Replace ADMIN with OKVADMIN User

Now is a good time to replace the default ADMIN user with your own OKVADMIN user. The ADMIN user currently defined on the HSM is common to all Utimaco HSMs, and its default ADMIN.key ships in the software bundle, so anyone with a copy of that key file can access your HSM as ADMIN, the root user.

This section covers creating your own new RSA key file, creating the new OKVADMIN user, and deleting the existing ADMIN user. The new OKVADMIN user has the same permission mask as the existing ADMIN user but is authenticated with your new RSA key file.

You also have the option of creating two ADMIN users and requiring four-eyes access control. The details of this option are covered in the Utimaco csadm documentation included with the software bundle.

The default ADMIN.key, the RSA key for the ADMIN user, can be found in the Utimaco software bundle at the following location:

./Software/Linux/x86-64/Administration/key/ADMIN.key

Here are the steps you need to create a new OKVADMIN user and delete the old default ADMIN user:

Console

    # csadm listusers
    Name      Permission   Mechanism   Attributes
    ADMIN     22000000     RSA Sign    Z[0]
    # csadm KeyType=RSA GenKey=OKVADMIN.key,"OKV Admin Key File"
    # csadm LogonSign=ADMIN,ADMIN.key \
        AddUser=OKVADMIN,22000000,rsasign,OKVADMIN.key
    # csadm LogonSign=OKVADMIN,OKVADMIN.key DeleteUser=ADMIN
    # csadm listusers
    Name      Permission   Mechanism   Attributes
    OKVADMIN  22000000     RSA Sign    Z[0]
    # csadm LogonSign=OKVADMIN,OKVADMIN.key <CSADM Command>
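The steps above delete ADMIN immediately after adding OKVADMIN; if the new user was not created correctly, that leaves the HSM with no working administrator. The following POSIX shell wrapper is an added example, not part of the Utimaco csadm documentation or the Oracle Key Vault bundle. It runs the same csadm commands in the same argument forms shown on this page, creates the new key file owner-readable only, and refuses to delete ADMIN until OKVADMIN is listed by `listusers` and can sign a logon with the new key. The `CSADM` variable, the function names and the return-code scheme are this example's own conventions.

```shell
#!/bin/sh
# Added example, not part of the Utimaco or Oracle documentation: a guarded
# wrapper around the csadm steps on this page. It assumes csadm is on PATH
# (override CSADM to point elsewhere) and that the csadm argument forms are
# exactly those shown above (LogonSign=, AddUser=, DeleteUser=, GenKey=).
: "${CSADM:=csadm}"

# Succeed only if "csadm listusers" lists a user with exactly this name
# (first column of every line after the header).
hsm_user_exists() {
    "$CSADM" listusers | awk -v n="$1" 'NR > 1 && $1 == n { found = 1 } END { exit found ? 0 : 1 }'
}

# rotate_hsm_admin OLD_KEY NEW_KEY
# Creates NEW_KEY, adds OKVADMIN with the same permission mask as ADMIN, and
# deletes ADMIN only after OKVADMIN is listed and can sign a logon itself.
# Return codes: 0 done (or already done), 1 a csadm step failed,
# 2 verification failed (ADMIN retained), 3 ADMIN still listed after deletion.
rotate_hsm_admin() {
    old_key=$1
    new_key=$2
    if hsm_user_exists OKVADMIN; then
        echo "OKVADMIN already exists; nothing to do" >&2
        return 0
    fi
    # Create the key under a private umask so it is never world-readable, even briefly.
    ( umask 077 && "$CSADM" KeyType=RSA GenKey="$new_key","OKV Admin Key File" ) || return 1
    chmod 600 "$new_key" || return 1
    "$CSADM" LogonSign=ADMIN,"$old_key" \
        AddUser=OKVADMIN,22000000,rsasign,"$new_key" || return 1
    # Cut-over checks: do not remove ADMIN until the replacement demonstrably works.
    if ! hsm_user_exists OKVADMIN; then
        echo "OKVADMIN not listed after AddUser; ADMIN retained" >&2
        return 2
    fi
    if ! "$CSADM" LogonSign=OKVADMIN,"$new_key" listusers >/dev/null; then
        echo "OKVADMIN could not sign a logon with $new_key; ADMIN retained" >&2
        return 2
    fi
    "$CSADM" LogonSign=OKVADMIN,"$new_key" DeleteUser=ADMIN || return 1
    if hsm_user_exists ADMIN; then
        echo "ADMIN still listed after DeleteUser" >&2
        return 3
    fi
    return 0
}
```

Run it on the administration host as `rotate_hsm_admin ./key/ADMIN.key ./OKVADMIN.key`; a non-zero exit means ADMIN was left in place and the reason was written to stderr. Running it a second time is a no-op once OKVADMIN exists.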

Secure the OKVADMIN.key file: anyone holding it now has the same administrative access that the old ADMIN.key granted. You also have the option of placing it onto a smartcard and using that mechanism for administrator authentication.