Recovering the Admin Account Password

TIP   This page concerns authentication and management of roles that govern network administrative access to the appliance.

That is, access to, management of, and use of the cryptographic module and its application partitions are distinct from access to the physical platform (and operating system) in which the HSM resides. This is true:

>for Luna PCIe HSM 7 installed in a workstation that you provide, and

>for the same cryptographic module inside a Luna Network HSM 7 appliance with hardened operating system and administrative access restricted to the limited Luna shell command set.

On the appliance, the cryptographic module has its own separate and distinct authentication roles and requirements; see hsm init, hsm login, partition init, partition init co, partition init cu, partition createChallenge, partition changePw, partition activate, audit changePwd, and audit login among the various other administrative operations on the SSH-accessible appliance command path, or via the equivalent REST APIs, as well as the client-side equivalent commands (in LunaCM) partition init, partition login, partition logout, and all the partition role commands.

The recover account is a limited-purpose account that has the permanent (fixed) password "PASSWORD". The recover account's only purpose is to reset the password of the admin user, if the admin password is lost/forgotten.

NOTE   The password recovery procedure does not affect the contents of the HSM or its application partitions. If you suspect that the admin account has been compromised, you can perform a factory reset of the HSM and appliance after recovery (see Resetting the Luna Network HSM 7 to Factory Condition).

As a security measure, recover can log in via the local serial connection only. The admin user's account password can be changed remotely by anyone who already knows it, but the admin user's password cannot be arbitrarily reset unless the person doing so has physical access to the appliance, to make the serial connection.

CAUTION!   The exception to this rule is where you have your appliances connected to a "terminal server" that aggregates serial links and makes them accessible via telnet or similar. This configuration is useful in a test lab, where access control is not critical, and it can be very convenient when setting up and tearing down appliances for various test and verification scenarios. However, connection of your Luna Network HSM 7 appliances to a remotely accessible terminal server could expose an additional avenue of attack, and therefore Thales recommends that you avoid allowing this potential security opening in a production environment.

The recover account cannot be locked out, and its default password does not expire.

To reset the admin account password

1. Connect a serial terminal to the serial console connector on the Luna Network HSM 7 rear panel.

2. Log in to LunaSH as recover, using the fixed password "PASSWORD".

NOTE   If the HSM is initialized, you are required to present the HSM Security Officer (SO) credential. Therefore, only the SO can perform this operation. If you have not initialized the HSM prior to resetting the admin password, then no credential is required.

If you have also lost the HSM SO credential, your only alternative is to zeroize the HSM using the emergency decommission button. Refer first to Consequences of Losing PED keys for guidelines on how to recover your partitions and cryptographic material after this action, and then to Decommissioning the Luna Network HSM 7 Appliance.

You are prompted to set a new admin password (see Do Not Cancel Out).

LunaSH passwords must be at least eight characters in length, and include characters from at least three of the following four groups:
>  lowercase alphabetic: abcdefghijklmnopqrstuvwxyz
>  uppercase alphabetic: ABCDEFGHIJKLMNOPQRSTUVWXYZ
>  numeric: 0123456789
>  special (spaces allowed):  !@#$%^&*()-_=+[]{}\|/;:'",.<>?`~
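The password rules above are easy to get wrong at the serial console, where a rejected password means another round of prompts. The following checker is an added example, not part of the Luna documentation or of any Thales tool: it encodes the length and character-group rules exactly as listed here and reports which rule a candidate fails. Characters outside the four listed groups are reported as unrecognised; that is an assumption of this example, since the page does not say how LunaSH treats them.

```python
import string

# Character groups exactly as listed in the LunaSH password rules above.
GROUPS = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "numeric": set(string.digits),
    # The special group; the leading space is deliberate (spaces are allowed).
    "special": set(" !@#$%^&*()-_=+[]{}\\|/;:'\",.<>?`~"),
}

MIN_LENGTH = 8   # at least eight characters
MIN_GROUPS = 3   # characters from at least three of the four groups


def check_lunash_password(candidate):
    """Return (ok, problems) for a candidate LunaSH password.

    ok is True when the candidate satisfies the documented rules.
    problems is a list of human-readable reasons when it does not.
    Assumption (not stated on the page): characters that belong to none of
    the four groups are treated as unrecognised and reported.
    """
    problems = []

    if len(candidate) < MIN_LENGTH:
        problems.append(
            f"only {len(candidate)} characters, need at least {MIN_LENGTH}"
        )

    # Which groups contribute at least one character?
    present = {
        name for name, chars in GROUPS.items()
        if any(c in chars for c in candidate)
    }
    if len(present) < MIN_GROUPS:
        missing = ", ".join(sorted(set(GROUPS) - present))
        problems.append(
            f"uses {len(present)} of 4 character groups, need at least "
            f"{MIN_GROUPS} (missing: {missing})"
        )

    # Anything that is in no group at all (assumption: flag it).
    unrecognised = sorted({
        c for c in candidate
        if not any(c in chars for chars in GROUPS.values())
    })
    if unrecognised:
        problems.append(
            "unrecognised characters: " + ", ".join(repr(c) for c in unrecognised)
        )

    return (not problems, problems)


if __name__ == "__main__":
    # Constructed candidates for illustration only.
    for pw in ["PASSWORD", "short1A", "Luna-Adm1n", "Pass word1", "Passwörd12"]:
        ok, problems = check_lunash_password(pw)
        print(f"{pw!r}: {'ok' if ok else 'rejected'}", *problems, sep="\n    ")
```

Run it locally before sitting down at the serial console; the fixed recover password "PASSWORD" fails the group rule on its own, which is one reason the appliance forces a change rather than letting the default stand.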

If you are confident that your Luna Network HSM 7 has not been compromised, you can resume using it as before (taking care to both remember and secure the admin password).

Do Not Cancel Out

Use of the recover account sets the password of the admin account back to the factory value, and then forces a password change. Do not attempt to bypass the password change.

To prevent the admin account being accessible over the network with a known password during the recover procedure, SSH is disabled when the recover process begins. The SSH service is re-enabled only after the password is changed. Interrupting the process and avoiding the password change leaves SSH service off at boot time. If you cancel out partway through the process in order to retain the default password, instead of changing it when prompted, you might find that you no longer have SSH access.

If you encounter this problem, reconnect a local terminal and log in to the recover account again, this time allowing it to complete the full process, ending with a proper, non-default password. If SSH service is still not available, contact Technical Support.

CAUTION!   During recovery, the network service is stopped and other services are affected. The minimum-effort resumption would be to reboot the system, which causes all services to restart with current configuration. However, for safety, you should consider manually restarting services from the local (serial) console, until all passwords have been changed from their default values.