The SafeNet Luna HSM MIB
The SAFENET-HSM-MIB defines HSM status information and HSM Partition information that can be viewed via SNMP.
To access tables, use a command like:
```
snmptable -a SHA -A snmppass -u snmpuser -x AES -X snmppass -l authPriv -v 3 192.20.11.59 SAFENET-HSM-MIB::hsmTable
```
The information is defined in tables, as detailed in the following sections.
SNMP Table Updates
The SNMP tables are updated and cached every 60 seconds. Any changes made on the HSM may therefore take up to 60 seconds to be included in the tables. When a query is received to view the tables, the most recent cached version is displayed. If a change you were expecting is not displayed, wait 60 seconds and try again.
NOTE Some values may not get updated automatically, such as the HSM firmware version (hsmFirmwareVersion) following a firmware upgrade. To force an update, restart the SNMP agent.
hsmTable
This table provides a list of all the HSM information on the managed element.
Item | Type | Description | Values |
---|---|---|---|
hsmSerialNumber | DisplayString | Serial number of the HSM; used as an index into the tables. | From factory |
hsmFirmwareVersion | DisplayString | Version of firmware executing on the HSM. | As found |
hsmLabel | DisplayString | Label associated with the HSM. | Provided by SO at init time |
hsmModel | DisplayString | Model identifier for the HSM. | From factory |
hsmAuthenticationMethod | INTEGER | Authentication mode of the HSM. | unknown(1) (not known), password(2) (requires passwords), pedKeys(3) (requires PED) |
hsmRpvInitialized | INTEGER | Remote PED vector (RPV) initialized flag of the HSM. | notSupported(1) (RPV not supported), uninitialized(2) (RPV not initialized), initialized(3) (RPV initialized) |
hsmFipsMode | TruthValue | FIPS 140-2 operation mode enabled flag of the HSM. | Factory set |
hsmPerformance | INTEGER | Performance level of the HSM. | |
hsmStorageTotalBytes | Unsigned32 | Total storage capacity in bytes of the HSM | Factory set |
hsmStorageAllocatedBytes | Unsigned32 | Number of allocated bytes on the HSM | Calculated |
hsmStorageAvailableBytes | Unsigned32 | Number of available bytes on the HSM | Calculated |
hsmMaximumPartitions | Unsigned32 | Maximum number of partitions allowed on the HSM | 2, 5, 10, 15, or 20, per license |
hsmPartitionsCreated | Unsigned32 | Number of partitions created on the HSM | As found |
hsmPartitionsFree | Unsigned32 | Number of partitions that can still be created on the HSM | Calculated |
hsmBackupProtocol | INTEGER | Backup protocol used on the HSM | unknown(1), none(2), cloning(3), keyExport(4) |
hsmAdminLoginAttempts | Counter32 | Number of failed Administrator login attempts left before the HSM is zeroized | As found, calculated |
hsmAuditRoleInitialized | INTEGER | Audit role is initialized flag | notSupported(0), yes(1), no(2) |
hsmManuallyZeroized | TruthValue | Was HSM manually zeroized flag | As found |
hsmUpTime | Counter64 | Up time in seconds since last HSM reset | Counted |
hsmBusyTime | Counter64 | Busy time in seconds since the last HSM reset | Calculated |
hsmCommandCount | Counter64 | HSM commands processed since last HSM reset | Counted |
The hsmPartitionTable
This table provides a list of all the partition information on the managed element.
Item | Type | Description | Values |
---|---|---|---|
hsmPartitionSerialNumber | DisplayString | Serial number for the partition | Generated |
hsmPartitionLabel | DisplayString | Label assigned to the partition | Provided at partition creation |
hsmPartitionActivated | TruthValue | Partition activation flag | Set by policy |
hsmPartitionStorageTotalBytes | Unsigned32 | Total storage capacity in bytes of the partition | Set or calculated at partition creation or re-size |
hsmPartitionStorageAllocatedBytes | Unsigned32 | Number of allocated (in use) bytes on the partition | Calculated |
hsmPartitionStorageAvailableBytes | Unsigned32 | Number of available (unused) bytes on the partition | Calculated |
hsmPartitionObjectCount | Unsigned32 | Number of objects in the partition | Counted |
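As an added example (not Thales/SafeNet code and not part of the original page), the following Python script parses rows of hsmTable and hsmPartitionTable as returned by snmptable and evaluates the checks a monitoring pipeline would want from these objects: Administrator login attempts remaining before zeroization, FIPS mode, audit role state, and storage and partition headroom. It assumes snmptable was run with `-Cf ,` so that columns are comma-delimited; the two sample tables are constructed and contain only the columns the checks use.

```python
"""Health checks over SAFENET-HSM-MIB hsmTable and hsmPartitionTable rows.

Added example; this is not Thales/SafeNet code. It parses the delimited form
of `snmptable` output (net-snmp's `-Cf ,` option is assumed to produce the
comma-separated layout below) and evaluates each row against simple
operational thresholds. The sample tables are constructed for this example.
"""
import re
from typing import Dict, List

# Constructed sample of `snmptable -Cf , ... SAFENET-HSM-MIB::hsmTable`,
# limited to the columns the checks use. Column names are the MIB objects.
SAMPLE_HSM_TABLE = """SNMP table: SAFENET-HSM-MIB::hsmTable

hsmSerialNumber,hsmFirmwareVersion,hsmLabel,hsmFipsMode,hsmStorageTotalBytes,hsmStorageAllocatedBytes,hsmMaximumPartitions,hsmPartitionsFree,hsmAdminLoginAttempts,hsmAuditRoleInitialized,hsmManuallyZeroized
66331,7.1.0,sa7pw,true(1),33554432,31457280,100,1,1,no(2),false(2)
"""

# Constructed sample of the matching hsmPartitionTable query.
SAMPLE_PARTITION_TABLE = """SNMP table: SAFENET-HSM-MIB::hsmPartitionTable

hsmPartitionSerialNumber,hsmPartitionLabel,hsmPartitionActivated,hsmPartitionStorageTotalBytes,hsmPartitionStorageAllocatedBytes,hsmPartitionObjectCount
1234567890,payments-prod,true(1),1048576,1000000,412
1234567891,dev-test,false(2),1048576,65536,12
"""

_ENUM = re.compile(r"^\w+\((\d+)\)$")  # net-snmp renders enums as name(code)


def parse_snmptable(text: str, sep: str = ",") -> List[Dict[str, str]]:
    """Turn delimited snmptable output into one dict per row.

    The 'SNMP table:' banner and blank lines are skipped; the first remaining
    line is the column header.
    """
    lines = [ln.strip() for ln in text.splitlines()
             if ln.strip() and not ln.startswith("SNMP table:")]
    header = [h.strip() for h in lines[0].split(sep)]
    rows = []
    for ln in lines[1:]:
        cells = [c.strip().strip('"') for c in ln.split(sep)]
        rows.append(dict(zip(header, cells)))
    return rows


def enum_code(value: str) -> int:
    """'password(2)' -> 2; a bare integer string passes through."""
    m = _ENUM.match(value)
    return int(m.group(1)) if m else int(value)


def is_true(value: str) -> bool:
    """SNMP TruthValue is true(1) or false(2)."""
    return enum_code(value) == 1


def check_hsm(row: Dict[str, str], storage_warn_pct: int = 90,
              min_admin_attempts: int = 2) -> List[str]:
    """Return 'SEVERITY serial: reason' findings for one hsmTable row."""
    sn = row["hsmSerialNumber"]
    findings = []
    if not is_true(row["hsmFipsMode"]):
        findings.append(f"WARN {sn}: FIPS 140-2 mode is not enabled")
    if is_true(row["hsmManuallyZeroized"]):
        findings.append(f"CRIT {sn}: HSM reports it was manually zeroized")
    # hsmAdminLoginAttempts is the number of failed SO logins *left* before
    # the HSM zeroizes, so a low value means zeroization is one mistake away.
    left = int(row["hsmAdminLoginAttempts"])
    if left < min_admin_attempts:
        findings.append(f"CRIT {sn}: only {left} failed Administrator "
                        f"login(s) left before zeroization")
    used_pct = (100 * int(row["hsmStorageAllocatedBytes"])
                // int(row["hsmStorageTotalBytes"]))
    if used_pct >= storage_warn_pct:
        findings.append(f"WARN {sn}: HSM storage {used_pct}% allocated")
    if int(row["hsmPartitionsFree"]) == 0:
        findings.append(f"WARN {sn}: no partition slots left "
                        f"(maximum {row['hsmMaximumPartitions']})")
    # hsmAuditRoleInitialized: notSupported(0), yes(1), no(2)
    if enum_code(row["hsmAuditRoleInitialized"]) == 2:
        findings.append(f"WARN {sn}: Audit role not initialized, so no audit log")
    return findings


def check_partition(row: Dict[str, str], storage_warn_pct: int = 90) -> List[str]:
    """Return findings for one hsmPartitionTable row."""
    label = f"{row['hsmPartitionSerialNumber']} ({row['hsmPartitionLabel']})"
    used_pct = (100 * int(row["hsmPartitionStorageAllocatedBytes"])
                // int(row["hsmPartitionStorageTotalBytes"]))
    findings = []
    if used_pct >= storage_warn_pct:
        findings.append(f"WARN partition {label}: storage {used_pct}% allocated")
    if is_true(row["hsmPartitionActivated"]):
        findings.append(f"INFO partition {label}: activation flag is set")
    return findings


def run_checks(hsm_text: str, partition_text: str) -> List[str]:
    """Parse both tables and concatenate all findings."""
    findings = []
    for row in parse_snmptable(hsm_text):
        findings.extend(check_hsm(row))
    for row in parse_snmptable(partition_text):
        findings.extend(check_partition(row))
    return findings


if __name__ == "__main__":
    for line in run_checks(SAMPLE_HSM_TABLE, SAMPLE_PARTITION_TABLE):
        print(line)
```

Because the agent refreshes its cache only every 60 seconds (see SNMP Table Updates above), a poller built on this should not run more often than that, and a value such as hsmAdminLoginAttempts that is already at 1 should be treated as urgent rather than waited out.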
hsmLicenseTable
This table provides a list of all the license information on the managed element. More than one HSM might be connected to a host, so entries are accessed with two indices: the first identifies the HSM to which the license entry corresponds (hsmSerialNumber), the second identifies the license itself (hsmLicenseID).
Item | Type | Description | Values |
---|---|---|---|
hsmLicenseID | DisplayString | License identifier | Set at factory or at capability update |
hsmLicenseDescription | DisplayString | License description | Set at factory or at capability update |
hsmPolicyTable
This table provides a list of all the HSM policy information on the managed element.
Item | Type | Description | Values |
---|---|---|---|
hsmPolicyType | INTEGER | Type of policy | capability(1), policy(2) |
hsmPolicyID | Unsigned32 | Policy identifier | Numeric value that identifies the policy and is used as an index into the policy table |
hsmPolicyDescription | DisplayString | Description of the policy | Brief text description of what the policy does |
hsmPolicyValue | DisplayString | Current value of the policy | Brief text description to show current state/value of policy |
hsmPartitionPolicyTable
This table provides a list of all the partition policy information on the managed element.
Item | Type | Description | Values |
---|---|---|---|
hsmPartitionPolicyType | INTEGER | Capability or policy | capability(1), policy(2) |
hsmPartitionPolicyID | Unsigned32 | Policy identifier | Numeric value that identifies the policy and is used as an index into the policy table |
hsmPartitionPolicyDescription | DisplayString | Description of the policy | Brief text description of what the policy does |
hsmPartitionPolicyValue | DisplayString | Current value of the policy | Brief text description to show current state/value of policy |
hsmClientRegistrationTable
This table provides a list of registered clients.
Item | Type | Description | Values |
---|---|---|---|
hsmClientName | DisplayString | Name of the client | Name provided on client cert |
hsmClientAddress | DisplayString | Address of the client | IP address of the client |
hsmClientRequiresHTL | TruthValue | Flag specifying whether HTL is required for the client | Flag set on the HSM host side to control client access. Note: HTL is not available in release 7.x; this value always returns false for 7.x HSMs. |
hsmClientOTTExpiry | INTEGER | OTT expiry time (-1 if not provisioned) | Expiry time, in seconds, for the HTL one-time token (range 0-3600); -1 indicates not provisioned, 0 means never expires. Note: HTL is not available in release 7.x; this value always returns -1 for 7.x HSMs. |
hsmClientPartitionAssignmentTable
This table provides a list of assigned partitions for a given client.
Item | Type | Description | Values |
---|---|---|---|
hsmClientHsmSerialNumber | DisplayString | Index into the HSM table | -- |
hsmClientPartitionSerialNumber | DisplayString | Index into the Partition Table | -- |
SNMP output compared to SafeNet tools output
For comparison, the following shows LunaCM or LunaSH command outputs that provide HSM information equivalent to the SNMP information depicted in the tables above (from the HSM MIB).
HSM Information
At the HSM level, the information in the outputs of hsm show, hsm showpolicies, and hsm displaylicenses includes the following:
- SW Version
- FW Version
- HSM label
- Serial #
- HW Model
- Authentication Method
- RPV state
- FIPS mode
- HSM total storage space (bytes)
- HSM used storage space (bytes)
- HSM free storage space (bytes)
- Performance level
- Max # of partitions
- # of partitions created
- # of free partitions
- Policies, as shown below:
```
lunash:>hsm showpolicies

HSM Label: sa7pw
Serial #: 66331
Firmware: 7.1.0

The following capabilities describe this HSM, and cannot be altered
except via firmware or capability updates.

Description                              Value
===========                              =====
Enable PIN-based authentication          Allowed
Enable PED-based authentication          Disallowed
Performance level                        15
Enable domestic mechanisms & key sizes   Allowed
Enable masking                           Disallowed
Enable cloning                           Allowed
Enable full (non-backup) functionality   Allowed
Enable non-FIPS algorithms               Allowed
Enable SO reset of partition PIN         Allowed
Enable network replication               Allowed
Enable Korean Algorithms                 Disallowed
FIPS evaluated                           Disallowed
Manufacturing Token                      Disallowed
Enable forcing user PIN change           Allowed
Enable portable masking key              Allowed
Enable partition groups                  Disallowed
Enable remote PED usage                  Disallowed
HSM non-volatile storage space           33554432
Enable unmasking                         Allowed
Maximum number of partitions             100
Enable Single Domain                     Disallowed
Enable Unified PED Key                   Disallowed
Enable MofN                              Disallowed
Enable small form factor backup/restore  Disallowed
Enable Secure Trusted Channel            Allowed
Enable decommission on tamper            Allowed
Enable partition re-initialize           Disallowed
Enable low level math acceleration       Allowed
Enable Fast-Path                         Disallowed
Allow Disabling Decommission             Allowed
Enable Tunnel Slot                       Disallowed
Enable Controlled Tamper Recovery        Allowed

The following policies are set due to current configuration of
this HSM and cannot be altered directly by the user.

Description                              Value
===========                              =====
PIN-based authentication                 True

The following policies describe the current configuration of
this HSM and may be changed by the HSM Administrator.
Changing policies marked "destructive" will erase all HSM partitions
on the HSM.

IMPORTANT NOTE: Changing policy 46 (Disable Decommission) will erase
all partitions AND zeroize your HSM.

Description                              Value   Code   Destructive
===========                              =====   ====   ===========
Allow cloning                            On      7      Yes
Allow non-FIPS algorithms                On      12     Yes
SO can reset partition PIN               Off     15     Yes
Allow network replication                On      16     No
Force user PIN change after set/reset    On      21     No
Allow offboard storage                   On      22     Yes
Allow unmasking                          On      30     No
Current maximum number of partitions     100     33     No
Allow Secure Trusted Channel             Off     39     No
Decommission on tamper                   Off     40     Yes
Allow low level math acceleration        On      43     No
Disable Decommission                     Off     46     Yes
Do Controlled Tamper Recovery            On      48     No

Command Result : 0 (Success)
```
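Because the settable policies in this output (for example Allow non-FIPS algorithms, Allow Secure Trusted Channel, Decommission on tamper) define the HSM's security posture, a routine operational control is to diff hsm showpolicies output against an approved baseline. The following Python is an added example, not Thales/SafeNet code: it parses the four-column policy section into code-keyed records and reports every deviation from the baseline, noting whether correcting it would be a destructive change. The excerpt of output and the baseline values are constructed for this example; the excerpt follows the layout shown above but includes only some of the rows.

```python
"""Policy-drift check over LunaSH `hsm showpolicies` output.

Added example; not Thales/SafeNet code. It parses the settable-policy section
(the table headed "Description  Value  Code  Destructive") and diffs it against
a baseline of required values. The sample excerpt and baseline are constructed.
"""
import re
from typing import Dict, List, NamedTuple


class Policy(NamedTuple):
    description: str
    value: str         # "On", "Off", or a number such as "100"
    destructive: bool  # changing it erases all partitions on the HSM


# Constructed excerpt in the layout LunaSH prints; only some of the rows
# from the full output are included.
SAMPLE_SHOWPOLICIES = """\
lunash:>hsm showpolicies

HSM Label: sa7pw
Serial #: 66331
Firmware: 7.1.0

The following policies describe the current configuration of
this HSM and may be changed by the HSM Administrator.

Description                          Value   Code   Destructive
===========                          =====   ====   ===========
Allow cloning                        On      7      Yes
Allow non-FIPS algorithms            On      12     Yes
SO can reset partition PIN           Off     15     Yes
Allow network replication            On      16     No
Current maximum number of partitions 100     33     No
Allow Secure Trusted Channel         Off     39     No
Decommission on tamper               Off     40     Yes
Disable Decommission                 Off     46     Yes

Command Result : 0 (Success)
"""

# The four-column "=====" rule marks the start of the settable-policy table;
# the two-column capability tables in the same output have only two rules
# and are deliberately ignored.
_TABLE_RULE = re.compile(r"^=+\s+=+\s+=+\s+=+$")
_ROW = re.compile(
    r"^(?P<desc>.+?)\s+(?P<value>\S+)\s+(?P<code>\d+)\s+(?P<destr>Yes|No)$")


def parse_policies(text: str) -> Dict[int, Policy]:
    """Map policy code -> Policy for every row of the settable-policy table."""
    policies: Dict[int, Policy] = {}
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if _TABLE_RULE.match(line):
            in_table = True
            continue
        if not in_table:
            continue
        m = _ROW.match(line)
        if not m:  # a blank line or "Command Result" ends the table
            in_table = False
            continue
        policies[int(m["code"])] = Policy(m["desc"], m["value"], m["destr"] == "Yes")
    return policies


# Constructed baseline: values a hardened deployment requires, keyed by code.
BASELINE = {
    12: "Off",  # Allow non-FIPS algorithms
    39: "On",   # Allow Secure Trusted Channel
    40: "On",   # Decommission on tamper
    46: "Off",  # Disable Decommission
}


def policy_drift(policies: Dict[int, Policy], baseline: Dict[int, str]) -> List[str]:
    """List every baseline policy that is absent or set to a different value."""
    findings = []
    for code, expected in sorted(baseline.items()):
        pol = policies.get(code)
        if pol is None:
            findings.append(f"MISSING policy {code}: not present in output")
        elif pol.value != expected:
            impact = "destructive" if pol.destructive else "non-destructive"
            findings.append(f"DRIFT {code} ({pol.description}): is {pol.value}, "
                            f"expected {expected}; change is {impact}")
    return findings


if __name__ == "__main__":
    for finding in policy_drift(parse_policies(SAMPLE_SHOWPOLICIES), BASELINE):
        print(finding)
```

The drift report is keyed by the numeric policy code rather than the description because the code is what hsm changepolicy takes and what hsmPolicyID exposes over SNMP, so the same baseline can be applied to either source.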
Partition Information
At the application partition level, the information in the outputs of partition show and partition showpolicies includes the following:
- Partition Name
- Partition Serial #
- Activation State
- AutoActivation State
- Partition total storage space (bytes)
- Partition used storage space (bytes)
- Partition free storage space (bytes)
- Partition Object Count
- Partition policies, from the partition showpolicies command:
```
lunacm:> partition showpolicies

Partition Capabilities
0: Enable private key cloning : 1
1: Enable private key wrapping : 1
2: Enable private key unwrapping : 1
3: Enable private key masking : 0
4: Enable secret key cloning : 1
5: Enable secret key wrapping : 1
6: Enable secret key unwrapping : 1
7: Enable secret key masking : 0
10: Enable multipurpose keys : 1
11: Enable changing key attributes : 1
15: Allow failed challenge responses : 1
16: Enable operation without RSA blinding : 1
17: Enable signing with non-local keys : 1
18: Enable raw RSA operations : 1
20: Max failed user logins allowed : 10
21: Enable high availability recovery : 1
22: Enable activation : 0
23: Enable auto-activation : 0
25: Minimum pin length (inverted: 255 - min) : 248
26: Maximum pin length : 255
28: Enable Key Management Functions : 1
29: Enable RSA signing without confirmation : 1
31: Enable private key unmasking : 1
32: Enable secret key unmasking : 1
33: Enable RSA PKCS mechanism : 1
34: Enable CBC-PAD (un)wrap keys of any size : 1
37: Enable Secure Trusted Channel : 1
39: Enable Start/End Date Attributes : 1

Partition Policies
0: Allow private key cloning : 1
1: Allow private key wrapping : 0
2: Allow private key unwrapping : 1
3: Allow private key masking : 0
4: Allow secret key cloning : 1
5: Allow secret key wrapping : 1
6: Allow secret key unwrapping : 1
7: Allow secret key masking : 0
10: Allow multipurpose keys : 1
11: Allow changing key attributes : 1
15: Ignore failed challenge responses : 1
16: Operate without RSA blinding : 1
17: Allow signing with non-local keys : 1
18: Allow raw RSA operations : 1
20: Max failed user logins allowed : 10
21: Allow high availability recovery : 1
22: Allow activation : 0
23: Allow auto-activation : 0
25: Minimum pin length (inverted: 255 - min) : 248
26: Maximum pin length : 255
28: Allow Key Management Functions : 1
29: Perform RSA signing without confirmation : 1
31: Allow private key unmasking : 1
32: Allow secret key unmasking : 1
33: Allow RSA PKCS mechanism : 1
34: Allow CBC-PAD (un)wrap keys of any size : 1
37: Force Secure Trusted Channel : 0
39: Allow Start/End Date Attributes : 0

Command Result : No Error
```