Show the Table of Contents

You are here: Administration & Maintenance Manual > HSM Administration > Changing HSM and Partition Passwords > Resetting Passwords

Administration & Maintenance

Resetting Passwords

HSM

There is no provision to reset the HSM Admin password (for Password Authentication) or blue PED Key (Trusted Path), except by initializing the HSM (which destroys [zeroizes] the contents of the HSM and of any HSM Partitions). You can change the password (or the secret on the appropriate blue PED Key) with the hsm changePw command, but that requires that you know the current password (or have the current blue PED Key).

The assumption, from a security standpoint, is that if you no longer have the ability to authenticate to the HSM (because you forgot the password or lost the PED Key, or because an unauthorized person has changed the password or PED Key), then the HSM is effectively compromised and must be re-initialized. Thus, no explicit "reset" command is provided.

In a change that is implemented as of this writing, the 'hsm init' command no longer requires a login, and the 'hsm login' command is not accepted if the HSM is zeroized.

For examples of the behavior of the 'hsm login' command in various possible circumstances, click here.

Password Authenticated HSM:

One bad login

With or without –force (no difference)  / interactive password:

Caution:  You have only TWO HSM Admin logins attempts left. If
        you fail two more consecutive login attempts (i.e.
        with no successful logins in between) the HSM will
        be ZEROIZED!!!

  Please enter the HSM Administrators' password:
>

With or without –force / non-interactive password:

>hsm login -password userpin -force

Caution:  You have only TWO HSM Admin logins attempts left. If
        you fail two more consecutive login attempts (i.e.
        with no successful logins in between) the HSM will
        be ZEROIZED!!!

'hsm login' successful.

Two bad logins

Without –force / interactive password:

Caution:  This is your LAST available HSM Admin login attempt.
        If the wrong HSM Admin password is provided the HSM will
        be ZEROIZED!!!

          Type 'proceed' if you are certain you have the
        right login credentials or 'quit' to quit now.
        > proceed

  Please enter the HSM Administrators' password:

  >

Without –force / non-interactive password:

Caution:  This is your LAST available HSM Admin login attempt.
         If the wrong HSM Admin password is provided the HSM will
        be ZEROIZED!!!

          Type 'proceed' if you are certain you have the
         right login credentials or 'quit' to quit now.
        > proceed

'hsm login' successful.

With –force / interactive password:

Caution:  This is your LAST available HSM Admin login attempt.
         If the wrong HSM Admin password is provided the HSM will
        be ZEROIZED!!!

  Please enter the HSM Administrators' password:
 > *******

'hsm login' successful.

With –force / non-interactive password:

Caution:  This is your LAST available HSM Admin login attempt.
         If the wrong HSM Admin password is provided the HSM will
        be ZEROIZED!!!

'hsm login' successful.

Trusted Path Authentication (uses Luna PED and PED Keys):

One bad login

With or without –force (no difference):

Caution:  You have only TWO HSM Admin logins attempts left. If
         you fail two more consecutive login attempts (i.e.
        with no successful logins in between) the HSM will
        be ZEROIZED!!!

Use blue pED key?

Two bad logins

Without –force:

Caution:  This is your LAST available HSM Admin login attempt.
         If the wrong blue PED key is provided the HSM will
        be ZEROIZED!!!

          Type 'proceed' if you are certain you have the
         right login credentials or 'quit' to quit now.

          > proceed

Use blue pED key?

With –force

Caution:  This is your LAST available HSM Admin login attempt.
        If the wrong HSM Admin password is provided the HSM will
        be ZEROIZED!!!

Use blue pED key?

'hsm login' successful.

 

Example when HSM Zeroized:

Error:    The HSM is zeroized due to three consecutive failures to
        login as HSM Administrator.

          'hsm login' is not permitted. The HSM must be re-initialized
        with the 'hsm init' command.

'hsm login' aborted.

Partition

If you lockout your Partition Owner / Crypto Officer with 10 bad logins AND the "SO can Reset Container PIN" policy is ON, then you MUST reset both the partition owner challenge AND the PED pin:

[myLuna] lunash:>partition resetPw -partition Partition1

  Which part of the partition password do you wish to change?

  1.  change black PED key data

  2.  generate new random password for partition owner

  3.  generate new random password for crypto-user

  4.  both options 1 and 2

  0.  abort command

  Please select one of the above options:

For this situation, you must choose option 4.

If the partition was activated prior to this, you must reactivate it after resetting the PED pin.

If you merely wish to change the Partition password or black PED Key, use the "partition changePw" command instead.

 

Show the Table of Contents