The SafeNet Luna HSM MIB

The SAFENET-HSM-MIB defines HSM status information and HSM Partition information that can be viewed via SNMP.

To access tables, use a command like:

snmptable -a SHA -A snmppass -u snmpuser -x AES -X snmppass -l authPriv -v 3 192.20.11.59 SAFENET-HSM-MIB::hsmTable

The information is defined in tables, as detailed in the following sections.

SNMP Table Updates

The SNMP tables are updated and cached every 60 seconds. Any changes made on the HSM may therefore take up to 60 seconds to be included in the tables. When a query is received to view the tables, the most recent cached version is displayed. If a change you were expecting is not displayed, wait 60 seconds and try again.

NOTE   Some values may not get updated automatically, such as the HSM firmware version (hsmFirmwareVersion) following a firmware upgrade. To force an update, restart the SNMP agent.

hsmTable

This table provides a list of all the HSM information on the managed element.

Item                        Type           Description                                                  Values
hsmSerialNumber             DisplayString  Serial number of the HSM; used as an index into the tables.  From factory
hsmFirmwareVersion          DisplayString  Version of firmware executing on the HSM.                    As found
hsmLabel                    DisplayString  Label associated with the HSM.                               Provided by SO at init time
hsmModel                    DisplayString  Model identifier for the HSM.                                From factory
hsmAuthenticationMethod     INTEGER        Authentication mode of the HSM.                              unknown(1) not known; password(2) requires passwords; pedKeys(3) requires PED
hsmRpvInitialized           INTEGER        Remote PED vector (RPV) initialized flag of the HSM.         notSupported(1) RPV not supported; uninitialized(2) RPV not initialized; initialized(3) RPV initialized
hsmFipsMode                 TruthValue     FIPS 140-2 operation mode enabled flag of the HSM.           Factory set
hsmPerformance              INTEGER        Performance level of the HSM.
hsmStorageTotalBytes        Unsigned32     Total storage capacity in bytes of the HSM.                  Factory set
hsmStorageAllocatedBytes    Unsigned32     Number of allocated bytes on the HSM.                        Calculated
hsmStorageAvailableBytes    Unsigned32     Number of available bytes on the HSM.                        Calculated
hsmMaximumPartitions        Unsigned32     Maximum number of partitions allowed on the HSM.             2, 5, 10, 15, or 20, per license
hsmPartitionsCreated        Unsigned32     Number of partitions created on the HSM.                     As found
hsmPartitionsFree           Unsigned32     Number of partitions that can still be created on the HSM.   Calculated
hsmBackupProtocol           INTEGER        Backup protocol used on the HSM.                             unknown(1), none(2), cloning(3), keyExport(4)
hsmAdminLoginAttempts       Counter32      Number of failed Administrator login attempts left before the HSM is zeroized.   As found, calculated
hsmAuditRoleInitialized     INTEGER        Audit role is initialized flag.                              notSupported(0), yes(1), no(2)
hsmManuallyZeroized         TruthValue     Was HSM manually zeroized flag.                              As found
hsmUpTime                   Counter64      Up time in seconds since last HSM reset.                     Counted
hsmBusyTime                 Counter64      Busy time in seconds since the last HSM reset.               Calculated
hsmCommandCount             Counter64      HSM commands processed since last HSM reset.                 Counted
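The columns above are what a monitoring job would poll. The following is an added example (not from the Luna documentation or from any Thales tool) that parses snmptable output for hsmTable and reports the rows a security team would want alerting on: FIPS mode off, a manual zeroization, an uninitialized audit role, few Administrator login attempts left before zeroization, low free storage, and no partitions left under the license. It assumes the table was collected with net-snmp's -Cf , option so columns are comma separated, and the sample output embedded below is constructed, trimmed to the columns the checks use.

```python
"""Parse `snmptable` output for SAFENET-HSM-MIB::hsmTable and flag HSM state worth alerting on.
Example code, not part of the Luna documentation; the sample output below is constructed."""
import csv
import io
import re

# Constructed sample of `snmptable -Cf , ... SAFENET-HSM-MIB::hsmTable` output, trimmed to the
# columns the checks use (assumption: -Cf , makes the columns comma separated).
SAMPLE_HSM_TABLE = """\
SNMP table: SAFENET-HSM-MIB::hsmTable

hsmSerialNumber,hsmFirmwareVersion,hsmLabel,hsmFipsMode,hsmStorageTotalBytes,hsmStorageAvailableBytes,hsmPartitionsFree,hsmAdminLoginAttempts,hsmAuditRoleInitialized,hsmManuallyZeroized
66331,7.3.0,myLunaHSM,true(1),33554432,1048576,0,2,no(2),false(2)
"""

ENUM_RE = re.compile(r"^([A-Za-z]+)\((\d+)\)$")  # SNMP enum rendering such as "true(1)" or "no(2)"

def parse_snmptable(text):
    """Return one dict per table row, skipping the 'SNMP table:' banner and blank lines."""
    rows = [ln for ln in text.splitlines() if ln.strip() and not ln.startswith("SNMP table:")]
    return list(csv.DictReader(io.StringIO("\n".join(rows))))

def enum_name(value):
    """'true(1)' -> 'true'; non-enum values such as '7.3.0' come back unchanged."""
    m = ENUM_RE.match(value.strip())
    return m.group(1) if m else value.strip()

def check_hsm_row(row, min_login_attempts=3, min_free_fraction=0.10):
    """Findings for one hsmTable row; an empty list means nothing to report."""
    serial, findings = row["hsmSerialNumber"], []
    if enum_name(row["hsmFipsMode"]) != "true":
        findings.append(f"{serial}: FIPS 140-2 mode is not enabled")
    if enum_name(row["hsmManuallyZeroized"]) == "true":
        findings.append(f"{serial}: HSM reports it was manually zeroized")
    if enum_name(row["hsmAuditRoleInitialized"]) == "no":
        findings.append(f"{serial}: audit role not initialized, so no HSM audit logging")
    attempts = int(row["hsmAdminLoginAttempts"])  # failed SO logins left before zeroization
    if attempts < min_login_attempts:
        findings.append(f"{serial}: {attempts} failed Administrator logins left before zeroization")
    total, free = int(row["hsmStorageTotalBytes"]), int(row["hsmStorageAvailableBytes"])
    if total and free < total * min_free_fraction:
        findings.append(f"{serial}: only {free} of {total} bytes free ({100 * free // total}%)")
    if int(row["hsmPartitionsFree"]) == 0:
        findings.append(f"{serial}: no partitions left under the current license")
    return findings

def check_hsm_table(text, **thresholds):
    """Run check_hsm_row over every HSM in the table (one row per hsmSerialNumber)."""
    return [f for row in parse_snmptable(text) for f in check_hsm_row(row, **thresholds)]
```

Because the agent caches the tables for 60 seconds, run the check on that cadence or slower; a faster poll only re-reads the same cached snapshot.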

hsmPartitionTable

This table provides a list of all the partition information on the managed element.

Item                               Type           Description                                            Values
hsmPartitionSerialNumber           DisplayString  Serial number for the partition.                       Generated
hsmPartitionLabel                  DisplayString  Label assigned to the partition.                       Provided at partition creation
hsmPartitionActivated              TruthValue     Partition activation flag.                             Set by policy
hsmPartitionStorageTotalBytes      Unsigned32     Total storage capacity in bytes of the partition.      Set or calculated at partition creation or re-size
hsmPartitionStorageAllocatedBytes  Unsigned32     Number of allocated (in use) bytes on the partition.   Calculated
hsmPartitionStorageAvailableBytes  Unsigned32     Number of available (unused) bytes on the partition.   Calculated
hsmPartitionObjectCount            Unsigned32     Number of objects in the partition.                    Counted

hsmLicenseTable

This table provides a list of all the license information on the managed element. More than one HSM might be connected to a Host, so they are accessed with two indices; the first index identifies the HSM for which the license entry corresponds (hsmSerialNumber), the second is the index for the corresponding license (hsmLicenseID).

Item                    Type           Description           Values
hsmLicenseID            DisplayString  License identifier    Set at factory or at capability update
hsmLicenseDescription   DisplayString  License description   Set at factory or at capability update

hsmPolicyTable

This table provides a list of all the HSM policy information on the managed element.

Item                    Type           Description                   Values
hsmPolicyType           INTEGER        Type of policy                capability(1), policy(2)
hsmPolicyID             Unsigned32     Policy identifier             Numeric value that identifies the policy and is used as an index into the policy table
hsmPolicyDescription    DisplayString  Description of the policy     Brief text description of what the policy does
hsmPolicyValue          DisplayString  Current value of the policy   Brief text description showing the current state/value of the policy

hsmPartitionPolicyTable   

This table provides a list of all the partition policy information on the managed element.

Item                             Type           Description                   Values
hsmPartitionPolicyType           INTEGER        Capability or policy          capability(1), policy(2)
hsmPartitionPolicyID             Unsigned32     Policy identifier             Numeric value that identifies the policy and is used as an index into the policy table
hsmPartitionPolicyDescription    DisplayString  Description of the policy     Brief text description of what the policy does
hsmPartitionPolicyValue          DisplayString  Current value of the policy   Brief text description showing the current state/value of the policy

hsmClientRegistrationTable

This table provides a list of registered clients.

Item                    Type           Description                                        Values
hsmClientName           DisplayString  Name of the client                                 Name provided on client cert
hsmClientAddress        DisplayString  Address of the client                              IP address of the client
hsmClientRequiresHTL    TruthValue     Flag specifying if HTL is required for the client   Flag set at HSM host side to control client access
hsmClientOTTExpiry      INTEGER        OTT expiry time (-1 if not provisioned)            Expiry time, in seconds, for the HTL OneTimeToken (range is 0-3600); -1 indicates not provisioned, 0 means never expires

Note: HTL is not available in release 7.x. For 7.x HSMs, hsmClientRequiresHTL will always return false and hsmClientOTTExpiry will always return -1.

hsmClientPartitionAssignmentTable   

This table provides a list of assigned partitions for a given client.   

Item                              Type           Description                      Values
hsmClientHsmSerialNumber          DisplayString  Index into the HSM table         --
hsmClientPartitionSerialNumber    DisplayString  Index into the Partition Table   --

SNMP output compared to SafeNet tools output

For comparison, the following shows LunaCM or LunaSH command outputs that provide HSM information equivalent to the SNMP information in the MIB tables above.

HSM Information

At the HSM level, the information in the outputs of hsm show, hsm showpolicies, and hsm displaylicenses includes the following:

>SW Version

>FW Version

>HSM label

>Serial #

>HW Model

>Authentication Method

>RPV state

>FIPS mode

>HSM total storage space (bytes)

>HSM used storage space (bytes)

>HSM free storage space (bytes)

>Performance level

>Max # of partitions

># of partitions created

># of free partitions

>Policies as shown below:

lunash:>hsm showpolicies
 
 
   HSM Label:   myLunaHSM
   Serial #:    66331
   Firmware:    7.3.0
 
   The following capabilities describe this HSM, and cannot be altered
   except via firmware or capability updates.
 
   Description                              Value
   ===========                              =====
   Enable PIN-based authentication          Allowed
   Enable PED-based authentication          Disallowed
   Performance level                        15
   Enable domestic mechanisms & key sizes   Allowed
   Enable masking                           Disallowed
   Enable cloning                           Allowed
   Enable full (non-backup) functionality   Allowed
   Enable non-FIPS algorithms               Allowed
   Enable SO reset of partition PIN         Allowed
   Enable network replication               Allowed
   Enable Korean Algorithms                 Disallowed
   FIPS evaluated                           Disallowed
   Manufacturing Token                      Disallowed
   Enable forcing user PIN change           Allowed
   Enable portable masking key              Allowed
   Enable partition groups                  Disallowed
   Enable remote PED usage                  Disallowed
   HSM non-volatile storage space           33554432
   Enable unmasking                         Allowed
   Maximum number of partitions             100
   Enable Single Domain                     Disallowed
   Enable Unified PED Key                   Disallowed
   Enable MofN                              Disallowed
   Enable small form factor backup/restore  Disallowed
   Enable Secure Trusted Channel            Allowed
   Enable decommission on tamper            Allowed
   Enable partition re-initialize           Disallowed
   Enable low level math acceleration       Allowed
   Enable Fast-Path                         Disallowed
   Allow Disabling Decommission             Allowed
   Enable Tunnel Slot                       Disallowed
   Enable Controlled Tamper Recovery        Allowed
   Enable Partition Utilization Metrics     Allowed
 
 
   The following policies are set due to current configuration of
   this HSM and cannot be altered directly by the user.
 
   Description                              Value
   ===========                              =====
   PIN-based authentication                 True
 
 
   The following policies describe the current configuration of
   this HSM and may be changed by the HSM Administrator.
   Changing policies marked "destructive" will erase all HSM partitions
   on the HSM.
 
   IMPORTANT NOTE: Changing policy 46 (Disable Decommission) will erase
   all partitions AND zeroize your HSM.
 
   Description                              Value        Code      Destructive
   ===========                              =====        ====      ===========
   Allow cloning                            On           7         Yes
   Allow non-FIPS algorithms                On           12        Yes
   SO can reset partition PIN               Off          15        Yes
   Allow network replication                On           16        No
   Force user PIN change after set/reset    On           21        No
   Allow offboard storage                   On           22        Yes
   Allow unmasking                          On           30        No
   Current maximum number of partitions     100          33        No
   Allow Secure Trusted Channel             Off          39        No
   Decommission on tamper                   Off          40        Yes
   Allow low level math acceleration        On           43        No
   Disable Decommission                     Off          46        Yes
   Do Controlled Tamper Recovery            On           48        No
   Allow Partition Utilization Metrics      Off          49        No
 
 
 
Command Result : 0 (Success)

Partition Information

At the application partition level, the information in the outputs of partition show and partition showpolicies includes the following:

>Partition Name

>Partition Serial #

>Activation State

>AutoActivation State

>Partition total storage space (bytes)

>Partition used storage space (bytes)

>Partition free storage space (bytes)

>Partition Object Count

>Partition policies from the partition showpolicies command:

lunacm:> partition showpolicies
        Partition Capabilities
                 0: Enable private key cloning : 1
                 1: Enable private key wrapping : 1
                 2: Enable private key unwrapping : 1
                 3: Enable private key masking : 0
                 4: Enable secret key cloning : 1
                 5: Enable secret key wrapping : 1
                 6: Enable secret key unwrapping : 1
                 7: Enable secret key masking : 0
                10: Enable multipurpose keys : 1
                11: Enable changing key attributes : 1
                15: Allow failed challenge responses : 1
                16: Enable operation without RSA blinding : 1
                17: Enable signing with non-local keys : 1
                18: Enable raw RSA operations : 1
                20: Max failed user logins allowed : 10
                21: Enable high availability recovery : 1
                22: Enable activation : 0
                23: Enable auto-activation : 0
                25: Minimum pin length (inverted: 255 - min) : 248
                26: Maximum pin length : 255
                28: Enable Key Management Functions : 1
                29: Enable RSA signing without confirmation : 1
                31: Enable private key unmasking : 1
                32: Enable secret key unmasking : 1
                33: Enable RSA PKCS mechanism : 1
                34: Enable CBC-PAD (un)wrap keys of any size : 1
                37: Enable Secure Trusted Channel : 1
                39: Enable  Start/End Date Attributes : 1
 
        Partition Policies
                 0: Allow private key cloning : 1
                 1: Allow private key wrapping : 0
                 2: Allow private key unwrapping : 1
                 3: Allow private key masking : 0
                 4: Allow secret key cloning : 1
                 5: Allow secret key wrapping : 1
                 6: Allow secret key unwrapping : 1
                10: Allow multipurpose keys : 1
                11: Allow changing key attributes : 1
                15: Ignore failed challenge responses : 1
                16: Operate without RSA blinding : 1
                17: Allow signing with non-local keys : 1
                18: Allow raw RSA operations : 1
                20: Max failed user logins allowed : 10
                21: Allow high availability recovery : 1
                22: Allow activation : 0
                23: Allow auto-activation : 0
                25: Minimum pin length (inverted: 255 - min) : 248
                26: Maximum pin length : 255
                28: Allow Key Management Functions : 1
                29: Perform RSA signing without confirmation : 1
                31: Allow private key unmasking : 1
                32: Allow secret key unmasking : 1
                33: Allow RSA PKCS mechanism : 1
                34: Allow CBC-PAD (un)wrap keys of any size : 1
                37: Force Secure Trusted Channel : 0
                39: Allow Start/End Date Attributes : 0
 
Command Result : No Error