• HSM Admin / Security Officer – If you lose the HSM SO authentication (a password for Luna HSMs with Password Authentication; the SO PED Key for Luna HSMs with Trusted Path / PED Authentication), you must re-initialize the HSM, which also zeroizes it: the contents of the HSM become permanently unavailable and must be replaced or regenerated after you re-initialize. Allowing anyone to change or reset the SO password without knowing the current password would not be good security, so we force zeroization of all HSM contents in that situation. Either you have lost access to your own data and keys and therefore do not care that they are erased, or an attacker is attempting to gain access, in which case you want your data and keys made unavailable and you want to be made aware that the attack has occurred.
• Partition Owner / Partition User / Crypto Officer – If you lose the Partition Owner/User authentication, the HSM Admin or Security Officer can reset the password with the lunacm command 'partition -resetPw'. The HSM Policy "21: Force user PIN change after set/reset" determines whether the Partition User can access the Partition with the password set by "partition -resetPw", or whether the User must first set a new password with "partition changePw" before being allowed to access the Partition. That policy can be used to enforce role separation between SO and User.
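The two recovery paths above differ in what survives: a lost SO credential costs the HSM contents, while a lost partition credential is recoverable by the SO, with policy 21 deciding whether the SO's reset value can itself open the partition. The following Python model is an added example, not Luna or lunacm code; the class and function names (Hsm, Partition, reinitialize, so_reset_partition_pw, user_change_partition_pw, user_login) and the sample passwords and key handles are constructed for this illustration and do not mirror the real API.

```python
# Added example (not Luna/Thales code): a minimal model of the two recovery
# paths described on the page. All names, passwords and key handles here are
# constructed for illustration and do not mirror the lunacm API.
from dataclasses import dataclass, field


class AuthError(Exception):
    """Raised when an operation is attempted without the required authentication."""


@dataclass
class Partition:
    name: str
    user_pw: str                      # Partition User / Crypto Officer credential
    must_change_pw: bool = False      # set by an SO reset when policy 21 is on
    keys: list = field(default_factory=list)


@dataclass
class Hsm:
    so_pw: str                        # HSM SO credential (password-authentication model)
    policy_21: bool                   # "Force user PIN change after set/reset"
    partitions: dict = field(default_factory=dict)

    # --- HSM SO path --------------------------------------------------------
    def reinitialize(self, new_so_pw: str) -> None:
        """Recovery for a lost SO credential. No old credential is required,
        so the HSM is zeroized: every partition and key is discarded."""
        self.partitions.clear()
        self.so_pw = new_so_pw

    # --- Partition User path ------------------------------------------------
    def so_reset_partition_pw(self, so_pw: str, part: str, new_pw: str) -> None:
        """Models 'partition -resetPw': the SO sets a new user password."""
        if so_pw != self.so_pw:
            raise AuthError("HSM SO authentication failed")
        p = self.partitions[part]
        p.user_pw = new_pw
        p.must_change_pw = self.policy_21   # policy 21 forces a user-chosen password

    def user_change_partition_pw(self, part: str, old_pw: str, new_pw: str) -> None:
        """Models 'partition changePw', performed by the user with the reset value."""
        p = self.partitions[part]
        if old_pw != p.user_pw:
            raise AuthError("partition authentication failed")
        p.user_pw = new_pw
        p.must_change_pw = False

    def user_login(self, part: str, pw: str) -> list:
        """Returns the partition's key handles if access is granted."""
        p = self.partitions[part]
        if pw != p.user_pw:
            raise AuthError("partition authentication failed")
        if p.must_change_pw:
            raise AuthError("password was reset by the SO; change it before access")
        return list(p.keys)


def build_hsm(policy_21: bool) -> Hsm:
    """Constructed sample state: one partition holding two key handles."""
    hsm = Hsm(so_pw="so-secret", policy_21=policy_21)
    hsm.partitions["part1"] = Partition("part1", user_pw="user-secret", keys=["k1", "k2"])
    return hsm


def reset_then_login(policy_21: bool) -> str:
    """Scenario: the user lost the password, the SO resets it, and whoever holds
    the reset value (the SO included) tries to open the partition with it."""
    hsm = build_hsm(policy_21)
    hsm.so_reset_partition_pw("so-secret", "part1", "temp-pw")
    try:
        hsm.user_login("part1", "temp-pw")
        return "reset-password-grants-access"
    except AuthError:
        # Policy 21 on: the reset value only authorizes a password change.
        hsm.user_change_partition_pw("part1", "temp-pw", "new-user-secret")
        hsm.user_login("part1", "new-user-secret")
        return "change-required-before-access"


def lost_so_credential() -> int:
    """Scenario: SO password lost; re-initialization recovers control of the
    HSM but returns the number of surviving keys, which is zero."""
    hsm = build_hsm(policy_21=True)
    hsm.reinitialize("new-so-secret")
    return sum(len(p.keys) for p in hsm.partitions.values())


if __name__ == "__main__":
    print("policy 21 off:", reset_then_login(False))
    print("policy 21 on: ", reset_then_login(True))
    print("keys after SO re-init:", lost_so_credential())
```

With policy 21 off, the SO's reset value opens the partition, so the SO role effectively holds user access; with it on, the reset value is only good for a change, which is the role separation the page refers to. The SO path shows why a lost SO credential is the more serious event: control is regained, but nothing stored survives.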