role changepw

Change the password, PED key secret, or activation challenge password for the currently logged-in role.

From time to time, it might be necessary to change the secret associated with a role on an HSM or a partition of an HSM, or a cloning domain secret. Reasons for changing credentials include:

>Regular credential rotation as part of your organization's security policy

>Compromise of a role or secret due to loss or theft of a PED key

>Personnel changes in your organization or changes to individual security clearances

>Changes to your security scheme (implementing/revoking M of N, PINs, or shared secrets)

In LunaCM, passwords and activation challenge secrets must be 8-255 characters in length (NOTE: If you are using firmware version 7.0.x, 7.3.3, or 7.4.2, activation challenge secrets must be 7-16 characters in length). The following characters are allowed:

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^&*()-_=+[]{}\|/;:',.<>?`~

Double quotation marks (") are problematic and should not be used within passwords.

Spaces are allowed; to specify a password with spaces using the -password or -newpw option of a command, enclose the password in double quotation marks.

Syntax

role changepw -name <role> [-oldpw <oldpassword>] [-newpw <newpassword>] [-prompt] [-logoutOther] [-force]

Argument(s) Shortcut Description
-logoutOther -l

Log out the role with the given name from other applications. Include the -logoutOther option if there is an immediate security concern, and you want all applications' access to be terminated immediately, to minimize damage due to a compromised credential.

Issue the command without this option for relaxed situations like scheduled password roll-over, or personnel departing on good terms, or other non-urgent reasons, where you want the applications using the partition, with the current role credential, to have time to finish current tasks and end their sessions. When they resume activity, and need to create new sessions, they will do so only under the new credential for the role.

-name <role> -n Role to change password for. This must be the currently logged-in role.
-oldpw <oldpassword> -old

Current password (for application partition on PW authenticated HSM) or current challenge secret (for application partition on multifactor quorum-authenticated HSM).

If you include option -oldpw the HSM assumes that you wish to change the challenge secret, which is the "secondary credential". This applies to Crypto Officer and Crypto User, which each have primary and secondary credentials, but not to Partition SO, which has only primary credential.

If you omit option -oldpw the HSM assumes that you wish to change the "primary credential" or PED key secret.

Required if you wish to change the secondary credential.

-newpw <newpassword> -new

New password (for application partition on password-authenticated HSM) or new challenge secret (for application partition on multifactor quorum-authenticated HSM).

Required if you have already provided an -oldpw.

-prompt -p Prompt for challenges (challenges will be hidden by *)
-force -f Force the action. Use this option to bypass the warning about primary/secondary credentials on a multifactor quorum-authenticated HSM, as shown in the example.

Examples

Change credential on the HSM's Admin partition

lunacm:> role login -name SO

        Please attend to the PED.

Command Result : No Error




lunacm:> role changepw -name SO -prompt

        Warning: this role has no secondary credentials.
                -prompt parameter will be ignored.

        Type 'proceed' to continue, or 'quit' to quit now -> proceed

        Please attend to the PED.

Command Result : No Error

Change Crypto Officer's password

lunacm:> role changepw -name co -oldpw PASSWORD -newpw myuserpin

        Type 'proceed' to continue, or 'quit' to quit now -> proceed

Command Result : No Error

Change the Crypto Officer's primary credential (PED key secret)

lunacm:> role changepw -name co

        This role has secondary credentials.
        You are about to change the primary credentials.
        Are you sure you wish to continue?

        Type 'proceed' to continue, or 'quit' to quit now -> proceed


Command Result : No Error

Change Crypto Officer's secondary credential (challenge secret)

lunacm:> role changepw -name co -oldpw PASSWORD -newpw myuserpin

        This role has secondary credentials.   
        You are about to change the secondary credentials. 
        Are you sure you wish to continue? 


        Type 'proceed' to continue, or 'quit' to quit now -> proceed


Command Result : No Error