partition resetpw

Resets a Partition Owner's password, or PED key data.

The HSM Admin must be logged in to execute this command. This command is available only if the destructive HSM policy “SO can reset partition PIN” is ON.

This command detects firmware level and determines whether an action is allowed.

For password-authenticated HSMs, if the new password is not provided via the command line, the user is interactively prompted for it. Input is echoed as asterisks, and the user is asked for password confirmation.

For PED-authenticated HSMs, PED action is required, and a Partition Owner PED Key (black) is imprinted. Any password provided at the command line is ignored.

Note: Reset the black PED Key before resetting the challenge. If you do not, the system presents the error
"Error: The HSM security policy does not allow the HSM Administrator to reset the password for partitions."
The message should say something more informative, such as:
"Please reset black PED Key first before resetting challenge."

This command does not perform a 'pure' password reset, which would simply apply a default until the partition owner changed it to a suitable replacement. Doing so would create a security hole in a system deployed in a production environment. Instead, the HSM SO assigns a secure password and must inform the partition owner of the change, and must pass along the new password (whether that is a text string or a new PED Key).

Syntax

partition resetPw -partition <partitionname> [-cu] [-password <password>] [-newpw <password>]

Parameter    Shortcut   Description
-cu          -c         Perform task as Crypto-User.
-newpw       -n         The new password to be used as the HSM Partition Owner's login credential to the named HSM Partition. Requires the SO to be logged in. This parameter is mandatory for password-authenticated HSMs. It is ignored on PED-authenticated HSMs. If you omit the password from the command line, you are prompted for it (password-authenticated HSMs).
-password    -pas       Partition Password.
-partition   -par       Specifies the name of the HSM Partition ID for which to reset the Owner's PIN. Obtain the HSM partition name by using the partition list command.

Example

lunash:> partition resetpw -partition mypar

Which part of the partition password do you wish to change?

  1.  change Partition Owner (black) PED key data
  2.  generate new random password for partition owner
  3.  use default password for partition owner
  4.  both options 1 and 2
  5.  change crypto-user (black) PED key data
  6.  generate new random password for crypto-user
  7.  use default password for crypto-user
  0.  abort command

Please select one of the above options: 1

Luna PED operation required to reset partition PED key data - use User or Partition Owner (black) PED key.

'partition resetPw' successful.

Command Result : (Success)