Passphrases

Verify the passphrase of a card or softcard

Verify the passphrase of a card using the nShield HSM front panel (only on network-attached HSMs)

To verify the passphrase associated with a card using the unit front panel:

  1. Insert the card into the unit.

  2. From the main menu, select Security World mgmt > Card operations > Check PIN.

    The type of the card (Administrator or Operator) is displayed with the number of the card in the card set.

  3. If this is the card that you want to check, press the right-hand navigation to confirm.

  4. Enter the passphrase.

    If the passphrase that you entered is correct, a confirmation message is shown. Otherwise, an error is reported.

Verify the passphrase of a softcard with ppmk

In order to verify the passphrase of a particular softcard, open a command window, and give the command:

ppmk --check <NAME>|<IDENT>

In this command, you can identify the softcard whose passphrase you want to verify either by its name (<NAME>) or by its logical token hash (as given by running the command nfkminfo --softcard-list).

ppmk prompts you to enter the passphrase and then tells you whether the passphrase you entered is correct for the specified softcard.

Change card and softcard passphrase

Each softcard or card of a card set can have its own individual passphrase: you can even have a card set in which some cards have a passphrase and others do not, and you can have distinct softcards that nevertheless use the same passphrase. A passphrase can be of any length and can contain any characters that you can type.

Normally, in order to change the passphrase of a card or softcard, you need the card or softcard and the existing passphrase. Known card passphrase can be changed using the front panel (only on network-attached HSMs), KeySafe or the cardpp command-line utility; softcard passphrase can be changed using KeySafe or the ppmk command-line utility. You can also add a passphrase to a card or softcard that currently does not have one or remove a passphrase from a card that does currently have one.

If you generated your Security World with the passphrase replacement option, you can also replace the passphrase of a card or softcard even if you do not know the existing passphrase. Such a passphrase replacement operation requires authorization from the ACS.

Change known passphrase

To change a card passphrase, you need the card and the old passphrase.

Each card in a set can have its own individual passphrase. You can even have a set in which some cards have a passphrase and others do not.

Prior to Security World Software v11.72, we set no absolute limit on the length of a passphrase. However, some applications may not accept a passphrase longer than 255 characters. Likewise, the Security World does not impose restrictions on which characters you can use, although some applications may not accept certain characters. Entrust recommends that your password only contains 7-bit ASCII characters:

A-Z, a-z, 0-9, ! @ # $ % ^ & * - _ + = [ ] { } | \ : ' , . ? / ` ~ " < > ( ) ;

See Maximum passphrase length for more about passphrase length when using Security World Software v11.72.

Change known passphrase from than nShield network-attached HSM front panel

To change the passphrase of a card using the unit front panel:

  1. Insert the card.

  2. From the main menu, select Security World mgmt > Card operations > Change PIN.

  3. Select the card whose passphrase you want to change.

  4. Enter the old passphrase, and then enter it again to confirm it.

  5. Enter the new passphrase. If you do not want this card to have a passphrase, select NO at the prompt.

Change known passphrase with KeySafe

To change a known passphrase for an Operator Card using KeySafe:

  1. Start KeySafe. (For an introduction to KeySafe and information on starting the software, see Using KeySafe.)

  2. Click Card sets, or select Card sets from the Manage menu. The List Operator Card Sets panel is displayed.

  3. Click Examine / change card to open the Examine / Change Card panel.

  4. Click Change passphrase. The Set Card Protection passphrase panel is displayed.

  5. Enter the old passphrase, and click the OK button.

  6. A screen is displayed asking Do you want to set a passphrase?. Select Yes.

  7. Enter your new passphrase, and enter it again in the second box as confirmation of the change.

  8. Click OK.

Change a known softcard passphrase with KeySafe

To change a known passphrase for a softcard using KeySafe:

  1. Start KeySafe. (For an introduction to KeySafe and information on starting the software, see Using KeySafe.)

  2. Click the Softcards menu button, or select Softcards from the Manage menu. KeySafe takes you to the List Softcards panel.

  3. Select the softcard for which you want to change the passphrase, and click the Change passphrase button. KeySafe takes you to the Change/Recover Softcard passphrase panel.

    If a softcard is listed as PIN Recovery Enabled = No, then you will be unable to change the passphrase.

  4. Select the softcard whose passphrase you want to change, and click the Change passphrase button. KeySafe takes you to the Get Softcard Protection passphrase panel.

  5. Enter the old passphrase, and click the OK button.

    KeySafe either displays an error dialog (if the passphrase is not correct) or takes you to the Set Softcard Protection passphrase panel.

  6. Enter your new passphrase, and enter it again in the second field to confirm the passphrase is correct.

  7. Click the OK button.

    After changing a passphrase, KeySafe displays a dialog to confirm that the passphrase has been successfully changes.

  8. Click the OK button to continue using KeySafe.

Change known passphrase with cardpp

Each card in a card set can have its own individual passphrase. You can even have a set in which some cards have a passphrase and others do not. A passphrase can be of any length and can contain any characters that you can type.

With Security World Software v11.72 and later, passphrases are limited to a maximum length of 254 characters, when using cardpp. See Maximum passphrase length.

To change a known card’s passphrase with cardpp:

  1. Run:

    cardpp --change [-m|--module=<MODULE>]

  2. If prompted, insert the card whose passphrase you want to change. If there is a card already in the slot, you are not prompted.

  3. If prompted, enter the existing passphrase for the card. If the card has no current passphrase you are not prompted.
    If you enter the passphrase correctly, cardpp prompts you to enter the new passphrase.

  4. Enter a new passphrase, and then enter it again to confirm it.

Change known softcard passphrase with ppmk

With Security World Software v11.72 and later, passphrases are limited to a maximum length of 254 characters, when using ppmk. See Maximum passphrase length for more information.

To change a known softcard’s passphrase when you know the passphrase, follow these steps:

  1. Give the following command:

    ppmk --change <NAME>|<IDENT>

    In this command, you can identify the softcard whose passphrase you want to change either by its name (<NAME>) or by its logical token hash as listed by nfkminfo (<IDENT>).

    ppmk prompts you to enter the old passphrase.

  2. Type the old passphrase, and press Enter. If you enter the old passphrase correctly, ppmk prompts you to enter the new passphrase.

  3. Type the old passphrase, and press Enter. Type the new passphrase again, and press Enter to confirm it.

    After you have confirmed the new passphrase, ppmk then changes the softcard’s passphrase.

Change unknown or lost passphrase

Change unknown card passphrase with cardpp

If you generated your Security World with the passphrase replacement option, you can change the passphrase of a card even if you do not know its existing passphrase. Such a passphrase replacement operation requires authorization from the ACS.

To change an unknown card passphrase with cardpp:

  1. Run:

    cardpp --recover [--module=<MODULE>]

  2. As prompted, insert the appropriate number of cards from the ACS required to authorize passphrase replacement.

  3. When prompted, insert the Operator Card whose passphrase you want to replace.

  4. When prompted, type the new passphrase, and then press Enter.

  5. When prompted, type the new passphrase again to confirm it, and then press Enter.

    cardpp sets the new passphrase, and then prompts you for another Operator Card.

  6. Repeat the process in the previous step to change the passphrase on further cards, or press Q to quit.

Replace unknown passphrase with ppmk

If you generated your Security World with the passphrase replacement option, you can change the passphrase of a softcard even if you do not know its existing passphrase. Such a passphrase replacement operation requires authorization from the ACS.

To change an unknown softcard passphrase with the ppmk command-line utility:

  1. Run a command of the form:

    preload --admin=p ppmk --recover <NAME>|<IDENT>

    In this command, you can identify the softcard by its <NAME> or by its <IDENT> (its logical token hash as shown in output from the nfkminfo command-line utility).

  2. As prompted, insert the appropriate number of cards from the ACS required to authorize passphrase replacement.

  3. When prompted, type the new passphrase, and then press Enter.

  4. When prompted, type the new passphrase again to confirm it, and then press Enter.

    If the passphrase does not match, ppmk prompts you to input and confirm the passphrase again.

After you successfully confirm the new passphrase, ppmk finishes configuring the softcard to use the new passphrase.

Only insert Administrator Cards into a hardware security module that is connected to a trusted server.