role changepw
Change the password for the currently logged-in role.
From time to time, it might be necessary to change the secret associated with
- Regular credential rotation as part of your organization's security policy
- Compromise of a role or secret due to loss or theft of a PED key
- Personnel changes in your organization or changes to individual security clearances
- Changes to your security scheme (implementing/revoking M of N, PINs, or shared secrets)
In LunaCM, passwords must be 8-255 characters in length. The following characters are allowed:
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^&*()-_=+[]{}\|/;:',.<>?`~
Double quotation marks (") are problematic and should not be used within passwords.
Spaces are allowed; to specify a password with spaces using the -password or -newpw option of a command, enclose the password in double quotation marks.
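An added example, not part of the LunaCM documentation: a Python pre-check that applies the length, character-set and quoting rules stated above to a candidate password before it is used with role changepw. The function names and the sample passwords are assumptions made for this illustration.

```python
import string

# Allowed set copied from the page: letters, digits, space and the listed symbols.
ALLOWED = set(string.ascii_letters + string.digits + " "
              + "!@#$%^&*()-_=+[]{}\\|/;:',.<>?`~")
MIN_LEN, MAX_LEN = 8, 255


def check_password(candidate):
    """Return a list of rule violations; an empty list means the candidate passes."""
    problems = []
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        problems.append(f"length {len(candidate)} is outside {MIN_LEN}-{MAX_LEN}")
    if '"' in candidate:
        problems.append("contains a double quotation mark")
    # Report code points rather than glyphs so that pasted invisible characters
    # (tab, non-breaking space) are identifiable in the output.
    bad = sorted({c for c in candidate if c not in ALLOWED and c != '"'})
    if bad:
        problems.append("disallowed characters: "
                        + " ".join(f"U+{ord(c):04X}" for c in bad))
    return problems


def as_argument(candidate):
    """Format a valid password for -password/-newpw: quote it only if it has spaces."""
    problems = check_password(candidate)
    if problems:
        raise ValueError("; ".join(problems))
    return f'"{candidate}"' if " " in candidate else candidate


if __name__ == "__main__":
    # Constructed sample candidates, not real credentials.
    for sample in ["myuserpin", "short", 'pass"word1', "pass\tword1", "correct horse 9!"]:
        issues = check_password(sample)
        print(repr(sample), "->", issues if issues else "OK")
```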
Syntax
role changepw -name <role> [-oldpw <oldpassword>] [-newpw <newpassword>] [-prompt] [-logoutOther] [-force]
Argument(s) | Shortcut | Description |
---|---|---|
-logoutOther | -l | Log out the role with the given name from other applications. Include the -logoutOther option if there is an immediate security concern, and you want all applications' access to be terminated immediately, to minimize damage due to a compromised credential. Issue the command without this option for relaxed situations like scheduled password roll-over, or personnel departing on good terms, or other non-urgent reasons, where you want the applications using the partition, with the current role credential, to have time to finish current tasks and end their sessions. When they resume activity, and need to create new sessions, they will do so only under the new credential for the role. |
-name <role> | -n | Role to change password for. This must be the currently logged-in role. |
-oldpw <oldpassword> | -old | Current password |
-newpw <newpassword> | -new | New password. Required if you have already provided an -oldpw. |
-force | -f | Force the action. Use this option to bypass the warning about primary/secondary credentials on a multifactor quorum-authenticated HSM, as shown in the example. |
Change Crypto Officer's password
lunacm:> role changepw -name co -oldpw PASSWORD -newpw myuserpin

Type 'proceed' to continue, or 'quit' to quit now -> proceed

Command Result : No Error