About Changing HSM and Partition Passwords

From time to time, you might have reason to change the various passwords on the appliance and HSM. This might be because a password may have been compromised, lost, or forgotten, or because your security procedures mandate password-change intervals.

The two options are:

Action: Resetting PW
Description: A higher authority sets a user's credentials back to a known default value (without requiring the knowledge or cooperation of the affected user).
When used:
- the current holder has lost or forgotten his/her credential (forgot a password, misplaced a PED Key)
- the current credential is known or suspected to have become compromised
- the current holder has departed the organization

contrasts with...

Action: Changing PW
Description: The legitimate holder of the credential is able to log in with current credentials before directing the HSM, under the current logged-in user's own authority, to change that user's credential to a new value.
When used:
- the credential holder suspects possible compromise of the credential
- the credential holder is complying with organization security provisions (such as a mandatory password-change interval)

HSM Passwords

Resetting HSM Password

There is no provision to reset the HSM Admin password (for Password Authentication) or PED Key (for Trusted Path), except to re-initialize the HSM, which zeroizes the contents of the HSM and of all Partitions on that HSM.

Resetting the password/authentication of a role or user requires a higher authority to invoke the reset. On the HSM, there is no authority higher than the SO / HSM Admin.

Changing HSM Password

To change the HSM password (for Password Authentication) or the secret on the blue PED Key (for Trusted Path), you must log in as HSM Admin using the current password (or blue PED Key). This is prompted by the hsm changePw command, so you do not need to log in separately.

lunash:> hsm changePw
Luna PED operation required to login as HSM Administrator - use Security Officer (blue) PED key.
Command result : (0) success
lunash:>

Partition Passwords

A deliberate change to a Partition password is different from a password reset. In both cases, the Partition or HSM contents remain intact.

Resetting Partition Password

To reset a Partition password:
- you must be logged in as HSM Admin, but
- you do not need to know the existing Partition password (for Password Authenticated systems), nor do you need to have the existing Partition Owner (black) PED Key (for Trusted Path Authenticated systems).

lunash:> partition resetPw -newpw mynewpw -partition mypartition1
Changing Partition Password

To change a Partition password:
- you do not have to be logged in as HSM Admin or SO, but
- you do need to know the current Partition password. For Trusted Path HSMs, you must provide the current black PED Key.

lunash:> partition changePw -newpw mynewpw -oldpw myoldpw -partition mypartition1


You can choose not to include the passwords with the command, which:

a. causes the system to prompt for the old and new passwords (obscuring them with asterisks (*) for greater security), and

b. presents additional options, as shown in the example below.

For a PED-authenticated HSM, the following example changes only the challenge secret of the named partition, and leaves the black PED Key contents unchanged.

Example:

[myluna] lunash:>partition changepw -partition mypar1

Which part of the partition password do you wish to change?

1. change partition owner (black) PED key data
2. generate new random password for partition owner
3. specify a new password for the partition owner
4. both options 1 and 2

0. abort command

Please select one of the above options: 3

Please enter the password for the partition:
> *************

Please enter a new password for the partition:
> ********

Please re-enter password to confirm:
> ********

Luna PED operation required to activate partition on HSM - use User or Partition Owner (black) PED key.

'partition changePw' successful.

Command Result : 0 (Success)
[myluna] lunash:>
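As an added example (not part of the Luna documentation or of SafeNet's tooling): a Python helper that reads a captured lunash transcript such as the ones above, recognises both "Command result" line formats the guide shows, counts PED prompts, and flags any -oldpw/-newpw values that were typed on the command line, since those are the secrets the interactive prompts are meant to keep out of session history. The two sample transcripts are constructed from the sessions shown on this page.

```python
import re

# Two result-line variants, both as they appear in the lunash transcripts on this page:
#   "Command result : (0) success"      (after hsm changePw)
#   "Command Result : 0 (Success)"      (after partition changePw)
RESULT_RE = re.compile(
    r"^Command\s+[Rr]esult\s*:\s*"
    r"(?:\((?P<a>-?\d+)\)\s*(?P<sa>\w+)|(?P<b>-?\d+)\s*\((?P<sb>\w+)\))\s*$"
)
CMD_RE = re.compile(r"lunash:>\s*(?P<cmd>\S.*?)\s*$")     # the command typed at the prompt
PED_RE = re.compile(r"^Luna PED operation required")       # one line per PED key prompt

# Constructed sample transcripts, copied from the sessions shown above.
SAMPLE_HSM_CHANGE = """lunash:> hsm changePw
Luna PED operation required to login as HSM Administrator - use Security Officer (blue) PED key.
Command result : (0) success
lunash:>"""

SAMPLE_PARTITION_CHANGE_ARGS = """lunash:> partition changePw -newpw mynewpw -oldpw myoldpw -partition mypartition1
Command Result : 0 (Success)
lunash:>"""

def parse_lunash_transcript(text):
    """Summarise one lunash command transcript.

    Returns a dict with the command line, the numeric result code (None if no
    result line was found), the result text, the number of PED prompts, a
    success flag, and the list of password options that were passed as
    command-line arguments (secrets that should have been entered at a prompt)."""
    command, code, status, ped = None, None, None, 0
    for line in text.splitlines():
        line = line.rstrip()
        m = CMD_RE.search(line)
        if m and command is None:          # keep the first command only
            command = m.group("cmd")
        if PED_RE.match(line):
            ped += 1
        m = RESULT_RE.match(line)
        if m:
            code = int(m.group("a") or m.group("b"))
            status = (m.group("sa") or m.group("sb")).lower()
    leaked = []
    if command:
        for opt in ("-oldpw", "-newpw"):
            if re.search(rf"(?:^|\s){opt}\s+\S", command, re.IGNORECASE):
                leaked.append(opt)
    return {"command": command, "result_code": code, "result_text": status,
            "ped_prompts": ped, "success": code == 0, "leaked_secrets": leaked}
```

A non-zero result code or a non-empty leaked_secrets list is the condition an audit script would raise on.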

Failed Logins and Forgotten Passwords

Failed Logins.

Appliance

For password changes affecting the appliance, not including the HSM.