Changing the Auditor Credentials

Two auditor credentials can be changed, as needed:

>the appliance audit role (to authenticate an SSH or serial connection to access appliance-level Luna Shell commands)

>the HSM audit role (to authenticate to the cryptographic module within the HSM security appliance)

From time to time, it might be necessary to change the secret associated with a role on an HSM appliance, a role on an HSM or a partition of an HSM, or a cloning domain secret. Reasons for changing credentials include:

>Regular credential rotation as part of your organization's security policy

>Compromise of a role or secret due to loss or theft of a PED key

>Personnel changes in your organization or changes to individual security clearances

>Changes to your security scheme (implementing/revoking M of N, PINs, or shared secrets)

The Auditor can change their own credentials at any time.

To help differentiate the terms used in this context:

>the functional position in your organization is the "auditor";

>the credentialed roles for the appliance level (controlling Luna Shell (lunash:>) access via SSH or serial connection) and for the cryptographic module within the HSM security appliance are both called "audit", but they are two separate levels of access (held either by a single person doing audit configuration and management duties, or by multiple persons, including quorum iKey holders for PED-authenticated HSMs), and therefore [should be] two different secrets.

To change/rotate the appliance auditor credential

1. Connect to the appliance via SSH or a serial connection, and log in to LunaSH as audit or as a custom user with the audit role (see Logging In to LunaSH).

2. Change the password of the current appliance user (the audit role):

lunash:>my password set

To change the HSM cryptographic module auditor credential

1. Connect to the appliance via SSH or a serial connection, and log in to LunaSH as audit or as a custom user with the audit role (see Logging In to LunaSH).

2. Log in to the cryptographic module as the HSM audit role (see Logging In as Auditor).

3. Change the Auditor credential:

lunash:>audit changePwd

You are prompted for the current Auditor credential, and then to create a new one.