role changepw
Change the password
From time to time, it might be necessary to change the secret associated with a role on an HSM or a partition of an HSM, or a cloning domain secret. Reasons for changing credentials include:
- Regular credential rotation as part of your organization's security policy
- Compromise of a role or secret due to loss or theft of a PED key
- Personnel changes in your organization or changes to individual security clearances
- Changes to your security scheme (implementing/revoking M of N, PINs, or shared secrets)
In LunaCM, passwords can be made up of the following characters:
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^&*()-_=+[]{}\|/;:',.<>?`~
Double quotation marks (") are problematic and should not be used within passwords.
Spaces are allowed; to specify a password with spaces using the -password, -oldpw or -newpw option of a command, enclose the password in double quotation marks.
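The password rules above are easy to get wrong in a rotation script. The following helper, added here as an illustration and not part of the Luna documentation or of LunaCM, encodes those rules: it checks a candidate password against the permitted character set, rejects double quotation marks, generates a fresh password from the allowed alphabet (spaces excluded so no quoting is needed), and builds the quoted -oldpw/-newpw arguments for a role changepw line. The function names (check_password, generate_password, quote_for_lunacm, build_changepw_command) are this example's own.

```python
"""Prepare a LunaCM role credential rotation.

Added example, not Thales code. It implements the password rules stated on
this page: the permitted character set, no double quotation marks, and
double-quote wrapping for a password that contains spaces.
"""
import secrets
import string

# Character set LunaCM accepts in passwords, taken from the page. The double
# quotation mark is deliberately left out because the page says it is
# problematic inside a password.
LUNACM_ALLOWED = set(
    string.ascii_letters + string.digits + " !@#$%^&*()-_=+[]{}\\|/;:',.<>?`~"
)


def check_password(pw: str) -> list[str]:
    """Return a list of rule violations; an empty list means the password is acceptable."""
    problems = []
    if not pw:
        problems.append("empty password")
    if '"' in pw:
        problems.append('contains double quotation mark (")')
    # Anything not in the allowed set, excluding the quote already reported above.
    bad = sorted({c for c in pw if c not in LUNACM_ALLOWED and c != '"'})
    if bad:
        problems.append(
            "contains characters outside the LunaCM set: " + repr("".join(bad))
        )
    return problems


def generate_password(length: int = 24) -> str:
    """Generate a random password from the allowed set using the OS CSPRNG.

    Spaces are excluded so the result never needs double-quote wrapping at the
    command line. The loop enforces at least one letter, one digit and one
    punctuation character (a local policy choice, not a LunaCM requirement).
    """
    if length < 8:
        raise ValueError("use at least 8 characters")
    alphabet = sorted(LUNACM_ALLOWED - {" "})
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (
            any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw)
        ):
            return pw


def quote_for_lunacm(pw: str) -> str:
    """Wrap the password in double quotes only when it contains a space."""
    if '"' in pw:
        raise ValueError("double quotation marks are not usable in LunaCM passwords")
    return f'"{pw}"' if " " in pw else pw


def build_changepw_command(role: str, old_pw: str, new_pw: str,
                           logout_other: bool = False) -> str:
    """Assemble the role changepw line for changing a challenge secret.

    -logoutOther is appended only when the caller asks for it, i.e. when the
    old credential is believed compromised and other sessions must end now.
    """
    for label, pw in (("old", old_pw), ("new", new_pw)):
        problems = check_password(pw)
        if problems:
            raise ValueError(f"{label} password rejected: {'; '.join(problems)}")
    cmd = (f"role changepw -name {role} "
           f"-oldpw {quote_for_lunacm(old_pw)} -newpw {quote_for_lunacm(new_pw)}")
    if logout_other:
        cmd += " -logoutOther"
    return cmd


if __name__ == "__main__":
    new_pw = generate_password()
    print(build_changepw_command("co", "PASSWORD", new_pw, logout_other=True))
```

The assembled line is what you would type at the lunacm:> prompt; it still passes both secrets as arguments, so where command lines may be logged prefer the -prompt form described below and use this helper only to validate and generate the new value.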
Syntax
role changepw -name <role> [-oldpw <oldpassword>] [-newpw <newpassword>] [-prompt] [-logoutOther] [-force]
Argument(s) | Shortcut | Description |
---|---|---|
-logoutOther | -l | Log out the role with the given name from other applications. Include the -logoutOther option if there is an immediate security concern and you want all applications' access to be terminated immediately, to minimize damage due to a compromised credential. Issue the command without this option for relaxed situations such as scheduled password roll-over, personnel departing on good terms, or other non-urgent reasons, where you want the applications using the partition with the current role credential to have time to finish current tasks and end their sessions. When they resume activity and need to create new sessions, they will do so only under the new credential for the role. |
-name <role> | -n | Role to change password for. This must be the currently logged-in role. |
-oldpw <oldpassword> | -old | Current password. If you include option -oldpw, the HSM assumes that you wish to change the challenge secret, which is the "secondary credential". This applies to Crypto Officer and Crypto User, which each have primary and secondary credentials, but not to Partition SO, which has only a primary credential. If you omit option -oldpw, the HSM assumes that you wish to change the "primary credential" or PED key secret. Required if you wish to change the secondary credential. |
-newpw <newpassword> | -new | New password. Required if you have already provided -oldpw. |
-prompt | -p | Prompt for the challenge secrets instead of passing them on the command line (typed challenges are hidden by *). Prefer this form where the command line could be captured in a log or history. |
-force | -f | Force the action. Use this option to bypass the warning about primary/secondary credentials on a multifactor quorum-authenticated HSM, as shown in the example. |
Examples
Change credential on the HSM's Admin partition
lunacm:> role login -name SO
Please attend to the PED.
Command Result : No Error

lunacm:> role changepw -name SO -prompt
Warning: this role has no secondary credentials. -prompt parameter will be ignored.
Type 'proceed' to continue, or 'quit' to quit now -> proceed
Please attend to the PED.
Command Result : No Error
Change Crypto Officer's password
lunacm:> role changepw -name co -oldpw PASSWORD -newpw myuserpin
Type 'proceed' to continue, or 'quit' to quit now -> proceed
Command Result : No Error
Change the Crypto Officer's primary credential (PED key secret)
lunacm:> role changepw -name co
This role has secondary credentials. You are about to change the primary credentials.
Are you sure you wish to continue?
Type 'proceed' to continue, or 'quit' to quit now -> proceed
Command Result : No Error
Change Crypto Officer's secondary credential (challenge secret)
lunacm:> role changepw -name co -oldpw PASSWORD -newpw myuserpin
This role has secondary credentials. You are about to change the secondary credentials.
Are you sure you wish to continue?
Type 'proceed' to continue, or 'quit' to quit now -> proceed
Command Result : No Error