hsm changePw

Change the password or PED key contents for the HSM SO. Both the old and the new PED key are required for multifactor quorum-authenticated HSMs.

From time to time, it might be necessary to change the secret associated with a role on an HSM appliance, a role on an HSM or a partition of an HSM, or a cloning domain secret. Reasons for changing credentials include:

>Regular credential rotation as part of your organization's security policy

>Compromise of a role or secret due to loss or theft of a PED key

>Personnel changes in your organization or changes to individual security clearances

>Changes to your security scheme (implementing/revoking M of N, PINs, or shared secrets)

User Privileges

Users with the following privileges can perform this command:

>Admin

Syntax

hsm changePw [-oldpw <password> -newpw <password>]

Argument(s)

Shortcut

Description

-newpw <password> -n

Specifies the new password that is used as the HSM SO's login credential to the HSM. If the new password is not provided on the command line, the you are interactively prompted for the new password, and for confirmation of the new password.

In LunaSH, HSM role passwords must be 8-255 characters in length. The following characters are allowed:

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^*()-_=+[]{}/:',.~

The following characters are invalid or problematic and must not be used within passwords: "&;<>\`|

Spaces are allowed; to specify a password with spaces, enclose the password in double quotation marks.

-oldpw <password> -o Specifies the current password for the HSM SO. If the current password is not provided on the command line, the user is interactively prompted for the current password.

Example

lunash:>hsm changePw

Please enter the HSM Administrators' current password:
> ********

Please enter a new password for the HSM Administrator:
> ********

Please re-enter password to confirm:
> ******** 'hsm changePw' successful. Command Result : 0 (Success)