Resetting the Crypto Officer, Limited Crypto Officer, or Crypto User Credential

If necessary, the Crypto Officer can reset the Crypto User credential at any time, without providing the current credential. This is useful in cases where the Crypto User credential has been lost or otherwise compromised.

Prerequisites for Crypto Officer Reset

The Partition SO can also reset the Crypto Officer's credential, if HSM policy 15: Enable SO reset of partition PIN is enabled. By default, this policy is not enabled, and changing it is destructive. If you want the Partition SO to be able to reset the CO's credential, the HSM SO must enable this policy before creating the application partition (see Partition Capabilities and Policies).

CAUTION!   HSM policy 15 is destructive when turned on. All partitions on the HSM and their contents will be erased.

To reset the Crypto Officer, Limited Crypto Officer, or Crypto User credential

1. Log in with the appropriate role (see Logging In to the Application Partition).

2. Reset the desired role's credential.

In LunaCM, passwords and activation challenge secrets must be 8-255 characters in length (NOTE: If you are using firmware version 7.0.x, 7.3.3, or 7.4.2, activation challenge secrets must be 7-16 characters in length). The following characters are allowed:
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^&*()-_=+[]{}\|/;:',.<>?`~
Double quotation marks (") are problematic and should not be used within passwords.
Spaces are allowed; to specify a password with spaces using the -password or -newpw option of a command, enclose the password in double quotation marks.

lunacm:> role resetpw -name <role>

You are prompted to set a new credential for the role.

3. Provide the new credential to the Crypto Officer, Limited Crypto Officer(*), or Crypto User.

NOTE   If HSM policy 21: Force user PIN change after set/reset is enabled, the user must change the credential before any other actions are permitted. See Changing a Partition Role Credential.
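As an added example (not Thales documentation or LunaCM code), a small Python pre-check that applies the credential rules above before a new credential is entered at the role resetpw prompt: the 8-255 length bound, the 7-16 limit for activation challenge secrets on the firmware versions named in the NOTE, the allowed character set, the double-quote rule, and the quoting needed when a credential with spaces is passed through the -password or -newpw option. The firmware strings and sample credentials are constructed, and "7.0.x" is assumed to mean any version string beginning "7.0.".

```python
import string

# Characters LunaCM accepts in passwords and activation challenge secrets,
# exactly as listed on this page (note the literal space and backslash).
ALLOWED_CHARS = frozenset(
    string.ascii_letters + string.digits + " !@#$%^&*()-_=+[]{}\\|/;:',.<>?`~"
)


def length_bounds(firmware, is_challenge):
    """(min, max) credential length for the given firmware version string.

    Assumption: the page's "7.0.x" is treated as any version starting "7.0.".
    """
    short_challenge = firmware.startswith("7.0.") or firmware in ("7.3.3", "7.4.2")
    if is_challenge and short_challenge:
        return 7, 16          # special case called out in the page's NOTE
    return 8, 255


def check_credential(secret, firmware="7.7.0", is_challenge=False):
    """Return a list of rule violations for a proposed credential.

    An empty list means the credential satisfies every rule on this page.
    """
    problems = []
    lo, hi = length_bounds(firmware, is_challenge)
    if not lo <= len(secret) <= hi:
        problems.append("length %d outside %d-%d" % (len(secret), lo, hi))
    if '"' in secret:
        # Double quotes are flagged as problematic on the page; report separately.
        problems.append("contains double quotation mark")
    bad = sorted({c for c in secret if c not in ALLOWED_CHARS and c != '"'})
    if bad:
        problems.append("disallowed characters: " + "".join(bad))
    return problems


def quote_for_option(secret):
    """Wrap a credential containing spaces in double quotes for -password/-newpw.

    Run check_credential first: an embedded double quote would break this
    quoting and is rejected there.
    """
    return '"%s"' % secret if " " in secret else secret


if __name__ == "__main__":
    for s in ("CorrectHorse1", 'bad"quote', "two words here"):
        print(repr(s), check_credential(s) or "ok", "->", quote_for_option(s))
```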

The CO can reset the LCO's primary credentials (lunacm:> role resetpw) regardless of whether HSM policy 15: Enable SO reset of partition PIN is enabled.

(*LCO is applicable to Luna HSM Firmware 7.7.0 and newer.)