SNMP Configuration Guide
This document provides step-by-step instructions for enabling, configuring, and verifying SNMP (Simple Network Management Protocol) functionality between a Luna Network HSM and an SNMP Manager running on Linux. It is broken down into the following sections:
>Introduction to Traps and Informs
>Overview of SNMP Functionality
>Configuring SNMP on the SNMP Manager (Linux Host)
>Configuring SNMP on the Luna Network HSM Device
Introduction to Traps and Informs
In SNMP, traps and informs are notifications sent from the Luna Network HSM (agent) to the SNMP Manager to report events or status changes. The key difference is that traps are one-way messages sent without acknowledgment, while informs require the SNMP manager to acknowledge receipt; if no acknowledgment is received, the HSM resends the message. This makes informs more reliable but slightly slower due to the confirmation process. In general, traps are suitable for routine monitoring, while informs are preferred for critical alerts where confirmation of delivery is important.
Overview of SNMP Functionality
The Luna Network HSM supports SNMPv3, providing secure communication and monitoring capabilities for HSM status, operational metrics, and event traps.
The configuration process includes:
>Creating SNMP users on the HSM
>Defining traps (destinations for SNMP notifications)
>Setting up SNMP notifications
>Configuring the SNMP Manager to receive and interpret these traps
Prerequisites
On SNMP Manager (Linux):
>Root or sudo privileges
>Network connectivity with the HSM (UDP ports 161 and 162 open)
Configuring SNMP on the SNMP Manager (Linux Host)
1. Install required packages.
yum install net-snmp-devel net-snmp net-snmp-utils -y
>net-snmp: Core SNMP daemon and libraries.
>net-snmp-devel: Provides net-snmp-config utility.
>net-snmp-utils: Provides SNMP testing tools like snmpwalk, snmptable, etc.
2. Locate and install MIB files.
net-snmp-config --default-mibdirs
# Expected output (example): /usr/share/snmp/mibs
cp <Luna MIB's path> /usr/share/snmp/mibs
snmptranslate -Tp
# Displays MIB hierarchy including CHRYSALIS-UTSP-MIB, SAFENET-HSM-MIB, and SAFENET-APPLIANCE-MIB
3. Configure the SNMP trap daemon.
The trap daemon (snmptrapd) listens for SNMP traps on UDP port 162.
Edit the configuration file /etc/snmp/snmptrapd.conf and add the following lines:
# SNMPv3 user configuration for receiving traps
# createUser <securityName> <authenticationProtocol> <authenticationPassword> <privacyProtocol> <privacyPassword>
createUser restuser SHA myAuthPassword AES myPrivPassword
# Allows traps from this SNMPv3 user to be logged (log), passed to trap handlers (execute), and forwarded (net)
authUser log,execute,net restuser
# Applies the -Os output format (short OID names); logs will go into /var/log/messages
outputOption s
4. Start and enable the snmptrapd service.
sudo systemctl enable snmptrapd
sudo systemctl start snmptrapd
sudo systemctl status snmptrapd
# Ensure it listens on UDP port 162
sudo netstat -anu | grep 162
Configuring SNMP on the Luna Network HSM Device
1. Start the SNMP service.
service start snmp
2. Create SNMP user.
Use the REST API endpoint to create an SNMPv3 user.
POST /api/lunasa/snmp/users
{
"securityName": "restuser",
"authenticationPassword": "password",
"authenticationProtocol": "SHA",
"privacyPassword": "password",
"privacyProtocol": "AES"
}
3. Create SNMP trap destination.
Define where the HSM should send SNMP traps (to SNMP Manager).
POST /api/lunasa/snmp/traps
{
"address": "<SNMP Manager IP>",
"securityName": "restuser",
"authenticationPassword": "password",
"authenticationProtocol": "SHA",
"privacyPassword": "password",
"privacyProtocol": "AES",
"engineId": "<engineId from SNMP Manager>",
"trapType": "trap"
}
Verify the created trap:
GET /api/lunasa/snmp/traps
4. Add notification for SNMP user.
Each user can have one or more notifications defined.
Example for trap notification:
POST /api/lunasa/snmp/users/{userId}/notifications
{
"address": "<SNMP Manager IP>",
"port": 162,
"authenticationPassword": "password",
"authenticationProtocol": "SHA",
"privacyPassword": "password",
"privacyProtocol": "AES",
"type": "trap",
"engineId": "000FFFFFFFA9"
}
Example for inform notification:
{
"address": "<SNMP Manager IP>",
"port": 162,
"authenticationPassword": "password",
"authenticationProtocol": "SHA",
"privacyPassword": "password",
"privacyProtocol": "AES",
"type": "inform"
}
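An added example (not Thales or net-snmp code) that checks the manager's /etc/snmp/snmptrapd.conf against a Luna REST request body carrying securityName and the four credential fields, because the trap daemon only accepts SNMPv3 notifications when both sides hold the same user, protocols and passphrases. The function names and finding texts are hypothetical, and the inputs are this page's sample values used literally.

```python
import shlex

WEAK = {"MD5", "DES"}  # legacy USM algorithms that net-snmp still accepts

def parse_snmptrapd_conf(text):
    """Return (users, acl) from the createUser and authUser directives."""
    users, acl = {}, {}
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)  # drops '#' comments, keeps quoted words
        if tok[:1] == ["createUser"]:
            args = tok[3:] if tok[1:2] == ["-e"] else tok[1:]  # optional -e <engineID>
            name, auth, apass, priv, ppass = (args + [""] * 5)[:5]
            users[name] = (auth.upper(), apass, priv.upper(),
                           ppass or apass)  # priv passphrase defaults to the auth one
        elif tok[:1] == ["authUser"] and len(tok) > 2:
            args = tok[4:] if tok[2:3] == ["-s"] else tok[2:]  # optional -s <model>
            name, level = (args + ["", ""])[:2]
            acl[name] = (set(tok[1].split(",")), level or "auth")
    return users, acl

def audit(conf_text, hsm_body):
    """Compare snmptrapd.conf with a Luna REST body; return a list of findings."""
    users, acl = parse_snmptrapd_conf(conf_text)
    name, out = hsm_body["securityName"], []
    if name not in users or name not in acl:
        return ["createUser/authUser entry missing for " + name]
    auth, apass, priv, ppass = users[name]
    h_auth, h_priv = hsm_body["authenticationProtocol"], hsm_body["privacyProtocol"]
    h_apass, h_ppass = hsm_body["authenticationPassword"], hsm_body["privacyPassword"]
    if (auth, priv) != (h_auth.upper(), h_priv.upper()):
        out.append("protocol mismatch between HSM and manager")
    if (apass, ppass) != (h_apass, h_ppass):
        out.append("passphrase mismatch between HSM and manager")
    if apass == ppass or h_apass == h_ppass:
        out.append("authentication and privacy passphrases are identical")
    if {auth, priv} & WEAK or not priv:
        out.append("weak or missing auth/privacy protocol")
    types, level = acl[name]
    if level != "priv":  # default level also admits authNoPriv notifications
        out.append(f"authUser level is '{level}', not priv: unencrypted notifications are accepted")
    if types - {"log"}:
        out.append("authUser also grants: " + ",".join(sorted(types - {"log"})))
    return out

# Constructed input: the sample values printed on this page, used literally.
PAGE_CONF = ("createUser restuser SHA myAuthPassword AES myPrivPassword\n"
             "authUser log,execute,net restuser\n")
PAGE_USER = {"securityName": "restuser", "authenticationProtocol": "SHA", "privacyProtocol": "AES",
             "authenticationPassword": "password", "privacyPassword": "password"}
print("\n".join(audit(PAGE_CONF, PAGE_USER)))
```

Adding priv as the level argument of authUser (authUser log restuser priv) makes snmptrapd require encrypted notifications from that user.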
Testing SNMP Functionality
Using MIB files:
# CHRYSALIS-UTSP-MIB Examples
snmpwalk -v3 -l authPriv -u <user> -a SHA -A <authPass> -x AES -X <privPass> {HSM_IP} CHRYSALIS-UTSP-MIB::hsmOperationRequests
snmpwalk -v3 -l authPriv -u <user> -a SHA -A <authPass> -x AES -X <privPass> {HSM_IP} CHRYSALIS-UTSP-MIB::hsmCriticalEvents
# SAFENET-HSM-MIB Examples
snmpwalk -v3 -l authPriv -u <user> -a SHA -A <authPass> -x AES -X <privPass> {HSM_IP} SAFENET-HSM-MIB::hsmTable
snmpwalk -v3 -l authPriv -u <user> -a SHA -A <authPass> -x AES -X <privPass> {HSM_IP} SAFENET-HSM-MIB::hsmPartitionTable
# SAFENET-APPLIANCE-MIB Example
snmpwalk -v3 -l authPriv -u <user> -a SHA -A <authPass> -x AES -X <privPass> {HSM_IP} SAFENET-APPLIANCE-MIB::appSoftwareVersion
Testing Traps
After configuring both the Luna Network HSM (SNMP Agent) and the SNMP Manager (trap receiver), perform the following steps to test SNMP traps.
1. Enable debug logging on SNMP Manager.
To confirm that traps are being received, start snmptrapd in the foreground with verbose logging:
sudo systemctl stop snmptrapd
sudo snmptrapd -f -Lo -d -n
2. Generate a test trap from the Luna Network HSM 7.
Before generating a test SNMP trap, regenerate the NTLS certificate so that it expires within 5 days, then disable and re-enable the NTLS certificate monitor using the following commands:
ntls certificate monitor disable
ntls certificate monitor enable
3. Verify trap reception on SNMP Manager.
sysUpTimeInstance = Timeticks: (44818015) 5 days, 4:29:40.15
snmpTrapOID.0 = OID: enterprises.12383.3.1.3.1
enterprises.12383.3.1.2.6 = STRING: "Nov 6 15:28:00 2025 GMT"
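An added example, not part of the Luna documentation, that scans captured snmptrapd output for the test trap shown in step 3 and reports how far away the reported date is. It assumes the STRING varbind carries the NTLS certificate expiry time in the format shown; the function name and the 5-day window parameter are illustrative.

```python
import re
from datetime import datetime, timedelta, timezone

TRAP_OID = "enterprises.12383.3.1.3.1"  # snmpTrapOID.0 value in the page's sample output
RECORD = re.compile(
    r'snmpTrapOID\.0 = OID: (?P<oid>\S+)'   # start of one notification
    r'(?:(?!snmpTrapOID\.0).)*?'             # stay inside that notification
    r'= STRING: "(?P<text>[^"]*)"',          # its first string varbind
    re.DOTALL,
)

def cert_traps(output, now, window=timedelta(days=5)):
    """Return [(expiry, remaining, in_window)] for each matching trap in the output."""
    hits = []
    for m in RECORD.finditer(output):
        if m["oid"] != TRAP_OID:
            continue                          # some other notification
        try:
            # Assumption: the string is an expiry timestamp in this format
            expiry = datetime.strptime(m["text"], "%b %d %H:%M:%S %Y GMT")
        except ValueError:
            continue                          # string varbind is not a timestamp
        expiry = expiry.replace(tzinfo=timezone.utc)
        remaining = expiry - now
        hits.append((expiry, remaining, timedelta(0) <= remaining <= window))
    return hits

# Constructed capture: an unrelated coldStart notification, then the page's trap.
SAMPLE = """\
sysUpTimeInstance = Timeticks: (100) 0:00:01.00
snmpTrapOID.0 = OID: coldStart
sysUpTimeInstance = Timeticks: (44818015) 5 days, 4:29:40.15
snmpTrapOID.0 = OID: enterprises.12383.3.1.3.1
enterprises.12383.3.1.2.6 = STRING: "Nov 6 15:28:00 2025 GMT"
"""

if __name__ == "__main__":
    for expiry, remaining, ok in cert_traps(SAMPLE, datetime.now(timezone.utc)):
        print(expiry.isoformat(), "remaining:", remaining, "within window:", ok)
```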
See Also
SNMP Trap Configuration: POST /api/lunasa/snmp/traps
SNMP User Configuration: POST /api/lunasa/snmp/users
SNMP User Notification Creation: POST /api/lunasa/snmp/users/{userid}/notifications