
Insta Certifier NMS support


Configuration
Note: The SNMP support in Insta Certifier requires the Net-SNMP software to be installed on the Certifier
Engine host.
The management OIDs used by Insta Certifier are defined in INSTA-SMI.txt and
INSTA-PKIMGMT-MIB.txt. These files can be found in the lib/snmp-mibs folder under the Certifier
installation directory. The management server software needs these files to be able to interpret the
management information.
Certifier uses SNMPv3 authentication with the SHA algorithm. Encryption is not used. Authentication
credentials for sending traps to the NMS are specified in the engine.conf file, e.g.:
(snmp (enabled "true")
      (server-address "10.20.57.160")
      (app-name "certifier-engine")
      (security-name "certifier")
      (security-passphrase "5cee8ca29b86e0da38aa4f11a7fc1b45")
      (engine-id "certifier")
      (engine-id-type "text")
      (nic "eth0")
      (features (ee-expiration-traps #t)
                (ee-expiration-period 10080))) ;; minutes

SNMP can be disabled by setting enabled to "false". The server-address is the IP address to which
SNMP traps are sent (UDP port 162). The security-name together with the passphrase is used to
authenticate the Certifier host to the NMS. Note that Certifier uses the SHA algorithm for the authentication.
The security passphrase is stored in encrypted form. If it needs to be changed, the encrypted value can be
produced with the following command line:
echo <passphrase> | bin/ssh-encrypt -E -s -x -c aes-cbc

This outputs the encrypted passphrase.


The SNMP EngineID type is configured with engine-id-type. The EngineID type can be "text"
(ASCII string), "ipv4" (IPv4 address), "ipv6" (IPv6 address) or "mac" (MAC address).
If the EngineID type is "text", the ASCII string defined by the engine-id parameter is used as the
EngineID.
If the type is "ipv4" or "ipv6", the EngineID is the corresponding IP address. The IP address is chosen
using the OS functions gethostname and gethostbyname. When there are multiple network interfaces, the
correct IP address can be selected by adding the corresponding IP address and hostname to the file /etc/hosts.
The hostname used for the selection is configured in the file /etc/sysconfig/network with the
parameter HOSTNAME.
If IPv6 is not supported, IPv4 is used instead even if the type is "ipv6". The type "mac" uses the MAC address
as the EngineID. When using "mac", the nic parameter defines the network interface to use. Possible
values are "eth0", "eth1" etc. Use the ifconfig or ip command to see the available interfaces and
their names.
In order to use an IPv6 EngineID, the OS configuration must have the following settings:
IPv6 address and host name in /etc/hosts, e.g.:
::7 linux6

Network settings in /etc/sysconfig/network:
NETWORKING=YES
NETWORKING_IPV6=yes
HOSTNAME=linux6

Option in /etc/resolv.conf:
options inet6
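The EngineID selection described above, worked through as an added example (this is not Certifier code). It resolves the HOSTNAME from /etc/sysconfig/network against /etc/hosts, falls back to IPv4 when IPv6 is not supported, and takes the MAC from the configured nic. An operator needs the resulting value because an SNMPv3 trap receiver can only authenticate a trap once it knows the sender's EngineID. The page does not state how Certifier serialises the EngineID on the wire; the RFC 3411 enterprise layout used here (enterprise number 36878 with the high bit set, a format octet, then the data) is an assumption, as are the sample hosts file, the host address 10.20.57.161 and the MAC address.

```python
import ipaddress

# Enterprise number from the MIB root 1.3.6.1.4.1.36878 (insta).
INSTA_ENTERPRISE = 36878

# RFC 3411 SnmpEngineID format octets. ASSUMPTION: the page does not say how
# Certifier serialises its EngineID; the RFC 3411 layout (enterprise number
# with the high bit set, a format octet, then the data) is what an NMS
# normally expects for an enterprise-assigned EngineID.
FMT_IPV4, FMT_IPV6, FMT_MAC, FMT_TEXT = 1, 2, 3, 4


def parse_hosts(text):
    """Parse /etc/hosts-style text into {hostname: [ip_address, ...]}."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table.setdefault(name, []).append(ipaddress.ip_address(addr))
    return table


def select_address(hostname, hosts, want_ipv6):
    """Resolve HOSTNAME (from /etc/sysconfig/network) against /etc/hosts.
    IPv6 is preferred only when requested and present; otherwise the first
    IPv4 entry for the name is used."""
    addrs = hosts.get(hostname, [])
    if want_ipv6:
        v6 = [a for a in addrs if a.version == 6]
        if v6:
            return v6[0]
    v4 = [a for a in addrs if a.version == 4]
    if not v4:
        raise LookupError(f"no usable address for {hostname!r} in hosts table")
    return v4[0]


def engine_id(conf, hostname, hosts_text, interfaces, ipv6_supported=True):
    """Build the SnmpEngineID octet string from the (snmp ...) settings.

    conf       : dict with the engine.conf keys engine-id-type, engine-id, nic
    hostname   : value of HOSTNAME in /etc/sysconfig/network
    hosts_text : contents of /etc/hosts
    interfaces : {nic name: MAC string}, a stand-in for what ip/ifconfig shows
    """
    etype = conf["engine-id-type"]
    if etype == "text":
        data = conf["engine-id"].encode("ascii")
        if len(data) > 27:  # RFC 3411 limit for the text format
            raise ValueError("text EngineID longer than 27 octets")
        fmt = FMT_TEXT
    elif etype in ("ipv4", "ipv6"):
        # "If IPv6 is not supported, IPv4 is used instead even if the type is ipv6"
        addr = select_address(hostname, parse_hosts(hosts_text),
                              etype == "ipv6" and ipv6_supported)
        fmt = FMT_IPV6 if addr.version == 6 else FMT_IPV4
        data = addr.packed
    elif etype == "mac":
        mac = interfaces[conf["nic"]]
        data = bytes.fromhex(mac.replace(":", "").replace("-", ""))
        if len(data) != 6:
            raise ValueError(f"bad MAC for {conf['nic']}: {mac}")
        fmt = FMT_MAC
    else:
        raise ValueError(f"unknown engine-id-type {etype!r}")
    header = (INSTA_ENTERPRISE | 0x80000000).to_bytes(4, "big")
    return header + bytes([fmt]) + data


# Constructed sample inputs (not from the page): a host named linux6 with one
# IPv6 and one IPv4 entry in /etc/hosts, and a single NIC.
SAMPLE_HOSTS = "::7 linux6\n10.20.57.161 linux6\n"
SAMPLE_IFACES = {"eth0": "00:11:22:33:44:55"}

if __name__ == "__main__":
    for etype in ("text", "ipv4", "ipv6", "mac"):
        conf = {"engine-id-type": etype, "engine-id": "certifier", "nic": "eth0"}
        print(etype, engine_id(conf, "linux6", SAMPLE_HOSTS, SAMPLE_IFACES).hex())
    # IPv6 requested on a host without IPv6 support falls back to the IPv4 entry
    conf = {"engine-id-type": "ipv6", "engine-id": "certifier", "nic": "eth0"}
    print("ipv6 without v6 support",
          engine_id(conf, "linux6", SAMPLE_HOSTS, SAMPLE_IFACES, ipv6_supported=False).hex())
```

With the page's text setting (engine-id "certifier") the value is 0x8000900e04 followed by the ASCII bytes of "certifier"; the same hosts file yields the ::7 entry for "ipv6" and 10.20.57.161 when IPv6 support is absent.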

If EE expiration trap sending is enabled, a periodic check is done to see which certificates will expire.
A trap eeCertificateExpires is sent for each certificate that will expire within the next period. The period is
configured with the ee-expiration-period parameter. The default value is 7 days. Note that the trap
may be sent more than once for the same certificate if the periodic expiration status update does not take
place between two expiration checks. This can happen if the expired-timeout-period is greater
than the ee-expiration-period.
(snmp ...
      (features (ee-expiration-traps #t)
                (ee-expiration-period 10080))) ;; minutes
...
(configuration (expired-timeout-period 3600))
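A small discrete-time model of the interaction between the two periodic jobs, added here as an example (not Certifier's own code), so the duplicate-trap case can be reproduced before tuning the parameters on a real installation. The page does not state the unit of expired-timeout-period, the exact selection rule of the expiration check, or the relative scheduling of the two jobs; the model assumes seconds, assumes the check reports every certificate still recorded as valid whose notAfter lies at or before the end of the next period, and runs the status update first when both jobs coincide. The certificate serial and expiry times are constructed.

```python
# Model of the two periodic jobs described on the page:
#   * EE expiration check, every ee-expiration-period minutes: sends
#     eeCertificateExpires for each certificate still recorded as valid whose
#     notAfter falls within the next period;
#   * expiration status update, every expired-timeout-period: marks
#     certificates whose notAfter has passed as expired.
# ASSUMPTIONS (not stated on the page): expired-timeout-period is in seconds,
# a certificate whose notAfter has already passed still counts as "within the
# next period" until the status update marks it expired, and both jobs start
# at t=0 with the status update running first when they coincide.

STEP_S = 60  # simulation resolution; both periods must be whole minutes


def simulate_traps(ee_expiration_period_min, expired_timeout_period_s, certs, horizon_s):
    """Return [(time_s, serial), ...] for every eeCertificateExpires trap sent.

    certs: {serial: not_after_s}, notAfter given in seconds from t=0.
    """
    period_s = ee_expiration_period_min * 60
    if period_s % STEP_S or expired_timeout_period_s % STEP_S:
        raise ValueError("periods must be whole minutes for this model")
    status = {serial: "valid" for serial in certs}
    traps = []
    for now in range(0, horizon_s + 1, STEP_S):
        # status update job: flag certificates whose notAfter has passed
        if now % expired_timeout_period_s == 0:
            for serial, not_after in certs.items():
                if not_after <= now:
                    status[serial] = "expired"
        # expiration check: one trap per still-valid certificate expiring in the next period
        if now % period_s == 0:
            for serial, not_after in certs.items():
                if status[serial] == "valid" and not_after <= now + period_s:
                    traps.append((now, serial))
    return traps


def duplicate_traps(traps):
    """Serials reported more than once, with their trap counts."""
    counts = {}
    for _, serial in traps:
        counts[serial] = counts.get(serial, 0) + 1
    return {s: n for s, n in counts.items() if n > 1}


# Constructed sample: a single certificate expiring 30 minutes after start.
SAMPLE_CERTS = {"0x1a2b": 30 * 60}

if __name__ == "__main__":
    # status update every 2 h, check every 1 h: the certificate is reported at
    # t=0 and again at t=3600 because the database still shows it as valid
    slow = simulate_traps(60, 7200, SAMPLE_CERTS, 4 * 3600)
    print("expired-timeout-period > ee-expiration-period:", slow, duplicate_traps(slow))
    # status update every 30 min, check every 1 h: reported once
    fast = simulate_traps(60, 1800, SAMPLE_CERTS, 4 * 3600)
    print("expired-timeout-period < ee-expiration-period:", fast, duplicate_traps(fast))
    # the page's values: 7-day check period, 1-hour status update, no duplicates
    page = simulate_traps(10080, 3600, {"0x1a2b": 3 * 86400}, 14 * 86400)
    print("page configuration:", page, duplicate_traps(page))
```

With the page's own values (10080 minutes against 3600 seconds) the status update always runs between two checks, so each certificate is reported once; the duplicate appears only when the status-update interval exceeds the check period.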

Management Information
The OID hierarchy used by the Certifier MIB starts with 1.3.6.1.4.1.36878.1.1, which is
iso.org.dod.internet.private.enterprise.insta.instaMgmt.pkiMgmt.
Under the pkiMgmt OID, notifications, counters and alarms are defined as follows. Details can be found
in the MIB files.
pkiNotifs(0) - SNMP notifications (traps) and their data
    serviceStart(1) : serviceID, serviceType, serviceName
    serviceStop(2) : serviceID, serviceType, serviceName
    serviceFail(3) : serviceID, serviceType, serviceName
    caEngineStart(4)
    caEngineStop(5)
    caServerStart(6) : serverID
    caServerStop(7) : serverID
    crlGenerationFailure(8) : crlDistributionPoint, failureDescription
    crlPublished(9) : crlDistributionPoint, crlCertificateEntries
    operatorLogin(10) : operatorUsername
    operatorLoginFail(11) : operatorUsername
    caCertificateExpires(12) : caID, certificateExpirationDateAndTime, certificateAutoRenew
    eeCertificateExpires(23) : caId, certificateSerialNumber, certificateExpirationDateAndTime
    operatorAdded(13) : operatorUsername
    databaseFailure(14) : failureDescription
    scepRequestFailure(15) : sourceAddress, failureDescription
    configurationUpdate(16) : operatorId
    cmpRequestFailure(17) : requestSender, requestType, failureDescription
    requestRejected(18) : requestSender, requestDetails, requestRejectionDetails
    requestRejectedByPolicy(19) : requestSender, requestRejectionDetails
    ocspRequestFailure(20) : sourceAddress, failureDescription
    crlPublishFail(21) : crlDistributionPoint
    hsmFail(22) : failureDescription

pkiObjects(1) - counters
    caCounterTable(18)
    ocspCounterTotalRequests(19) - Total number of OCSP requests.
    ocspCounterGoodRequests(20) - Total number of GOOD state OCSP responses.
    ocspCounterBadRequests(21) - Total number of BAD state OCSP responses.
pkiAlarms(2) - failure states
    alarmServiceTable(1) - Certifier server services alarm (fail) states.
    alarmHsm(2) - HSM alarm (fail) state.
    alarmCrlGeneration(3) - CRL generation alarm (fail) state.
    alarmCrlPublish(4) - CRL publish alarm (fail) state.
    alarmDatabase(5) - Database alarm (fail) state.
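An added example (not from the MIB files or Certifier) that turns the notification and alarm listing above into a small decoder, the kind of table a trap handler on the NMS side needs to map a numeric snmpTrapOID back to the Certifier event name and the varbinds it should carry. The numeric layout follows the identifiers on the page and the usual SMIv2 convention that notifications live under the 0 sub-arc of the module (pkiNotifs(0)); the MIB files remain the authoritative source for the actual object definitions.

```python
import re

PKI_MGMT = "1.3.6.1.4.1.36878.1.1"      # insta.instaMgmt.pkiMgmt
PKI_NOTIFS = PKI_MGMT + ".0"             # pkiNotifs(0)
PKI_ALARMS = PKI_MGMT + ".2"             # pkiAlarms(2)

# The page's listing, reproduced verbatim and parsed below.
NOTIFS_LISTING = """\
serviceStart(1) : serviceID, serviceType, serviceName
serviceStop(2) : serviceID, serviceType, serviceName
serviceFail(3) : serviceID, serviceType, serviceName
caEngineStart(4)
caEngineStop(5)
caServerStart(6) : serverID
caServerStop(7) : serverID
crlGenerationFailure(8) : crlDistributionPoint, failureDescription
crlPublished(9) : crlDistributionPoint, crlCertificateEntries
operatorLogin(10) : operatorUsername
operatorLoginFail(11) : operatorUsername
caCertificateExpires(12) : caID, certificateExpirationDateAndTime, certificateAutoRenew
eeCertificateExpires(23) : caId, certificateSerialNumber, certificateExpirationDateAndTime
operatorAdded(13) : operatorUsername
databaseFailure(14) : failureDescription
scepRequestFailure(15) : sourceAddress, failureDescription
configurationUpdate(16) : operatorId
cmpRequestFailure(17) : requestSender, requestType, failureDescription
requestRejected(18) : requestSender, requestDetails, requestRejectionDetails
requestRejectedByPolicy(19) : requestSender, requestRejectionDetails
ocspRequestFailure(20) : sourceAddress, failureDescription
crlPublishFail(21) : crlDistributionPoint
hsmFail(22) : failureDescription
"""

ALARMS_LISTING = """\
alarmServiceTable(1)
alarmHsm(2)
alarmCrlGeneration(3)
alarmCrlPublish(4)
alarmDatabase(5)
"""

_ENTRY = re.compile(r"^\s*(\w+)\((\d+)\)\s*(?::\s*(.*?))?\s*$")


def parse_listing(text):
    """Parse 'name(id) : varbind, varbind' lines into {id: (name, [varbinds])}.
    Rejects duplicate ids so a copy/paste error in the table is caught early."""
    table = {}
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if not m:
            continue
        name, ident, varbinds = m.group(1), int(m.group(2)), m.group(3)
        if ident in table:
            raise ValueError(f"duplicate id {ident} for {name}")
        table[ident] = (name, [v.strip() for v in varbinds.split(",")] if varbinds else [])
    return table


NOTIFS = parse_listing(NOTIFS_LISTING)
ALARMS = parse_listing(ALARMS_LISTING)


def notif_oid(name):
    """Numeric OID of a notification, e.g. hsmFail -> ...36878.1.1.0.22."""
    for ident, (n, _) in NOTIFS.items():
        if n == name:
            return f"{PKI_NOTIFS}.{ident}"
    raise KeyError(name)


def alarm_oid(name):
    """Numeric OID of an alarm object under pkiAlarms (instance suffix not added)."""
    for ident, (n, _) in ALARMS.items():
        if n == name:
            return f"{PKI_ALARMS}.{ident}"
    raise KeyError(name)


def decode_trap_oid(oid):
    """Map a received snmpTrapOID value to the notification name and the
    varbinds the trap should carry; None for OIDs outside pkiNotifs."""
    prefix = PKI_NOTIFS + "."
    if not oid.startswith(prefix):
        return None
    tail = oid[len(prefix):]
    if not tail.isdigit() or int(tail) not in NOTIFS:
        return None
    name, varbinds = NOTIFS[int(tail)]
    return {"name": name, "varbinds": varbinds}


if __name__ == "__main__":
    print(decode_trap_oid("1.3.6.1.4.1.36878.1.1.0.23"))
    print(notif_oid("operatorLoginFail"), alarm_oid("alarmHsm"))
```

Note that the listing is not in numeric order (eeCertificateExpires carries id 23 but appears after 12), which is why the decoder keys on the id rather than on the position in the list.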

Examples
Management information can be queried from the Certifier Engine host with the Net-SNMP tools in the
following fashion:
# snmpget -v3 -u <username> -a SHA -A <passphrase> -l authNoPriv <IP-address> INSTA-PKIMGMT-MIB::ocspTotalRequests.0
# snmptable -v3 -u <username> -a SHA -A <passphrase> -l authNoPriv <IP-address> INSTA-PKIMGMT-MIB::caCounterTable

The first command makes an SNMP query for the counter value of total OCSP requests received by the
Certifier. The second command makes an SNMP query for a table that contains the statistics counters for each
CA.