Changing the HSM SO Credential

From time to time, it might be necessary to change the secret associated with a role on an HSM appliance, a role on an HSM or a partition of an HSM, or a cloning domain secret. Reasons for changing credentials include:

- Regular credential rotation as part of your organization's security policy

- Compromise of a role or secret due to loss or theft of a PED key

- Personnel changes in your organization or changes to individual security clearances

- Changes to your security scheme (implementing/revoking M of N, PINs, or shared secrets)

The HSM SO can change their own credential at any time.

There is no way to reset the HSM SO credential except to re-initialize the HSM, zeroizing the contents of the HSM and its application partitions. Resetting a credential requires a higher authority. On the HSM, there is no authority higher than the HSM SO.

To change the HSM SO credential

1. Connect to the appliance via SSH or a serial connection, and log in to LunaSH as admin or a custom user with an admin role (see Logging In to LunaSH).

2. Log in as HSM SO (see Logging In as HSM Security Officer).

3. Change the HSM SO credential.

lunash:> hsm changePw

You are prompted for the current HSM SO credential, and then to create a new one.

In LunaSH, HSM role passwords must be 8-255 characters in length. The following characters are allowed:
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^*()-_=+[]{}/:',.~
The following characters are invalid or problematic and must not be used in passwords: "&;<>\`|
Spaces are allowed; to specify a password with spaces, enclose the password in double quotation marks.
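The following is an added example (not part of the Thales documentation or any Luna tool) that encodes the LunaSH password rules stated above: a checker that reports length and character-set violations before you type the new credential into hsm changePw, a helper that applies the double-quote rule for passwords containing spaces, and a generator that draws a rotation password only from the allowed set. Function names and the rule strings are this example's own.

```python
import secrets

# Character rules as stated for LunaSH HSM role passwords (example reconstruction).
ALLOWED = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
              "0123456789 !@#$%^*()-_=+[]{}/:',.~")
FORBIDDEN = set('"&;<>\\`|')   # listed as invalid or problematic
MIN_LEN, MAX_LEN = 8, 255


def check_hsm_password(pw: str) -> list[str]:
    """Return the list of rule violations; an empty list means the password is acceptable."""
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length {len(pw)} outside {MIN_LEN}-{MAX_LEN}")
    forbidden = sorted({c for c in pw if c in FORBIDDEN})
    if forbidden:
        problems.append("forbidden characters: " + " ".join(repr(c) for c in forbidden))
    # Anything neither allowed nor explicitly forbidden (e.g. '?' or non-ASCII) is also rejected.
    unknown = sorted({c for c in pw if c not in ALLOWED and c not in FORBIDDEN})
    if unknown:
        problems.append("characters outside the allowed set: " + " ".join(repr(c) for c in unknown))
    return problems


def quote_for_lunash(pw: str) -> str:
    """Enclose the password in double quotation marks when it contains spaces, as LunaSH requires."""
    return f'"{pw}"' if " " in pw else pw


def generate_hsm_password(length: int = 24) -> str:
    """Draw a random password from the allowed set (spaces excluded to avoid quoting issues)."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be {MIN_LEN}-{MAX_LEN}")
    alphabet = sorted(ALLOWED - {" "})
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for candidate in ["Tr0ub4dor+xyz", "short", "pass&word123", "password?1", "my secret pass"]:
        print(repr(candidate), check_hsm_password(candidate) or "OK", "->", quote_for_lunash(candidate))
    print("generated:", generate_hsm_password())
```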