Partition Utilization Metrics

In order to ensure the quality of service (QoS) that you provide to applications that make use of HSM partitions, it is first necessary to know how the users and applications are making use of the HSM resources - that is, the distribution of demand.

For an HSM with a single application partition, it can be helpful to know what type of load is being imposed on the HSM and the enumeration and categorization of operations that are being performed. Application developers might have a good idea of the expected ratio of operations, but the operations team managing the application servers would like to know the real-world utilization, for their planning and management purposes.

For a Network HSM with multiple partitions that are sharing the space and the processing resources of the HSM, it is useful to know which partitions are presenting the greatest load, and the kinds of operations that are most common or frequent. That knowledge aids in resource planning and possible relocation or reallocation of partitions to ensure reliable service for all users.

NOTE   Utilization metrics are based on utilization counters that track operations by category. This is not to be confused with usage counters, that track and limit the number of times a key or certificate is allowed to be used.

NOTE   This feature has software and/or firmware dependencies. See Version Dependencies by Feature for more information.

Rules of acquisition

Utilization Metrics count these operations within category "bins" per partition:

>Sign

>Verify

>Encrypt

>Decrypt

>Key generate

>Key derive

Operations not in that list do not increment any counter. That is, an operation request to the HSM increments counters in 0 or more bins. The list might expand in future releases. Each bin has a single counter that counts how many requests have been received from the host, since the last counter-reset order or power cycle. Counters for a partition can be read and reset as a single operation, or as two separate operations.

The utilization counters count requests to the HSM, because, while successful requests are expected and are counted, unsuccessful requests also consume resources and therefore need to be counted as well. Any request that fails on the host - meaning it does not reach the HSM - is not counted, because it did not use any HSM resources.

Utilization counters are volatile, and therefore are lost in the event of a power failure. If they are valued, they should be polled regularly and the results kept in non-volatile storage on the host.

Administration

Either of the HSM SO or Administrator roles can be responsible for managing utilization metrics. The HSM Administrator role can be initialized if you prefer to keep the functions separate. If the overhead of maintaining a separate Administrator role is not acceptable (an additional set of PED Keys for PED-authenticated HSMs), then the SO can handle the utilization metrics. On the other hand, if you do not wish to invoke the sensitive (in a security sense) HSM SO PED Keys on a regular basis, then the Administrator role, which is less-sensitive and less widely capable can be assigned the task.

Availability of Partition Utilization Metrics

Utilization metrics are supported by firmware 7.3 (and newer) which implements HSM-level policy 49 "Allow Partition Utilization Metrics". That policy is off (value 0) by default, as it is not required in all use-cases, and is most useful where multiple applications use the HSM.

NOTE   The Utilization Metrics feature allows the HSM administrator and SO to know which operations are being performed on the HSM. This information is normally available only to the Auditor when audit logging is turned on. However, while the SO can see a record of cryptographic operations, there is no visibility as to which keys are being used.

Setting the policy on (value 1) enables utilization metrics for all partitions including the Admin partition. Changing the policy is not destructive in either direction (off-to-on or on-to-off).

The hsm qos metrics show command allows you to view the current utilization counter values for all partitions, and overall counts for the entire HSM, or to export the current counts to a file, without resetting the counters.

The hsm qos metrics reset command allows you to reset to zero the current utilization counter values for all partitions; additionally, you have the option to view the current counts or to export the current counts to a file, without losing any counts between the view/export action and the reset action.

To access the Partition Utilization Metrics feature

1.Ensure that your HSM is at firmware version 7.3 or newer, or upgrade to a suitable version; see Updating the SafeNet Luna HSM Firmware.

2.Set HSM policy 49 (Allow Partition Utilization Metrics) to "On"

lunash:>hsm changepolicy -policy 49 -value 1


'hsm changePolicy' successful.

Policy Allow Partition Utilization Metrics is now set to value: 1


Command Result : 0 (Success)
To view or save Partition Utilization Metrics without resetting

Run the hsm qos metrics show command.

lunash:>hsm qos metrics show 
To reset the Partition Utilization Metrics counters to zero

Metrics are reset whenever power is lost to the HSM or the HSM is reset, or the HSM is initialized. These events do not save

Run the hsm qos metrics reset command.

lunash:>hsm qos metrics reset 
To reset the Partition Utilization Metrics counters to zero while also viewing or exporting the information

Run the hsm qos metrics reset -export command (which saves the current counter values to a named file before they are zeroed).

lunash:>hsm qos metrics reset -export somefilename

 

Additionally,

Or run the hsm qos metrics reset -display command (which shows, but does not save the counter data).

lunash:>hsm qos metrics reset -display