Changing passwords for an HA group

Changing CO passwords has previously been an operation performed on a single HSM application partition by means of the role changepw command, which is fine for situations where a partition is used in stand-alone fashion. HA groups require all member partitions to have the same password. Performing the multiple operations in quick sequence invites human error. Changing the password of one member, while an HA group is in use in a production scenario, breaks the group functionality.

The usual approach has been to individually remove all but one member, change their passwords while they are not part of the group, change the password of the single member in the group, and then re-add the other members, one-by-one, which is labor-intensive and leaves the operation of your application at risk with diminished or no redundancy until the group membership is restored.

Beginning with Luna HSM Client version 10.7.0, the partition changepw [for HA] command is added to LunaCM, to change the passwords for an entire HA group, quickly and efficiently, with minimum disruption and downtime. This is especially significant where organizational security regimes mandate regular rotation of credentials.

The partition changepw command operates on the current virtual slot for the HA group, to perform password change for the entire group.

For description of command options see partition changepw [for HA].

Caveats

If your application generates new connections during the execution of the group CO password change, some authentication failures could occur, in which case see below for appropriate responses. If you are sure that no such new-connection attempts will be made (since you control your application), you could use the -noRollback option. Otherwise, we suggest that allowing the automatic rollback of an interrupted/failed PW change for a group is the best option, so that you can simply try again. With -noRollback, the members are in whatever old/new password state they attained before the update failure, and any new connections are refused until the mismatch of passwords within the group is corrected.

Change the password for an HA group

Prerequisites

The HA group is functional.

All members are connected.

To change the CO password on all members of an HA group

1. On your client, open lunacm.

lunacm (64-bit) v10.7.0. Copyright (c) 2023 Thales Group. All rights reserved.


        Available HSMs:

        Slot Id ->              0
        Label ->                par
        Serial Number ->        1385675017771
        Model ->                LunaSA 7.8.4
        Firmware Version ->     7.8.4
        Bootloader Version ->   1.1.5
        Configuration ->        Luna User Partition With SO (PW) Key Export With Cloning Mode
        Slot Description ->     Net Token Slot
        FM HW Status ->         FM Ready

        Slot Id ->              1
        Label ->                par1
        Serial Number ->        1238696044902
        Model ->                LunaSA 7.8.4
        Firmware Version ->     7.8.4
        Bootloader Version ->   1.1.5
        Configuration ->        Luna User Partition With SO (PW) Key Export With Cloning Mode
        Slot Description ->     Net Token Slot
        FM HW Status ->         FM Ready

        Slot Id ->              2
        HSM Label ->            HA
        HSM Serial Number ->    11385675017771
        HSM Model ->            LunaVirtual
        HSM Firmware Version -> 7.8.4
        HSM Configuration ->    Luna Virtual HSM (PW) Key Export With Cloning Mode
        HSM Status ->           N/A - HA Group
        HSM Certificates ->     *** Test Certs ***

2. Select the virtual slot of the HA group.

lunacm> slot set slot 2

3. Use the partition changePw command to launch the password change for all of the HSM partitions managed by the HA virtual slot.

lunacm> partition changePw -n co -oldPw userpin123 -newPw userpin1234 -logoutOther

  Confirming all members of HA are online... [OK]

  Confirming all members of HA can be logged into... [OK]

  Changing password of all members of HA group... [OK]

  Final summary of members:


Member S/N           Member Label                   Password Status
==========           ============                   ===============
1213473506146        LNH_143.184_NTLS_v0_par1       Changed
91351086532          LNH_10.202_NTLS_v0_par1        Changed

Command Result : No Error

What to do in the event of a failure

Failure of the initial check

lunacm> partition changePw -n co -oldPw userpin123 -newPw userpin1234 -logoutOther

        Confirming all members of HA are online... [OK]

        Confirming all members of HA can be logged into... [FAILED]

        Failed at member: 1213473506146

        The role is logged out due to incorrect old password.

        Final summary of members:


Member S/N            Member Label                   Password Status
=========             ============                   ===============
1213473506146         LNH_143.184_NTLS_v0_par1       Unchanged
91351086532           LNH_10.202_NTLS_v0_par1        Unchanged

Command Result : 0xa0 (CKR_PIN_INCORRECT)

Response: ensure that all members can be logged into, then rerun the command. If any member cannot be corrected and logged into, remove it from the group, proceed with the remaining members, and afterward add the failed member (or a new/replacement member) once it has the new group CO password.

Unsuccessful password change on all members with the -noRollback flag specified

 lunacm> partition changePw -n co -oldPw userpin123 -newPw userpin1234 -noRollback

         Confirming all members of HA are online... [OK]

         Confirming all members of HA can be logged into... [OK]

         Changing password of all members of HA group... [FAILED]

         The following member(s) failed: 91351086532

         The role is logged out due to incorrect old password.

         Final summary of members:


Member S/N            Member Label                   Password Status
==========            ============                   ===============
1213473506146         LNH_143.184_NTLS_v0_par1       Changed
91351086532           LNH_10.202_NTLS_v0_par1        Unchanged

Command Result : 0xa0 (CKR_PIN_INCORRECT)

Response: Change the password for the partition that failed. Use partition changePw with the -memberlist option and the serial number of the failed partition. Until you do that, existing crypto operations against the group continue uninterrupted, because the prior session (using the oldPw) has not closed, but any attempt at a new operation against the virtual slot will fail while any members do not have the updated newPw.

Unsuccessful password change without the -noRollback flag specified, and a successful rollback

lunacm> partition changePw -n co -oldPw userpin123 -newPw userpin1234

        Confirming all members of HA are online... [OK]

        Confirming all members of HA can be logged into... [OK]

        Changing password of all members of HA group... [FAILED]

        Failed at member: 91351086532

        Rolling back members to old password... [OK]

        Members have successfully been rolled back to their original password.

        The role is logged out due to incorrect old password.

        Final summary of members:


Member S/N            Member Label                   Password Status
==========            ============                   ===============
1213473506146         LNH_143.184_NTLS_v0_par1       Unchanged
91351086532           LNH_10.202_NTLS_v0_par1        Unchanged

Command Result : 0xa0 (CKR_PIN_INCORRECT)

Response: remove the failed member from the HA group and try again. The remaining members can function with your client application both before and after a successful group password change. The failed (former) member can be diagnosed and corrected while separated from the group, then have its password updated so that it can rejoin the group at your convenience.
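The three outcomes above share one output format: a per-member summary table followed by a Command Result line. The following added example (not Thales code, and not part of LunaCM) parses that documented output and maps it to the response recommended in this section, so that a rotation script can tell a clean success, a partial -noRollback update that needs a -memberlist follow-up, and a rolled-back or pre-check failure apart. The sample output is constructed from the documented format; the function names are assumptions.

```python
# Added example (not Thales code): parse the documented output of
# "partition changePw" on an HA virtual slot and decide the follow-up step.
import re

RESULT_RE = re.compile(r"^Command Result\s*:\s*(.+?)\s*$")
ROW_RE = re.compile(r"^(\d+)\s+(\S+)\s+(Changed|Unchanged)$")  # summary table row
FAILED_RE = re.compile(r"^(?:Failed at member|The following member\(s\) failed):\s*([\d ,]+)$")

# Constructed sample, modelled on the documented -noRollback failure output
SAMPLE_NOROLLBACK = """\
Confirming all members of HA are online... [OK]
Confirming all members of HA can be logged into... [OK]
Changing password of all members of HA group... [FAILED]
The following member(s) failed: 91351086532
Final summary of members:
Member S/N            Member Label                   Password Status
==========            ============                   ===============
1213473506146         LNH_143.184_NTLS_v0_par1       Changed
91351086532           LNH_10.202_NTLS_v0_par1        Unchanged
Command Result : 0xa0 (CKR_PIN_INCORRECT)
"""

def parse_changepw_output(text: str) -> dict:
    """Return {"result", "rolled_back", "failed": [serials], "status": {serial: state}}."""
    rep = {"result": "unknown", "rolled_back": False, "failed": [], "status": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := RESULT_RE.match(line):
            rep["result"] = m.group(1)
        elif m := FAILED_RE.match(line):
            rep["failed"] = [s for s in re.split(r"[ ,]+", m.group(1)) if s]
        elif line.startswith("Rolling back members") and line.endswith("[OK]"):
            rep["rolled_back"] = True
        elif m := ROW_RE.match(line):
            rep["status"][m.group(1)] = m.group(3)
    return rep

def next_action(rep: dict) -> tuple:
    """Map the summary to the response this section recommends."""
    unchanged = sorted(s for s, st in rep["status"].items() if st == "Unchanged")
    changed = [s for s, st in rep["status"].items() if st == "Changed"]
    if rep["result"] == "No Error" and not unchanged:
        return ("complete", [])
    if changed and unchanged:
        # Mixed state (-noRollback): new connections to the virtual slot fail
        # until these members get newPw via partition changePw -memberlist
        return ("changepw_memberlist", unchanged)
    # Nothing changed (pre-check failed, or rollback succeeded): fix or remove
    # the failed member(s), then rerun against the virtual slot
    return ("fix_or_remove_then_retry", rep["failed"] or unchanged)
```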