SNMP monitoring
This section describes Simple Network Management Protocol (SNMP v2c) support for remotely monitoring certain conditions of ProtectServer 3 Network HSMs. Thales provides the following Management Information Base files (MIBs) with the ProtectToolkit software:
- SAFENET-PTK-GLOBAL-MIB.mib: The global MIB, describing the tree from the Thales Enterprise OID to the PTK sub-tree.
- SAFENET-PTK-APPLIANCE-MIB.mib: Defines SNMP access to information about the ProtectServer 3 appliance.
- SAFENET-PTK-HSM-MIB.mib: Defines SNMP access to information about the ProtectServer K7 HSM.
These MIBs are included in the client installer package directory SNMP-MIB. They must be loaded in your preferred SNMP client.
On Linux, if you are using snmp-utils, you can either edit the configuration file snmpd.conf in your home directory, or add the MIBs on the command line using snmpcmd -m <colon-separated_list_of_MIBs>.
Querying the ProtectServer 3 Network HSM via SNMP
You can query the ProtectServer 3 Network HSM for information by specifying the following Object Identifiers (OIDs):
.1.3.6.1.4.1 (enterprise)
└───.31746 (Gemalto)
    └───.1500 (SafeNet)
        └───.6 (ProtectServer)
            ├───.1 (HSM)
            │   ├───.1 (hsmSerialNumber)
            │   ├───.2 (hsmFirmwareVersion)
            │   ├───.3 (hsmSecurityMode)
            │   ├───.4 (hsmModel)
            │   ├───.5 (hsmTransportMode)
            │   ├───.6 (hsmFMSupport)
            │   ├───.7 (hsmFMStatus)
            │   ├───.8 (hsmOpenSessionCount)
            │   ├───.9 (hsmNumberOfSlots)
            │   ├───.10 (hsmUsage)
            │   └───.11 (hsmState)
            └───.2 (Appliance)
                ├───.1 (appSoftwareVersion)
                ├───.2 (cprovVersion)
                ├───.3 (etnetserverRunning)
                └───.5 (audittraceRunning)
For example, querying the OID .1.3.6.1.4.1.31746.1500.6.1.2 will return the current HSM firmware version:
$ snmpget -c community -v2c 172.20.11.186 .1.3.6.1.4.1.31746.1500.6.1.2
.1.3.6.1.4.1.31746.1500.6.1.2 = STRING: 5.06.00
The MIBs allow you to simplify queries to use the strings listed above, instead of specifying the entire OID:
$ snmpget -c community -v2c 172.20.11.186 etnetserverRunning
SAFENET-PTK-APPLIANCE-MIB::etnetserverRunning = INTEGER: true(1)
Note
On Ubuntu 20.04 LTS host systems, all SNMP information must be obtained before querying the ProtectServer 3 Network HSM using strings as shown above. To obtain all SNMP information, run the following commands:
sudo apt-get install snmp-mibs-downloader
sudo download-mibs
sudo sed -i "s/^\(mibs *:\).*/#\1/" /etc/snmp/snmp.conf
sudo service snmpd restart
The following example uses a Windows SNMP client:
Note
SNMP information is placed in an internal cache on the appliance, so information reported by querying these OIDs could be up to 60 seconds old.
HSM information
The following table describes the HSM information that is retrievable via SNMP.
Name | OID | Description |
---|---|---|
hsmSerialNumber | .1.3.6.1.4.1.31746.1500.6.1.1 | Serial number of the HSM adapter. |
hsmFirmwareVersion | .1.3.6.1.4.1.31746.1500.6.1.2 | Current HSM firmware version. |
hsmSecurityMode | .1.3.6.1.4.1.31746.1500.6.1.3 | Security flags currently set on the HSM (see Security Flags). |
hsmModel | .1.3.6.1.4.1.31746.1500.6.1.4 | Model identifier for the HSM. |
hsmTransportMode | .1.3.6.1.4.1.31746.1500.6.1.5 | Transport mode currently set on the HSM (see Using Transport Mode to Avoid a Board Removal Tamper). |
hsmFMSupport | .1.3.6.1.4.1.31746.1500.6.1.6 | Indicates whether FMs are supported on the HSM. |
hsmFMStatus | .1.3.6.1.4.1.31746.1500.6.1.7 | Current status of FM(s) loaded on the HSM. |
hsmOpenSessionCount | .1.3.6.1.4.1.31746.1500.6.1.8 | Current number of open sessions on the HSM. |
hsmNumberOfSlots | .1.3.6.1.4.1.31746.1500.6.1.9 | Current number of slots/tokens on the HSM. |
hsmUsage | .1.3.6.1.4.1.31746.1500.6.1.10 | Current percentage of HSM CPU capacity in use (see hsmstate). |
hsmState | .1.3.6.1.4.1.31746.1500.6.1.11 | Current state of the HSM (see hsmstate). |
Appliance information
The following table describes the HSM appliance information that is retrievable via SNMP.
Name | OID | Description |
---|---|---|
appSoftwareVersion | .1.3.6.1.4.1.31746.1500.6.2.1 | Current appliance software version. |
cprovVersion | .1.3.6.1.4.1.31746.1500.6.2.2 | Current version of the ProtectToolkit-C PKCS#11 Cryptoki provider. |
etnetserverRunning | .1.3.6.1.4.1.31746.1500.6.2.3 | Indicates whether the etnetserver service is currently running on the appliance. |
audittraceRunning | .1.3.6.1.4.1.31746.1500.6.2.5 | Indicates whether the audittrace service is currently running on the appliance. |
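
A monitoring check built on the OIDs in the tables above, added here as an example (not Thales code): it parses numeric net-snmp text output and reports stopped services, version drift from an approved baseline, and OIDs that returned no value. The function names, the baseline versions, the sample output and the `false(2)` encoding are assumptions made for illustration.

```python
import re

BASE = ".1.3.6.1.4.1.31746.1500.6"
# Names and OIDs taken from the tables on this page.
OIDS = {
    "hsmFirmwareVersion": BASE + ".1.2",
    "appSoftwareVersion": BASE + ".2.1",
    "etnetserverRunning": BASE + ".2.3",
    "audittraceRunning": BASE + ".2.5",
}
# Matches "<numeric OID> = <TYPE>: <value>", tolerating spaces around ':'.
LINE = re.compile(r"^(\.[\d.]+)\s*=\s*([A-Za-z0-9-]+)\s*:\s*(.*)$")

def parse(output):
    """Map OID -> value from `snmpget` / `snmpwalk -On` text output."""
    values = {}
    for line in output.splitlines():
        m = LINE.match(line.strip())
        if not m:  # e.g. "= No Such Object ..." carries no "TYPE:" part
            continue
        oid, _type, raw = m.groups()
        enum = re.search(r"\((\d+)\)\s*$", raw)  # "true(1)" -> "1"
        values[oid] = enum.group(1) if enum else raw.strip().strip('"')
    return values

def findings(output, baseline):
    """Return alert strings; `baseline` holds the approved version strings."""
    values, out = parse(output), []
    for name, oid in OIDS.items():
        got = values.get(oid)
        if got is None:
            out.append(f"{name}: no value returned")
        elif name.endswith("Running"):
            if got != "1":  # the page shows true(1) for a running service
                out.append(f"{name}: service not running")
        elif got != baseline[name]:
            out.append(f"{name}: {got} differs from baseline {baseline[name]}")
    return out

# Constructed sample output, not captured from a real appliance.
SAMPLE = """\
.1.3.6.1.4.1.31746.1500.6.1.2 = STRING: 5.06.00
.1.3.6.1.4.1.31746.1500.6.2.1 = No Such Object available on this agent at this OID
.1.3.6.1.4.1.31746.1500.6.2.3 = INTEGER: true(1)
.1.3.6.1.4.1.31746.1500.6.2.5 = INTEGER: false(2)
"""
BASELINE = {"hsmFirmwareVersion": "5.06.01", "appSoftwareVersion": "1.0.0"}

if __name__ == "__main__":
    print("\n".join(findings(SAMPLE, BASELINE)))
```

Because the appliance caches SNMP data for up to 60 seconds, polling more often than that adds no information. SNMP v2c carries the community string in cleartext, so run the poll from a restricted management network.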