The following recovery procedures apply to users that are authenticated by CORE:
- Password change. A user can change their own password using the ucl user change-pwd command.
- Password reset. To reset another user's password, you must be an SO (Security officer, the UKC partition administrator role) or an Admin of EP. Refer to the following table:
|To reset the password of ...||Required Role||Command|
|SO of the Root partition||System Admin on EP||ekm_recover_root_so_pwd|
|SO of any partition||Root SO||ucl user recover-pwd|
|Any member in a partition||The partition's SO||ucl user reset-pwd|
Use the following procedures to recover from unlikely partition lockout situations.
|None of the partition certificates can be used to access the partition.||All key material in the partition is out of reach for the CORE clients.||Create a new certified client.||1|
|The number of active SOs in a partition is below its quorum requirements.||All actions that require quorum approval are blocked.||Adjust the quorum requirements.||2|
This case addresses the unlikely event in which all of a partition's client certificates are lost or unusable (e.g., expired or signed by an expired CA). To recreate the first certificate of a partition:
A standard partition. The Root SO must use the ucl partition recover command. This command:
- Clears the partition's client list in the CORE database. (These clients are useless without certificates.)
- Creates a new client and saves its certificate (<partition-name>.pfx) in the local CORE Client Certificates Folder.
- The client name is the hostname of the appliance that executed the command.
The Root partition. The EP Admin must use the ekm_recover_root_partition script.
This script is functionally similar to the previous command, except that it must be executed by the EP Admin. In particular, it:
- Clears the Root partition's client list in the CORE database.
- Creates a new Root client and saves its certificate (root.pfx) in the CORE Client Certificates Folder on EP.
- The client name is the hostname of EP.
This command doesn't affect the partition's users and their credentials. To recover the credentials of its SO, if needed, refer to CORE Password Reset.
A partition quorum recovery resets the size of a partition quorum to the actual number of the partition SOs. Refer to ekm_recover_quorum. Use this script to recover quorum on any partition, including the