Partition Utilization Metrics
In order to ensure the quality of service (QoS) that you provide to applications that make use of HSM partitions, it is first necessary to know how the users and applications are making use of the HSM resources - that is, the distribution of demand.
For an HSM with a single application partition, it can be helpful to know what type of load is being imposed on the HSM and the enumeration and categorization of operations that are being performed. Application developers might have a good idea of the expected ratio of operations, but the operations team managing the application servers would like to know the real-world utilization, for their planning and management purposes.
For a Network HSM with multiple partitions that are sharing the space and the processing resources of the HSM, it is useful to know which partitions are presenting the greatest load, and the kinds of operations that are most common or frequent. That knowledge aids in resource planning and possible relocation or reallocation of partitions to ensure reliable service for all users.
NOTE Utilization metrics are based on utilization counters that track operations by category. These are not to be confused with usage counters, which track and limit the number of times a key or certificate is allowed to be used.
This feature requires minimum firmware version 7.3.0.
Rules of acquisition
Utilization Metrics count these operations within category "bins" per partition:
- Sign
- Verify
- Encrypt
- Decrypt
- Key generate
- Key derive
Operations not in that list do not increment any counter. That is, an operation request to the HSM increments counters in 0 or more bins. The list might expand in future releases. Each bin has a single counter that counts how many requests have been received from the host, since the last counter-reset order or power cycle. Counters for a partition can be read and reset as a single operation, or as two separate operations.
The utilization counters count requests to the HSM, because, while successful requests are expected and are counted, unsuccessful requests also consume resources and therefore need to be counted as well. Any request that fails on the host - meaning it does not reach the HSM - is not counted, because it did not use any HSM resources.
Utilization counters are volatile, and therefore are lost in the event of a power failure. If they are valued, they should be polled regularly and the results kept in non-volatile storage on the host.
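The polling advice above, as an added example that is not part of the original documentation or the vendor's code: a host-side accumulator that folds successive counter readings into persistent totals and treats any counter that goes backwards as a sign that the partition's counters were zeroed. The reading shape ({partition: {bin: count}}), the bin key names, the state file layout and all function names are assumptions; parsing the HSM's metrics output is not shown because this page does not give its format.

```python
import json
import os
import tempfile

# Keys for the six category bins listed above (key spelling is an assumption).
BINS = ("sign", "verify", "encrypt", "decrypt", "key_generate", "key_derive")


def load_state(path):
    """Return persisted state, or an empty state on first run."""
    if not os.path.exists(path):
        return {"last": {}, "total": {}}
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def fold_snapshot(state, snapshot):
    """Add one reading, shaped {partition: {bin: count}}, to running totals."""
    for part, bins in snapshot.items():
        last = state["last"].get(part, {})
        total = state["total"].setdefault(part, {})
        cur = {b: int(bins.get(b, 0)) for b in BINS}
        # A bin going backwards means the counters were zeroed (reset order
        # or power cycle), so every bin in this reading counts from zero.
        # A reset that is overtaken in every bin before the next poll is missed.
        was_reset = any(cur[b] < last.get(b, 0) for b in BINS)
        for b in BINS:
            delta = cur[b] if was_reset else cur[b] - last.get(b, 0)
            total[b] = total.get(b, 0) + delta
        state["last"][part] = cur
    return state


def save_state(path, state):
    """Write atomically so a host crash cannot leave a truncated file."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(state, fh)
        fh.flush()
        os.fsync(fh.fileno())
    os.replace(tmp, path)


def record_poll(path, snapshot):
    """Load, fold and persist one reading; return the running totals."""
    state = fold_snapshot(load_state(path), snapshot)
    save_state(path, state)
    return state["total"]
```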
Availability of Partition Utilization Metrics
Utilization metrics are supported by firmware 7.3 (and newer), which implements HSM-level policy 49: Allow Partition Utilization Metrics. That policy is off (value 0) by default, as it is not required in all use cases, and is most useful where multiple applications use the HSM.
NOTE The Utilization Metrics feature allows the HSM SO to know which operations are being performed on the HSM. This information is normally available only to the Auditor when audit logging is turned on. However, while the SO can see a record of cryptographic operations, there is no visibility as to which keys are being used.
Setting the policy on (value 1) enables utilization metrics for all partitions including the Admin partition. Changing the policy is not destructive in either direction (off-to-on or on-to-off).
The hsm qos metrics show command allows you to view the current utilization counter values for all partitions, and overall counts for the entire HSM, or to export the current counts to a file, without resetting the counters.
The hsm qos metrics reset command allows you to reset to zero the current utilization counter values for all partitions; additionally, you have the option to view the current counts or to export the current counts to a file, without losing any counts between the view/export action and the reset action.
To access the Partition Utilization Metrics feature
1. Ensure that your HSM is at firmware version 7.3 or newer (if needed, upgrade to a suitable version; see Updating the Luna HSM Firmware).
2. Log in as HSM SO (see Logging In as HSM Security Officer).
   lunash:> hsm login
3. Enable HSM policy 49: Allow Partition Utilization Metrics.
   lunash:> hsm changepolicy -policy 49 -value 1
To view or save Partition Utilization Metrics without resetting
lunash:> hsm qos metrics show
To reset the Partition Utilization Metrics counters to zero
Metrics are reset whenever power is lost to the HSM, the HSM is reset, or the HSM is initialized. These events do not save the metrics.
To reset the metrics without exporting:
lunash:> hsm qos metrics reset
To reset the Partition Utilization Metrics counters to zero while also viewing or exporting the information
lunash:> hsm qos metrics reset -export <filename>
The current counter values are saved to a named file before they are zeroed.
lunash:> hsm qos metrics reset -display
The counter data is displayed but not saved.