Changing a Partition Role Credential

From time to time, you may need to change the credential for a role. The credential might have been compromised, or your organization's security policy may mandate password changes after a specific time interval. The following procedure allows you to change the credential for a partition role (Partition SO, Crypto Officer, Crypto User). You must first log in using the role's current credential.

NOTE   If partition policy 21: Force user PIN change after set/reset is set to 1 (default), this procedure is required after initializing or resetting the CO or CU role and/or creating a challenge secret.

To change a partition role credential

1.In LunaCM, log in using the role's current credential (see Logging In to the Application Partition).

lunacm:> role login -name <role>

2.Change the credential for the logged-in role. If you are using a password-authenticated partition, specify a new password. If you are using a PED-authenticated partition, ensure that you have a blank or rewritable PED key available. Refer to Creating PED Keys for details on creating PED keys.

In LunaCM, passwords and activation challenge secrets must be 7-255 characters in length (NOTE: If you are using firmware version 7.0.x, 7.3.3, or 7.4.2, activation challenge secrets must be 7-16 characters in length). The following characters are allowed:
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^&*()-_=+[]{}\|/;:',.<>?`~
Double quotation marks (") are problematic and should not be used within passwords.  
Spaces are allowed; to specify a password with spaces using the -password option, enclose the password in double quotation marks.

lunacm:> role changepw -name <role>

3.To change the CO or CU challenge secret for an activated PED-authenticated partition, specify the -oldpw and/or -newpw options.

lunacm:> role changepw -name <role> -oldpw <oldpassword> -newpw <newpassword>

 

TIP   Where you have an HA Indirect Login setup (see HA Indirect Login (firmware 7.7.0 and newer)), your HSM is made accessible by other HSMs.

Adding a challenge secret to your role, that is unknown to other parties, does not prevent other parties from logging into your HSM.

Rather it prevents other parties from using your particular role without that extra credential.

To prevent other parties accessing your HSM, change the PIN.