I Have Forgotten the PIN Code of the Central Server

Problem

I have forgotten the PIN code of the Central Server and I am not able to log in to the software token anymore.

The PIN code protects the keys stored in the software token. It must be kept in a secure place, because once the PIN is lost it is no longer possible to use or recover the private keys in the token.

The PIN code cannot be recovered, but it can be reset. However, resetting the PIN code means that new signing keys must be generated and activated. After that, the configuration anchor must be re-created and distributed to all the Security Servers and any federation partners.

Solution

  1. Connect to the Central Server using SSH.

  2. Switch to the xroad user using sudo.

    $ sudo su - xroad

  3. Initialize the software token using signer-console. In practice, this means resetting the PIN code. After this step the keys generated with the old PIN code cannot be used anymore.

    $ signer-console init-software-token
    PIN:
    retype PIN:

  4. Log off from the server and log in to the Central Server admin console at https://{HOST}:4000.

  5. Generate a new configuration signing key (instructions).

  6. Activate the new configuration signing key (instructions).

  7. Delete the old configuration signing key (instructions).

  8. Re-create the configuration anchor(s) (instructions).

  9. Distribute the new internal configuration anchor to the Security Server administrators and the new external configuration anchor to the federation partners.
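Whoever receives the anchor in step 9 should compare the file's hash with the value read from the Central Server admin UI over a separate channel before importing it. The following is an added example, not part of this article or of X-Road itself: a POSIX shell helper that computes and compares the anchor hash. It assumes the UI shows a SHA-224 digest, possibly as colon-separated uppercase hex, which is how X-Road's anchor views present it.

```shell
#!/bin/sh
# Added example, not part of the X-Road article or product: verify a received
# configuration anchor against the hash read from the Central Server admin UI.
# Assumption: the UI shows a SHA-224 digest, possibly as colon-separated hex.

# Print the SHA-224 hex digest of a file; uses coreutils if present, else openssl.
anchor_hash() {
  if command -v sha224sum >/dev/null 2>&1; then
    sha224sum "$1" | awk '{print $1}'
  else
    openssl dgst -sha224 "$1" | awk '{print $NF}'
  fi
}

# Normalise a digest copied from the UI: drop colons and whitespace, lowercase.
normalise_hash() {
  printf '%s' "$1" | tr -d ':[:space:]' | tr 'A-F' 'a-f'
}

# verify_anchor FILE EXPECTED_HASH
# Returns 0 when the file's digest matches the out-of-band value, 1 otherwise.
# Only a matching anchor should be imported; a mismatch means the file was
# altered in transit or the sender distributed a stale anchor.
verify_anchor() {
  file=$1
  expected=$(normalise_hash "$2")
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
  actual=$(anchor_hash "$file")
  if [ "$actual" = "$expected" ]; then
    echo "OK: $file matches expected SHA-224"
    return 0
  fi
  echo "MISMATCH: $file" >&2
  echo "  expected: $expected" >&2
  echo "  actual:   $actual" >&2
  return 1
}

# Usage: verify-anchor.sh configuration_anchor.xml <hash from admin UI>
if [ "$#" -ge 2 ]; then
  verify_anchor "$1" "$2"
fi
```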