partition changepw

Change the Crypto Officer password, or activation challenge password for the currently logged-in member partitions of an HA group.

From time to time, it might be necessary to change the secret associated with a role on an HSM or a partition of an HSM, or a cloning domain secret. Reasons for changing credentials include:

>Regular credential rotation as part of your organization's security policy

>Compromise of a partition challenge secret used in activation/auto-activation by applications connecting to a multifactor-quorum-athenticated HSM

>Personnel changes in your organization or changes to individual security clearances

>Changes to your security scheme (implementing/revoking M of N, PINs, or shared secrets)

This partition changepw command operates on the current virtual slot for the HA group, to perform password change for the entire group.

In LunaCM, passwords and activation challenge secrets must be 8-255 characters in length (NOTE: If you are using firmware version 7.0.x, 7.3.3, or 7.4.2, activation challenge secrets must be 7-16 characters in length). The following characters are allowed:

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^&*()-_=+[]{}\|/;:',.<>?`~

Double quotation marks (") are problematic and should not be used within passwords.

Spaces are allowed; to specify a password with spaces using the -password or -newpw option of a command, enclose the password in double quotation marks.

For further information and suggestions, see Changing passwords for an HA group.

Syntax

partition changepw -name <string> [-oldpw <oldpassword>] [-newpw <newpassword>] [[-memberList <serial_number>[,<serial_number>]+] [-noRollback] [-logoutOther]]

Argument(s) Shortcut Description
-logoutOther -l

Log out all members of HA group, as well as the HA group itself from other applications.

>Include the -logoutOther option if there is an immediate security concern, and you want all applications' access to be terminated immediately, to minimize damage due to a compromised credential.

>Omit this option for relaxed situations like scheduled password roll-over, or personnel departing on good terms, or other non-urgent reasons, where you want the applications using the partition, with the current role credential, to have time to finish current tasks and end their sessions. When they resume activity, and need to create new sessions, they will do so only under the new credential for the role.

-memberlist <serial_number> -m

A list of serial numbers for the HA group members on which the command will execute. Useful if some members were not successfully updated with the new password

If this option is not included, the command defaults to attempting password change on all members of the group.

-oldpw <oldpassword> -old

Current password (for application partition on PW authenticated HSM) or current challenge secret (for application partition on multifactor quorum-authenticated HSM).

If you include option -oldpw the HSM assumes that you wish to change the challenge secret, which is the "secondary credential". This applies to Crypto Officer, which has primary and secondary credentials, but not to Partition SO, which has only primary credential.

If you omit option -oldpw the HSM assumes that you wish to change the "primary credential" or PED key secret.

Required if you wish to change the secondary credential.

-name <rolename> -n

Name of role whose password is to change. Must be "co" until further notice.

Required.

-newpw <newpassword> -new

New password (for application partition on password-authenticated HSM) or new challenge secret (for application partition on multifactor quorum-authenticated HSM).

Required if you have already provided an -oldpw.

-noRollback -no

Default behavior, if the command encounters a member that cannot accept a new password, is to rollback all already-changed members to the current/old password, so that the HA group continues to function, while you investigate the problem.

If -noRollback is specified, then the command updates the members that it can, and prints a list of members whose password could not be updated. You can use that list to populate -memberlist during a re-issue of the command.

Example

Change the CO password on all members of an HA group

lunacm> partition changePw -n co -oldPw userpin123 -newPw userpin1234 -logoutOther

  Confirming all members of HA are online... [OK]

  Confirming all members of HA can be logged into... [OK]

  Changing password of all members of HA group... [OK]

  Final summary of members:


Member S/N           Member Label                   Password Status
==========           ============                   ===============
1213473506146        LNH_143.184_NTLS_v0_par1       Changed
91351086532          LNH_10.202_NTLS_v0_par1        Changed

Command Result : No Error