keyring unlock

Unlock a specified keyring that has been locked due to reaching the consecutive failed login limit (10 attempts). The Crypto Officer for the partition used to create the keyring must provide authentication.

NOTE   Thales requires minimum Luna Appliance Software 7.8.5 with the lnh_cluster-1.0.4 package, Luna HSM Firmware 7.8.4, and Luna HSM Client 10.7.2 to use clusters in production environments.

NOTE   Unlike the PSO and CO roles on standard Luna partitions, the KRSO and KRCO roles on each keyring are intended to be held by the same individual, and use the same password. When the password for one role is changed, the change is applied to the other role as well. Consider this distinction when planning your cluster deployment and setting your KRSO passwords.

The KRCO password is what your applications will specify to access the keyring and create and use objects. Thales recommends that you always use the most secure password possible. The length of your KRSO/KRCO password affects the behavior of the keyring as follows:

>If the KRCO password is 16 characters or shorter, the keyring is locked after 10 failed login attempts and must be unlocked before it can be used again:

PATCH /api/keyrings/{keyringID}

lunash:> keyring unlock {-keyringid <string> | -label <name>} [-copassword <password>]

>If the KRCO password is 17 characters or longer, the lockout counter is not incremented.

Failed login attempts using 6 characters or less never increment the counter.

REST API: PATCH /api/keyrings/{keyringID}

User Privileges

Users with the following privileges can perform this command:

>Admin

Syntax

keyring unlock {-keyringid <string> | -label <name>} [-copassword <password>]

Argument(s) Shortcut Description
-copassword -c Specifies the Crypto Officer password for the partition used to create the keyring. If this option is omitted on a password-authenticated HSM, LunaSH prompts for the password. If this option is included on a multifactor quorum-authenticated HSM and the partition is not activated, it is ignored.
-keyringid -k Specifies the UUID of the keyring to be unlocked. Use lunash:> keyring list to display a list of available keyrings and their UUIDs.
-label -l Specifies the label of the keyring to be unlocked.

Example

lunash:>keyring unlock -copassword iamtheCO -keyringid e921c334-3d11-4797-a10f-e98bc9ed5621

Success

Command Result : 0 (Success)