Changing a Partition Role Credential

Use the instructions on this page to change your current credential for a role in an HSM application partition.

From time to time, it might be necessary to change the secret associated with a role on an HSM appliance, a role on an HSM or a partition of an HSM, or a cloning domain secret. Reasons for changing credentials include:

>Regular credential rotation as part of your organization's security policy

>Compromise of a role or secret due to loss or theft of a PED key

>Personnel changes in your organization or changes to individual security clearances

>Changes to your security scheme (implementing/revoking M of N, PINs, or shared secrets)

The following procedure allows you to change the credential for a partition role (Partition SO, Crypto Officer, Crypto User). You must first log in using the role's current credential; this procedure does not recover a role from lockout or from a lost credential.

NOTE   If HSM policy 21: Force user PIN change after set/reset is set to 1 (default), this procedure is required after initializing or resetting the CO or CU role and/or creating a challenge secret.

To change a partition role credential via a Client

1.In LunaCM, log in using the role's current credential (see Logging In to the Application Partition).

lunacm:> role login -name <role>

2.Change the credential for the logged-in role. If you are using a password-authenticated partition, specify a new password. If you are using a multifactor quorum-authenticated partition, ensure that you have a blank or rewritable PED key available. Refer to Creating PED keys for details on creating PED keys.

In LunaCM, passwords and activation challenge secrets must be 8-255 characters in length (NOTE: on firmware versions 7.0.x, 7.3.3, and 7.4.2, activation challenge secrets must be 7-16 characters in length). The following characters are allowed:
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^&*()-_=+[]{}\|/;:',.<>?`~
Double quotation marks (") are problematic and must not be used within passwords.
Spaces are allowed; to specify a password containing spaces with the -password or -newpw option of a command, enclose the password in double quotation marks.

lunacm:> role changepw -name <role>

3.To change the CO or CU challenge secret for an activated PED-authenticated partition, specify the -oldpw and/or -newpw options.

lunacm:> role changepw -name <role> -oldpw <oldpassword> -newpw <newpassword>

TIP   Where you have an HA Indirect Login setup (see High Availability Indirect Login), your HSM is made accessible by other HSMs. Adding a challenge secret that is unknown to other parties to your role does not prevent those parties from logging in to your HSM; it only prevents them from using your particular role without that extra credential. To prevent other parties from accessing your HSM, change the PIN.

To change a partition role credential via Luna Shell (lunash) on the appliance

1.In LunaSH, log in as HSM SO (see hsm login).

lunash:> hsm login

2.Change the CO or CU credential for the partition. If you are using a password-authenticated partition, specify a new password. If you are using a multifactor quorum-authenticated partition, ensure that you have a blank or rewritable PED key available. Refer to Creating PED keys for details on creating PED keys.

lunash:> partition changePw -name <partitionname>              (without a user option, changes the credential of the CO)

or

lunash:> partition changePw -name <partitionname> -cu              (with the -cu option, changes the credential of the CU)

3.To change the CO or CU challenge secret for an activated PED-authenticated partition, specify the -oldpw and/or -newpw options, for example:

lunash:> partition changePw -name <partitionname> [-cu] -oldpw <oldpassword> -newpw <newpassword>

TIP   Where you have an HA Indirect Login setup (see High Availability Indirect Login), your HSM is made accessible by other HSMs. Adding a challenge secret that is unknown to other parties to your role does not prevent those parties from logging in to your HSM; it only prevents them from using your particular role without that extra credential. To prevent other parties from accessing your HSM, change the PIN.

NOTE   If you need to change the credential of the Partition Owner (also known as the Partition Security Officer, or po), use the command

role changepw -name po

for the appropriate registered partition, on a connected, registered client.