Changing a Role Credential
From time to time, you may need to change the credential for a role. The credential might have been compromised, or your organization's security policy may mandate password changes after a specific time interval. The following procedure allows you to change the credential for a role (HSM SO, Auditor, Partition SO, Crypto Officer, Crypto User). You must first log in using the role's current credential.
NOTE If partition policy 21: Force user PIN change after set/reset is set to 1 (default), this procedure is required after initializing or resetting the CO or CU role and/or creating a challenge secret.
To change a role credential
1. In LunaCM, log in using the role's current credential (see Logging In to the Application Partition).
lunacm:> role login -name <role>
2. Change the credential for the logged-in role.
In LunaCM, passwords can include the following characters: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^&*()-_=+[]{}\|/;:',.<>?`~
Double quotation marks (") are problematic and should not be used within passwords.
Spaces are allowed; to specify a password with spaces using the -password or -newpw option of a command, enclose the password in double quotation marks.
lunacm:> role changepw -name <role>
3. To change the CO or CU challenge secret for an activated multifactor quorum-authenticated partition, specify the -oldpw and/or -newpw options.
lunacm:> role changepw -name <role> -oldpw <oldpassword> -newpw <newpassword>
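A pre-flight check for a new credential before steps 2 and 3, written as an added example (not Thales code): it tests a candidate against the character set listed above, rejects double quotation marks, and adds the enclosing quotation marks that -password and -newpw need when the value contains spaces. The function names are hypothetical, the sample values are constructed, and length limits are not checked because this page does not state them.

```python
import string

# Character set listed on this page for LunaCM passwords (the space is included).
ALLOWED = set(string.ascii_letters + string.digits + " !@#$%^&*()-_=+[]{}\\|/;:',.<>?`~")


def check_password(candidate):
    """Return a list of problems found in candidate; an empty list means it passes."""
    problems = []
    if '"' in candidate:
        problems.append("contains a double quotation mark")
    # Report each unexpected character once, by code point, so the
    # secret itself never has to be echoed to a terminal or a log.
    bad = sorted({ch for ch in candidate if ch not in ALLOWED and ch != '"'})
    for ch in bad:
        problems.append("character U+%04X is outside the listed set" % ord(ch))
    return problems


def newpw_argument(candidate):
    """Format candidate as the value for the -password or -newpw option.

    Raises ValueError if check_password() reports a problem.
    """
    problems = check_password(candidate)
    if problems:
        raise ValueError("; ".join(problems))
    # Spaces are allowed, but the value must then be enclosed in double quotation marks.
    return '"%s"' % candidate if " " in candidate else candidate


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for sample in ["Rotate-2024_ok", "two words+1", 'has"quote', "caf\u00e9-Pass1"]:
        issues = check_password(sample)
        print("REJECT: " + "; ".join(issues) if issues else "OK")
```

Non-ASCII characters pasted from a password manager or a word processor (accented letters, typographic quotes, tabs) are the usual reason a generated secret fails this check.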