Changing a Role Credential

Use the instructions on this page to change your current credential for a role in an HSM application partition.

From time to time, it might be necessary to change the secret associated with a role on a cryptographic module (HSM) or a partition of an HSM, or a cloning domain secret. Reasons for changing credentials include:

>Regular credential rotation as part of your organization's security policy

>Compromise of a role or secret due to loss or theft of a PED key

>Personnel changes in your organization or changes to individual security clearances

>Changes to your security scheme (implementing/revoking M of N, PINs, or shared secrets)

The following procedure allows you to change the credential for a role (HSM SO, Auditor, Partition SO, Crypto Officer, Crypto User). You must first log in using the role's current credential (this is not a way to recover from lockout or from lost credentials).

NOTE   If HSM policy 21: Force user PIN change after set/reset is set to 1 (default), this procedure is required after initializing or resetting the CO or CU role and/or creating a challenge secret.

To change a role credential using LunaCM on the Luna HSM Client

1.In LunaCM, log in using the role's current credential (see Logging In to the Application Partition).

lunacm:> role login -name <role>

2.Change the credential for the logged-in role. If you are using a password-authenticated partition, specify a new password. If you are using a multifactor quorum-authenticated partition, ensure that you have a blank or rewritable PED key available. Refer to Creating PED keys for details on creating PED keys.

Passwords and activation challenge secrets must be 8-255 characters in length. Spaces are allowed; to specify a password with spaces using command-line options, enclose the password in double quotation marks. The space character may not be used as the first character in a password.The following characters are allowed:
!#$%'()*+,-./0123456789:=? @ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_abcdefghijklmnopqrstuvwxyz{}~
This character set is enforced when using Luna HSM Client 10.8.0 or newer, and recommended for all previous versions. Previously-set passwords and challenge secrets are unaffected, but the new character set is enforced when these passwords are changed.

lunacm:> role changepw -name <role>

3.To change the CO or CU challenge secret for an activated PED-authenticated partition, specify the -oldpw and/or -newpw options.

lunacm:> role changepw -name <role> -oldpw <oldpassword> -newpw <newpassword>

TIP   Where you have an HA Indirect Login setup (see High Availability Indirect Login), your HSM is made accessible by other HSMs. Adding a challenge secret to your role, that is unknown to other parties, does not prevent other parties from logging into your HSM. Rather it prevents other parties from using your particular role without that extra credential. To prevent other parties accessing your HSM, change the PIN.