Changing a Role Credential

From time to time, you may need to change the credential for a role. The credential might have been compromised, or your organization's security policy may mandate password changes after a specific time interval. The following procedure allows you to change the credential for a role (HSM SO, Auditor, Partition SO, Crypto Officer, Crypto User). You must first log in using the role's current credential.

NOTE: If partition policy 21 (Force user PIN change after set/reset) is set to 1 (the default), this procedure is required after initializing or resetting the CO or CU role and/or creating a challenge secret.

To change a role credential

1. In LunaCM, log in using the role's current credential (see Logging In to the Application Partition).

lunacm:> role login -name <role>

2. Change the credential for the logged-in role. If you are using a password-authenticated HSM, specify a new password. If you are using a multifactor quorum-authenticated HSM, ensure that you have a blank or rewritable iKey available. Refer to Creating iKey Using Luna USB HSM 7.

In LunaCM, passwords and activation challenge secrets must be 8-255 characters in length. The following characters are allowed:
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^&*()-_=+[]{}\|/;:',.<>?`~
Double quotation marks (") are problematic and should not be used within passwords.
Spaces are allowed; to specify a password with spaces using the -password or -newpw option of a command, enclose the password in double quotation marks.

lunacm:> role changepw -name <role>

3. To change the CO or CU challenge secret for an activated multifactor quorum-authenticated partition, specify the -oldpw and/or -newpw options.

lunacm:> role changepw -name <role> -oldpw <oldpassword> -newpw <newpassword>
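The credential rules in step 2 (8-255 characters, the listed character set, no double quotation marks, quoting when the value contains spaces) are easy to get wrong when credentials are produced or checked by a script before they reach LunaCM. The following Python example, added here and not part of LunaCM or any Thales software, encodes those rules as a checker, builds the step 3 command line with the documented quoting, and generates a compliant random challenge secret. The function names and the choice to leave spaces and double quotes out of generated values are this example's own assumptions.

```python
import secrets
import string

# Credential constraints as stated in the Luna documentation for LunaCM
# passwords and activation challenge secrets. Example code only; not part
# of LunaCM.
MIN_LEN = 8
MAX_LEN = 255
# The symbol portion of the documented allowed-character list (space included).
SYMBOLS = " !@#$%^&*()-_=+[]{}\\|/;:',.<>?`~"
ALLOWED_CHARS = frozenset(string.ascii_letters + string.digits + SYMBOLS)
# Accepted by the grammar but documented as problematic, so flagged separately.
PROBLEMATIC_CHARS = frozenset('"')


def check_credential(candidate):
    """Return a list of rule violations; an empty list means the value is acceptable."""
    problems = []
    n = len(candidate)
    if n < MIN_LEN or n > MAX_LEN:
        problems.append(f"length {n} is outside {MIN_LEN}-{MAX_LEN} characters")
    if any(c in PROBLEMATIC_CHARS for c in candidate):
        problems.append('contains a double quotation mark (")')
    disallowed = sorted({c for c in candidate
                         if c not in ALLOWED_CHARS and c not in PROBLEMATIC_CHARS})
    if disallowed:
        problems.append("contains characters outside the allowed set: "
                        + repr("".join(disallowed)))
    return problems


def quote_for_lunacm(credential):
    """Enclose the value in double quotes when it contains spaces, as the
    documentation requires for the -password and -newpw options."""
    if " " in credential:
        return '"' + credential + '"'
    return credential


def build_changepw_command(role, old_pw, new_pw):
    """Assemble the step 3 command line, refusing a new credential that
    violates the documented rules (hypothetical helper)."""
    problems = check_credential(new_pw)
    if problems:
        raise ValueError("new credential rejected: " + "; ".join(problems))
    return (f"role changepw -name {role} "
            f"-oldpw {quote_for_lunacm(old_pw)} "
            f"-newpw {quote_for_lunacm(new_pw)}")


def generate_credential(length=32):
    """Generate a random credential from the allowed set. Space and the
    double quotation mark are omitted so the value needs no quoting."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be {MIN_LEN}-{MAX_LEN}")
    alphabet = sorted((ALLOWED_CHARS - PROBLEMATIC_CHARS) - {" "})
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for sample in ("Tr0ub4dor&3", "short", 'has"quote1', "p\u00e4ssword1"):
        print(repr(sample), "->", check_credential(sample) or "ok")
    print(build_changepw_command("co", "old pw 1234", "newpw12345"))
    print(check_credential(generate_credential()) or "generated value ok")
```

Run the checker on a candidate before handing it to `role changepw`; a non-empty list tells you which documented rule the value breaks, and `build_changepw_command` shows the exact quoting LunaCM expects when the credential contains spaces.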