From time to time, you might have reason to change the various passwords on the appliance and HSM. This might be because a password has possibly been compromised, lost, or forgotten, or it might be because you have security procedures that mandate password-change intervals.
The two options are:
Action | Description | When used |
---|---|---|
Resetting PW |
A higher authority sets a user's credentials back to a known default value (without requiring the knowledge or cooperation of the affected user), |
|
contrasts with... |
||
Changing PW | The legitimate holder of the credential is able to log in with current credentials before directing the HSM, under the current logged-in user's own authority, to change that user's credential to a new value. |
|
There is no provision to reset the HSM Admin password (for Password Authentication) or PED Key (for Trusted Path), except to re-initialize the HSM, which zeroizes the contents of the HSM and of all Partitions on that HSM.
Resetting the password/authentication of a role or user requires a higher authority to invoke the reset. On the HSM, there is no authority higher than the SO / HSM Admin.
To change the HSM password (for Password Authentication) or the secret on the blue PED Key (for Trusted Path), you must log in as HSM Admin using the current password (or blue PED Key). This is prompted by the hsm changePw command, so you do not need to log in separately.
lunash:> hsm changePw
Luna PED operation required to login as HSM Administrator - use Security Officer (blue) PED key.
Command result : (0) success
lunash:>
A deliberate change to a Partition password is different from a password reset .
In both cases, the Partition or HSM contents remain intact.
lunash:> partition resetPw -newpw mynewpw -partition mypartition1
lunash:> partition changePw -newpw mynewpw -oldpw myoldpw -partition mypartition1
You can choose not to include the passwords with the command, which:
For a PED-authenticated HSM, the following example changes only the challenge secret of the named partition, and leaves the black PED Key contents unchanged.
[myluna] lunash:>partition changepw -partition mypar1
Which part of the partition password do you wish to change?
1. change partition owner (black) PED key data
2. generate new random password for partition owner
3. specify a new password for the partition owner
4. both options 1 and 2
0. abort command
Please select one of the above options: 3
Please enter the password for the partition:
> *************
Please enter a new password for the partition:
> ********
Please re-enter password to confirm:
> ********
Luna PED operation required to activate partition on HSM - use User or Partition Owner (black) PED key.
'partition changePw' successful.
Command Result : 0 (Success)
[myluna] lunash:>
For password changes affecting the appliance, not including the HSM "About Changing Appliance Passwords" .