SNMP

The equipment can be monitored using the SNMP v2c protocol. The HSM sends traps (unsolicited notifications) on the occurrence of certain events, which can be directed to a standard SNMP collector. In addition, the HSM also responds to Get messages according to the list of supported OIDs.

Info

SNMP Set operations are not supported.

The HSM has specific, proprietary OIDs under the .1.3.6.1.4.1.41054 entry (.iso.org.dod.internet.private.enterprises.dinamonetworks) in the MIB tree, defined in the proprietary MIB file. One OID is used for traps and another for Gets. IANA entry 41054 is registered to Dinamo Networks.

The SNMP configuration parameters via the console are:

  1. Sys Contact: information returned by the HSM in the standard SNMP Get message with OID .1.3.6.1.2.1.1.4 (MIB-2 system group, see below). The registered information is free text chosen by the operator; as recommended by the SNMP standard, the purpose of this OID is: The textual identification of the contact person for this managed node, together with information on how to contact this person.
  2. Sys Location: information returned by the HSM in the standard SNMP Get message with OID .1.3.6.1.2.1.1.6 (MIB-2 system group, see below). The information entered is free text chosen by the operator; as recommended by the SNMP standard, the purpose of this OID is: The physical location of this node (e.g., 'telephone closet, 3rd floor').
  3. Get Community Name: SNMP community name for Get. Fixed (read-only) to public.
  4. Trap Community Name: name of the SNMP community used exclusively for sending traps. This name is only used for pairing in the protocol.
  5. Trap Targets: the list of IP addresses to which the traps generated by the HSM should be sent. Up to 4 targets can be configured.
                        Dinamo - Local Management Console
     ┌──────────────────────────────┤ SNMP ├──────────────────────────────┐
     │                                                                    │
     │  Sys Contact:         ___________________________________________  │
     │  Sys Location:        ___________________________________________  │
     │  Get Community Name:  public                                       │
     │  Trap Community Name: public_____________________________________  │
     │                                                                    │
     │  Trap Targets                                                      │
     │                                                                    │
     │  ┌──────────────────────────────────────────────────────┐ ┌─────┐  │
     │  │                                                      │ │ Add │  │
     │  │                                                      │ └─────┘  │
     │  │                                                      │          │
     │  │                                                      │ ┌─────┐  │
     │  │                                                      │ │ Del │  │
     │  └──────────────────────────────────────────────────────┘ └─────┘  │
     │                             ┌────────┐                             │
     │                             │   OK   │                             │
     │                             └────────┘                             │
     │                                                                    │
     └────────────────────────────────────────────────────────────────────┘


  Service running...                                Replication Domain: <none>
SNMP configuration

All the Get information returned by the HSM is non-sensitive or non-critical information and most of it is also available on the About screen of the Local Console, displayed before any operator authentication.

Gets are answered on HSM UDP port 161 and traps are sent to targets on UDP port 162.

Info

The SNMP community for Get is always public.

The formal definition of the HSM's proprietary OIDs is in the file Dinamo-MIB.txt.

The HSM responds to Gets of the MIB-2 standard, including the following groups:

  • system:

    OID               Name         Value
    .1.3.6.1.2.1.1.1  sysDescr     Text consisting of the HSM model and serial number, firmware version, hardware profile and TPKEY ID.
    .1.3.6.1.2.1.1.2  sysObjectID  The literal text hsm.
    .1.3.6.1.2.1.1.3  sysUpTime    Time elapsed since the HSM was switched on.
    .1.3.6.1.2.1.1.4  sysContact   Text with the information registered in the HSM Console, see above.
    .1.3.6.1.2.1.1.5  sysName      HSM serial number.
    .1.3.6.1.2.1.1.6  sysLocation  Text with the information registered in the HSM Console, see above.

  • interfaces
  • ip
  • icmp
  • tcp
  • udp
  • snmp
  • host resources

The proprietary OIDs to which the HSM responds to Get are described in the table below. They are the ones below .1.3.6.1.4.1.41054, that is, .iso.org.dod.internet.private.enterprises.dinamonetworks.

OID                            Name                Value
.1.3.6.1.4.1.41054.1.1.2.0.1   hsmUpTime           Time elapsed since the HSM was switched on.
.1.3.6.1.4.1.41054.1.1.2.0.2   cpuLoadAverage      Instantaneous CPU consumption measured at the time of the Get.
.1.3.6.1.4.1.41054.1.1.2.0.3   totalMemory         Total HSM memory in percent; fixed value: 100.
.1.3.6.1.4.1.41054.1.1.2.0.4   usedMemory          Percentage of physical memory in use at the time of the Get.
.1.3.6.1.4.1.41054.1.1.2.0.7   hsmCryptoBattery    Percentage of charge of the tamper supervisor circuit battery in the safe zone.
.1.3.6.1.4.1.41054.1.1.2.0.8   diskBockSize        Size in bytes of an individual block of the HSM storage system.
.1.3.6.1.4.1.41054.1.1.2.0.9   diskBlockCount      Count of individual blocks in the storage system.
.1.3.6.1.4.1.41054.1.1.2.0.10  diskFreeBlockCount  Count of unused individual blocks in the storage system.
.1.3.6.1.4.1.41054.1.1.2.0.11  hsmTamperingState   HSM tamper status.
.1.3.6.1.4.1.41054.1.1.2.0.12  hsmNodeAlias        Alias chosen by the operator for the HSM. The alias is defined in the local console.
.1.3.6.1.4.1.41054.1.1.2.0.13  usrCount            Number of partitions in the HSM.
.1.3.6.1.4.1.41054.1.1.2.0.14  objCount            Number of objects in the HSM (across all partitions).
.1.3.6.1.4.1.41054.1.1.2.0.15  slbeLen             Database size (in units of 4 KB).
.1.3.6.1.4.1.41054.1.1.2.0.16  logSize             Log file size (in bytes).
.1.3.6.1.4.1.41054.1.1.2.0.17  atokenCacheCount    Number of cached a-tokens.
.1.3.6.1.4.1.41054.1.1.2.0.18  memTotal            Usable RAM (100%).
.1.3.6.1.4.1.41054.1.1.2.0.19  memAvailable        Estimated available memory (%).
.1.3.6.1.4.1.41054.1.1.2.0.20  memBuffers          Buffers for raw disk blocks (%).
.1.3.6.1.4.1.41054.1.1.2.0.21  memCached           Memory cache (%).
.1.3.6.1.4.1.41054.1.1.2.0.22  memActive           Recently used memory, not reclaimed unless absolutely necessary (%).
.1.3.6.1.4.1.41054.1.1.2.0.23  memInactive         Less recently used memory, reclaimable when necessary (%).
.1.3.6.1.4.1.41054.1.1.2.0.24  anonPages           Memory pages mapped into userspace page tables (%).
.1.3.6.1.4.1.41054.1.1.2.0.25  shMem               Shared memory consumed by IPC (%).
.1.3.6.1.4.1.41054.1.1.2.0.26  kernelSlab          Slab cache of kernel data structures (%).
.1.3.6.1.4.1.41054.1.1.2.0.27  kernelSReclaimable  Part of the slab that can be reclaimed, such as caches (%).
.1.3.6.1.4.1.41054.1.1.2.0.28  sessionCount        Number of user sessions.

The events that can generate traps in the HSM are:

  1. Creating a private key
  2. Destruction of a private key
  3. Service start
  4. Service stop
  5. Automatic service recovery
  6. Use of smart cards
  7. HSM shutdown
  8. HSM reboot
  9. HSM database reset
  10. Authentication failure
  11. Changing user permissions
  12. User creation
  13. User removal
  14. Backup file generation
  15. Restoring a backup file
  16. Firmware update
  17. Private key export
  18. Private key import
  19. Lock in the local HSM console
  20. Unlock in the local HSM console
  21. Failure in the log subsystem (Broken Log)
  22. Replication: return code Busy
  23. Replication: return code Peer Not Synced
  24. Replication: return code Cannot Peer to Peer
  25. Replication: return code Storage Layer Failure
  26. Replication: return code Cannot Validate Event
  27. Replication: return code Transaction Mismatch
  28. Replication: return code Database Live Sync Error
  29. Replication: return code Transaction Log Error
  30. Replication: return code Cannot Start Manager
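As an added example (not code from Dinamo, from Dinamo-MIB.txt or from this manual), the following Python module, using only the standard library, encodes an SNMPv2c GetRequest for the proprietary OIDs in the table above, decodes the GetResponse, evaluates two of the returned values that a monitoring poll should alert on, and checks that a datagram received on UDP port 162 is a v2c Trap PDU carrying the configured trap community before its varbinds are trusted. The OIDs, the fixed Get community public and the port numbers come from this page; the meaning of hsmTamperingState (0 taken as "no tamper"), the 20% battery threshold and the sample trap community hsm-traps are assumptions, and the actual trap OIDs are those defined in Dinamo-MIB.txt.

```python
# Added example (not Dinamo's code): stdlib-only SNMPv2c BER encoding/decoding for the HSM's Get OIDs (UDP/161) and traps (UDP/162).
DINAMO_ENTERPRISE = ".1.3.6.1.4.1.41054"               # IANA entry 41054 (Dinamo Networks)
OID_TAMPER_STATE = DINAMO_ENTERPRISE + ".1.1.2.0.11"   # hsmTamperingState
OID_CRYPTO_BATTERY = DINAMO_ENTERPRISE + ".1.1.2.0.7"  # hsmCryptoBattery (%)
GET_REQUEST, GET_RESPONSE, TRAP_V2 = 0xA0, 0xA2, 0xA7  # context-class PDU tags

def _tlv(tag, value):
    """BER tag-length-value; long-form length once the body reaches 128 bytes."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + value

def _encode_int(tag, n):
    return _tlv(tag, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))  # non-negative only

def encode_oid(oid):
    """Dotted OID -> OBJECT IDENTIFIER; arcs of 128 or more (41054 here) use base-128 continuation bytes."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def encode_varbind(oid, value):
    """value: None (NULL placeholder in a GetRequest), int (INTEGER), or (tag, payload) with tag 0x41/0x42/0x43 (Counter32/Gauge32/TimeTicks) or 0x06 (dotted OID)."""
    if value is None:
        enc = b"\x05\x00"
    elif isinstance(value, int):
        enc = _encode_int(0x02, value)
    else:
        tag, payload = value
        enc = encode_oid(payload) if tag == 0x06 else _encode_int(tag, payload)
    return _tlv(0x30, encode_oid(oid) + enc)

def build_message(pdu_tag, community, request_id, varbinds):
    """SEQUENCE { version 1 (= v2c), community OCTET STRING, PDU { id, err, errIdx, varbind list } }."""
    pdu = _encode_int(0x02, request_id) + _encode_int(0x02, 0) + _encode_int(0x02, 0)
    pdu += _tlv(0x30, b"".join(encode_varbind(o, v) for o, v in varbinds))
    return _tlv(0x30, _encode_int(0x02, 1) + _tlv(0x04, community.encode()) + _tlv(pdu_tag, pdu))

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return "." + ".".join(map(str, arcs))

def _decode_value(tag, body):
    if tag in (0x02, 0x41, 0x42, 0x43):                 # INTEGER, Counter32, Gauge32, TimeTicks
        return int.from_bytes(body, "big", signed=True)
    if tag == 0x04:
        return body.decode("latin-1")
    return decode_oid(body) if tag == 0x06 else None if tag == 0x05 else body  # NULL, or raw noSuchObject etc.

def parse_message(data):
    """Decode a v2c GetResponse or Trap into header fields plus a list of (oid, value) pairs."""
    _, msg, _ = _read_tlv(data, 0)
    _, ver, p = _read_tlv(msg, 0)
    _, comm, p = _read_tlv(msg, p)
    pdu_tag, pdu, _ = _read_tlv(msg, p)
    _, _, p = _read_tlv(pdu, 0)                         # request-id
    _, err, p = _read_tlv(pdu, p)                       # error-status
    _, _, p = _read_tlv(pdu, p)                         # error-index
    _, vbl, _ = _read_tlv(pdu, p)
    varbinds, p = [], 0
    while p < len(vbl):
        _, vb, p = _read_tlv(vbl, p)
        _, oid_body, q = _read_tlv(vb, 0)
        vtag, vbody, _ = _read_tlv(vb, q)
        varbinds.append((decode_oid(oid_body), _decode_value(vtag, vbody)))
    return {"version": ver[0], "community": comm.decode("latin-1"), "pdu_type": pdu_tag,
            "error_status": int.from_bytes(err, "big", signed=True), "varbinds": varbinds}

def check_hsm_values(varbinds, battery_warn_pct=20):
    """Poll conditions to alert on. ASSUMPTIONS: tamper state 0 means 'no tamper'; 20% is an arbitrary threshold."""
    values, alerts = dict(varbinds), []
    if values.get(OID_TAMPER_STATE) not in (None, 0):
        alerts.append(f"hsmTamperingState={values[OID_TAMPER_STATE]}")
    battery = values.get(OID_CRYPTO_BATTERY)
    if battery is not None and battery < battery_warn_pct:
        alerts.append(f"hsmCryptoBattery={battery}% below {battery_warn_pct}%")
    return alerts

def accept_trap(data, expected_community):
    """Accept a UDP/162 datagram only if it is a v2c Trap PDU carrying the configured trap community."""
    msg = parse_message(data)
    return msg["version"] == 1 and msg["pdu_type"] == TRAP_V2 and msg["community"] == expected_community, msg
```

To poll a live HSM, send the bytes from build_message(GET_REQUEST, "public", 1, [(oid, None) for oid in oids]) to UDP port 161 with socket.sendto and hand the reply to parse_message; a trap listener binds UDP port 162 and passes each datagram through accept_trap before acting on the varbinds (the first two of a v2 trap are sysUpTime.0 and snmpTrapOID.0). Because the v2c community is the only pairing the protocol offers, a receiver should also restrict the source addresses from which it accepts traps.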