Monitoring HSM memory usage

Written by Roland van Rijswijk in category: Crypto, Procedures, Resilience, Security, Technical

in-memory-analyticsIf, like us, you use an HSM to store your DNSSEC key material you may know that it is important to monitor memory usage in your HSM; with a typical DNSSEC key management scheme you may have as many as 5 keys active per signed domain. This can be a burden on your HSM, especially if it has a limited amount of storage like ours do. To automate this monitoring, we have created a little tool called “p11memmon”. It can be integrated as a Nagios check and monitors the amount of available memory through the PKCS #11 interface of your HSM. The tool can give a warning when memory saturation reaches a certain limit (75% is the default setting) and reports a critical status if the memory saturation exceeds a maximum limit (90% by default).

We’ve made this tool available in open source, you can download it here. The source includes a specification file that you can use to build an RPM package.

2 Comments to “Monitoring HSM memory usage”

  1. Bill says:


    Nice work!

    On my system, the p11memmon reports:

    # ./p11memmon -p /usr/lunasa/lib/ -l IEHSMHAGroup -v
    p11memmon v0.1 – Copyright (C) 2011-2013 SURFnet bv, All Rights Reserved
    Licenced under a 3-clause BSD licence (see source)
    Successfully loaded PKCS #11 library /usr/lunasa/lib/ with Cryptoki version 2.1
    Successfully initialized the PKCS #11 library /usr/lunasa/lib/
    Found 1 slots with a token, looking for token TOKENHAGROUP
    Found the token with label TOKENHAGROUP in slot 1
    Token reports 14242444 bytes of 14286412 bytes private memory free
    That means 43968 bytes of private memory are in use
    Based on 14286412 bytes of private memory in total that means 0% is in use
    Unloaded PKCS #11 library
    OK: HSM memory usage is at 0% (43968 bytes in use)

    And on my HSM (part of a 2x HA group), it reports

    lunash:>st me
    total used free shared buffers cached
    Mem: 2064760 275660 1789100 0 186456 62792
    -/+ buffers/cache: 26412 2038348
    Swap: 522104 0 522104
    Command Result : 0 (Success)

  2. Roland van Rijswijk says:

    Hi Bill,

    By the looks of it you’re using a SafeNet Luna SA device; the command you entered in the Luna shell shows the amount of free memory on the embedded Linux box that manages the HSM but not the actual HSM memory status. To see that, you should run the “partition show” command. The output should look something like this:

    [phobos] lunash:>partition show

    Partition SN: XXXXXXXX
    Partition Name: XXXXXXXX
    Activated: yes
    Auto Activation: yes
    Partition Owner Locked Out: no
    Partition Owner PIN To Be Changed: no
    Partition Owner Login Attempts Left: 10 before Owner is Locked Out
    Crypto-User Locked Out: no
    Crypto-User Challenge To Be Changed: no
    Crypto-User Login Attempts Left: 10 before Crypto User is Locked Out!
    Legacy Domain Has Been Set: no
    Partition Storage Information (Bytes): Total=2000000, Used=624860, Free=1375140
    Partition Object Count: 695

    Also note that the Luna SA 5 may not report the total amount of memory assigned to a partition correctly, hence the -m command-line option (SafeNet promised to fix this so it may be that newer versions of their PKCS #11 library don’t suffer from this problem).