SNMP Monitoring

This section describes Simple Network Management Protocol (SNMP v2c) support for remotely monitoring certain conditions of ProtectServer Network HSMs. Thales provides the following Management Information Base files (MIBs) with the ProtectToolkit client software:

>SAFENET-PTK-GLOBAL-MIB.mib

The global MIB, describing the tree from the Thales Enterprise OID to the PTK sub-tree.

>SAFENET-PTK-APPLIANCE-MIB.mib

Defines SNMP access to information about the ProtectServer appliance.

>SAFENET-PTK-HSM-MIB.mib

Defines SNMP access to information about the ProtectServer K6 HSM.

These MIBs are included in the client installer package directory SNMP-MIB. They must be loaded in your preferred SNMP client.

On Linux, if you are using snmp-utils, you can either edit the configuration file snmpd.conf in your home directory, or add the MIBs on the command line using snmpcmd -m <colon-separated_list_of_MIBs>.

Querying the ProtectServer Network HSM via SNMP

You can query the ProtectServer Network HSM for information by specifying the following Object Identifiers (OIDs):

.1.3.6.1.4.1 (enterprise)
           └───.31746 (Gemalto)
                    └───.1500 (SafeNet)
                            └───.6 (ProtectServer)
                                 ├───.1 (HSM)
                                 │    ├───.1 (hsmSerialNumber)
                                 │    ├───.2 (hsmFirmwareVersion)
                                 │    ├───.3 (hsmSecurityMode)
                                 │    ├───.4 (hsmModel)
                                 │    ├───.5 (hsmTransportMode)
                                 │    ├───.6 (hsmFMSupport)
                                 │    ├───.7 (hsmFMStatus)
                                 │    ├───.8 (hsmOpenSessionCount)
                                 │    ├───.9 (hsmNumberOfSlots)
                                 │    ├───.10 (hsmUsage)
                                 │    └───.11 (hsmState)
                                 └───.2 (Appliance)
                                      ├───.1 (appSoftwareVersion)
                                      ├───.2 (cprovVersion)
                                      ├───.3 (etnetserverRunning)
                                      └───.5 (audittraceRunning)

For example, querying the OID .1.3.6.1.4.1.31746.1500.6.1.2 will return the current HSM firmware version:

$ snmpget -c community -v2c 172.20.11.186 .1.3.6.1.4.1.31746.1500.6.1.2

.1.3.6.1.4.1.31746.1500.6.1.2 = STRING: 5.06.00

The MIBs allow you to simplify queries to use the strings listed above, instead of specifying the entire OID:

$ snmpget -c community -v2c 172.20.11.186 etnetserverRunning

SAFENET-PTK-APPLIANCE-MIB::etnetserverRunning = INTEGER: true(1)

[Figure: example query using a Windows SNMP client]

NOTE   SNMP information is placed in an internal cache on the ProtectServer appliance, so information reported by querying these OIDs could be up to 60 seconds old.
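
The following script is an added example, not part of the Thales documentation or tooling. It reads numeric snmpwalk output (the net-snmp -On output option) and reports firmware drift from an expected version and a stopped etnetserver or audittrace service, using the OIDs listed above. The function names, the DRIFT/DOWN/MISSING labels and the rule that a Running value other than 1 means stopped are assumptions of this example, and the sample input is constructed.

```shell
# Added example: audit PTK OIDs in `snmpwalk -On` output read on stdin.
# Usage: snmpwalk -v2c -c community -On <host> .1.3.6.1.4.1.31746.1500.6 | check_ptk_walk 5.06.00
# Assumption: a *Running object equal to 1 means the service is up; any other value is reported.
check_ptk_walk() {
  awk -v want_fw="$1" '
    BEGIN {
      base = ".1.3.6.1.4.1.31746.1500.6."
      name["1.2"] = "hsmFirmwareVersion"
      name["2.3"] = "etnetserverRunning"
      name["2.5"] = "audittraceRunning"
      n_keys = split("1.2 2.3 2.5", order, " ")
    }
    index($1, base) == 1 {
      key = substr($1, length(base) + 1)
      sub(/\.0$/, "", key)            # tolerate a scalar instance suffix
      if (!(key in name)) next
      val = $0
      sub(/^[^=]*= *[A-Za-z0-9-]+ *: */, "", val)   # strip the OID and type prefix
      gsub(/"/, "", val)
      seen[key] = 1
      if (key == "1.2") {
        if ((val "") != (want_fw "")) { print "DRIFT " name[key] " got=" val " want=" want_fw; bad = 1 }
      } else {
        num = val                     # accept both 1 and true(1) renderings
        if (match(val, /\([0-9]+\)/)) num = substr(val, RSTART + 1, RLENGTH - 2)
        if (num + 0 != 1) { print "DOWN " name[key] " value=" val; bad = 1 }
      }
    }
    END {
      for (i = 1; i <= n_keys; i++)
        if (!(order[i] in seen)) { print "MISSING " name[order[i]]; bad = 1 }
      exit bad + 0
    }'
}

# Constructed sample of numeric walk output, not captured from a real appliance.
sample_walk() {
  cat <<'EOF'
.1.3.6.1.4.1.31746.1500.6.1.2 = STRING: 5.06.00
.1.3.6.1.4.1.31746.1500.6.2.3 = INTEGER: true(1)
.1.3.6.1.4.1.31746.1500.6.2.5 = INTEGER: 2
EOF
}

sample_walk | check_ptk_walk 5.06.00 || echo "findings reported above"
```

Because the appliance serves these values from a cache that can be up to 60 seconds old, a poll scheduled more often than that can return the same reading twice.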

HSM Information

The following table describes the HSM information that is retrievable via SNMP.

Name OID Description
hsmSerialNumber .1.3.6.1.4.1.31746.1500.6.1.1 Serial number of the HSM adapter.
hsmFirmwareVersion .1.3.6.1.4.1.31746.1500.6.1.2 Current HSM firmware version.
hsmSecurityMode .1.3.6.1.4.1.31746.1500.6.1.3 Security flags currently set on the HSM (see Security Flags).
hsmModel .1.3.6.1.4.1.31746.1500.6.1.4 Model identifier for the HSM.
hsmTransportMode .1.3.6.1.4.1.31746.1500.6.1.5 Transport mode currently set on the HSM (see Using Transport Mode to Avoid a Board Removal Tamper).
hsmFMSupport .1.3.6.1.4.1.31746.1500.6.1.6 Indicates whether FMs are supported on the HSM.
hsmFMStatus .1.3.6.1.4.1.31746.1500.6.1.7 Current status of FM(s) loaded on the HSM.
hsmOpenSessionCount .1.3.6.1.4.1.31746.1500.6.1.8 Current number of open sessions on the HSM.
hsmNumberOfSlots .1.3.6.1.4.1.31746.1500.6.1.9 Current number of slots/tokens on the HSM.
hsmUsage .1.3.6.1.4.1.31746.1500.6.1.10 Current percentage of HSM CPU capacity in use (see hsmstate).
hsmState .1.3.6.1.4.1.31746.1500.6.1.11 Current state of the HSM (see hsmstate).

Appliance Information

The following table describes the HSM appliance information that is retrievable via SNMP.

Name OID Description
appSoftwareVersion .1.3.6.1.4.1.31746.1500.6.2.1 Current appliance software version.
cprovVersion .1.3.6.1.4.1.31746.1500.6.2.2 Current version of the ProtectToolkit-C PKCS#11 Cryptoki provider.
etnetserverRunning .1.3.6.1.4.1.31746.1500.6.2.3 Indicates whether the etnetserver service is currently running on the appliance.
audittraceRunning .1.3.6.1.4.1.31746.1500.6.2.5 Indicates whether the audittrace service is currently running on the appliance.