Recovery Procedures
CORE Password Reset
The following recovery procedures apply to users that are authenticated by CORE:
- Password change. A user may change its password using the ucl user change-pwd command.
- Password reset. To reset the other user's password, you must be an SO
Security officer - UKC partition administrator role. or Admin of EP. See the following table:
| To reset the password of ... | Required Role | Command |
|---|---|---|
| SOSecurity officer - UKC partition administrator role. of the Root partition |
System Admin on EP | ekm_recover_root_so_pwd |
| SOSecurity officer - UKC partition administrator role. of any partition |
Root SOSecurity officer - UKC partition administrator role. |
ucl user recover-pwd |
| Any member in a partition | The partition's SOSecurity officer - UKC partition administrator role. |
ucl user reset-pwd |
Partition Lockout Release
Use the following procedures to recover from unlikely partition lockout situations.
| Lockout Case | Impact | Recovery | Note |
|---|---|---|---|
| None of the partition certificates can be used to access the partition. | All key material in the partition is out of reach for the CORE clients. | Create a new certified client. | 1 |
| The number of active SOs in a partition is below its quorum requirements. | All actions that require quorum approval are blocked. | Adjust the quorum requirements. | 2 |
Notes:
Recovery of Partition's Certificate
This case addresses an unlikely event when all certificates of a partition owned by its clients are lost or useless (e.g. expired, signed by expired CA, etc..). To recreate the first certificate of a partition:
-
A standard partition. Root SO must use the ucl partition recover command.
This command:
- Clears the partition's client list in the CORE database. (These clients are useless without certificates).
- Creates a new client and saves its certificate (
<partition-name>.pfx) in the local CORE Client Certificates Folder. - The client name is the hostname of an appliance that executed the command.
-
The Root partition. EP Admin must use the ekm_recover_root_partition script.
This script is functionally similar to the previous command, except that it must be executed by the EP Admin. In particular, it:
- Clears the Root partition's client list in the CORE database.
- Creates a new Root client and saves its certificate (
root.pfx) in the CORE Client Certificates Folder on EP. - The client name is the hostname of EP.
Note
This command doesn't affect the partition's users and their credentials. To recover credentials of its SOSecurity officer - UKC partition administrator role., if needed, see CORE Password Reset.
Partition Quorum Reset
A partition quorum recovery resets the size of a partition quorum to the actual number of the partition SOs. See ekm_recover_quorum. Use this script to recover quorum on any partition, including the root partition.