Changing a Role Credential

From time to time, you may need to change the credential for a role. The credential might have been compromised, or your organization's security policy may mandate password changes after a specific time interval. The following procedure allows you to change the credential for a role (HSM SO, Auditor, Partition SO, Crypto Officer, Crypto User). You must first log in using the role's current credential.

NOTE   If partition policy 21: Force user PIN change after set/reset is set to 1 (default), this procedure is required after initializing or resetting the CO or CU role and/or creating a challenge secret.

To change a role credential

1.In LunaCM, log in using the role's current credential (see Logging In to the Application Partition).

lunacm:> role login -name <role>

2.Change the credential for the logged-in role. If you are using a password-authenticated partition, specify a new password. If you are using a PED-authenticated partition, ensure that you have a blank or rewritable PED key available. Refer to Creating PED Keys for details on creating PED keys.

In LunaCM, passwords and activation challenge secrets must be 7-255 characters in length (NOTE: If you are using firmware version 7.0.x, 7.3.3, or 7.4.2, activation challenge secrets must be 7-16 characters in length). The following characters are allowed:
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^&*()-_=+[]{}\|/;:',.<>?`~
Double quotation marks (") are problematic and should not be used within passwords.  
Spaces are allowed; to specify a password with spaces using the -password option, enclose the password in double quotation marks.

lunacm:> role changepw -name <role>

3.To change the CO or CU challenge secret for an activated PED-authenticated partition, specify the -oldpw and/or -newpw options.

lunacm:> role changepw -name <role> -oldpw <oldpassword> -newpw <newpassword>