Changing the HSM SO Credential

From time to time, you may need to change the HSM Security Officer's credential. The credential might have been compromised, or your organization's security policy may mandate account credential changes after a specific time interval. The HSM SO can change their own credential at any time.

There is no way to reset the HSM SO credential except to re-initialize the HSM, zeroizing the contents of the HSM and its application partitions. Resetting a credential requires a higher authority. On the HSM, there is no authority higher than the HSM SO.

To change the HSM SO credential

1. Connect to the appliance via SSH or a serial connection, and log in to LunaSH as admin or a custom user with an admin role (see Logging In to LunaSH).

2. Log in as HSM SO (see Logging In as HSM Security Officer).

3. Change the HSM SO credential.

lunash:> hsm changepw

You are prompted for the current HSM SO credential, and then to create a new one.

In LunaSH, the HSM SO password must be 7-255 characters in length. The following characters are allowed:
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^*()-_=+[]{}/:',.~
The following characters are invalid or problematic and must not be used in the HSM SO password: "&;<>\`|
Spaces are allowed; to specify a password that includes spaces using the -password option, enclose the password in double quotation marks.
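
Because a lost HSM SO credential can only be recovered by re-initializing the HSM, it is worth checking a candidate password against the rules above before entering it at the prompt. The following is an added example, not part of the product documentation or its tooling; the function names check_so_password and generate_so_password are hypothetical, and leaving spaces out of generated passwords is a choice made here, not a LunaSH requirement.

```python
import secrets
import string

# Character rules copied from the LunaSH password description above.
ALLOWED = set(string.ascii_letters + string.digits + " !@#$%^*()-_=+[]{}/:',.~")
FORBIDDEN = set("\"&;<>\\`|")
MIN_LEN, MAX_LEN = 7, 255


def check_so_password(candidate):
    """Return a list of problems; an empty list means the candidate fits the rules."""
    problems = []
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        problems.append(f"length {len(candidate)} is outside {MIN_LEN}-{MAX_LEN}")
    # Characters the documentation names as invalid or problematic.
    forbidden = sorted(set(candidate) & FORBIDDEN)
    if forbidden:
        problems.append("forbidden characters: " + " ".join(forbidden))
    # Anything else that is simply absent from the allowed list
    # (for example '?', tabs, or non-ASCII letters).
    unlisted = sorted(set(candidate) - ALLOWED - FORBIDDEN)
    if unlisted:
        problems.append(
            "characters not in the allowed set: " + " ".join(repr(c) for c in unlisted)
        )
    return problems


def generate_so_password(length=32):
    """Generate a random password from the allowed set (spaces omitted by choice)."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be between {MIN_LEN} and {MAX_LEN}")
    alphabet = sorted(ALLOWED - {" "})
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    import getpass

    # Read the candidate without echoing it to the terminal.
    issues = check_so_password(getpass.getpass("Candidate HSM SO password: "))
    print("OK" if not issues else "\n".join(issues))
```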