If, like us, you use an HSM to store your DNSSEC key material, you probably know that it is important to keep an eye on the memory usage of that HSM: with a typical DNSSEC key management scheme you may have as many as 5 keys active per signed domain, and once the token's object storage is full, new keys can no longer be generated and key rollovers stall. That can be a burden on your HSM, especially if it has a limited amount of storage, as ours do. To automate this monitoring we have written a small tool called “p11memmon”. It can be plugged in as a Nagios check and monitors the amount of available private object memory through the PKCS #11 interface of your HSM (the free and total private memory that the token reports in its CK_TOKEN_INFO structure). The tool returns a warning when memory saturation reaches a configurable limit (75% by default) and a critical status when it exceeds a maximum limit (90% by default).
We have released the tool as open source; you can download it here. The source includes an RPM spec file that you can use to build a package.
26/06/2013 at 17:48
Hi,
Nice work!
On my system, the p11memmon reports:
# ./p11memmon -p /usr/lunasa/lib/libCryptoki2.so -l IEHSMHAGroup -v
p11memmon v0.1 – Copyright (C) 2011-2013 SURFnet bv, All Rights Reserved
Licenced under a 3-clause BSD licence (see source)
Successfully loaded PKCS #11 library /usr/lunasa/lib/libCryptoki2.so with Cryptoki version 2.1
Successfully initialized the PKCS #11 library /usr/lunasa/lib/libCryptoki2.so
Found 1 slots with a token, looking for token TOKENHAGROUP
Found the token with label TOKENHAGROUP in slot 1
Token reports 14242444 bytes of 14286412 bytes private memory free
That means 43968 bytes of private memory are in use
Based on 14286412 bytes of private memory in total that means 0% is in use
Unloaded PKCS #11 library
OK: HSM memory usage is at 0% (43968 bytes in use)
And on my HSM (part of a 2x HA group), it reports:
lunash:>st me
             total       used       free     shared    buffers     cached
Mem:       2064760     275660    1789100          0     186456      62792
-/+ buffers/cache:      26412    2038348
Swap:       522104          0     522104
Command Result : 0 (Success)
26/06/2013 at 20:43
Hi Bill,
By the looks of it you’re using a SafeNet Luna SA device; the command you entered in the Luna shell shows the amount of free memory on the embedded Linux box that manages the HSM but not the actual HSM memory status. To see that, you should run the “partition show” command. The output should look something like this:
[phobos] lunash:>partition show
…
Partition SN: XXXXXXXX
Partition Name: XXXXXXXX
Activated: yes
Auto Activation: yes
Partition Owner Locked Out: no
Partition Owner PIN To Be Changed: no
Partition Owner Login Attempts Left: 10 before Owner is Locked Out
Crypto-User Locked Out: no
Crypto-User Challenge To Be Changed: no
Crypto-User Login Attempts Left: 10 before Crypto User is Locked Out!
Legacy Domain Has Been Set: no
Partition Storage Information (Bytes): Total=2000000, Used=624860, Free=1375140
Partition Object Count: 695
Also note that the Luna SA 5 may not report the total amount of memory assigned to a partition correctly, hence the -m command-line option (SafeNet promised to fix this, so it may be that newer versions of their PKCS #11 library no longer suffer from this problem).
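As an added example (not the p11memmon source, which is a C program built against the vendor library), the following Python script shows the check the post describes and the workaround discussed in the reply above: it reads ulFreePrivateMemory and ulTotalPrivateMemory from CK_TOKEN_INFO, applies the 75%/90% thresholds as a Nagios plugin would, and, for a token whose reported total is unusable (the Luna SA 5 case), accepts an explicit total in the same spirit as p11memmon's -m option. It assumes the PyKCS11 package is installed; the -w/-c options, the function names and the UNKNOWN handling are my own choices, not features documented for p11memmon.

```python
#!/usr/bin/env python3
"""Nagios-style check of PKCS #11 token private object memory.

Added example, not the p11memmon source. evaluate() holds the threshold
logic and runs without an HSM; check_token() is the thin PKCS #11 layer and
assumes the PyKCS11 package (an assumption) and a vendor library are present.
"""
import argparse
import sys

# Nagios plugin exit codes
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# PKCS #11 lets a token return these instead of a real byte count in
# CK_TOKEN_INFO; the all-ones value depends on the width of CK_ULONG.
CK_UNAVAILABLE_INFORMATION = {2**32 - 1, 2**64 - 1}
CK_EFFECTIVELY_INFINITE = 0


def evaluate(free, total, warn=75, crit=90, total_override=None):
    """Turn ulFreePrivateMemory/ulTotalPrivateMemory into (exit code, message).

    total_override stands in for an operator-supplied total (the role of
    p11memmon's -m) when the token's own total cannot be trusted.
    Both thresholds trigger when usage is at or above the given percentage.
    """
    if not 0 <= warn < crit <= 100:
        raise ValueError("thresholds must satisfy 0 <= warn < crit <= 100")
    if total_override is not None:
        total = total_override
    if total in CK_UNAVAILABLE_INFORMATION or total == CK_EFFECTIVELY_INFINITE:
        return UNKNOWN, ("UNKNOWN: token reports no usable private memory total "
                         "(%d); pass an explicit total instead" % total)
    if free in CK_UNAVAILABLE_INFORMATION or free > total:
        return UNKNOWN, "UNKNOWN: implausible free/total %d/%d bytes" % (free, total)

    used = total - free
    pct = 100.0 * used / total
    # Nagios performance data: label=value;warn;crit;min;max
    perf = "|private_used=%dB;%d;%d;0;%d" % (
        used, total * warn // 100, total * crit // 100, total)
    body = "HSM memory usage is at %.1f%% (%d bytes in use)%s" % (pct, used, perf)
    if pct >= crit:
        return CRITICAL, "CRITICAL: " + body
    if pct >= warn:
        return WARNING, "WARNING: " + body
    return OK, "OK: " + body


def check_token(lib_path, label, warn=75, crit=90, total_override=None):
    """Find the token by label through PyKCS11 and evaluate it (needs a real HSM)."""
    import PyKCS11  # imported lazily so evaluate() stays usable offline
    lib = PyKCS11.PyKCS11Lib()
    lib.load(lib_path)
    for slot in lib.getSlotList(tokenPresent=True):
        info = lib.getTokenInfo(slot)
        if info.label.strip() == label:  # CK_TOKEN_INFO.label is space padded
            return evaluate(info.ulFreePrivateMemory, info.ulTotalPrivateMemory,
                            warn, crit, total_override)
    return UNKNOWN, "UNKNOWN: no token with label %r found" % label


def main(argv=None):
    p = argparse.ArgumentParser(description="Check HSM private object memory via PKCS #11")
    p.add_argument("-p", "--library", required=True, help="path to the vendor PKCS #11 library")
    p.add_argument("-l", "--label", required=True, help="label of the token to check")
    p.add_argument("-w", "--warn", type=int, default=75, help="warning threshold in percent")
    p.add_argument("-c", "--crit", type=int, default=90, help="critical threshold in percent")
    p.add_argument("-m", "--total", type=int, default=None,
                   help="override the total private memory the token reports (bytes)")
    a = p.parse_args(argv)
    code, msg = check_token(a.library, a.label, a.warn, a.crit, a.total)
    print(msg)
    return code


if __name__ == "__main__":
    sys.exit(main())
```

Fed the numbers from the comment above (14242444 of 14286412 bytes free) evaluate() returns OK at 0.3% used, and the partition show figures (Free=1375140 of Total=2000000) give 31.2%; a token that reports CK_UNAVAILABLE_INFORMATION or 0 as its total yields UNKNOWN rather than a misleading OK until an explicit total is supplied.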