6.6 Setting the HSM PIN
When you save the PIN for a SafeNet HSM using GenMaster, it is stored in the registry of the application server in the following location for the MyID COM+ user:
HKEY_CURRENT_USER\Software\Intercede\Edefice\MasterCard\LUNA\PINenc
The PIN is encrypted with the Windows Data Protection API (DPAPI) before it is stored.
By default, PINs for Thales HSMs are not stored in the registry by GenMaster.
In previous versions of MyID, the PIN for SafeNet HSMs was stored in the HKEY_LOCAL_MACHINE part of the registry, and was not encrypted.
The SetHSMPIN utility allows you to:
- Change the PIN stored for an HSM.
- Store the PIN for a Thales HSM.
- Add the PIN to the registry of an additional application server.
- Move and encrypt the PIN for an upgraded system.
To use the SetHSMPIN utility:
- Log on to the MyID application server as the MyID COM+ user.
  Note: If you have multiple application servers, you must run the utility on each server.
- Navigate to the MyID utilities folder.
  By default, this is:
  C:\Program Files (x86)\Intercede\MyID\Utilities\
- Run the utility using the following command line:
  SetHSMPIN <pin>
  where:
  - <pin> – the PIN for the HSM.
  For example:
  SetHSMPIN 123456
Note: If you are running the utility from a PowerShell prompt, you must escape any $ characters using the ` symbol. For example, if the PIN is 123$567, use the following:
SetHSMPIN 123`$567
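
An added example (not part of the MyID documentation or Intercede's code) that wraps the procedure above in PowerShell: it prompts for the PIN so that it is not typed at the prompt or saved in command history, passes it through a variable so that $ characters need no escaping, and then checks that an entry exists for the current user. It assumes the executable is named SetHSMPIN.exe and that PINenc is either a value under the LUNA key or a subkey of it.

```powershell
# Added example, not Intercede code. Run as the MyID COM+ user on each application server.
$utilDir = 'C:\Program Files (x86)\Intercede\MyID\Utilities'    # default folder given on this page
$exe     = Join-Path $utilDir 'SetHSMPIN.exe'                    # assumption: executable file name
$regKey  = 'HKCU:\Software\Intercede\Edefice\MasterCard\LUNA'    # location given on this page
$regName = 'PINenc'                                              # assumption: value name or subkey

if (-not (Test-Path -LiteralPath $exe)) { throw "SetHSMPIN not found: $exe" }

# Prompt without echo: the PIN is not typed as command text, so it is not
# written to the PSReadLine history file.
$secure = Read-Host -Prompt 'HSM PIN' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $pin = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    # The variable's value is passed as a literal argument, so '$' in the PIN
    # is not expanded and needs no backtick. The PIN is still part of the
    # SetHSMPIN process command line while it runs.
    & $exe $pin
}
finally {
    # Wipe the unmanaged copy and drop the plaintext variable.
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    Remove-Variable -Name pin -ErrorAction SilentlyContinue
}

# Confirm an entry exists under HKEY_CURRENT_USER for this account.
$asValue  = Get-ItemProperty -LiteralPath $regKey -Name $regName -ErrorAction SilentlyContinue
$asSubkey = Test-Path -LiteralPath (Join-Path $regKey $regName)
if ($asValue -or $asSubkey) {
    Write-Host "PIN entry found under $regKey for $env:USERNAME"
} else {
    Write-Warning "No $regName entry under $regKey for $env:USERNAME"
}
```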