Changing a Partition Role Credential
Use the instructions on this page to change your current credential for a role in an HSM application partition.
From time to time, it might be necessary to change the secret associated with
>Regular credential rotation as part of your organization's security policy
>Compromise of a role or secret due to loss or theft of a PED key
>Personnel changes in your organization or changes to individual security clearances
>Changes to your security scheme (implementing/revoking M of N, PINs, or shared secrets)
The following procedure allows you to change the credential for a
NOTE If HSM policy 21: Force user PIN change after set/reset is set to 1 (default), this procedure is required after initializing or resetting the CO or CU role and/or creating a challenge secret.
To change a partition role credential using LunaCM on the Luna HSM Client
1.In LunaCM, log in using the role's current credential (see Logging In to the Application Partition).
lunacm:> role login -name <role>
2.Change the credential for the logged-in role.
In LunaCM, passwords abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^&*()-_=+[]{}\|/;:',.<>?`~
Double quotation marks ("
) are problematic and should not be used within passwords.
Spaces are allowed; to specify a password with spaces using the -password or -newpw option of a command, enclose the password in double quotation marks.
lunacm:> role changepw -name <role>
3.To change the CO or CU challenge secret for an activated PED-authenticated partition, specify the -oldpw and/or -newpw options.
lunacm:> role changepw -name <role> -oldpw <oldpassword> -newpw <newpassword>
TIP Where you have an HA Indirect Login setup (see High Availability Indirect Login), your HSM is made accessible by other HSMs. Adding a challenge secret to your role, that is unknown to other parties, does not prevent other parties from logging into your HSM. Rather it prevents other parties from using your particular role without that extra credential. To prevent other parties accessing your HSM, change the PIN.
To change a partition role credential using LunaSH on the Luna Network HSM 7
[ Section added/modified for LUNA-31064 ]
NOTE If you need to change the Partition SO credential, you must use LunaCM on the Luna HSM Client as described above.
1.In LunaSH, log in as SO (see hsm login).
lunash:> hsm login
2.Change the credential for the role on the specified partition. By default, the Crypto Officer role is changed; to change the Crypto User credential, include the -cu option.
lunash:> partition changePw -partition <partitionname>
lunash:> partition changePw -partition <partitionname> -cu
3.To change the CO or CU challenge secret for an activated multifactor quorum-authenticated partition, specify the -oldpw and/or -newpw options, like.
lunash:> partition changePw -partition <partitionname> -oldpw <oldpassword> -newpw <newpassword> [-cu]
TIP Where you have an HA Indirect Login setup (see High Availability Indirect Login), your HSM is made accessible by other HSMs. Adding a challenge secret to your role, that is unknown to other parties, does not prevent other parties from logging into your HSM. Rather it prevents other parties from using your particular role without that extra credential. To prevent other parties accessing your HSM, change the PIN.