Home >

Administration Guide > User and Password Administration > Resetting Passwords

Resetting Passwords

Resetting is normally done by a higher power when an authentication secret is lost/forgotten, or compromised, and is discussed separately from merely changing authentication when the user is in legitimate possession of the current authentication.

HSM

There is no provision to reset the SO or HSM Admin password (for Password Authenticated HSMs) or the blue PED Key (for PED Authenticated or Trusted Path HSMs), except by initializing the HSM, which destroys [zeroizes] the contents of the HSM and of any HSM Partitions. You can change the password (or the secret on the appropriate blue PED Key) with the hsm changePw command, but that requires that you know the current password (or have the current blue PED Key).

The assumption, from a security standpoint, is that if you no longer have the ability to authenticate to the HSM (because you forgot the password or lost the PED Key, or because an unauthorized person has changed the password or PED Key), then the HSM is effectively compromised and must be re-initialized. Thus, no explicit "reset" command is provided.

The hsm init command does not require a login, and the hsm login command is not accepted if the HSM is in zeroized state.

The following are examples of the behavior of the hsm login command in various possible circumstances.

Password Authenticated HSM:

One bad login

With or without –force (no difference)  / interactive password:

Caution:  You have only TWO HSM Admin login attempts left. If
         you fail two more consecutive login attempts (i.e.
         with no successful logins in between) the HSM will
         be ZEROIZED!!!
  Please enter the HSM Administrators' password:
 >

 

With or without –force  / non-interactive password:

>hsm login -password userpin -force
Caution:  You have only TWO HSM Admin login attempts left. If 
         you fail two more consecutive login attempts (i.e.
         with no successful logins in between) the HSM will
         be ZEROIZED!!!
'hsm login' successful.

 

Two bad logins

Without –force  / interactive password:

Caution:  This is your LAST available HSM Admin login attempt.
         If the wrong HSM Admin password is provided the HSM will
         be ZEROIZED!!!
          Type 'proceed' if you are certain you have the
         right login credentials or 'quit' to quit now.
         >  proceed
  Please enter the HSM Administrators' password:
  >

 

Without –force  / non- interactive password:

Caution:  This is your LAST available HSM Admin login attempt.
          If the wrong HSM Admin password is provided the HSM will
          be ZEROIZED!!!
          Type 'proceed' if you are certain you have the
          right login credentials or 'quit' to quit now.
         >  proceed
'hsm login' successful.

 

With –force  / interactive password:

Caution:  This is your LAST available HSM Admin login attempt.
          If the wrong HSM Admin password is provided the HSM will
          be ZEROIZED!!!
  Please enter the HSM Administrators' password:
  > *******
'hsm login' successful.

 

With –force  / non-interactive password:

Caution:  This is your LAST available HSM Admin login attempt.
          If the wrong HSM Admin password is provided the HSM will
         be ZEROIZED!!!
'hsm login' successful.

Trusted Path Authentication (uses SafeNet PED and PED Keys):

One bad login

With or without –force ( no difference):

Caution:  You have only TWO HSM Admin login attempts left. If
          you fail two more consecutive login attempts (i.e.
         with no successful logins in between) the HSM will
         be ZEROIZED!!!
Use blue PED key?

 

Two bad logins

Without –force :

Caution:  This is your LAST available HSM Admin login attempt.
          If the wrong blue PED key is provided the HSM will
         be ZEROIZED!!!
          Type 'proceed' if you are certain you have the
          right login credentials or 'quit' to quit now.
          >  proceed
Use blue PED key?

 

With –force :

Caution:  This is your LAST available HSM Admin login attempt. 
         If the wrong HSM Admin password is provided the HSM will
         be ZEROIZED!!!
Use blue PED key?
'hsm login' successful.

 

Example when HSM Zeroized:

Error:    The HSM is zeroized due to three consecutive failures to 
         login as HSM Administrator.
          'hsm login' is not permitted. The HSM must be re-initialized 
         with the 'hsm init' command.
'hsm login' aborted.

Partition

If you lockout your Partition Owner / Crypto Officer with 10 bad logins AND the "SO can Reset Container PIN" policy is ON, then you MUST reset both the partition owner challenge AND the PED pin:

[myLuna] lunash:>partition resetPw -partition Partition1
  Which part of the partition password do you wish to change?
  1.   change black PED key data
  2.   generate new random password for partition owner
  3.   generate new random password for crypto-user
  4.   both options  1 and 2
  0.   abort command
  Please select one of the above options:

 

For this situation, you must choose option 4.

If the partition was activated prior to this, you must reactivate it after resetting the PED pin.

If you merely wish to change the Partition password or black PED Key, use the partition changePw command instead.

SafeNet PCI-E HSM 6.2 Product Documentation
007-011329-009 Rev. A 18 December 2015 Copyright 2015 Gemalto NV All rights reserved.