There is no provision to reset the HSM Admin or SO password (for Password Authentication) or blue PED Key (Trusted Path), except by initializing the HSM (which destroys [zeroizes] the contents of the HSM and of any HSM Partitions). You can change the password (or the secret on the appropriate blue PED Key) with the lunacm hsm changePw command, but that requires that you know the current password (or have the current blue PED Key).
The assumption, from a security standpoint, is that if you no longer have the ability to authenticate to the HSM (because you forgot the password or lost the PED Key, or because an unauthorized person has changed the password or PED Key), then the HSM is effectively compromised and must be re-initialized.
The hsm init command does not require a login, and the hsm login command is not accepted if the HSM is in zeroized state.
The following are examples of the behavior of the hsm login command in various possible circumstances.
Password Authentication

One bad login

With or without -force (no difference) / interactive password:

Caution: You have only TWO HSM Admin logins attempts left. If you fail two more consecutive login attempts (i.e. with no successful logins in between) the HSM will be ZEROIZED!!!
Please enter the HSM Administrators' password:
>

With or without -force / non-interactive password:

>hsm login -password userpin -force
Caution: You have only TWO HSM Admin logins attempts left. If you fail two more consecutive login attempts (i.e. with no successful logins in between) the HSM will be ZEROIZED!!!
'hsm login' successful.

Two bad logins

Without -force / interactive password:

Caution: This is your LAST available HSM Admin login attempt. If the wrong HSM Admin password is provided the HSM will be ZEROIZED!!!
Type 'proceed' if you are certain you have the right login credentials or 'quit' to quit now.
> proceed
Please enter the HSM Administrators' password:
>

Without -force / non-interactive password:

Caution: This is your LAST available HSM Admin login attempt. If the wrong HSM Admin password is provided the HSM will be ZEROIZED!!!
Type 'proceed' if you are certain you have the right login credentials or 'quit' to quit now.
> proceed
'hsm login' successful.

With -force / interactive password:

Caution: This is your LAST available HSM Admin login attempt. If the wrong HSM Admin password is provided the HSM will be ZEROIZED!!!
Please enter the HSM Administrators' password:
> *******
'hsm login' successful.

With -force / non-interactive password:

Caution: This is your LAST available HSM Admin login attempt. If the wrong HSM Admin password is provided the HSM will be ZEROIZED!!!
'hsm login' successful.

Trusted Path (PED Key)

One bad login

With or without -force (no difference):

Caution: You have only TWO HSM Admin logins attempts left. If you fail two more consecutive login attempts (i.e. with no successful logins in between) the HSM will be ZEROIZED!!!
Use blue PED key?

Two bad logins

Without -force:

Caution: This is your LAST available HSM Admin login attempt. If the wrong blue PED key is provided the HSM will be ZEROIZED!!!
Type 'proceed' if you are certain you have the right login credentials or 'quit' to quit now.
> proceed
Use blue PED key?

With -force:

Caution: This is your LAST available HSM Admin login attempt. If the wrong HSM Admin password is provided the HSM will be ZEROIZED!!!
Use blue PED key?
'hsm login' successful.

Example when HSM Zeroized:

Error: The HSM is zeroized due to three consecutive failures to login as HSM Administrator.
'hsm login' is not permitted. The HSM must be re-initialized with the 'hsm init' command.
'hsm login' aborted.
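The consecutive-failure counter that drives the warnings above, modelled as an added Python example (this is not lunacm or Luna firmware code; the `userpin` secret and the `HsmAdminLogin` class are constructed for illustration). It captures the points the page makes: the count is of consecutive failures, a successful login clears it, the 'proceed'/'quit' prompt appears only on the last attempt without -force, a zeroized HSM refuses 'hsm login', and 'hsm init' needs no login.

```python
from dataclasses import dataclass

MAX_FAILURES = 3  # the third consecutive bad HSM Admin login zeroizes the HSM


@dataclass
class HsmAdminLogin:
    """Consecutive-failure counter for the HSM Admin / SO login (constructed model)."""
    secret: str = "userpin"      # stand-in for the password or blue PED Key secret
    failures: int = 0            # consecutive failed logins since the last success
    zeroized: bool = False

    def warning(self) -> str:
        """Caution text shown before the next attempt; empty while no failure is recorded."""
        if self.failures == 1:
            return "Caution: You have only TWO HSM Admin login attempts left."
        if self.failures == 2:
            return "Caution: This is your LAST available HSM Admin login attempt."
        return ""

    def asks_to_proceed(self, force: bool) -> bool:
        """The 'proceed'/'quit' confirmation appears only on the last attempt and only without -force."""
        return self.failures == 2 and not force

    def login(self, attempt: str, force: bool = False, confirm: bool = True) -> str:
        """Outcome of one 'hsm login' attempt; updates the counter and zeroized state."""
        if self.zeroized:
            return "not permitted: HSM is zeroized, run 'hsm init'"
        if self.asks_to_proceed(force) and not confirm:
            return "aborted"                 # operator typed 'quit'; counter unchanged
        if attempt == self.secret:
            self.failures = 0                # a success clears the consecutive-failure count
            return "successful"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.zeroized = True             # HSM and partition contents are destroyed
            return "ZEROIZED"
        return "failed"

    def init(self) -> None:
        """'hsm init' requires no login; it clears the zeroized state and the counter."""
        self.zeroized = False
        self.failures = 0
```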
If you lock out your Partition Owner / Crypto Officer with 10 bad logins AND the "SO can Reset Container PIN" policy is ON, then you MUST reset both the partition owner challenge AND the PED pin:
lunacm:>partition resetPw -partition Partition1
Which part of the partition password do you wish to change?
1. change black PED key data
2. generate new random password for partition owner
3. generate new random password for crypto-user
4. both options 1 and 2
0. abort command
Please select one of the above options:
For this situation, you must choose option 4.
If the partition was activated prior to this, you must reactivate it after resetting the PED pin.
If you merely wish to change the Partition password or black PED Key, use the "partition changePw" command instead.