Partition Utilization Metrics

In order to ensure the quality of service (QoS) that you provide to applications that make use of HSM partitions, it is first necessary to know how the users and applications are making use of the HSM resources - that is, the distribution of demand.

For an HSM with a single application partition, it can be helpful to know what type of load is being imposed on the HSM and the enumeration and categorization of operations that are being performed. Application developers might have a good idea of the expected ratio of operations, but the operations team managing the application servers would like to know the real-world utilization, for their planning and management purposes.

NOTE   Utilization metrics are based on utilization counters that track operations by category. These are not to be confused with usage counters, which track and limit the number of times a key or certificate is allowed to be used.

Rules of acquisition

Utilization Metrics count these operations within category "bins" per partition:

>Sign

>Verify

>Encrypt

>Decrypt

>Key generate

>Key derive

Operations not in that list do not increment any counter. That is, an operation request to the HSM increments counters in 0 or more bins. The list might expand in future releases. Each bin has a single counter that counts how many requests have been received from the host, since the last counter-reset order or power cycle. Counters for a partition can be read and reset as a single operation, or as two separate operations.

The utilization counters count requests to the HSM rather than successful operations: successful requests are expected and are counted, but unsuccessful requests also consume HSM resources and are therefore counted as well. A request that fails on the host, meaning it never reaches the HSM, is not counted, because it did not use any HSM resources.

Utilization counters are volatile, and therefore are lost in the event of a power failure. If they are valued, they should be polled regularly and the results kept in non-volatile storage on the host.

Availability of Partition Utilization Metrics

Utilization metrics are supported using HSM-level policy 49: Allow Partition Utilization Metrics. That policy is off (value 0) by default, as it is not required in all use-cases, and is most useful where multiple applications use the HSM.

NOTE   The Utilization Metrics feature allows the HSM SO to know which operations are being performed on the HSM. This information is normally available only to the Auditor when audit logging is turned on. However, while the SO can see a record of cryptographic operations, there is no visibility as to which keys are being used.

Setting the policy on (value 1) enables utilization metrics for all partitions including the Admin partition. Changing the policy is not destructive in either direction (off-to-on or on-to-off).

The hsm showUtilization command allows you to view the current utilization counter values for all partitions, and overall counts for the entire HSM, without resetting the counters.

The hsm resetUtilization command allows you to reset to zero the current utilization counter values for all partitions.

To access the Partition Utilization Metrics feature

1. Log in as HSM SO (see Logging In as HSM Security Officer).

lunacm:> role login -name so

2. Enable HSM policy 49: Allow Partition Utilization Metrics.

lunacm:> hsm changehsmpolicy -policy 49 -value 1

To view or save Partition Utilization Metrics without resetting

lunacm:> hsm showUtilization -serial <partition_SN>

To reset the Partition Utilization Metrics counters to zero

Metrics are reset whenever power to the HSM is lost, the HSM is reset, or the HSM is initialized; none of these events saves the metrics.

To display the metrics since the last reset (making them available to be captured manually or by script) and then immediately reset the metrics:

lunacm:> hsm resetUtilization
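Because the counters are volatile (see Rules of acquisition above), the host side of the procedure is a poller that captures the output of hsm showUtilization at intervals, keeps the snapshots in non-volatile storage, and works out per-bin deltas between polls. The following is an added example of such a poller and is not Thales code. It assumes the caller has already captured the command output as text; the line layout it parses (`Partition <serial>: Sign=<n> Verify=<n> ...`) and the sample counts are constructed for illustration, not real lunacm output, so adapt LINE_RE and PAIR_RE to the real format. A counter that is lower than in the previous snapshot is treated as a reset (power loss, HSM reset, or hsm resetUtilization), and the delta for that poll is the counter's current value.

```python
"""Host-side poller for partition utilization counters (added example, not Thales code)."""
import json
import os
import re
import tempfile
import time

# The six bins the page lists; every snapshot carries all of them.
BINS = ("Sign", "Verify", "Encrypt", "Decrypt", "Key generate", "Key derive")

# Constructed sample in the ASSUMED layout; real hsm showUtilization output differs.
SAMPLE_OUTPUT = """\
Partition 1234567890123: Sign=1500 Verify=320 Encrypt=0 Decrypt=12 Key generate=4 Key derive=0
Partition 1234567890124: Sign=10 Verify=10 Encrypt=900 Decrypt=880 Key generate=1 Key derive=2
"""

LINE_RE = re.compile(r"^Partition\s+(\d+):\s*(.*)$")  # assumed layout
PAIR_RE = re.compile(r"(Sign|Verify|Encrypt|Decrypt|Key generate|Key derive)=(\d+)")


def parse_utilization(text):
    """Return {partition_serial: {bin: count}} from captured command output."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, prompts and other non-counter lines are skipped
        serial, rest = m.groups()
        counts = {name: int(val) for name, val in PAIR_RE.findall(rest)}
        result[serial] = {b: counts.get(b, 0) for b in BINS}
    return result


def hsm_totals(snapshot):
    """Per-bin totals across all partitions, i.e. the whole-HSM view."""
    return {b: sum(bins[b] for bins in snapshot.values()) for b in BINS}


def compute_deltas(previous, current):
    """Requests per bin since the previous poll.

    A counter below its previous value means the counters were reset in between
    (power loss, HSM reset, or hsm resetUtilization); the delta is then the
    counter's current value and the reset is flagged so operators know that
    requests made before the reset were lost.
    """
    deltas = {}
    for serial, bins in current.items():
        prev = previous.get(serial, {})
        reset = any(bins[b] < prev.get(b, 0) for b in BINS)
        deltas[serial] = {
            "reset_detected": reset,
            "counts": {b: (bins[b] if reset else bins[b] - prev.get(b, 0)) for b in BINS},
        }
    return deltas


def persist_snapshot(snapshot, path):
    """Write the snapshot atomically so a crash mid-write keeps the old file."""
    record = {"timestamp": time.time(), "counters": snapshot}
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        json.dump(record, f)
    os.replace(tmp, path)


def load_snapshot(path):
    if not os.path.exists(path):
        return {}
    with open(path) as f:
        return json.load(f)["counters"]


def poll_once(output_text, state_path):
    """One polling cycle: parse, diff against the stored snapshot, persist."""
    current = parse_utilization(output_text)
    previous = load_snapshot(state_path)
    deltas = compute_deltas(previous, current)
    persist_snapshot(current, state_path)
    return deltas


def demo():
    """Three polls against a temp file: initial, normal growth, then a reset."""
    state = os.path.join(tempfile.mkdtemp(), "utilization.json")
    first = poll_once(SAMPLE_OUTPUT, state)
    second = poll_once(SAMPLE_OUTPUT.replace("Sign=1500", "Sign=1700"), state)
    third = poll_once(SAMPLE_OUTPUT.replace("Sign=1500", "Sign=40"), state)
    return first, second, third


if __name__ == "__main__":
    for i, d in enumerate(demo(), 1):
        print(f"poll {i}:", json.dumps(d, indent=1))
```

Run the poller from cron or a service at the chosen interval, feeding it the captured command output; the stored JSON is the non-volatile record the page recommends, and the reset flag tells you when a gap in the counts is due to a counter reset rather than a quiet period.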