Home >

Administration Guide > SNMP > The SAFENET HSM MIB

The SAFENET HSM MIB

The SAFENET-HSM-MIB defines HSM status information and HSM Partition information that can be viewed via SNMP.

To access tables, use a command like:

snmptable  -a SHA  -A snmppass  -u snmpuser -x AES -X snmppass -l authPriv -v 3 172.20.11.59   SAFENET-HSM-MIB::hsmTable
 

The information is defined in tables, as detailed in the following sections:

SNMP Table Updates

The SNMP tables are updated and cached every 60 seconds. Any changes made on the HSM may therefore take up to 60 seconds to be included in the tables. When a query is received to view the tables, the most recent cached version is displayed. If a change you were expecting is not displayed, wait 60 seconds and try again.

Note:  Some values may not get updated automatically, such as the HSM firmware version (hsmFirmwareVersion) following a firmware upgrade. To force an update, restart the SNMP agent.

hsmTable   

This table provides a list of all the HSM information on the managed element.

Item    Type    Description    Values   

hsmSerialNumber      

DisplayString    Serial number of the HSM   - used as an index into the tables.   From factory   
hsmFirmwareVersion       DisplayString    Version of firmware executing on the HSM.    As found   
hsmLabel       DisplayString    Label associated with the HSM.    Provided by SO at init time   
hsmModel       DisplayString    Model identifier for the HSM. From factory   
hsmAuthenticationMethod       INTEGER    Authentication mode of the HSM.    unknown(1), -- not known
password(2), -- requires passwords
pedKeys(3) -- requires PED
hsmRpvInitialized       INTEGER    Remote ped vector initialized flag of the HSM.    notSupported(1), -- rpv not supported
uninitialized(2), -- rpv not initialized
initialized(3) -- rpv initialized
hsmFipsMode       TruthValue    FIPS 140-2 operation mode enabled flag of the HSM.    Factory set   
hsmPerformance       INTEGER    Performance level of the HSM.   
hsmStorageTotalBytes       Unsigned32    Total storage capacity in bytes of the HSM    Factory set   
hsmStorageAllocatedBytes       Unsigned32    Number of allocated bytes on the HSM    Calculated  
hsmStorageAvailableBytes       Unsigned32    Number of available bytes on the HSM    Calculated  
hsmMaximumPartitions       Unsigned32    Maximum number of partitions allowed on the HSM    2, 5, 10, 15, or 20, per license
hsmPartitionsCreated       Unsigned32    Number of partitions created on the HSM    As found   
hsmPartitionsFree       Unsigned32    Number of partitions that can still be created on the HSM    Calculated   
hsmBackupProtocol       INTEGER    Backup protocol used on the HSM    unknown(1),
none(2),
cloning(3),
keyExport(4)   
hsmAdminLoginAttempts       Counter32    Number of failed Administrator login attempts left before HSM zeroized    As found, calculated   
hsmAuditRoleInitialized       INTEGER    Audit role is initialized flag    notSupported(0),   
yes(1),
no(2)   
hsmManuallyZeroized       TruthValue    Was HSM manually zeroized flag    As found   
hsmUpTime       Counter64    Up time in seconds since last HSM reset    Counted   
hsmBusyTime       Counter64    Busy time in seconds since the last HSM reset    Calculated   
hsmCommandCount       Counter64    HSM commands processed since last HSM reset    Counted   

The hsmPartitionTable   

This table provides a list of all the partition information on the managed element.

Item    Type    Description    Values   
hsmPartitionSerialNumber       DisplayString    Serial number for the partition    Generated   
hsmPartitionLabel    DisplayString    Label assigned to the partition    Provided at partition creation   
hsmPartitionActivated    TruthValue    Partition activation flag    Set by policy   
hsmPartitionStorageTotalBytes    Unsigned32    Total storage capacity in bytes of the partition    Set or calculated at partition creation or re-size   
hsmPartitionStorageAllocatedBytes    Unsigned32    Number of allocated (in use) bytes on the partition   Calculated   
hsmPartitionStorageAvailableBytes    Unsigned32    Number of avalailable (unused) bytes on the partition    Calculated   
hsmPartitionObjectCount Unsigned32    Number of objects in the partition    Counted

hsmLicenseTable

This table provides a list of all the license information on the managed element. More than one HSM might be connected to a Host, so they are accessed with two indices; the first index identifies the HSM for which the license entry corresponds (hsmSerialNumber), the second is the index for the corresponding license (hsmLicenseID).

 

Item    Type    Description    Values   
hsmLicenseID    DisplayString    License identifier    Set at factory or at capability update   
hsmLicenseDescription    DisplayString    License description    Set at factory or at capability update   

hsmPolicyTable   

This table provides a list of all the HSM policy information on the managed element.

Item    Type    Description    Values   
hsmPolicyType    INTEGER    Type of policy    capability(1),   
policy(2)     
hsmPolicyID    Unsigned32    Policy identifier    Numeric value identifies policy and is used as a index into the policy table   
hsmPolicyDescription    DisplayString    Description of the policy    Brief text description of what the policy does   
hsmPolicyValue DisplayString    Current value of the policy Brief text description to show current state/value of policy   

hsmPartitionPolicyTable   

This table provides a list of all the partition policy information on the managed element.

Item    Type    Description    Values   
hsmPartitionPolicyType   INTEGER    Capability or policy    capability(1),   
policy(2)   
hsmPartitionPolicyID    Unsigned32     Policy identifier    Numeric value identifies policy and is used as a index into the policy table   
hsmPartitionPolicyDescription    DisplayString    Description of the policy    Brief text description of what the policy does   
hsmPartitionPolicyValue    DisplayString    Current value of the policy    Brief text description to show current state/value of policy   

hsmClientRegistrationTable   

This table provides a list of registered clients.

Item    Type    Description    Values   
hsmClientName    DisplayString    Name of the client    Name provided on client cert   
hsmClientAddress    DisplayString    Address of the client    IP address of the client   
hsmClientRequiresHTL    TruthValue    Flag specifying if HTL required for the client    Flag set at HSM host side to control client access
hsmClientOTTExpiry    INTEGER    OTT expiry time (-1 if not provisioned) Expiry time, in seconds, for HTL OneTimeToken (range is 0-3600); -1 indicates not provisioned, 0 means never expires   

hsmClientPartitionAssignmentTable   

This table provides a list of assigned partitions for a given client.   

Item    Type    Description    Values   
hsmClientHsmSerialNumber    DisplayString    Index into the HSM table    --
hsmClientPartitionSerialNumber DisplayString    DisplayString    Index into the Partition Table    --

SNMP output compared to SafeNet tools output

For comparison, the following shows lunacm or lunash command outputs that provide HSM information equivalent to the SNMP information depicted in the tables above (from the HSM MIB).

HSM Information

At the HSM level the information in the outputs of "hsm show" and "hsm showp" and "hsm di" includes the following :

SW Version

FW Version

HSM label

Serial #

HW Model

Authentication Method

RPV state

FIPS mode

HSM storage space (bytes)

HSM storage space used (bytes)

HSM storage free space (bytes)

Performance level

Max # of partitions

# of partitions created

# of free partitions

Configuration (Cloning/CKE)

License information similar to the output of the "hsm displayLicenses" command

Policies as shown below.

Description Value
=========== =====
Enable PIN-based authentication Allowed
Enable PED-based authentication Disallowed
Performance level 15
Enable domestic mechanisms & key sizes Allowed
Enable masking Disallowed
Enable cloning Allowed
Enable special cloning certificate Disallowed
Enable full (non-backup) functionality Allowed
Enable non-FIPS algorithms Allowed
Enable SO reset of partition PIN Allowed
Enable network replication Allowed
Enable Korean Algorithms Allowed
FIPS evaluated Disallowed
Manufacturing Token Disallowed
Enable Remote Authentication Allowed
Enable forcing user PIN change Allowed
Enable portable masking key Allowed
Enable partition groups Disallowed
Enable remote PED usage Disallowed
Enable External Storage of MTK Split Disallowed
HSM non-volatile storage space 2097152
Enable HA mode CGX Disallowed
Enable Acceleration Allowed
Enable unmasking Allowed
Enable FW5 compatibility mode Disallowed
Unsupported Disallowed
Unsupported Disallowed
Enable ECIES support Disallowed
The following policies are set due to current configuration of
this HSM and cannot be altered directly by the user.
Description Value
=========== =====
PIN-based authentication True
The following policies describe the current configuration of
this HSM and may by changed by the HSM Administrator.
Changing policies marked "destructive" will zeroize (erase
completely) the entire HSM.
Description 				Value Code Destructive
=========== 				===== ==== ===========
Allow cloning 				On 	7 	Yes
Allow non-FIPS algorithms 		On 	12 	Yes
SO can reset partition PIN 		On 	15 	Yes
Allow network replication 		On 	16 	No
Allow Remote Authentication 		On 	20 	Yes
Force user PIN change after set/reset 	Off 	21 	No
Allow offboard storage 		On 	22 	Yes
Allow Acceleration 			On 	29 	Yes
Allow unmasking 			On 	30 	Yes   

Partition Information

At the HSM Partition level the information in the outputs of"partition show" and "partition showp" includes the following :

Partition Name

Partition Serial #

Activation State

AutoActivation State

Partition storage space (bytes)

Partition storage space used (bytes)

Partition storage free space (bytes)

Partition Object Count

Partition Policies from the Partition showpolicies command

lunash:> partition showPolicies -partition mypartition
 
Partition Name: mypartition
Partition Num: 65038002
 
   The following capabilities describe this partition and can
   never be changed.

   Description                              Value
   ===========                              =====
   Enable private key cloning               Allowed
   Enable private key wrapping              Disallowed
   Enable private key unwrapping            Allowed
   Enable private key masking               Disallowed
   Enable secret key cloning                Allowed
   Enable secret key wrapping               Allowed
   Enable secret key unwrapping             Allowed
   Enable secret key masking                Disallowed
   Enable multipurpose keys                 Allowed
   Enable changing key attributes           Allowed
   Enable PED use without challenge         Allowed
   Allow failed challenge responses         Allowed
   Enable operation without RSA blinding    Allowed
   Enable signing with non-local keys       Allowed
   Enable raw RSA operations                Allowed
   Max failed user logins allowed           10
   Enable high availability recovery        Allowed
   Enable activation                        Allowed
   Enable auto-activation                   Allowed
   Minimum pin length (inverted: 255 - min) 248
   Maximum pin length                       255
   Enable Key Management Functions          Allowed
   Enable RSA signing without confirmation  Allowed
   Enable Remote Authentication             Allowed
   Enable private key unmasking             Allowed
   Enable secret key unmasking              Allowed
   Enable RSA PKCS mechanism                Allowed
   Enable CBC-PAD (un)wrap keys of any size Allowed
   Enable private key SFF backup/restore    Disallowed
   Enable secret key SFF backup/restore     Disallowed
   Enable Secure Trusted Channel            Allowed


   The following policies are set due to current configuration
   of this partition and may not be altered directly by the
   user.

   Description                              Value
   ===========                              =====
   Challenge for authentication not needed  False


   The following policies describe the current configuration
   of this partition and may be changed by the HSM Administrator.

   Description                              Value        Code
   ===========                              =====        ====
   Allow private key cloning                On           0
   Allow private key unwrapping             On           2
   Allow secret key cloning                 On           4
   Allow secret key wrapping                On           5
   Allow secret key unwrapping              On           6
   Allow multipurpose keys                  On           10
   Allow changing key attributes            On           11
   Ignore failed challenge responses        On           15
   Operate without RSA blinding             On           16
   Allow signing with non-local keys        On           17
   Allow raw RSA operations                 On           18
   Max failed user logins allowed           10           20
   Allow high availability recovery         On           21
   Allow activation                         Off          22
   Allow auto-activation                    Off          23
   Minimum pin length (inverted: 255 - min) 248          25
   Maximum pin length                       255          26
   Allow Key Management Functions           On           28
   Perform RSA signing without confirmation On           29
   Allow Remote Authentication              On           30
   Allow private key unmasking              On           31
   Allow secret key unmasking               On           32
   Allow RSA PKCS mechanism                 On           33
   Allow CBC-PAD (un)wrap keys of any size  On           34
   Force Secure Trusted Channel             Off          37


Command Result : 0 (Success) 
[myluna] lunash:>