partition changepw
Change the Crypto Officer password
From time to time, it might be necessary to change the secret associated with a role on an HSM or a partition of an HSM, or a cloning domain secret. Reasons for changing credentials include:

- Regular credential rotation as part of your organization's security policy
- Compromise of a partition challenge secret used in activation/auto-activation by applications connecting to a multifactor-quorum-authenticated HSM
- Personnel changes in your organization or changes to individual security clearances
- Changes to your security scheme (implementing/revoking M of N, PINs, or shared secrets)
The partition changepw command operates on the current virtual slot for the HA group, performing the password change for the entire group.
In LunaCM, passwords can contain the following characters:

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^&*()-_=+[]{}\|/;:',.<>?`~

Double quotation marks (") are problematic and should not be used within passwords.

Spaces are allowed; to specify a password with spaces using the -password or -newpw option of a command, enclose the password in double quotation marks.
For further information and suggestions, see Changing passwords for an HA group.
Syntax
```
partition changepw -name <string> [-oldpw <oldpassword>] [-newpw <newpassword>] [[-memberList <serial_number>[,<serial_number>]+] [-noRollback] [-logoutOther]]
```
Argument(s) | Shortcut | Description
---|---|---
-logoutOther | -l | Log out all members of the HA group, as well as the HA group itself, from other applications. Include the -logoutOther option if there is an immediate security concern and you want all applications' access terminated immediately, to minimize damage due to a compromised credential. Omit this option for relaxed situations like scheduled password roll-over, personnel departing on good terms, or other non-urgent reasons, where you want the applications using the partition with the current role credential to have time to finish current tasks and end their sessions. When they resume activity and need to create new sessions, they will do so only under the new credential for the role.
-memberlist <serial_number> | -m | A list of serial numbers for the HA group members on which the command will execute. Useful if some members were not successfully updated with the new password. If this option is not included, the command defaults to attempting the password change on all members of the group.
-oldpw <oldpassword> | -old | Current password. If you include option -oldpw, the HSM assumes that you wish to change the challenge secret, which is the "secondary credential". This applies to the Crypto Officer, which has primary and secondary credentials, but not to the Partition SO, which has only a primary credential. If you omit option -oldpw, the HSM assumes that you wish to change the "primary credential" or iKey secret. Required if you wish to change the secondary credential.
-name <rolename> | -n | Name of the role whose password is to change. Must be "co" until further notice. Required.
-newpw <newpassword> | -new | New password. Required if you have already provided an -oldpw.
-noRollback | -no | Default behavior, if the command encounters a member that cannot accept a new password, is to roll back all already-changed members to the current/old password, so that the HA group continues to function while you investigate the problem. If -noRollback is specified, the command updates the members that it can and prints a list of members whose password could not be updated. You can use that list to populate -memberlist when re-issuing the command.
Example
Change the CO password on all members of an HA group
```
lunacm> partition changePw -n co -oldPw userpin123 -newPw userpin1234 -logoutOther

Confirming all members of HA are online... [OK]
Confirming all members of HA can be logged into... [OK]
Changing password of all members of HA group... [OK]

Final summary of members:
Member S/N      Member Label              Password Status
==========      ============              ===============
1213473506146   LNH_143.184_NTLS_v0_par1  Changed
91351086532     LNH_10.202_NTLS_v0_par1   Changed

Command Result : No Error
```
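When the command is run with -noRollback, the summary table is what tells you which members are still on the old challenge secret. The following added example (not LunaCM code, and not from Thales) parses that table and builds the -memberlist re-issue command; the sample output is constructed, and the "Not Changed" status text is an assumption, since the page only shows "Changed".

```python
import re
from typing import Dict, List, Optional

# Constructed excerpt of a -noRollback run in which one member was not updated.
# Assumption: any status text other than "Changed" means "not updated"; the
# page documents only the "Changed" status, "Not Changed" is constructed here.
SAMPLE_OUTPUT = """\
lunacm> partition changePw -n co -oldPw userpin123 -newPw userpin1234 -noRollback
Confirming all members of HA are online... [OK]
Confirming all members of HA can be logged into... [OK]
Final summary of members:
Member S/N      Member Label              Password Status
==========      ============              ===============
1213473506146   LNH_143.184_NTLS_v0_par1  Changed
91351086532     LNH_10.202_NTLS_v0_par1   Not Changed
"""

# One summary row: serial number, label (no spaces), then the status text.
ROW_RE = re.compile(r"^(\d+)\s+(\S+)\s+(.+?)\s*$")


def parse_summary(output: str) -> Dict[str, str]:
    """Map member serial number -> password status from the summary table."""
    statuses: Dict[str, str] = {}
    in_table = False
    for line in output.splitlines():
        if line.startswith("Final summary of members"):
            in_table = True
            continue
        if not in_table:
            continue
        m = ROW_RE.match(line)
        if m:
            statuses[m.group(1)] = m.group(3)
        elif statuses:
            break  # first non-row line after the rows ends the table
    return statuses


def pending_members(output: str) -> List[str]:
    """Serial numbers of members whose password did not change."""
    return [sn for sn, st in parse_summary(output).items() if st != "Changed"]


def retry_command(output: str, role: str = "co") -> Optional[str]:
    """Re-issue command limited to members still on the old secret, or None.
    The secrets stay as the placeholders from the Syntax section, so the
    generated line never carries a real password into scripts or history."""
    pending = pending_members(output)
    if not pending:
        return None
    return (f"partition changepw -name {role} -oldpw <oldpassword> "
            f"-newpw <newpassword> -memberlist {','.join(pending)}")
```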