About Changing HSM and Partition Passwords
From time to time, you might have reason to change the various passwords on the appliance and HSM. This might be because a password has been compromised (or is suspected to be), lost, or forgotten, or because your security procedures mandate password-change intervals.
The two options are:
Action | Description | When used
---|---|---
Resetting PW | A higher authority sets a user's credentials back to a known default value (without requiring the knowledge or cooperation of the affected user). | Current holder has lost or forgotten his/her credential (forgot a password, misplaced a PED key); current credential is known or suspected to have become compromised; current holder has departed the organization
Changing PW | The legitimate holder of the credential logs in with the current credential and then directs the HSM, under the logged-in user's own authority, to change that user's credential to a new value. | Credential holder suspects possible compromise of the credential; credential holder is complying with organization security provisions (such as a mandatory password-change interval)
HSM Passwords
Resetting HSM SO Password
There is no provision to reset the HSM SO (HSM Admin) password (for Password Authentication) or the blue PED key (for Trusted Path), except to re-initialize the HSM, which zeroizes the contents of the HSM and of all partitions on that HSM.
Resetting the password or authentication of a role or user requires a higher authority to invoke the reset. On the HSM, there is no authority higher than the SO/HSM Admin, so the SO credential can only be changed by the SO (see below), never reset.
Changing HSM SO Password
To change the HSM password (for Password Authentication) or the secret on the blue PED key (for Trusted Path), use the hsm changepw command. You will be prompted for the current HSM SO credential, so you do not need to log in separately:
lunash:> hsm changepw
Luna PED operation required to login as HSM Administrator - use Security Officer (blue) PED key.
Command result : (0) success
Partition Passwords
The Partition SO can use the LunaCM command role resetpw to reset the Crypto Officer password or black PED key only if HSM policy 15: Enable SO reset of partition PIN is enabled. By default, this policy is not enabled; the HSM SO must turn it on before a Partition SO can reset a Crypto Officer credential.
Failed Logins and Forgotten Passwords
See Failed Logins.
Appliance
For password changes affecting the appliance, not including the HSM, see Users and Passwords in the Appliance Administration Guide.