Partitions on that HSM.

Resetting the password/authentication of a role or user requires a higher authority to invoke the reset. On the HSM, there is no authority higher than the SO / HSM Admin.

Changing HSM Password

To change the HSM password (for Password Authentication) or the secret on the blue PED Key (for Trusted Path), you must log in as HSM Admin using the current password (or blue PED Key). This is prompted by the hsm changePw command, so you do not need to log in separately.

lunash:> hsm changePw

Luna PED operation required to login as HSM Administrator - use Security Officer (blue) PED key.

Command result : (0) success

lunash:>

 

Partition

A deliberate change to a Partition password is different from a password reset .

In both cases, the Partition or HSM contents remain intact.

Resetting Partition Password

lunash:> partition resetPw -newpw mynewpw -partition mypartition1

 

Changing Partition Password

 lunash:> partition changePw -newpw mynewpw -oldpw myoldpw -partition mypartition1

You can choose not to include the passwords with the command, which:

  1. causes the system to prompt for old and new passwords (obscuring them with asterisks (*) for greater security, and
  2. presents additional options as shown in the example below.

For a PED-authenticated HSM, the following example changes only the challenge secret of the named partition, and leaves the black PED Key contents unchanged.

Example:

[myluna] lunash:>partition changepw -partition mypar1

Which part of the partition password do you wish to change?

1. change partition owner (black) PED key data
2. generate new random password for partition owner
3. specify a new password for the partition owner
4. both options 1 and 2

0. abort command

Please select one of the above options: 3

Please enter the password for the partition:
> *************

Please enter a new password for the partition:
> ********

Please re-enter password to confirm:
> ********

Luna PED operation required to activate partition on HSM - use User or Partition Owner (black) PED key.

'partition changePw' successful.

Command Result : 0 (Success)
[myluna] lunash:>

 

Failed Logins and Forgotten Passwords

"Failed Logins".

 

Appliance

For password changes affecting the appliance, not including the HSM   "About Changing Appliance Passwords"  .

 

 

 

Show the Table of Contents