Changing Appliance User Passwords

TIP   This page concerns authentication and management of roles that govern network administrative access to the appliance.

That is, access to, management of, and use of the cryptographic module and its application partitions are distinct from access to the physical platform (and operating system) in which the HSM resides. This is true:

>for Luna PCIe HSM 7 installed in a workstation that you provide, and

>for the same cryptographic module inside a Luna Network HSM 7 appliance with hardened operating system and administrative access restricted to the limited Luna shell command set.

On the appliance, the cryptographic module has its own separate and distinct authentication roles and requirements; see hsm init, hsm login, partition init, partition init co, partition init cu, partition createChallenge, partition changePw, partition activate, audit changePwd, and audit login, among the various other administrative operations on the SSH-accessible appliance command path (or the equivalent REST APIs), as well as the client-side equivalents in LunaCM: partition init, partition login, partition logout, and all the partition role commands.

From time to time, it might be necessary to change the secret associated with a role on an HSM appliance, a role on an HSM or a partition of an HSM, or a cloning domain secret. Reasons for changing credentials include:

>Regular credential rotation as part of your organization's security policy

>Compromise of a role or secret due to loss or theft of a PED key

>Personnel changes in your organization or changes to individual security clearances

>Changes to your security scheme (implementing/revoking M of N, PINs, or shared secrets)

Individual users can change the password for their own account at any time. The admin or users with admin privileges may change the password for other accounts, including other admin-level accounts.

Password Guidelines

LunaSH passwords must be at least eight characters in length, and include characters from at least three of the following four groups:

>  lowercase alphabetic: abcdefghijklmnopqrstuvwxyz

>  uppercase alphabetic: ABCDEFGHIJKLMNOPQRSTUVWXYZ

>  numeric: 0123456789

>  special (spaces allowed):  !@#$%^&*()-_=+[]{}\|/;:'",.<>?`~

For more information, see Name, Label, and Password Requirements.
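The two rules above (minimum length, and characters from at least three of the four groups, with a space counting as a special character) can be checked before a candidate is typed into LunaSH. The following checker is an added example, not code from the Luna documentation or the appliance; the sample candidates in it are constructed and are not real credentials.

```python
import string

# The four LunaSH character groups, exactly as listed above.
# A space counts as a special character ("spaces allowed").
GROUPS = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "numeric": set(string.digits),
    "special": set(" !@#$%^&*()-_=+[]{}\\|/;:'\",.<>?`~"),
}
MIN_LENGTH = 8     # at least eight characters
MIN_GROUPS = 3     # characters from at least three of the four groups


def groups_used(password: str) -> list[str]:
    """Names of the groups a password draws from, in the order listed above.
    Characters that belong to none of the four groups count toward no group."""
    return [name for name, chars in GROUPS.items() if any(c in chars for c in password)]


def check_lunash_password(password: str) -> list[str]:
    """Return the policy violations for a candidate password.
    An empty list means the candidate satisfies both rules on this page."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"only {len(password)} characters; at least {MIN_LENGTH} required")
    used = groups_used(password)
    if len(used) < MIN_GROUPS:
        problems.append(
            f"uses only {len(used)} of the 4 character groups "
            f"({', '.join(used) or 'none'}); at least {MIN_GROUPS} required"
        )
    return problems


if __name__ == "__main__":
    # Constructed sample candidates: none is a real credential.
    for candidate in ["Tr0ub4dor", "Pass word", "passw0rd", "Short1!"]:
        problems = check_lunash_password(candidate)
        verdict = "OK" if not problems else "; ".join(problems)
        print(f"{candidate!r}: {verdict}")
```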

To change your own appliance user password

1. Connect to the appliance via SSH or a serial connection, and log in to LunaSH using your username and password (see Logging In to LunaSH).

2. Change your user password.

lunash:> my password set

To change the password for a different user

1. Connect to the appliance via SSH or a serial connection, and log in to LunaSH as admin or a custom user with an admin role (see Logging In to LunaSH).

2. Change the password for a specified user.

lunash:> user password <username>

NOTE   admin-level users can also use this command to change their own password.