AWS CloudHSM
User Guide

changePswd

The changePswd command in cloudhsm_mgmt_util changes the password of an existing user on the HSMs in the cluster.

Any user can change their own password. Crypto officers (COs and PCOs) can also change the password of any other user. You do not need to enter the current password to make the change. However, you cannot change the password of a user who is logged into the AWS CloudHSM client or key_mgmt_util.

Before you run any cloudhsm_mgmt_util command, you must start cloudhsm_mgmt_util and log in to the HSM. Be sure that the user type of the account that you use to log in can run the commands you plan to use.

If you add or delete HSMs, update the configuration files that the AWS CloudHSM client and the command line tools use. Otherwise, the changes that you make might not be effective on all HSMs in the cluster.

User Type

The following types of users can run this command.

  • All users.

Syntax

Because this command does not have named parameters, you must enter the arguments in the order specified in the syntax diagram.

changePswd <user-type> <user-name> <password>

Examples

These examples show how to use changePswd to change user passwords on your HSMs.

Example : Change your password

Any user on the HSMs can use changePswd to change their own password.

The first command uses info to get the current user. The output shows that the current user, bob, is a crypto user (CU).

aws-cloudhsm> info server 0
Id Name Hostname Port State Partition LoginState
0 10.0.3.10 10.0.3.10 2225 Connected hsm-aaaabbbbccc Logged in as 'bob(CU)'

aws-cloudhsm> info server 1
Id Name Hostname Port State Partition LoginState
0 10.0.3.10 10.0.3.10 2225 Connected hsm-ccccaaaabbb Logged in as 'bob(CU)'

To change his password, bob runs changePswd with a new password, newPasswerd.

When the command completes, the password change is effective.

aws-cloudhsm> changePswd CU bob newPasswerd
*************************CAUTION********************************
This is a CRITICAL operation, should be done on all nodes in the cluster.
Cav server does NOT synchronize these changes with the nodes on which this operation is not executed or failed, please ensure this operation is executed on all nodes in the cluster.
****************************************************************
Do you want to continue(y/n)?y
Changing password for bob(CU) on 2 nodes

Example : Change the password of another user

This example shows how to change the password of a different user. Any crypto officer (CO, PCO) can change the password of any user on the HSMs without specifying the existing password.

The first command uses info to confirm that alice, a CO, is logged into the HSMs in the cluster.

aws-cloudhsm>info server 0
Id Name Hostname Port State Partition LoginState
0 10.0.3.10 10.0.3.10 2225 Connected hsm-aaaabbbbccc Logged in as 'alice(CO)'

aws-cloudhsm>info server 1
Id Name Hostname Port State Partition LoginState
0 10.0.3.10 10.0.3.10 2225 Connected hsm-ccccaaaabbb Logged in as 'alice(CO)'

This command uses changePswd to change the password of officer1, another CO on the HSMs. In this case, the command resets the password to defaultPassword, the password that this fictitious enterprise uses as its default. Later, officer1 can reset their password to a more secure value.

aws-cloudhsm>changePswd CO officer1 defaultPassword
*************************CAUTION********************************
This is a CRITICAL operation, should be done on all nodes in the cluster.
Cav server does NOT synchronize these changes with the nodes on which this operation is not executed or failed, please ensure this operation is executed on all nodes in the cluster.
****************************************************************
Do you want to continue(y/n)?y
Changing password for officer1(CO) on 2 nodes
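Added here as a preflight helper for the two examples above; it is not code from the AWS CloudHSM guide or tools. It parses captured info server output, checks that every expected node is connected and (when changing another user's password) that the session on every node is a crypto officer, and validates the positional changePswd arguments before they are typed. The sample output, partition names and expected-partition list are constructed for the example.

```python
import re

VALID_USER_TYPES = {"CO", "CU", "AU", "PCO", "PRECO"}
CRYPTO_OFFICER_TYPES = {"CO", "PCO"}

# Constructed sample of `info server` output, laid out as in the guide's examples.
SAMPLE_INFO = """\
aws-cloudhsm> info server 0
Id Name Hostname Port State Partition LoginState
0 10.0.3.10 10.0.3.10 2225 Connected hsm-aaaabbbbccc Logged in as 'alice(CO)'
aws-cloudhsm> info server 1
Id Name Hostname Port State Partition LoginState
0 10.0.3.10 10.0.3.10 2225 Connected hsm-ccccaaaabbb Logged in as 'alice(CO)'
"""

# One data row of the info table: Id Name Hostname Port State Partition LoginState
ROW_RE = re.compile(
    r"^(?P<id>\d+)\s+(?P<name>\S+)\s+(?P<host>\S+)\s+(?P<port>\d+)\s+"
    r"(?P<state>\S+)\s+(?P<partition>\S+)\s+Logged in as '(?P<user>\w+)\((?P<utype>\w+)\)'$"
)

def parse_info(output):
    """Return one dict per node row found in captured info output (header/prompt lines are skipped)."""
    nodes = []
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            nodes.append(m.groupdict())
    return nodes

def preflight(nodes, expected_partitions, changing_other_user):
    """Reasons why changePswd should not be issued yet; an empty list means go ahead."""
    problems = []
    seen = {n["partition"] for n in nodes}
    # The change must be executed on every node; a node without a login row will be skipped.
    for p in expected_partitions:
        if p not in seen:
            problems.append(f"{p}: no login row (not connected or not logged in)")
    for n in nodes:
        if n["state"] != "Connected":
            problems.append(f"{n['partition']}: state {n['state']}")
        if changing_other_user and n["utype"] not in CRYPTO_OFFICER_TYPES:
            problems.append(f"{n['partition']}: session is {n['utype']}, need CO or PCO")
    return problems

def build_change_pswd(user_type, user_name, password, mfa=None):
    """Validate the positional arguments and return the line to type at the aws-cloudhsm> prompt."""
    if user_type not in VALID_USER_TYPES:
        raise ValueError(f"unknown user type {user_type}")
    if not 7 <= len(password) <= 32:
        raise ValueError("password must be 7 to 32 characters")
    if mfa not in (None, "1FA", "2FA"):
        raise ValueError("fifth argument must be 1FA or 2FA")
    return " ".join(["changePswd", user_type, user_name, password] + ([mfa] if mfa else []))
```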

Arguments

Because this command does not have named parameters, you must enter the arguments in the order specified in the syntax diagram.

changePswd <user-type> <user-name> <password> [1FA | 2FA]
<user-type>

Specifies the current type of the user whose password you are changing. You cannot use changePswd to change the user type.

Valid values are CO, CU, AU, PCO, and PRECO.

To get the user type, use listUsers. For detailed information about the user types on an HSM, see HSM Users.

Required: Yes

<user-name>

Specifies the user's friendly name. This parameter is not case-sensitive. You cannot use changePswd to change the user name.

Required: Yes

<password>

Specifies a new password for the user. Enter a string of 7 to 32 characters. This value is case-sensitive. The password appears in plaintext when you type it.

Required: Yes

1FA | 2FA

Enables or disables dual-factor authentication for the user. Enter 1FA or 2FA.

This parameter is valid only when the cluster has been configured for dual-factor authentication.

Required: No

Default: 1FA. Dual-factor authentication is not enabled.

Related Topics