Show the Table of Contents
Administration & Maintenance
Resetting Passwords
There is no provision to reset the HSM Admin password (for Password
Authentication) or blue PED Key (Trusted Path), except by initializing
the HSM (which destroys [zeroizes] the contents of the HSM and of any
HSM Partitions). You can change the password (or the secret on the appropriate
blue PED Key) with the hsm changePw command, but that requires that you
know the current password (or have the current blue PED Key).
The assumption, from a security standpoint, is that if you no longer
have the ability to authenticate to the HSM (because you forgot the password
or lost the PED Key, or because an unauthorized person has changed the
password or PED Key), then the HSM is effectively compromised and must
be re-initialized. Thus, no explicit "reset" command is provided.
In a change that is implemented as of this writing, the 'hsm init' command
no longer requires a login, and the 'hsm login' command is not accepted
if the HSM is zeroized.
For examples of the behavior of the 'hsm login' command in various possible
circumstances, click here.
One bad login
With or without –force (no
difference) /
interactive password:
Caution: You
have only TWO HSM Admin logins attempts left. If
you
fail two more consecutive login attempts (i.e.
with
no successful logins in between) the HSM will
be
ZEROIZED!!!
Please
enter the HSM Administrators' password:
>
With or without –force / non-interactive password:
>hsm login -password userpin -force
Caution: You
have only TWO HSM Admin logins attempts left. If
you
fail two more consecutive login attempts (i.e.
with
no successful logins in between) the HSM will
be
ZEROIZED!!!
'hsm login' successful.
Two bad logins
Without –force / interactive password:
Caution: This
is your LAST available HSM Admin login attempt.
If
the wrong HSM Admin password is provided the HSM will
be
ZEROIZED!!!
Type
'proceed' if you are certain you have the
right
login credentials or 'quit' to quit now.
>
proceed
Please
enter the HSM Administrators' password:
>
Without –force / non-interactive password:
Caution: This
is your LAST available HSM Admin login attempt.
If
the wrong HSM Admin password is provided the HSM will
be
ZEROIZED!!!
Type
'proceed' if you are certain you have the
right
login credentials or 'quit' to quit now.
>
proceed
'hsm login' successful.
With –force / interactive password:
Caution: This
is your LAST available HSM Admin login attempt.
If
the wrong HSM Admin password is provided the HSM will
be
ZEROIZED!!!
Please
enter the HSM Administrators' password:
> *******
'hsm login' successful.
With –force / non-interactive password:
Caution: This
is your LAST available HSM Admin login attempt.
If
the wrong HSM Admin password is provided the HSM will
be
ZEROIZED!!!
'hsm login' successful.
One bad login
With or without –force (no difference):
Caution: You
have only TWO HSM Admin logins attempts left. If
you
fail two more consecutive login attempts (i.e.
with
no successful logins in between) the HSM will
be
ZEROIZED!!!
Use blue pED key?
Two bad logins
Without –force:
Caution: This
is your LAST available HSM Admin login attempt.
If
the wrong blue PED key is provided the HSM will
be
ZEROIZED!!!
Type
'proceed' if you are certain you have the
right
login credentials or 'quit' to quit now.
>
proceed
Use blue pED key?
With –force
Caution: This
is your LAST available HSM Admin login attempt.
If
the wrong HSM Admin password is provided the HSM will
be
ZEROIZED!!!
Use blue pED key?
'hsm login' successful.
Example when HSM Zeroized:
Error: The
HSM is zeroized due to three consecutive failures to
login
as HSM Administrator.
'hsm
login' is not permitted. The HSM must be re-initialized
with
the 'hsm init' command.
'hsm login' aborted.
If you lockout your Partition Owner / Crypto Officer with 10 bad logins
AND the "SO can Reset Container PIN" policy is ON, then you
MUST reset both the partition owner challenge AND the PED pin:
[myLuna] lunash:>partition resetPw -partition Partition1
Which
part of the partition password do you wish to change?
1.
change
black PED key data
2.
generate
new random password for partition owner
3.
generate
new random password for crypto-user
4.
both options
1 and 2
0.
abort command
Please
select one of the above options:
For this situation, you must choose option 4.
If the partition was activated prior to this, you must reactivate it
after resetting the PED pin.
If you merely wish to change the Partition password or black PED Key,
use the "partition changePw" command instead.
Show the Table of Contents