Home > |
---|
There is no provision to reset the Security Officer (SO) password (for Password Authentication) or PED Key (for Trusted Path), except to re-initialize the HSM, which zeroizes the contents of the HSM and of any Partitions on that HSM.
The assumption, from a security standpoint, is that if you no longer have the ability to authenticate to the HSM (because you forgot the password or lost the PED Key, or because you are an unauthorized person attacking the HSM without access to the password or PED Key), then the HSM is effectively compromised and must be re-initialized. To look at that another way, a user or SO who already has current authentication and just wishes to change that authentication, at his/her own level, is required to log in first (which protects against malicious changes), but resetting back to some default secret requires intervention by a higher authority. At the HSM level, there is no higher authority than the Security Officer / HSM Admin, so simple re-setting is not permitted.
If you re-initialize with the same cloning domain, you can, of course, restore from backup.
To change the HSM password (for Password Authentication) or the secret on the SO PED Key (for Trusted Path), you must log in as SO using the current password (or SO PED Key).
lunacm:> hsm login -password <password>
Command Result : No Error
lunacm:> hsm changePw prompt -newpw <new_password> -oldpw <old_password>
Command Result : No Error
lunacm:>
The task is complete.
You may not set the Password to be "PASSWORD", which is reserved as the partition creation-time default only, and is too easy to guess for a real, operational, in-service password.
If you issued the same command for a Trusted Path / PED Authenticated HSM, lunacm returns an error like "0x30 (CKR_DEVICE_ERROR)". The text passwords are not expected or wanted for this type of HSM.
For a Trusted Path / PED Authenticated HSM, do not include any text passwords in the command.
lunacm:> hsm changePw
Please attend to the PED
Luna PED prompts for the current blue SO PED Key.
After you insert that, and press [ENTER], Luna PED prompts for a new blue PED Key - that can be an entirely new iKey PED Key, or it could be the same one that you just used, now to be overwritten. If the key that you provide is blank, a new Security Officer secret is generated and imprinted on both the iKey PED Key and the HSM. If the key you provide has a valid ID on it, Luna PED says so, and asks if you wish to retain it or overwrite it. Once that is done, you are asked if you wish to make any additional copies of the new blue PED Key, and the task is finished. The HSM and Partition contents are intact, but anybody (and any application) that has only the old blue SO PED Key (or a copy of it) can no longer access the HSM for administrative actions.
During the PED interaction, you could elect to change the MofN status of the SO secret. That is, if (for example) you had not invoked MofN for your old blue-key secret, you could now set "N" to some number higher than 1, and "M" as well, which would have the effect of splitting your SO secret across "N" different blue PED Keys. In legacy Luna HSMs, this was not possible.
A deliberate change to a Partition password is different from a password reset(the command partition -resetpw -password <password> allows the SO to force a password change for the Partition -- this would be needed if the User had forgotten the Partition Password or if someone had made 10 bad login attempts; it would also be used in the case of personnel change. Note that an SO-settable policy determines whether the User can resume using the Partition with the new password, or the User is immediately forced to set his/her own new password before being allowed to resume using the Partition.) .
In both cases, the Partition or HSM contents remain intact.
•you must be logged in as SO, but
•you do not need to know the existing Partition password (for Password Authenticated systems) nor do you need to have the existing Partition Owner (black) PED Key (for Trusted Path Authenticated systems).
lunacm:> partition resetPw -password <new_password>
•you do not have to be logged in as HSM Admin, but
•you do need to know the current password (for Password Authenticated) or have the current black User PED Key (for PED Authenticated HSM).
lunacm:> partition changePw -newpw <new_password> -oldpw <old_password>
The above works for a Password Authenticated HSM, and the task is finished. The Partition contents are intact, but anybody (and any application) that knows only the old password can no longer access the partition. For a Password Authenticated HSM the Partition Owner/User Password is also the Client password - your Client applications must be given the new password before they can resume using the Partition.
If you issued the same command
( lunacm:>
partition changePw -newpw <new_password> -oldpw <old_password>)
for a Trusted Path / PED Authenticated HSM, lunacm assumes that you wish to change the Partition challenge secret (if you previously created one). This is your opportunity to impose a new secret – of your own choosing – to replace the 16-character secret created for you by Luna PED. You might do this for convenience, or because your organization's security policy mandates regular password changes.
If you prefer not to expose the password in the clear, on-screen, you can issue the command as lunacm:> partition changePw -prompt which causes lunacm to prompt you for the old and new passwords, and hides your input with asterisks (*****...).
For a Trusted Path / PED Authenticated HSM, if you do not include the text passwords in the changepw command, then lunacm assumes that you wish to change the secret on the black PED Key.
lunacm:>
partition changePw
Please attend to the PED
Luna PED prompts for the current black Partition User / Owner PED Key.
After you insert that, and press [ENTER], Luna PED prompts for a new black PED Key - that can be an entirely new iKey PED Key, or it could be the same one that you just used, now to be overwritten. If the key that you provide is blank, a new Owner/User secret is generated and imprinted on both the iKey PED Key and the HSM Partition. If the key you provide has a valid ID on it, Luna PED says so, and asks if you wish to retain it or overwrite it.. Once that is done, you are asked if you wish to make any additional copies of the new black PED Key, and the task is finished. The Partition contents are intact, but anybody (and any application) that has only the old black User/Owner PED Key (or a copy of it) can no longer access the partition for administrative or cryptographic activities.
Note that, on a PED Authenticated HSM, the Client challenge secret (that your Client applications present in order to access the Partition) is different and totally separate from the black Owner/User PED Key secret that permits administrative access to the Partition. By changing or re-setting the Partition Owner/User secret in the second example, you did not touch the Client Partition secret, which can still be used by Clients.
Similarly, you could use the command lunacm:> partition createChallenge to create a new Client secret (which must then be given to any Client application that needs to use the Partition), without affecting the black Owner/User PED Key secret.