8.6 Setting the HSM PIN

When you save the PIN for a Thales HSM using GenMaster, it is stored in the registry of the application server in the following location for the MyID COM+ user:

HKEY_CURRENT_USER\Software\Intercede\Edefice\MasterCard\LUNA\PINenc

The PIN is stored using the Windows Data Protection API (DPAPI), which encrypts the PIN.

By default, PINs for nShield HSMs are not stored in the registry by GenMaster.

In previous versions of MyID, the PIN for Thales HSMs was stored in the HKEY_LOCAL_MACHINE part of the registry, and was not encrypted.

The SetHSMPIN utility allows you to:

To use the SetHSMPIN utility:

  1. Log on to the MyID application server as the MyID COM+ user.

    Note: If you have multiple application servers, you must run the utility on each server.

  2. Navigate to the MyID utilities folder.

    By default, this is:

    C:\Program Files\Intercede\MyID\Utilities\

  3. To set the PIN, run the utility using the following command line:

    SetHSMPIN <pin>

    where:

    • <pin> – the PIN for the HSM.

    For example:

    SetHSMPIN 123456

    Note: If you are running the utility from a PowerShell prompt, you must escape any $ characters using the ` symbol. For example, if the PIN is 123$567, use the following:

    SetHSMPIN 123`$567

  4. To clear the PIN, run the utility using the following command line:

    SetHSMPIN /ClearPIN

    This removes the HSM PIN from the registry. If you have cleared the PIN, you must either set it again, or set it temporarily using the Startup utility; see the MyID startup section in the Advanced Configuration Guide.

  5. If prompted, enter an admin user name and password.
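
A way to confirm the result of steps 3 and 4 without displaying the PIN data. This is an added example, not part of the MyID product or its documentation. It assumes that SetHSMPIN writes to the registry location given at the start of this section and that PINenc is either a value on the LUNA key or a subkey of it; the function name Get-HsmPinState is hypothetical.

```powershell
# Added example. Run as the MyID COM+ user: the PIN is held in that user's
# HKEY_CURRENT_USER hive, so any other account sees a different hive.
# Assumption: PINenc is a value on the LUNA key or a subkey of it; both are checked.

function Get-HsmPinState {
    param(
        [string]$KeyPath = 'HKCU:\Software\Intercede\Edefice\MasterCard\LUNA',
        [string]$Name    = 'PINenc'
    )

    $state = [ordered]@{
        User     = "$env:USERDOMAIN\$env:USERNAME"  # account whose hive was read
        Location = "$KeyPath\$Name"
        Stored   = $false
        Kind     = $null   # registry value kind, or 'Key' if PINenc is a subkey
        Length   = $null   # size of the stored data; the data itself is never shown
    }

    if (Test-Path -LiteralPath "$KeyPath\$Name") {
        # PINenc exists as a subkey of LUNA
        $state.Stored = $true
        $state.Kind   = 'Key'
    }
    elseif (Test-Path -LiteralPath $KeyPath) {
        # Get-Item on the registry provider returns a Microsoft.Win32.RegistryKey
        $key = Get-Item -LiteralPath $KeyPath
        if ($key.GetValueNames() -contains $Name) {
            $data = $key.GetValue($Name)
            $state.Stored = $true
            $state.Kind   = $key.GetValueKind($Name)
            if ($data -is [byte[]]) {
                $state.Length = $data.Length
            }
            else {
                $state.Length = "$data".Length
            }
        }
    }

    [pscustomobject]$state
}

Get-HsmPinState | Format-List
```

Run it on each application server after setting or clearing the PIN, and compare the Stored field with the state you expect on that server.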