The SAFENET-HSM-MIB defines HSM status information and HSM Partition information that can be viewed via SNMP.
To access tables, use a command like:
snmptable -a SHA -A snmppass -u snmpuser -x AES -X snmppass -l authPriv -v 3 172.20.11.59 SAFENET-HSM-MIB::hsmTable
The information is defined in tables, as detailed in the following sections:
The SNMP tables are updated and cached every 60 seconds. Any changes made on the HSM may therefore take up to 60 seconds to be included in the tables. When a query is received to view the tables, the most recent cached version is displayed. If a change you were expecting is not displayed, wait 60 seconds and try again.
Note: Some values may not get updated automatically, such as the HSM firmware version (hsmFirmwareVersion) following a firmware upgrade. To force an update, restart the SNMP agent.
This table provides a list of all the HSM information on the managed element.
Item | Type | Description | Values |
---|---|---|---|
hsmSerialNumber | DisplayString | Serial number of the HSM - used as an index into the tables. | From factory |
hsmFirmwareVersion | DisplayString | Version of firmware executing on the HSM. | As found |
hsmLabel | DisplayString | Label associated with the HSM. | Provided by SO at init time |
hsmModel | DisplayString | Model identifier for the HSM. | From factory |
hsmAuthenticationMethod | INTEGER | Authentication mode of the HSM. | unknown(1) -- not known; password(2) -- requires passwords; pedKeys(3) -- requires PED |
hsmRpvInitialized | INTEGER | Remote PED vector (RPV) initialized flag of the HSM. | notSupported(1) -- RPV not supported; uninitialized(2) -- RPV not initialized; initialized(3) -- RPV initialized |
hsmFipsMode | TruthValue | FIPS 140-2 operation mode enabled flag of the HSM. | Factory set |
hsmPerformance | INTEGER | Performance level of the HSM. | |
hsmStorageTotalBytes | Unsigned32 | Total storage capacity in bytes of the HSM | Factory set |
hsmStorageAllocatedBytes | Unsigned32 | Number of allocated bytes on the HSM | Calculated |
hsmStorageAvailableBytes | Unsigned32 | Number of available bytes on the HSM | Calculated |
hsmMaximumPartitions | Unsigned32 | Maximum number of partitions allowed on the HSM | 2, 5, 10, 15, or 20, per license |
hsmPartitionsCreated | Unsigned32 | Number of partitions created on the HSM | As found |
hsmPartitionsFree | Unsigned32 | Number of partitions that can still be created on the HSM | Calculated |
hsmBackupProtocol | INTEGER | Backup protocol used on the HSM | unknown(1), none(2), cloning(3), keyExport(4) |
hsmAdminLoginAttempts | Counter32 | Number of failed Administrator login attempts left before HSM zeroized | As found, calculated |
hsmAuditRoleInitialized | INTEGER | Audit role is initialized flag | notSupported(0), yes(1), no(2) |
hsmManuallyZeroized | TruthValue | Was HSM manually zeroized flag | As found |
hsmUpTime | Counter64 | Up time in seconds since last HSM reset | Counted |
hsmBusyTime | Counter64 | Busy time in seconds since the last HSM reset | Calculated |
hsmCommandCount | Counter64 | HSM commands processed since last HSM reset | Counted |
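As an added example, not part of the original page or of the SafeNet MIB, the following Python parses snmpwalk-style text for the hsmTable objects above and turns the security-relevant ones (hsmManuallyZeroized, hsmFipsMode, hsmAdminLoginAttempts, storage headroom, hsmPartitionsFree) into alerts against an operator baseline. The serial number, sample values and baseline keys are constructed, and the line format assumes net-snmp's usual `OBJECT.index = TYPE: value` rendering.

```python
import re

# Constructed sample of snmpwalk-style output for one HSM; the serial number
# 7000022 and every value are made up for this example.
SAMPLE_WALK = """\
SAFENET-HSM-MIB::hsmFirmwareVersion."7000022" = STRING: "6.24.2"
SAFENET-HSM-MIB::hsmFipsMode."7000022" = INTEGER: false(2)
SAFENET-HSM-MIB::hsmStorageTotalBytes."7000022" = Gauge32: 2097152
SAFENET-HSM-MIB::hsmStorageAvailableBytes."7000022" = Gauge32: 131072
SAFENET-HSM-MIB::hsmPartitionsFree."7000022" = Gauge32: 0
SAFENET-HSM-MIB::hsmAdminLoginAttempts."7000022" = Counter32: 1
SAFENET-HSM-MIB::hsmManuallyZeroized."7000022" = INTEGER: false(2)
"""
# groups: object name, index (the hsmSerialNumber DisplayString), printed value
LINE_RE = re.compile(r'^SAFENET-HSM-MIB::(\w+)\."?([^"]+?)"? = \w+: (.*)$')

def parse_walk(text: str) -> dict:
    """Return {hsmSerialNumber: {object: value}}; enums keep their label, numbers become int."""
    hsms = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        obj, idx, raw = m.groups()
        enum = re.fullmatch(r"(\w+)\(\d+\)", raw)  # e.g. false(2) -> "false"
        if enum:
            value = enum.group(1)
        elif raw.isdigit():
            value = int(raw)
        else:
            value = raw.strip('"')
        hsms.setdefault(idx, {})[obj] = value
    return hsms

def check_hsm(cur: dict, baseline: dict) -> list:
    """Compare one hsmTable row with an operator baseline and return alert strings."""
    alerts = []
    if cur.get("hsmManuallyZeroized") == "true":
        alerts.append("CRITICAL: HSM reports it was manually zeroized")
    if baseline.get("fips") and cur.get("hsmFipsMode") != "true":
        alerts.append("CRITICAL: hsmFipsMode is not true but the baseline requires FIPS mode")
    left, prev = cur.get("hsmAdminLoginAttempts"), baseline.get("adminAttemptsLeft")
    if isinstance(left, int) and isinstance(prev, int) and left < prev:
        alerts.append(f"WARNING: {prev - left} failed HSM Admin login(s) since last poll, {left} left before zeroize")
    total, avail = cur.get("hsmStorageTotalBytes"), cur.get("hsmStorageAvailableBytes")
    if isinstance(total, int) and isinstance(avail, int) and avail * 10 < total:
        alerts.append(f"WARNING: under 10% of HSM storage free ({avail} of {total} bytes)")
    if cur.get("hsmPartitionsFree") == 0:
        alerts.append("INFO: no free partitions left on this HSM")
    return alerts
```

Because the agent refreshes its cache only every 60 seconds, poll no more often than that and read a drop in hsmAdminLoginAttempts as failed logins that happened since the cache was last refreshed.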
This table provides a list of all the partition information on the managed element.
Item | Type | Description | Values |
---|---|---|---|
hsmPartitionSerialNumber | DisplayString | Serial number for the partition | Generated |
hsmPartitionLabel | DisplayString | Label assigned to the partition | Provided at partition creation |
hsmPartitionActivated | TruthValue | Partition activation flag | Set by policy |
hsmPartitionStorageTotalBytes | Unsigned32 | Total storage capacity in bytes of the partition | Set or calculated at partition creation or re-size |
hsmPartitionStorageAllocatedBytes | Unsigned32 | Number of allocated (in use) bytes on the partition | Calculated |
hsmPartitionStorageAvailableBytes | Unsigned32 | Number of available (unused) bytes on the partition | Calculated |
hsmPartitionObjectCount | Unsigned32 | Number of objects in the partition | Counted |
This table provides a list of all the license information on the managed element. More than one HSM might be connected to a host, so entries are accessed with two indices: the first identifies the HSM to which the license entry belongs (hsmSerialNumber), the second identifies the license itself (hsmLicenseID).
Item | Type | Description | Values |
---|---|---|---|
hsmLicenseID | DisplayString | License identifier | Set at factory or at capability update |
hsmLicenseDescription | DisplayString | License description | Set at factory or at capability update |
This table provides a list of all the HSM policy information on the managed element.
Item | Type | Description | Values |
---|---|---|---|
hsmPolicyType | INTEGER | Type of policy | capability(1), policy(2) |
hsmPolicyID | Unsigned32 | Policy identifier | Numeric value that identifies the policy and is used as an index into the policy table |
hsmPolicyDescription | DisplayString | Description of the policy | Brief text description of what the policy does |
hsmPolicyValue | DisplayString | Current value of the policy | Brief text description to show current state/value of policy |
This table provides a list of all the partition policy information on the managed element.
Item | Type | Description | Values |
---|---|---|---|
hsmPartitionPolicyType | INTEGER | Capability or policy | capability(1), policy(2) |
hsmPartitionPolicyID | Unsigned32 | Policy identifier | Numeric value that identifies the policy and is used as an index into the policy table |
hsmPartitionPolicyDescription | DisplayString | Description of the policy | Brief text description of what the policy does |
hsmPartitionPolicyValue | DisplayString | Current value of the policy | Brief text description to show current state/value of policy |
This table provides a list of registered clients.
Item | Type | Description | Values |
---|---|---|---|
hsmClientName | DisplayString | Name of the client | Name provided on client cert |
hsmClientAddress | DisplayString | Address of the client | IP address of the client |
hsmClientRequiresHTL | TruthValue | Flag specifying if HTL required for the client | Flag set at HSM host side to control client access |
hsmClientOTTExpiry | INTEGER | OTT expiry time (-1 if not provisioned) | Expiry time, in seconds, for HTL OneTimeToken (range is 0-3600); -1 indicates not provisioned, 0 means never expires |
This table provides a list of assigned partitions for a given client.
Item | Type | Description | Values |
---|---|---|---|
hsmClientHsmSerialNumber | DisplayString | Index into the HSM table | -- |
hsmClientPartitionSerialNumber | DisplayString | Index into the Partition Table | -- |
For comparison, the following shows lunacm or lunash command outputs that provide HSM information equivalent to the SNMP information depicted in the tables above (from the HSM MIB).
At the HSM level, the information in the outputs of "hsm show", "hsm showp" and "hsm di" includes the following:
• SW Version
• FW Version
• HSM label
• Serial #
• HW Model
• Authentication Method
• RPV state
• FIPS mode
• HSM storage space (bytes)
• HSM storage space used (bytes)
• HSM storage free space (bytes)
• Performance level
• Max # of partitions
• # of partitions created
• # of free partitions
• Configuration (Cloning/CKE)
• License information similar to the output of the "hsm displayLicenses" command
• Policies as shown below.
Description                                  Value
===========                                  =====
Enable PIN-based authentication              Allowed
Enable PED-based authentication              Disallowed
Performance level                            15
Enable domestic mechanisms & key sizes       Allowed
Enable masking                               Disallowed
Enable cloning                               Allowed
Enable special cloning certificate           Disallowed
Enable full (non-backup) functionality       Allowed
Enable non-FIPS algorithms                   Allowed
Enable SO reset of partition PIN             Allowed
Enable network replication                   Allowed
Enable Korean Algorithms                     Allowed
FIPS evaluated                               Disallowed
Manufacturing Token                          Disallowed
Enable Remote Authentication                 Allowed
Enable forcing user PIN change               Allowed
Enable portable masking key                  Allowed
Enable partition groups                      Disallowed
Enable remote PED usage                      Disallowed
Enable External Storage of MTK Split         Disallowed
HSM non-volatile storage space               2097152
Enable HA mode CGX                           Disallowed
Enable Acceleration                          Allowed
Enable unmasking                             Allowed
Enable FW5 compatibility mode                Disallowed
Unsupported                                  Disallowed
Unsupported                                  Disallowed
Enable ECIES support                         Disallowed

The following policies are set due to current configuration of this HSM and cannot be altered directly by the user.

Description                Value
===========                =====
PIN-based authentication   True

The following policies describe the current configuration of this HSM and may by changed by the HSM Administrator. Changing policies marked "destructive" will zeroize (erase completely) the entire HSM.

Description                              Value  Code  Destructive
===========                              =====  ====  ===========
Allow cloning                            On     7     Yes
Allow non-FIPS algorithms                On     12    Yes
SO can reset partition PIN               On     15    Yes
Allow network replication                On     16    No
Allow Remote Authentication              On     20    Yes
Force user PIN change after set/reset    Off    21    No
Allow offboard storage                   On     22    Yes
Allow Acceleration                       On     29    Yes
Allow unmasking                          On     30    Yes
At the HSM Partition level, the information in the outputs of "partition show" and "partition showp" includes the following:
• Partition Name
• Partition Serial #
• Activation State
• AutoActivation State
• Partition storage space (bytes)
• Partition storage space used (bytes)
• Partition storage free space (bytes)
• Partition Object Count
• Partition Policies from the "partition showPolicies" command
lunash:> partition showPolicies -partition mypartition
Partition Name: mypartition
Partition Num: 65038002
The following capabilities describe this partition and can never be changed.

Description                                    Value
===========                                    =====
Enable private key cloning                     Allowed
Enable private key wrapping                    Disallowed
Enable private key unwrapping                  Allowed
Enable private key masking                     Disallowed
Enable secret key cloning                      Allowed
Enable secret key wrapping                     Allowed
Enable secret key unwrapping                   Allowed
Enable secret key masking                      Disallowed
Enable multipurpose keys                       Allowed
Enable changing key attributes                 Allowed
Enable PED use without challenge               Allowed
Allow failed challenge responses               Allowed
Enable operation without RSA blinding          Allowed
Enable signing with non-local keys             Allowed
Enable raw RSA operations                      Allowed
Max failed user logins allowed                 10
Enable high availability recovery              Allowed
Enable activation                              Allowed
Enable auto-activation                         Allowed
Minimum pin length (inverted: 255 - min)       248
Maximum pin length                             255
Enable Key Management Functions                Allowed
Enable RSA signing without confirmation        Allowed
Enable Remote Authentication                   Allowed
Enable private key unmasking                   Allowed
Enable secret key unmasking                    Allowed
Enable RSA PKCS mechanism                      Allowed
Enable CBC-PAD (un)wrap keys of any size       Allowed
Enable private key SFF backup/restore          Disallowed
Enable secret key SFF backup/restore           Disallowed
Enable Secure Trusted Channel                  Allowed

The following policies are set due to current configuration of this partition and may not be altered directly by the user.

Description                              Value
===========                              =====
Challenge for authentication not needed  False

The following policies describe the current configuration of this partition and may be changed by the HSM Administrator.

Description                                 Value  Code
===========                                 =====  ====
Allow private key cloning                   On     0
Allow private key unwrapping                On     2
Allow secret key cloning                    On     4
Allow secret key wrapping                   On     5
Allow secret key unwrapping                 On     6
Allow multipurpose keys                     On     10
Allow changing key attributes               On     11
Ignore failed challenge responses           On     15
Operate without RSA blinding                On     16
Allow signing with non-local keys           On     17
Allow raw RSA operations                    On     18
Max failed user logins allowed              10     20
Allow high availability recovery            On     21
Allow activation                            Off    22
Allow auto-activation                       Off    23
Minimum pin length (inverted: 255 - min)    248    25
Maximum pin length                          255    26
Allow Key Management Functions              On     28
Perform RSA signing without confirmation    On     29
Allow Remote Authentication                 On     30
Allow private key unmasking                 On     31
Allow secret key unmasking                  On     32
Allow RSA PKCS mechanism                    On     33
Allow CBC-PAD (un)wrap keys of any size     On     34
Force Secure Trusted Channel                Off    37
Command Result : 0 (Success)
[myluna] lunash:>