Resetting the Crypto Officer or Crypto User Credential
If necessary, the Crypto Officer can reset the Crypto User credential at any time, without providing the current credential. This is useful in cases where the Crypto User credential has been lost or otherwise compromised.
Prerequisites for Crypto Officer Reset
The Partition SO can also reset the Crypto Officer's credential, if HSM policy 15: Enable SO reset of partition PIN is enabled. By default, this policy is not enabled, and changing it is destructive. If you want the Partition SO to be able to reset the CO's credential, the HSM SO must enable this policy before creating the application partition (see Partition Capabilities and Policies).
CAUTION! HSM policy 15 is destructive when turned on. All partitions on the HSM and their contents will be erased.
To reset the Crypto Officer or Crypto User credential
1. Log in with the appropriate role (see Logging In to the Application Partition).
2. Reset the desired role's credential.
In LunaCM, passwords and challenge secrets must be 7-255 characters in length. The following characters are allowed:
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^&*()-_=+[]{}\|/;:',.<>?`~
Double quotation marks (") are problematic and should not be used in passwords.
Spaces are allowed; to specify a password that includes spaces using the -password option, enclose the password in double quotation marks.
lunacm:> role resetpw -name <role>
You are prompted to set a new credential for the role.
3. Provide the new credential to the Crypto Officer or Crypto User.
NOTE If HSM policy 21: Force user PIN change after set/reset is enabled, the user must change the credential before any other actions are permitted. See Changing a Role Credential.
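The credential rules in step 2 can be checked before a value is entered at the role resetpw prompt, and a replacement credential can be drawn at random from the allowed set. The following Python is an added example, not part of the LunaCM documentation or tooling; the function names check_credential and generate_credential, and the choice to leave spaces out of generated values, are assumptions of this example.

```python
import secrets
import string

# Character set and length limits as stated in the LunaCM rules above.
ALLOWED = set(string.ascii_letters + string.digits + " !@#$%^&*()-_=+[]{}\\|/;:',.<>?`~")
MIN_LEN, MAX_LEN = 7, 255


def check_credential(candidate):
    """Return a list of rule violations; an empty list means acceptable."""
    problems = []
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        problems.append(f"length {len(candidate)} is outside {MIN_LEN}-{MAX_LEN}")
    if '"' in candidate:
        problems.append("contains a double quotation mark")
    # Report other offenders by code point, never by echoing the whole secret.
    bad = sorted({c for c in candidate if c not in ALLOWED and c != '"'})
    if bad:
        problems.append("disallowed characters: " + ", ".join(f"U+{ord(c):04X}" for c in bad))
    return problems


def generate_credential(length=24):
    """Draw a random credential from the allowed set using the OS CSPRNG.

    Assumption of this example: space is left out of the generator's alphabet
    so the value never needs quoting and has no invisible leading or trailing
    characters when it is handed to the role holder.
    """
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be {MIN_LEN}-{MAX_LEN}")
    alphabet = sorted(ALLOWED - {" "})
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for sample in ["short", 'has"quote123', "pässword-123", "correct horse 42!"]:
        print(repr(sample), "->", check_credential(sample) or "ok")
    print("generated length:", len(generate_credential()))
```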