Resetting the Crypto Officer, Limited Crypto Officer, or Crypto User Credential
If necessary, the Crypto Officer can reset the Crypto User credential at any time, without providing the current credential. This is useful in cases where the Crypto User credential has been lost or otherwise compromised.
Prerequisites for Crypto Officer Reset
The Partition SO can also reset the Crypto Officer's credential
CAUTION! HSM policy 15 is destructive when turned on. All partitions on the HSM and their contents will be erased.
To reset the Crypto Officer, Limited Crypto Officer, or Crypto User credential
1.Log in with the appropriate role (see Logging In to the Application Partition).
2.Reset the desired role's credential.
In LunaCM, passwords
Double quotation marks (
") are problematic and should not be used within passwords.
Spaces are allowed; to specify a password with spaces using the -password option, enclose the password in double quotation marks.
lunacm:> role resetpw -name <role>
You are prompted to set a new credential for the role.
3.Provide the new credential to the Crypto Officer, Limited Crypto Officer(*), or Crypto User.
NOTE If HSM policy 21: Force user PIN change after set/reset is enabled, the user must change the credential before any other actions are permitted. See Changing a Partition Role Credential.
The CO can reset the LCO's primary credentials (lunacm:> role resetpw) regardless of the status of "Enable SO reset of a partition PIN" policy 15.
(*LCO is applicable to Luna HSM Firmware 7.7.0 and newer.)