Forgotten Passwords/Lost Authentication

Recover from a forgotten password as follows.

Appliance Admin Password Recovery

If you forget your appliance admin password, you can reset it by logging in to the special account called 'recover'. See Recover or Reset the Admin Account Password.

HSM Admin/Security Officer Authentication - No Recovery

If you lose the HSM Admin authentication (a password for SafeNet Luna HSMs with Password Authentication; the blue PED key for SafeNet Luna HSMs with Trusted Path Authentication), you must re-initialize the HSM, which also zeroizes the HSM: the contents of the HSM become permanently unavailable and must be replaced or regenerated after you re-initialize. Allowing anyone to change or reset the appliance admin password without knowing the current password would not be considered good security, so zeroization of all HSM contents is forced in this situation. Either you have lost access or authentication to your own data and keys and therefore do not care that they are erased, or an attacker is attempting to gain access, in which case you want your data and keys made unavailable and you want to be made aware that the attack has occurred.

Note: You can restore from a Backup HSM if you use the token's PED keys (answer Yes to the PED's "Reuse..." question, and No New Domain) when initializing the HSM.

Partition Roles Authentication Recovery

The Partition SO authentication is under the same restrictions as the HSM SO, with the added provisions:

For SafeNet Network Appliance HSM, the HSM SO cannot "reset" the Partition SO's password or blue PED key secret. For the HSM SO, any initialized partition is a "black box" that the HSM SO can create or destroy, but cannot access.

All authentication-management actions in a partition must take place via a registered client connection, normally using the role commands of the LunaCM utility:

The Partition SO can modify their own password or blue PED key secret using the LunaCM role changepw command.  

The Crypto Officer and Crypto User can modify their own authentication (password or black PED key secret or gray PED key secret, or challenge secret for applications) using the LunaCM role changepw command.  

The Partition SO can reset the Crypto Officer's or the Crypto User's authentication using the LunaCM role resetpw command only if HSM policy 15: Enable SO reset of partition PIN is enabled.

Lost PED Key or Forgotten Password

Passwords

Go to the secure lockup (a safe, an off-site secure deposit box, other) where you keep such important information, read and memorize the password. Return to the HSM and resume using it.

PED keys

Retrieve one of its copies from your on-site secure storage, or from your off-site disaster-recovery secure storage. Make any necessary replacement copies, using Luna PED, and resume using your HSM(s).

If you have lost a blue PED key, someone else might have found it. Consider using lunacm:>changepw or lunash:>hsm changepw, as appropriate, to invalidate the current blue key secret, which might be compromised, and to safeguard your HSM with a new SO secret going forward. HSM and partition contents are preserved.

Lost PED Key or Forgotten Password and No Backup

Blue PED key or SO password

If you truly have not kept a securely stored written backup of your HSM SO password or, for a PED-authenticated HSM, your blue SO PED key, then you are out of luck. If you have access to your partition(s), immediately make backups of all partitions that have important content. When you have done what you can to safeguard partition contents, perform hsm factoryreset, followed by hsm init. This is a "hard initialization" that wipes your HSM (destroying all partitions on it) and creates a new HSM SO password or blue PED key. You can then create new partitions and restore contents from backup. Any object that was in HSM SO space (rather than within a partition) is irretrievably lost.

Red PED key or HSM/Partition domain secret

If you have the red PED key or the HSM-or-Partition domain secret for another HSM or Partition that is capable of cloning (or backup/restore) with the current HSM or Partition, then you have the domain that you need - just make a copy. Cloning or backup/restore can take place only between entities that have identical domains, so that other domain must be the same as the one you "lost".

If you truly have not kept a secured written backup of your HSM or partition cloning domain or, for a PED-authenticated HSM, your domain PED key(s), then you are out of luck. Any keys or objects that exist under that domain can still be used, but cannot be cloned, backed up, or restored. Begin immediately to phase in new/replacement keys/objects on another HSM for which you have the relevant domain secret(s) or red PED key(s). Ensure that you have copies of the red PED keys, or a written record of any text domain string, in secure on-site and off-site backup locations. Phase out the use of the old keys/objects, as you have no way to protect them against a damaged or lost HSM.

Orange Remote PED key

You will need to generate a new Remote PED Vector on one affected HSM with lunacm:>ped vector init or lunash:>hsm ped vector init to have that HSM and an orange key (plus backups) imprinted with the new RPV. Then you must physically go to all other HSMs that had the previous (lost) RPV and do the same, except you must say Yes to the PED's "Do you wish to reuse an existing keyset?" question, in order to bring the new RPV to all HSMs. If you forget and say No to the PED's "...reuse..." question, then you must start over.   

White Audit PED key

You will need to initialize the audit role on any affected HSM. This creates a new Audit identity for that HSM, which orphans all records and files previously created under the old, lost audit role. The audit files that were previously created can still be viewed, but they can no longer be cryptographically verified. Remember, when performing Audit init on the first HSM, you can say Yes or No to Luna PED's "Do you wish to reuse an existing keyset?" question, as appropriate, but for any additional HSMs that share that audit role, you must answer Yes.

Forgotten PED PIN

Forgetting a PED PIN is the same as not having the correct PED key. See above for options in each situation.

Once a PED PIN is imposed, it is a required component of role authentication unless you arrange otherwise. You can remove the requirement for a PED PIN on a given HSM role only if you are currently able to authenticate (login) to that role. For black PED keys, you can have the SO reset your authentication. For other roles, this is not possible.

For blue PED keys, forgetting a PED PIN is fatal.

For red PED keys, forgetting the PED PIN is eventually fatal, but you can work in the meantime while you phase out your orphaned keys and objects.

Forgetting PED PINs for other roles, like losing their PED keys, is more or less inconvenient, but not fatal.

Forgotten which PED key goes with which HSM/Partition

See your options, above. The most serious one is the blue PED key or the PED PIN for the SO role. You have only three tries to get it right. On the third wrong attempt, the HSM contents are lost. Wrong attempts are counted if you present the wrong blue PED key, or if you type the wrong PED PIN with the right PED key.

For black User PED keys and their PED PINs (if applicable), you have ten tries to get the right key or the right combination, unless the SO has changed the default number of retries. If you are getting close to that maximum number of bad attempts, stop, and ask the SO to reset your partition PW.

For other PED keys, there is no restriction on re-tries.
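The retry rules above are easy to misjudge under pressure, so the following Python model of them is added here as an illustration (it is not SafeNet/Thales code and does not talk to an HSM). It encodes only what this page states: a blue SO key gets three tries and exhausting them zeroizes the HSM; a black User key gets ten tries by default (the SO may change the limit) and, once exhausted, can be reset by the Partition SO only when HSM policy 15 is enabled; other PED keys have no retry limit; and a wrong PED PIN with the right key counts as a failed attempt. Two details are assumptions, marked in the code: the failure counter clears on a successful login, and the role names used here are labels of this example only.

```python
"""Model of the PED key / PED PIN retry rules on this page.

Added example, not vendor code. Assumptions (not stated on the page):
  - the failure counter clears after a successful authentication;
  - role labels "so", "user" and anything else are this example's own.
"""
from dataclasses import dataclass
from typing import Optional

OK = "ok"                # role can still authenticate
LOCKED = "locked"        # black key exhausted; needs Partition SO reset
ZEROIZED = "zeroized"    # blue key exhausted; HSM contents are gone


@dataclass
class RoleAuth:
    """Retry state for one role's PED key (plus optional PED PIN)."""
    role: str                          # "so" = blue key, "user" = black key
    max_attempts: Optional[int]        # None = no restriction on retries
    policy15_enabled: bool = False     # HSM policy 15: Enable SO reset of partition PIN
    failures: int = 0
    state: str = OK

    @classmethod
    def for_role(cls, role: str, policy15_enabled: bool = False,
                 user_limit: int = 10) -> "RoleAuth":
        """Build the state with the limits the page gives for each key colour."""
        if role == "so":
            return cls("so", 3, policy15_enabled)       # blue key: three tries
        if role == "user":
            return cls("user", user_limit, policy15_enabled)  # black key: ten by default
        return cls(role, None, policy15_enabled)        # red/orange/white/gray: unlimited

    def remaining(self) -> Optional[int]:
        """Attempts left before lockout/zeroization (None = unlimited)."""
        if self.max_attempts is None:
            return None
        return max(self.max_attempts - self.failures, 0)

    def attempt(self, key_correct: bool, pin_correct: bool = True) -> str:
        """One presentation of a PED key and its PED PIN.

        A wrong key counts as a bad attempt, and so does the right key
        with a wrong PIN, as the page states.
        """
        if self.state != OK:
            return self.state                 # already locked or zeroized
        if key_correct and pin_correct:
            self.failures = 0                 # assumption: counter clears on success
            return OK
        self.failures += 1
        if self.max_attempts is not None and self.failures >= self.max_attempts:
            self.state = ZEROIZED if self.role == "so" else LOCKED
        return self.state

    def so_reset(self) -> bool:
        """Partition SO resets a black-key role (role resetpw).

        Allowed only for the black-key role and only with policy 15 on;
        an exhausted blue key cannot be reset by anyone.
        """
        if self.role != "user" or not self.policy15_enabled or self.state == ZEROIZED:
            return False
        self.failures = 0
        self.state = OK
        return True


def should_stop(auth: RoleAuth, margin: int = 1) -> bool:
    """True when the operator should stop and involve the SO instead of guessing."""
    left = auth.remaining()
    return left is not None and left <= margin


if __name__ == "__main__":
    so = RoleAuth.for_role("so")
    so.attempt(key_correct=False)
    so.attempt(key_correct=True, pin_correct=False)   # right key, wrong PIN still counts
    print("blue key attempts left:", so.remaining(), "stop now:", should_stop(so))
```

Use it as a reasoning aid before touching a real PED: construct the state for the role in question, replay the attempts already made, and check `should_stop()` before presenting another key.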