Boot User Password 155Resetting HSM Cards on the ASA 310-FIPSWhen removing an ASA 310-FIPS device from a cluster, you have theoption to reset (or de-initialize) the HSM cards.When an ASA 310-FIPS device that has been removed from a cluster isinstalled in a new cluster, or added to an existing cluster, the cards will beinitialized again. This is done by performing a series of steps as part ofthe setup procedure of the ASA 310-FIPS device itself. If the Setup utilitydetects that the cards have not been reset, you will be prompted to resetthe HSM cards at that time. The HSM cards must be reset before they canbe initialized. You may therefore choose to reset the cards already whenremoving the ASA 310-FIPS device from the cluster. Resetting the HSMcards will clear all sensitive cryptographic information stored on the cards.Until the cards are initialized again, they will remain in that state.To reset the HSM cards, you need the following:• The two pairs of HSM-SO and HSM-USER iKeys, where each pair isassociated with a particular HSM card on the ASA 310-FIPS deviceyou want to delete from the cluster• The HSM-SO password associated with each HSM-SO iKey• Log in as the admin user to the particular ASA 310-FIPS device youwant to deleteIf the ASA 310-FIPS device will be used in a different department ororganization after it has been deleted from the cluster, you may want tochange the current password for the HSM-SO iKey and the HSM-USERiKey before you reset the HSM cards. The user who performs the initialsetup of the ASA 310-FIPS device must then provide the "transient"passwords known by both parties when initializing the HSM cards, but candirectly change to new HSM-SO and HSM-USER passwords within thenormal initialization procedure.To change the current password for the HSM-SO iKey before resettingthe HSM cards, use the /maint/hsm/changepass command. For moreinformation about this command, see the "HSM Menu " section underMaintenance Menu in the Command Reference.Note: When moving the ASA 310-FIPS device to a different location,make sure to maintain the connection between each pair of HSM-SOand HSM-USER iKeys and the particular HSM card to which theyare associated. To initialize the HSM cards when installing or addingthe device in a cluster, the correct HSM-SO and HSM-USER iKeysare required, as well as the corresponding HSM-SO and HSM-USERpasswords.Nortel VPN GatewayUser GuideNN46120-104 02.01 Standard14 April 2008Copyright © 2007-2008 Nortel Networks.