SNMP Operation and Limitations with SafeNet Luna Network HSM

This page applies only to SafeNet Luna Network HSM which, as a closed system, has its own agent. This contrasts with other SafeNet Luna HSMs that are installed inside a host computer, or USB-connected to a host, and therefore require you to provide an SNMP agent and configure it for use with our subagent.

Various LunaSH commands govern the setup and use of SNMP with the SafeNet appliance. You provide your own SNMP application – a standard, open-source tool like net-snmp, or a commercial offering, or one that you develop yourself – and use the commands described below (and on the following pages) to enable and adjust the SNMP agent on-board the SafeNet appliance.  

SNMP-Related Commands

Please refer to the LunaSH Appliance Commands in the Reference Section of this Help for syntax and usage descriptions of the following:

>The sysconf snmp command has subcommands enable, disable, notification, show, trap, and user.

The sysconf snmp notification command allows viewing and configuring the notifications that can be sent by the SNMP agent. At least one user must be configured before the SNMP agent can be accessed.

The sysconf snmp enable command enables and starts the SNMP service.

The sysconf snmp disable command stops the service.   

The sysconf snmp show command shows the current status of the service.   

The sysconf snmp trap command has sub-commands to set, show, and clear trap host information.

The sysconf snmp user command allows viewing and configuring the users that can access the SNMP agent. At least one user must be configured before the SNMP agent can be accessed.

>The service list command reports a service: "snmpd - SNMP agent service".

>The service status, service stop, service start and service restart commands accept the value "snmp" as a <servicename> parameter (that is, you can start, stop or restart the snmp service – this represents some overlap with the sysconf snmp enable and sysconf snmp disable commands, but is provided for completeness).

Coverage

The following are some points of interest, with regard to our reporting.

Memory

Swap usage - Covered by UCD-SNMP-MIB under the memTotalSwap, memAvailSwap and memMinimumSwap OIDs

Physical Memory usage - Covered by UCD-SNMP-MIB under the memTotalReal, memAvailReal and memTotalFree OIDs

Errors - Covered by UCD-SNMP-MIB under the memSwapError and memSwapErrorMsg OIDs

Paging

Size of page file - Not covered

Page file usage - Not covered

Paging errors - Not covered

Note: UCD-SNMP-MIB/memory will report all the data that we get from the "free" command.

CPU

% Utilization Threads - Not covered

%user time - Covered by UCD-SNMP-MIB under ssCpuUser OID

%system time - Covered by UCD-SNMP-MIB under ssCpuSystem OID

Top running processes - Not covered

Network

Interface status - Covered

% utilization - Covered

Bytes in - Not covered

Bytes out - Not covered

Errors - Covered

Note: All of the above are already covered by the RFC1213-MIB.

Monitoring Internal Hardware failure

We do not currently keep any status on hardware failure.

Environmental

We support only CPU and motherboard temperature.

HSM MIB

The above concerns the status of various elements of the appliance, outside the contained HSM.

HSM status is separately handled by the SAFENET-HSM-MIB.

In the current implementation, the object ntlsCertExpireNotification has no value. If you query this object, the response is "Snmp No Such Object".
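An added example, not from the original page or from SafeNet: a monitoring check that parses net-snmp text output for the UCD-SNMP-MIB memory objects listed under Coverage and treats a "No Such Object" reply, as returned for ntlsCertExpireNotification, as unsupported rather than as zero or as a failure. The sample output is constructed, the function names and thresholds are hypothetical, and net-snmp's short-name (`-Os`) output format is assumed.

```python
import re

# Constructed sample in net-snmp "-Os" text form; not captured from a real appliance.
SAMPLE = """\
memTotalSwap.0 = INTEGER: 2097148 kB
memAvailSwap.0 = INTEGER: 2097148 kB
memTotalReal.0 = INTEGER: 8000000 kB
memAvailReal.0 = INTEGER: 400000 kB
memSwapError.0 = INTEGER: noError(0)
ntlsCertExpireNotification = No Such Object available on this agent at this OID
"""

LINE = re.compile(r"^(?:[\w-]+::)?(?P<obj>\w+)(?:\.\d+)* = (?P<rest>.*)$")
MISSING = re.compile(r"no such (object|instance)", re.IGNORECASE)

def parse(text):
    """Map object name -> int, str, or None when the agent returns no value."""
    values = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        rest = m["rest"]
        if MISSING.search(rest):
            values[m["obj"]] = None      # unsupported, not "zero" and not "down"
            continue
        raw = rest.split(":", 1)[1].strip() if ":" in rest else rest.strip()
        num = re.match(r"-?\d+", raw)
        values[m["obj"]] = int(num.group()) if num else raw
    return values

def used_pct(values, total_key, avail_key):
    """Percent used, or None if either object is missing or non-numeric."""
    total, avail = values.get(total_key), values.get(avail_key)
    if not isinstance(total, int) or not isinstance(avail, int) or total <= 0:
        return None
    return 100.0 * (total - avail) / total

def evaluate(values, mem_max_pct=90, swap_max_pct=25):
    """Return (alerts, unsupported); the thresholds are example values."""
    alerts = []
    unsupported = sorted(k for k, v in values.items() if v is None)
    mem = used_pct(values, "memTotalReal", "memAvailReal")
    swap = used_pct(values, "memTotalSwap", "memAvailSwap")
    if mem is not None and mem > mem_max_pct:
        alerts.append("physical memory %.0f%% used" % mem)
    if swap is not None and swap > swap_max_pct:
        alerts.append("swap %.0f%% used" % swap)
    if values.get("memSwapError") not in (None, 0, "noError(0)"):
        alerts.append("memSwapError set")
    return alerts, unsupported
```

Reporting unsupported objects separately keeps a permanently empty object such as ntlsCertExpireNotification from either raising a standing alarm or being read as a healthy value.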

Information about the HSM, retrievable via SNMP, is similar to executing the following commands:

From SafeNet Luna Network HSM (LunaSH) commands:

>hsm show

>hsm showpolicies

>hsm displaylicenses

>client show

From the SafeNet Luna HSM Client (LunaCM) commands:

>partition showinfo

>partition showpolicies

MIBs You Need for Network Monitoring of SafeNet Luna Network HSM

The following MIBs are not supplied as part of the SafeNet Luna Network HSM build, but can be downloaded from a number of sources. How they are implemented depends on your MIB utility. Support is restricted to active queries (traps capture only reboots).

>LM-SENSORS-MIB

>RFC1213-MIB

>SNMP-FRAMEWORK-MIB

>SNMP-MPD-MIB

>SNMP-TARGET-MIB

>SNMP-USER-BASED-SM-MIB

>SNMPv2-MIB

>SNMP-VIEW-BASED-ACM-MIB

In addition, the SAFENET-APPLIANCE-MIB is included within the SafeNet Luna Network HSM appliance, to report Software Version.

MIBs You Need for Monitoring the Status of the HSM

You require the following MIB to monitor the status of the HSM:

>SAFENET-HSM-MIB.mib