-- SNMP-TLS-TM-MIB module header.
-- The IMPORTS clause pulls the SMIv2 base macros and types, the standard
-- textual conventions, the conformance macros, SnmpAdminString, and the two
-- SNMP-TARGET-MIB objects snmpTargetParamsName and snmpTargetAddrName.
SNMP-TLS-TM-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE,
    OBJECT-IDENTITY, mib-2, snmpDomains,
    Counter32, Unsigned32, Gauge32, NOTIFICATION-TYPE
      FROM SNMPv2-SMI -- RFC 2578 or any update thereof
    TEXTUAL-CONVENTION, TimeStamp, RowStatus, StorageType,
    AutonomousType
      FROM SNMPv2-TC -- RFC 2579 or any update thereof
    MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP
      FROM SNMPv2-CONF -- RFC 2580 or any update thereof
    SnmpAdminString
      FROM SNMP-FRAMEWORK-MIB -- RFC 3411 or any update thereof
    snmpTargetParamsName, snmpTargetAddrName
      FROM SNMP-TARGET-MIB -- RFC 3413 or any update thereof
    ;
-- Module identity for the TLS Transport Model MIB, registered at { mib-2 198 }.
-- The REVISION clauses tie this text to RFC 6353 (revision 201107190000Z) and
-- to the earlier RFC 5953 (revision 201005070000Z); per the first REVISION
-- description, the later one only reworded the SnmpTLSAddress TC for IDNA.
snmpTlstmMIB MODULE-IDENTITY
    LAST-UPDATED "201107190000Z"

    ORGANIZATION "ISMS Working Group"
    CONTACT-INFO "WG-EMail: isms@lists.ietf.org
                  Subscribe: isms-request@lists.ietf.org

                  Chairs:
                     Juergen Schoenwaelder
                     Jacobs University Bremen
                     Campus Ring 1
                     28725 Bremen
                     Germany
                     +49 421 200-3587
                     j.schoenwaelder@jacobs-university.de

                     Russ Mundy
                     SPARTA, Inc.
                     7110 Samuel Morse Drive
                     Columbia, MD 21046
                     USA

                  Editor:
                     Wes Hardaker
                     SPARTA, Inc.
                     P.O. Box 382
                     Davis, CA 95617
                     USA
                     ietf@hardakers.net
                  "
    DESCRIPTION "
        The TLS Transport Model MIB

        Copyright (c) 2010-2011 IETF Trust and the persons identified
        as authors of the code. All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info)."

    REVISION "201107190000Z"
    DESCRIPTION "This version of this MIB module is part of
                 RFC 6353; see the RFC itself for full legal
                 notices. The only change was to introduce
                 new wording to reflect require changes for
                 IDNA addresses in the SnmpTLSAddress TC."

    REVISION "201005070000Z"
    DESCRIPTION "This version of this MIB module is part of
                 RFC 5953; see the RFC itself for full legal
                 notices."
    ::= { mib-2 198 }
-- ************************************************
-- subtrees of the SNMP-TLS-TM-MIB
-- ************************************************
-- Four top-level branches under snmpTlstmMIB: notifications (0),
-- identities (1), objects (2) and conformance (3).

snmpTlstmNotifications OBJECT IDENTIFIER ::= { snmpTlstmMIB 0 }
snmpTlstmIdentities OBJECT IDENTIFIER ::= { snmpTlstmMIB 1 }
snmpTlstmObjects OBJECT IDENTIFIER ::= { snmpTlstmMIB 2 }
snmpTlstmConformance OBJECT IDENTIFIER ::= { snmpTlstmMIB 3 }
-- ************************************************
-- snmpTlstmObjects - Objects
-- ************************************************

-- snmpTLSTCPDomain: transport domain for SNMP over TLS/TCP, registered at
-- { snmpDomains 8 }. Addresses in this domain use the SnmpTLSAddress TC.
-- The 'tls' securityName prefix lets other components tell which secure
-- transport authenticated a given securityName.
snmpTLSTCPDomain OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "The SNMP over TLS via TCP transport domain. The
        corresponding transport address is of type SnmpTLSAddress.

        The securityName prefix to be associated with the
        snmpTLSTCPDomain is 'tls'. This prefix may be used by
        security models or other components to identify which secure
        transport infrastructure authenticated a securityName."
    REFERENCE
        "RFC 2579: Textual Conventions for SMIv2"
    ::= { snmpDomains 8 }
-- snmpDTLSUDPDomain: transport domain for SNMP over DTLS/UDP, registered at
-- { snmpDomains 9 }. Same address type as the TLS/TCP domain; the securityName
-- prefix is 'dtls' instead of 'tls'.
snmpDTLSUDPDomain OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "The SNMP over DTLS via UDP transport domain. The
        corresponding transport address is of type SnmpTLSAddress.

        The securityName prefix to be associated with the
        snmpDTLSUDPDomain is 'dtls'. This prefix may be used by
        security models or other components to identify which secure
        transport infrastructure authenticated a securityName."
    REFERENCE
        "RFC 2579: Textual Conventions for SMIv2"
    ::= { snmpDomains 9 }
-- SnmpTLSAddress: textual transport address, 1..255 octets, in one of three
-- forms followed by ':' and a decimal port: dotted-decimal IPv4, bracketed
-- IPv6 (RFC 5952 text form), or a US-ASCII hostname (A-labels for IDNs).
-- NOTE(review): the hostname form needs run-time resolution, and the TC
-- leaves the "how and when" to each object that uses it. When reviewing an
-- object of this type, check that its DESCRIPTION states the resolution
-- rules and that writers handle unsupported or unresolvable values.
-- NOTE(review): the SYNTAX only bounds the length; the address grammar in the
-- DESCRIPTION has to be validated by the implementation.
SnmpTLSAddress ::= TEXTUAL-CONVENTION
    DISPLAY-HINT "1a"
    STATUS current
    DESCRIPTION
        "Represents an IPv4 address, an IPv6 address, or a
        US-ASCII-encoded hostname and port number.

        An IPv4 address must be in dotted decimal format followed by a
        colon ':' (US-ASCII character 0x3A) and a decimal port number
        in US-ASCII.

        An IPv6 address must be a colon-separated format (as described
        in RFC 5952), surrounded by square brackets ('[', US-ASCII
        character 0x5B, and ']', US-ASCII character 0x5D), followed by
        a colon ':' (US-ASCII character 0x3A) and a decimal port number
        in US-ASCII.

        A hostname is always in US-ASCII (as per RFC 1123);
        internationalized hostnames are encoded as A-labels as specified
        in RFC 5890. The hostname is followed by a
        colon ':' (US-ASCII character 0x3A) and a decimal port number
        in US-ASCII. The name SHOULD be fully qualified whenever
        possible.

        Values of this textual convention may not be directly usable
        as transport-layer addressing information, and may require
        run-time resolution. As such, applications that write them
        must be prepared for handling errors if such values are not
        supported, or cannot be resolved (if resolution occurs at the
        time of the management operation).

        The DESCRIPTION clause of TransportAddress objects that may
        have SnmpTLSAddress values must fully describe how (and
        when) such names are to be resolved to IP addresses and vice
        versa.

        This textual convention SHOULD NOT be used directly in object
        definitions since it restricts addresses to a specific
        format. However, if it is used, it MAY be used either on its
        own or in conjunction with TransportAddressType or
        TransportDomain as a pair.

        When this textual convention is used as a syntax of an index
        object, there may be issues with the limit of 128
        sub-identifiers specified in SMIv2 (STD 58). It is RECOMMENDED
        that all MIB documents using this textual convention make
        explicit any limitations on index component lengths that
        management software must observe. This may be done either by

        including SIZE constraints on the index components or by
        specifying applicable constraints in the conceptual row
        DESCRIPTION clause or in the surrounding documentation."
    REFERENCE
        "RFC 1123: Requirements for Internet Hosts - Application and
        Support
        RFC 5890: Internationalized Domain Names for Applications (IDNA):
        Definitions and Document Framework
        RFC 5952: A Recommendation for IPv6 Address Text Representation
        "
    SYNTAX OCTET STRING (SIZE (1..255))
-- SnmpTLSFingerprint: one hash-algorithm identifier octet followed by the
-- digest, carried in an OCTET STRING of 0..255 octets. A zero-length value
-- stands for "no fingerprint" where a table treats the column as optional;
-- definitions and implementations may refuse it.
-- NOTE(review): the SYNTAX only bounds the total length. Nothing here ties
-- the number of digest octets to the algorithm named by the first octet, and
-- nothing restricts which registry value may be used. The RFC 5246
-- HashAlgorithm registry includes md5(1) and sha1(2) alongside sha256(4) and
-- stronger, so a minimum-strength policy for fingerprint matching has to be
-- enforced by the implementation or by the operator.
SnmpTLSFingerprint ::= TEXTUAL-CONVENTION
    DISPLAY-HINT "1x:1x"
    STATUS current
    DESCRIPTION
        "A fingerprint value that can be used to uniquely reference
        other data of potentially arbitrary length.

        An SnmpTLSFingerprint value is composed of a 1-octet hashing
        algorithm identifier followed by the fingerprint value. The
        octet value encoded is taken from the IANA TLS HashAlgorithm
        Registry (RFC 5246). The remaining octets are filled using the
        results of the hashing algorithm.

        This TEXTUAL-CONVENTION allows for a zero-length (blank)
        SnmpTLSFingerprint value for use in tables where the
        fingerprint value may be optional. MIB definitions or
        implementations may refuse to accept a zero-length value as
        appropriate."
    REFERENCE "RFC 5246: The Transport Layer
               Security (TLS) Protocol Version 1.2
               http://www.iana.org/assignments/tls-parameters/
               "
    SYNTAX OCTET STRING (SIZE (0..255))
-- Identities for use in the snmpTlstmCertToTSNTable
-- Each identity registered under this node names one algorithm for turning
-- a certificate into a tmSecurityName.

snmpTlstmCertToTSNMIdentities OBJECT IDENTIFIER
    ::= { snmpTlstmIdentities 1 }
-- snmpTlstmCertSpecified: the tmSecurityName is taken verbatim from the row's
-- snmpTlstmCertToTSNData column rather than from the certificate contents.
-- An empty or non-SnmpAdminString value makes the mapping fail.
snmpTlstmCertSpecified OBJECT-IDENTITY
    STATUS current
    DESCRIPTION "Directly specifies the tmSecurityName to be used for
                 this certificate. The value of the tmSecurityName
                 to use is specified in the snmpTlstmCertToTSNData
                 column. The snmpTlstmCertToTSNData column must
                 contain a non-zero length SnmpAdminString compliant

                 value or the mapping described in this row must be
                 considered a failure."
    ::= { snmpTlstmCertToTSNMIdentities 1 }
-- snmpTlstmCertSANRFC822Name: derive the tmSecurityName from a subjectAltName
-- rfc822Name. Only the host part is lowercased; the local part keeps its
-- case, so names that differ only in local-part case map to different
-- tmSecurityName values (see the example in the DESCRIPTION).
snmpTlstmCertSANRFC822Name OBJECT-IDENTITY
    STATUS current
    DESCRIPTION "Maps a subjectAltName's rfc822Name to a
                 tmSecurityName. The local part of the rfc822Name is
                 passed unaltered but the host-part of the name must
                 be passed in lowercase. This mapping results in a
                 1:1 correspondence between equivalent subjectAltName
                 rfc822Name values and tmSecurityName values except
                 that the host-part of the name MUST be passed in
                 lowercase.

                 Example rfc822Name Field: FooBar@Example.COM
                 is mapped to tmSecurityName: FooBar@example.com."
    ::= { snmpTlstmCertToTSNMIdentities 2 }
-- snmpTlstmCertSANDNSName: derive the tmSecurityName from a subjectAltName
-- dNSName, lowercased first. The lowercasing is an extra step required here,
-- not something RFC 5280 processing already performs.
snmpTlstmCertSANDNSName OBJECT-IDENTITY
    STATUS current
    DESCRIPTION "Maps a subjectAltName's dNSName to a
                 tmSecurityName after first converting it to all
                 lowercase (RFC 5280 does not specify converting to
                 lowercase so this involves an extra step). This
                 mapping results in a 1:1 correspondence between
                 subjectAltName dNSName values and the tmSecurityName
                 values."
    REFERENCE "RFC 5280 - Internet X.509 Public Key Infrastructure
               Certificate and Certificate Revocation
               List (CRL) Profile."
    ::= { snmpTlstmCertToTSNMIdentities 3 }
-- snmpTlstmCertSANIpAddress: derive the tmSecurityName from a subjectAltName
-- iPAddress (IPv4 as a dotted quad, IPv6 as 32 lowercase hex characters with
-- no separators).
-- NOTE(review): per the DESCRIPTION the IPv6 form already sits at the VACM
-- length limit, so turning on the Transport Security Model prefix makes the
-- resulting securityName longer than VACM can handle.
snmpTlstmCertSANIpAddress OBJECT-IDENTITY
    STATUS current
    DESCRIPTION "Maps a subjectAltName's iPAddress to a
                 tmSecurityName by transforming the binary encoded
                 address as follows:

                 1) for IPv4, the value is converted into a
                    decimal-dotted quad address (e.g., '192.0.2.1').

                 2) for IPv6 addresses, the value is converted into a
                    32-character all lowercase hexadecimal string
                    without any colon separators.

                 This mapping results in a 1:1 correspondence between
                 subjectAltName iPAddress values and the
                 tmSecurityName values.

                 The resulting length of an encoded IPv6 address is
                 the maximum length supported by the View-Based
                 Access Control Model (VACM). Using both the
                 Transport Security Model's support for transport
                 prefixes (see the SNMP-TSM-MIB's
                 snmpTsmConfigurationUsePrefix object for details)
                 will result in securityName lengths that exceed what
                 VACM can handle."
    ::= { snmpTlstmCertToTSNMIdentities 4 }
-- snmpTlstmCertSANAny: use the first subjectAltName entry of type rfc822Name,
-- dNSName or iPAddress and apply the matching single-type algorithm.
-- NOTE(review): because the first matching entry in the certificate is used,
-- the derived tmSecurityName depends on the order in which the issuer placed
-- the subjectAltName values; certificates carrying several such entries
-- deserve attention when access rules are written.
snmpTlstmCertSANAny OBJECT-IDENTITY
    STATUS current
    DESCRIPTION "Maps any of the following fields using the
                 corresponding mapping algorithms:

                 |------------+----------------------------|
                 | Type       | Algorithm                  |
                 |------------+----------------------------|
                 | rfc822Name | snmpTlstmCertSANRFC822Name |
                 | dNSName    | snmpTlstmCertSANDNSName    |
                 | iPAddress  | snmpTlstmCertSANIpAddress  |
                 |------------+----------------------------|

                 The first matching subjectAltName value found in the
                 certificate of the above types MUST be used when
                 deriving the tmSecurityName. The mapping algorithm
                 specified in the 'Algorithm' column MUST be used to
                 derive the tmSecurityName.

                 This mapping results in a 1:1 correspondence between
                 subjectAltName values and tmSecurityName values. The
                 three sub-mapping algorithms produced by this
                 combined algorithm cannot produce conflicting
                 results between themselves."
    ::= { snmpTlstmCertToTSNMIdentities 5 }
-- snmpTlstmCertCommonName: derive the tmSecurityName from the certificate's
-- CommonName after conversion to UTF-8.
-- The DESCRIPTION marks CommonName usage as deprecated and steers users to
-- the subjectAltName mappings; the identity itself still has STATUS current.
snmpTlstmCertCommonName OBJECT-IDENTITY
    STATUS current
    DESCRIPTION "Maps a certificate's CommonName to a tmSecurityName
                 after converting it to a UTF-8 encoding. The usage
                 of CommonNames is deprecated and users are
                 encouraged to use subjectAltName mapping methods
                 instead. This mapping results in a 1:1

                 correspondence between certificate CommonName values
                 and tmSecurityName values."
    ::= { snmpTlstmCertToTSNMIdentities 6 }
-- The snmpTlstmSession Group
-- Parent node for the (D)TLS session counters: opens, closes, accepts and
-- the failure counters for certificates, sessions and caches.

snmpTlstmSession OBJECT IDENTIFIER ::= { snmpTlstmObjects 1 }
-- Client side: every openSession() attempt, successful or not. Read together
-- with snmpTlstmSessionOpenErrors to get a failure ratio.
snmpTlstmSessionOpens OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of times an openSession() request has been executed
        as a (D)TLS client, regardless of whether it succeeded or
        failed."
    ::= { snmpTlstmSession 1 }
-- Client side: every closeSession() call, successful or not.
snmpTlstmSessionClientCloses OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of times a closeSession() request has been
        executed as a (D)TLS client, regardless of whether it
        succeeded or failed."
    ::= { snmpTlstmSession 2 }
-- Client side: openSession() attempts that did not produce a session, for
-- any reason. The certificate-specific counters below narrow down the cause.
snmpTlstmSessionOpenErrors OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of times an openSession() request failed to open a
        session as a (D)TLS client, for any reason."
    ::= { snmpTlstmSession 3 }
-- Server side: accepted connections that went on to deliver at least one
-- SNMP message. Connections that never carry a message are not counted here.
snmpTlstmSessionAccepts OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of times a (D)TLS server has accepted a new
        connection from a client and has received at least one SNMP
        message through it."
    ::= { snmpTlstmSession 4 }
-- Server side: every closeSession() call, successful or not.
snmpTlstmSessionServerCloses OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of times a closeSession() request has been
        executed as a (D)TLS server, regardless of whether it
        succeeded or failed."
    ::= { snmpTlstmSession 5 }
-- Outgoing messages dropped because the session referenced by the
-- tmStateReference was gone or had never existed.
snmpTlstmSessionNoSessions OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of times an outgoing message was dropped because
        the session associated with the passed tmStateReference was no
        longer (or was never) available."
    ::= { snmpTlstmSession 6 }
-- Server side: incoming sessions refused because of the client certificate.
-- One counter covers both cryptographic validation failures and the absence
-- of a usable row in snmpTlstmCertToTSNTable, so it cannot by itself tell a
-- bad certificate from a missing mapping.
-- NOTE(review): a useful monitoring signal; a rising value means clients are
-- presenting certificates the server rejects.
snmpTlstmSessionInvalidClientCertificates OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of times an incoming session was not established
        on a (D)TLS server because the presented client certificate
        was invalid. Reasons for invalidation include, but are not
        limited to, cryptographic validation failures or lack of a
        suitable mapping row in the snmpTlstmCertToTSNTable."
    ::= { snmpTlstmSession 7 }
-- Client side: outgoing sessions refused because nothing configured locally
-- (fingerprint or CA) could vouch for the server certificate. This is the
-- "no trust information" case; actual validation errors are counted by
-- snmpTlstmSessionInvalidServerCertificates.
snmpTlstmSessionUnknownServerCertificate OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of times an outgoing session was not established
        on a (D)TLS client because the server certificate presented
        by an SNMP over (D)TLS server was invalid because no
        configured fingerprint or Certification Authority (CA) was
        acceptable to validate it.
        This may result because there was no entry in the
        snmpTlstmAddrTable or because no path could be found to a
        known CA."
    ::= { snmpTlstmSession 8 }
-- Client side: outgoing sessions refused because the server certificate
-- failed validation even though a fingerprint or validation path was known.
-- NOTE(review): increments here mean a server presented a certificate that
-- did not verify against configured trust data, which is worth alerting on.
snmpTlstmSessionInvalidServerCertificates OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of times an outgoing session was not established
        on a (D)TLS client because the server certificate presented
        by an SNMP over (D)TLS server could not be validated even if
        the fingerprint or expected validation path was known. That
        is, a cryptographic validation error occurred during
        certificate validation processing.

        Reasons for invalidation include, but are not
        limited to, cryptographic validation failures."
    ::= { snmpTlstmSession 9 }
-- Outgoing messages dropped because the tmStateReference pointed at an
-- invalid cache.
snmpTlstmSessionInvalidCaches OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of outgoing messages dropped because the
        tmStateReference referred to an invalid cache."
    ::= { snmpTlstmSession 10 }
-- Configuration Objects
-- snmpTlstmConfig is the parent node for the configuration subtree.

snmpTlstmConfig OBJECT IDENTIFIER ::= { snmpTlstmObjects 2 }

-- Certificate mapping
-- Holds the row count, the last-changed timestamp and the table that maps
-- client certificates to tmSecurityName values.

snmpTlstmCertificateMapping OBJECT IDENTIFIER ::= { snmpTlstmConfig 1 }
-- Current number of rows in snmpTlstmCertToTSNTable (read-only gauge).
snmpTlstmCertToTSNCount OBJECT-TYPE
    SYNTAX Gauge32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "A count of the number of entries in the
        snmpTlstmCertToTSNTable."
    ::= { snmpTlstmCertificateMapping 1 }
-- sysUpTime.0 at the last modification of snmpTlstmCertToTSNTable "through
-- any means", or 0 if unchanged since the command responder started.
-- NOTE(review): polling this object gives a cheap way to notice that the
-- certificate mapping was changed outside an expected maintenance window.
snmpTlstmCertToTSNTableLastChanged OBJECT-TYPE
    SYNTAX TimeStamp
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The value of sysUpTime.0 when the snmpTlstmCertToTSNTable was
        last modified through any means, or 0 if it has not been
        modified since the command responder was started."
    ::= { snmpTlstmCertificateMapping 2 }
snmpTlstmCertToTSNTable OBJECT-TYPE
|
|
Packit |
fcad23 |
SYNTAX SEQUENCE OF SnmpTlstmCertToTSNEntry
|
|
Packit |
fcad23 |
MAX-ACCESS not-accessible
|
|
Packit |
fcad23 |
STATUS current
|
|
Packit |
fcad23 |
DESCRIPTION
|
|
Packit |
fcad23 |
"This table is used by a (D)TLS server to map the (D)TLS
|
|
Packit |
fcad23 |
client's presented X.509 certificate to a tmSecurityName.
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
On an incoming (D)TLS/SNMP connection, the client's presented
|
|
Packit |
fcad23 |
certificate must either be validated based on an established
|
|
Packit |
fcad23 |
trust anchor, or it must directly match a fingerprint in this
|
|
Packit |
fcad23 |
table. This table does not provide any mechanisms for
|
|
Packit |
fcad23 |
configuring the trust anchors; the transfer of any needed
|
|
Packit |
fcad23 |
trusted certificates for path validation is expected to occur
|
|
Packit |
fcad23 |
through an out-of-band transfer.
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
Once the certificate has been found acceptable (either by path
|
|
Packit |
fcad23 |
validation or directly matching a fingerprint in this table),
|
|
Packit |
fcad23 |
this table is consulted to determine the appropriate
|
|
Packit |
fcad23 |
tmSecurityName to identify with the remote connection. This
|
|
Packit |
fcad23 |
is done by considering each active row from this table in
|
|
Packit |
fcad23 |
prioritized order according to its snmpTlstmCertToTSNID value.
|
|
Packit |
fcad23 |
Each row's snmpTlstmCertToTSNFingerprint value determines
|
|
Packit |
fcad23 |
whether the row is a match for the incoming connection:
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
1) If the row's snmpTlstmCertToTSNFingerprint value
|
|
Packit |
fcad23 |
identifies the presented certificate, then consider the
|
|
Packit |
fcad23 |
row as a successful match.
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
2) If the row's snmpTlstmCertToTSNFingerprint value
|
|
Packit |
fcad23 |
identifies a locally held copy of a trusted CA
|
|
Packit |
fcad23 |
certificate and that CA certificate was used to
|
|
Packit |
fcad23 |
validate the path to the presented certificate, then
|
|
Packit |
fcad23 |
consider the row as a successful match.
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
Once a matching row has been found, the
|
|
Packit |
fcad23 |
snmpTlstmCertToTSNMapType value can be used to determine how
|
|
Packit |
fcad23 |
the tmSecurityName to associate with the session should be
|
|
Packit |
fcad23 |
determined. See the snmpTlstmCertToTSNMapType column's
|
|
Packit |
fcad23 |
DESCRIPTION for details on determining the tmSecurityName
|
|
Packit |
fcad23 |
value. If it is impossible to determine a tmSecurityName from
|
|
Packit |
fcad23 |
the row's data combined with the data presented in the
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
certificate, then additional rows MUST be searched looking for
|
|
Packit |
fcad23 |
another potential match. If a resulting tmSecurityName mapped
|
|
Packit |
fcad23 |
from a given row is not compatible with the needed
|
|
Packit |
fcad23 |
requirements of a tmSecurityName (e.g., VACM imposes a
|
|
Packit |
fcad23 |
32-octet-maximum length and the certificate derived
|
|
Packit |
fcad23 |
securityName could be longer), then it must be considered an
|
|
Packit |
fcad23 |
invalid match and additional rows MUST be searched looking for
|
|
Packit |
fcad23 |
another potential match.
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
If no matching and valid row can be found, the connection MUST
|
|
Packit |
fcad23 |
be closed and SNMP messages MUST NOT be accepted over it.
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
Missing values of snmpTlstmCertToTSNID are acceptable and
|
|
Packit |
fcad23 |
implementations should continue to the next highest numbered
|
|
Packit |
fcad23 |
row. It is recommended that administrators skip index values
|
|
Packit |
fcad23 |
to leave room for the insertion of future rows (for example,
|
|
Packit |
fcad23 |
use values of 10 and 20 when creating initial rows).
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
Users are encouraged to make use of certificates with
|
|
Packit |
fcad23 |
subjectAltName fields that can be used as tmSecurityNames so
|
|
Packit |
fcad23 |
that a single root CA certificate can allow all child
|
|
Packit |
fcad23 |
certificates' subjectAltName to map directly to a
|
|
Packit |
fcad23 |
tmSecurityName via a 1:1 transformation. However, this table
|
|
Packit |
fcad23 |
is flexible to allow for situations where existing deployed
|
|
Packit |
fcad23 |
certificate infrastructures do not provide adequate
|
|
Packit |
fcad23 |
subjectAltName values for use as tmSecurityNames.
|
|
Packit |
fcad23 |
Certificates may also be mapped to tmSecurityNames using the
|
|
Packit |
fcad23 |
CommonName portion of the Subject field. However, the usage
|
|
Packit |
fcad23 |
of the CommonName field is deprecated and thus this usage is
|
|
Packit |
fcad23 |
NOT RECOMMENDED. Direct mapping from each individual
|
|
Packit |
fcad23 |
certificate fingerprint to a tmSecurityName is also possible
|
|
Packit |
fcad23 |
but requires one entry in the table per tmSecurityName and
|
|
Packit |
fcad23 |
requires more management operations to completely configure a
|
|
Packit |
fcad23 |
device."
|
|
Packit |
fcad23 |
::= { snmpTlstmCertificateMapping 3 }
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
snmpTlstmCertToTSNEntry OBJECT-TYPE
|
|
Packit |
fcad23 |
SYNTAX SnmpTlstmCertToTSNEntry
|
|
Packit |
fcad23 |
MAX-ACCESS not-accessible
|
|
Packit |
fcad23 |
STATUS current
|
|
Packit |
fcad23 |
DESCRIPTION
|
|
Packit |
fcad23 |
"A row in the snmpTlstmCertToTSNTable that specifies a mapping
|
|
Packit |
fcad23 |
for an incoming (D)TLS certificate to a tmSecurityName to use
|
|
Packit |
fcad23 |
for a connection."
|
|
Packit |
fcad23 |
INDEX { snmpTlstmCertToTSNID }
|
|
Packit |
fcad23 |
::= { snmpTlstmCertToTSNTable 1 }
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
SnmpTlstmCertToTSNEntry ::= SEQUENCE {
|
|
Packit |
fcad23 |
snmpTlstmCertToTSNID Unsigned32,
|
|
Packit |
fcad23 |
snmpTlstmCertToTSNFingerprint SnmpTLSFingerprint,
|
|
Packit |
fcad23 |
snmpTlstmCertToTSNMapType AutonomousType,
|
|
Packit |
fcad23 |
snmpTlstmCertToTSNData OCTET STRING,
|
|
Packit |
fcad23 |
snmpTlstmCertToTSNStorageType StorageType,
|
|
Packit |
fcad23 |
snmpTlstmCertToTSNRowStatus RowStatus
|
|
Packit |
fcad23 |
}
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
snmpTlstmCertToTSNID OBJECT-TYPE
|
|
Packit |
fcad23 |
SYNTAX Unsigned32 (1..4294967295)
|
|
Packit |
fcad23 |
MAX-ACCESS not-accessible
|
|
Packit |
fcad23 |
STATUS current
|
|
Packit |
fcad23 |
DESCRIPTION
|
|
Packit |
fcad23 |
"A unique, prioritized index for the given entry. Lower
|
|
Packit |
fcad23 |
numbers indicate a higher priority."
|
|
Packit |
fcad23 |
::= { snmpTlstmCertToTSNEntry 1 }
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
snmpTlstmCertToTSNFingerprint OBJECT-TYPE
|
|
Packit |
fcad23 |
SYNTAX SnmpTLSFingerprint (SIZE(1..255))
|
|
Packit |
fcad23 |
MAX-ACCESS read-create
|
|
Packit |
fcad23 |
STATUS current
|
|
Packit |
fcad23 |
DESCRIPTION
|
|
Packit |
fcad23 |
"A cryptographic hash of an X.509 certificate. The results of
|
|
Packit |
fcad23 |
a successful matching fingerprint to either the trusted CA in
|
|
Packit |
fcad23 |
the certificate validation path or to the certificate itself
|
|
Packit |
fcad23 |
are dictated by the snmpTlstmCertToTSNMapType column."
|
|
Packit |
fcad23 |
::= { snmpTlstmCertToTSNEntry 2 }
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
snmpTlstmCertToTSNMapType OBJECT-TYPE
|
|
Packit |
fcad23 |
SYNTAX AutonomousType
|
|
Packit |
fcad23 |
MAX-ACCESS read-create
|
|
Packit |
fcad23 |
STATUS current
|
|
Packit |
fcad23 |
DESCRIPTION
|
|
Packit |
fcad23 |
"Specifies the mapping type for deriving a tmSecurityName from
|
|
Packit |
fcad23 |
a certificate. Details for mapping of a particular type SHALL
|
|
Packit |
fcad23 |
be specified in the DESCRIPTION clause of the OBJECT-IDENTITY
|
|
Packit |
fcad23 |
that describes the mapping. If a mapping succeeds it will
|
|
Packit |
fcad23 |
return a tmSecurityName for use by the TLSTM model and
|
|
Packit |
fcad23 |
processing stops.
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
If the resulting mapped value is not compatible with the
|
|
Packit |
fcad23 |
needed requirements of a tmSecurityName (e.g., VACM imposes a
|
|
Packit |
fcad23 |
32-octet-maximum length and the certificate derived
|
|
Packit |
fcad23 |
securityName could be longer), then future rows MUST be
|
|
Packit |
fcad23 |
searched for additional snmpTlstmCertToTSNFingerprint matches
|
|
Packit |
fcad23 |
to look for a mapping that succeeds.
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
Suitable values for assigning to this object that are defined
|
|
Packit |
fcad23 |
within the SNMP-TLS-TM-MIB can be found in the
|
|
Packit |
fcad23 |
snmpTlstmCertToTSNMIdentities portion of the MIB tree."
|
|
Packit |
fcad23 |
DEFVAL { snmpTlstmCertSpecified }
|
|
Packit |
fcad23 |
::= { snmpTlstmCertToTSNEntry 3 }
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
snmpTlstmCertToTSNData OBJECT-TYPE
|
|
Packit |
fcad23 |
SYNTAX OCTET STRING (SIZE(0..1024))
|
|
Packit |
fcad23 |
MAX-ACCESS read-create
|
|
Packit |
fcad23 |
STATUS current
|
|
Packit |
fcad23 |
DESCRIPTION
|
|
Packit |
fcad23 |
"Auxiliary data used as optional configuration information for
|
|
Packit |
fcad23 |
a given mapping specified by the snmpTlstmCertToTSNMapType
|
|
Packit |
fcad23 |
column. Only some mapping systems will make use of this
|
|
Packit |
fcad23 |
column. The value in this column MUST be ignored for any
|
|
Packit |
fcad23 |
mapping type that does not require data present in this
|
|
Packit |
fcad23 |
column."
|
|
Packit |
fcad23 |
DEFVAL { "" }
|
|
Packit |
fcad23 |
::= { snmpTlstmCertToTSNEntry 4 }
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
snmpTlstmCertToTSNStorageType OBJECT-TYPE
|
|
Packit |
fcad23 |
SYNTAX StorageType
|
|
Packit |
fcad23 |
MAX-ACCESS read-create
|
|
Packit |
fcad23 |
STATUS current
|
|
Packit |
fcad23 |
DESCRIPTION
|
|
Packit |
fcad23 |
"The storage type for this conceptual row. Conceptual rows
|
|
Packit |
fcad23 |
having the value 'permanent' need not allow write-access to
|
|
Packit |
fcad23 |
any columnar objects in the row."
|
|
Packit |
fcad23 |
DEFVAL { nonVolatile }
|
|
Packit |
fcad23 |
::= { snmpTlstmCertToTSNEntry 5 }
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
snmpTlstmCertToTSNRowStatus OBJECT-TYPE
|
|
Packit |
fcad23 |
SYNTAX RowStatus
|
|
Packit |
fcad23 |
MAX-ACCESS read-create
|
|
Packit |
fcad23 |
STATUS current
|
|
Packit |
fcad23 |
DESCRIPTION
|
|
Packit |
fcad23 |
"The status of this conceptual row. This object may be used
|
|
Packit |
fcad23 |
to create or remove rows from this table.
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
To create a row in this table, an administrator must set this
|
|
Packit |
fcad23 |
object to either createAndGo(4) or createAndWait(5).
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
Until instances of all corresponding columns are appropriately
|
|
Packit |
fcad23 |
configured, the value of the corresponding instance of the
|
|
Packit |
fcad23 |
snmpTlstmCertToTSNRowStatus column is notReady(3).
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
In particular, a newly created row cannot be made active until
|
|
Packit |
fcad23 |
the corresponding snmpTlstmCertToTSNFingerprint,
|
|
Packit |
fcad23 |
snmpTlstmCertToTSNMapType, and snmpTlstmCertToTSNData columns
|
|
Packit |
fcad23 |
have been set.
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
The following objects may not be modified while the
|
|
Packit |
fcad23 |
value of this object is active(1):
|
|
Packit |
fcad23 |
- snmpTlstmCertToTSNFingerprint
|
|
Packit |
fcad23 |
- snmpTlstmCertToTSNMapType
|
|
Packit |
fcad23 |
- snmpTlstmCertToTSNData
|
|
Packit |
fcad23 |
An attempt to set these objects while the value of
|
|
Packit |
fcad23 |
snmpTlstmCertToTSNRowStatus is active(1) will result in
|
|
Packit |
fcad23 |
an inconsistentValue error."
|
|
Packit |
fcad23 |
::= { snmpTlstmCertToTSNEntry 6 }
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
-- Maps tmSecurityNames to certificates for use by the SNMP-TARGET-MIB
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
snmpTlstmParamsCount OBJECT-TYPE
|
|
Packit |
fcad23 |
SYNTAX Gauge32
|
|
Packit |
fcad23 |
MAX-ACCESS read-only
|
|
Packit |
fcad23 |
STATUS current
|
|
Packit |
fcad23 |
DESCRIPTION
|
|
Packit |
fcad23 |
"A count of the number of entries in the snmpTlstmParamsTable."
|
|
Packit |
fcad23 |
::= { snmpTlstmCertificateMapping 4 }
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
snmpTlstmParamsTableLastChanged OBJECT-TYPE
|
|
Packit |
fcad23 |
SYNTAX TimeStamp
|
|
Packit |
fcad23 |
MAX-ACCESS read-only
|
|
Packit |
fcad23 |
STATUS current
|
|
Packit |
fcad23 |
DESCRIPTION
|
|
Packit |
fcad23 |
"The value of sysUpTime.0 when the snmpTlstmParamsTable
|
|
Packit |
fcad23 |
was last modified through any means, or 0 if it has not been
|
|
Packit |
fcad23 |
modified since the command responder was started."
|
|
Packit |
fcad23 |
::= { snmpTlstmCertificateMapping 5 }
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
snmpTlstmParamsTable OBJECT-TYPE
|
|
Packit |
fcad23 |
SYNTAX SEQUENCE OF SnmpTlstmParamsEntry
|
|
Packit |
fcad23 |
MAX-ACCESS not-accessible
|
|
Packit |
fcad23 |
STATUS current
|
|
Packit |
fcad23 |
DESCRIPTION
|
|
Packit |
fcad23 |
"This table is used by a (D)TLS client when a (D)TLS
|
|
Packit |
fcad23 |
connection is being set up using an entry in the
|
|
Packit |
fcad23 |
SNMP-TARGET-MIB. It extends the SNMP-TARGET-MIB's
|
|
Packit |
fcad23 |
snmpTargetParamsTable with a fingerprint of a certificate to
|
|
Packit |
fcad23 |
use when establishing such a (D)TLS connection."
|
|
Packit |
fcad23 |
::= { snmpTlstmCertificateMapping 6 }
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
snmpTlstmParamsEntry OBJECT-TYPE
|
|
Packit |
fcad23 |
SYNTAX SnmpTlstmParamsEntry
|
|
Packit |
fcad23 |
MAX-ACCESS not-accessible
|
|
Packit |
fcad23 |
STATUS current
|
|
Packit |
fcad23 |
DESCRIPTION
|
|
Packit |
fcad23 |
"A conceptual row containing a fingerprint hash of a locally
|
|
Packit |
fcad23 |
held certificate for a given snmpTargetParamsEntry. The
|
|
Packit |
fcad23 |
values in this row should be ignored if the connection that
|
|
Packit |
fcad23 |
needs to be established, as indicated by the SNMP-TARGET-MIB
|
|
Packit |
fcad23 |
infrastructure, is not a certificate and (D)TLS based
|
|
Packit |
fcad23 |
connection. The connection SHOULD NOT be established if the
|
|
Packit |
fcad23 |
certificate fingerprint stored in this entry does not point to
|
|
Packit |
fcad23 |
a valid locally held certificate or if it points to an
|
|
Packit |
fcad23 |
unusable certificate (such as might happen when the
|
|
Packit |
fcad23 |
certificate's expiration date has been reached)."
|
|
Packit |
fcad23 |
INDEX { IMPLIED snmpTargetParamsName }
|
|
Packit |
fcad23 |
::= { snmpTlstmParamsTable 1 }
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
SnmpTlstmParamsEntry ::= SEQUENCE {
|
|
Packit |
fcad23 |
snmpTlstmParamsClientFingerprint SnmpTLSFingerprint,
|
|
Packit |
fcad23 |
snmpTlstmParamsStorageType StorageType,
|
|
Packit |
fcad23 |
snmpTlstmParamsRowStatus RowStatus
|
|
Packit |
fcad23 |
}
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
snmpTlstmParamsClientFingerprint OBJECT-TYPE
|
|
Packit |
fcad23 |
SYNTAX SnmpTLSFingerprint
|
|
Packit |
fcad23 |
MAX-ACCESS read-create
|
|
Packit |
fcad23 |
STATUS current
|
|
Packit |
fcad23 |
DESCRIPTION
|
|
Packit |
fcad23 |
"This object stores the hash of the public portion of a
|
|
Packit |
fcad23 |
locally held X.509 certificate. The X.509 certificate, its
|
|
Packit |
fcad23 |
public key, and the corresponding private key will be used
|
|
Packit |
fcad23 |
when initiating a (D)TLS connection as a (D)TLS client."
|
|
Packit |
fcad23 |
::= { snmpTlstmParamsEntry 1 }
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
snmpTlstmParamsStorageType OBJECT-TYPE
|
|
Packit |
fcad23 |
SYNTAX StorageType
|
|
Packit |
fcad23 |
MAX-ACCESS read-create
|
|
Packit |
fcad23 |
STATUS current
|
|
Packit |
fcad23 |
DESCRIPTION
|
|
Packit |
fcad23 |
"The storage type for this conceptual row. Conceptual rows
|
|
Packit |
fcad23 |
having the value 'permanent' need not allow write-access to
|
|
Packit |
fcad23 |
any columnar objects in the row."
|
|
Packit |
fcad23 |
DEFVAL { nonVolatile }
|
|
Packit |
fcad23 |
::= { snmpTlstmParamsEntry 2 }
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
snmpTlstmParamsRowStatus OBJECT-TYPE
|
|
Packit |
fcad23 |
SYNTAX RowStatus
|
|
Packit |
fcad23 |
MAX-ACCESS read-create
|
|
Packit |
fcad23 |
STATUS current
|
|
Packit |
fcad23 |
DESCRIPTION
|
|
Packit |
fcad23 |
"The status of this conceptual row. This object may be used
|
|
Packit |
fcad23 |
to create or remove rows from this table.
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
To create a row in this table, an administrator must set this
|
|
Packit |
fcad23 |
object to either createAndGo(4) or createAndWait(5).
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
Until instances of all corresponding columns are appropriately
|
|
Packit |
fcad23 |
configured, the value of the corresponding instance of the
|
|
Packit |
fcad23 |
snmpTlstmParamsRowStatus column is notReady(3).
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
In particular, a newly created row cannot be made active until
|
|
Packit |
fcad23 |
the corresponding snmpTlstmParamsClientFingerprint column has
|
|
Packit |
fcad23 |
been set.
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
The snmpTlstmParamsClientFingerprint object may not be modified
|
|
Packit |
fcad23 |
while the value of this object is active(1).
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
An attempt to set these objects while the value of
|
|
Packit |
fcad23 |
snmpTlstmParamsRowStatus is active(1) will result in
|
|
Packit |
fcad23 |
an inconsistentValue error."
|
|
Packit |
fcad23 |
::= { snmpTlstmParamsEntry 3 }
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
snmpTlstmAddrCount OBJECT-TYPE
|
|
Packit |
fcad23 |
SYNTAX Gauge32
|
|
Packit |
fcad23 |
MAX-ACCESS read-only
|
|
Packit |
fcad23 |
STATUS current
|
|
Packit |
fcad23 |
DESCRIPTION
|
|
Packit |
fcad23 |
"A count of the number of entries in the snmpTlstmAddrTable."
|
|
Packit |
fcad23 |
::= { snmpTlstmCertificateMapping 7 }
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
snmpTlstmAddrTableLastChanged OBJECT-TYPE
|
|
Packit |
fcad23 |
SYNTAX TimeStamp
|
|
Packit |
fcad23 |
MAX-ACCESS read-only
|
|
Packit |
fcad23 |
STATUS current
|
|
Packit |
fcad23 |
DESCRIPTION
|
|
Packit |
fcad23 |
"The value of sysUpTime.0 when the snmpTlstmAddrTable
|
|
Packit |
fcad23 |
was last modified through any means, or 0 if it has not been
|
|
Packit |
fcad23 |
modified since the command responder was started."
|
|
Packit |
fcad23 |
::= { snmpTlstmCertificateMapping 8 }
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
snmpTlstmAddrTable OBJECT-TYPE
|
|
Packit |
fcad23 |
SYNTAX SEQUENCE OF SnmpTlstmAddrEntry
|
|
Packit |
fcad23 |
MAX-ACCESS not-accessible
|
|
Packit |
fcad23 |
STATUS current
|
|
Packit |
fcad23 |
DESCRIPTION
|
|
Packit |
fcad23 |
"This table is used by a (D)TLS client when a (D)TLS
|
|
Packit |
fcad23 |
connection is being set up using an entry in the
|
|
Packit |
fcad23 |
SNMP-TARGET-MIB. It extends the SNMP-TARGET-MIB's
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
snmpTargetAddrTable so that the client can verify that the
|
|
Packit |
fcad23 |
correct server has been reached. This verification can use
|
|
Packit |
fcad23 |
either a certificate fingerprint, or an identity
|
|
Packit |
fcad23 |
authenticated via certification path validation.
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
If there is an active row in this table corresponding to the
|
|
Packit |
fcad23 |
entry in the SNMP-TARGET-MIB that was used to establish the
|
|
Packit |
fcad23 |
connection, and the row's snmpTlstmAddrServerFingerprint
|
|
Packit |
fcad23 |
column has a non-empty value, then the server's presented
|
|
Packit |
fcad23 |
certificate is compared with the
|
|
Packit |
fcad23 |
snmpTlstmAddrServerFingerprint value (and the
|
|
Packit |
fcad23 |
snmpTlstmAddrServerIdentity column is ignored). If the
|
|
Packit |
fcad23 |
fingerprint matches, the verification has succeeded. If the
|
|
Packit |
fcad23 |
fingerprint does not match, then the connection MUST be
|
|
Packit |
fcad23 |
closed.
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
If the server's presented certificate has passed
|
|
Packit |
fcad23 |
certification path validation [RFC5280] to a configured
|
|
Packit |
fcad23 |
trust anchor, and an active row exists with a zero-length
|
|
Packit |
fcad23 |
snmpTlstmAddrServerFingerprint value, then the
|
|
Packit |
fcad23 |
snmpTlstmAddrServerIdentity column contains the expected
|
|
Packit |
fcad23 |
host name. This expected host name is then compared against
|
|
Packit |
fcad23 |
the server's certificate as follows:
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
- Implementations MUST support matching the expected host
|
|
Packit |
fcad23 |
name against a dNSName in the subjectAltName extension
|
|
Packit |
fcad23 |
field and MAY support checking the name against the
|
|
Packit |
fcad23 |
CommonName portion of the subject distinguished name.
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
- The '*' (ASCII 0x2a) wildcard character is allowed in the
|
|
Packit |
fcad23 |
dNSName of the subjectAltName extension (and in common
|
|
Packit |
fcad23 |
name, if used to store the host name), but only as the
|
|
Packit |
fcad23 |
left-most (least significant) DNS label in that value.
|
|
Packit |
fcad23 |
This wildcard matches any left-most DNS label in the
|
|
Packit |
fcad23 |
server name. That is, the subject *.example.com matches
|
|
Packit |
fcad23 |
the server names a.example.com and b.example.com, but does
|
|
Packit |
fcad23 |
not match example.com or a.b.example.com. Implementations
|
|
Packit |
fcad23 |
MUST support wildcards in certificates as specified above,
|
|
Packit |
fcad23 |
but MAY provide a configuration option to disable them.
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
- If the locally configured name is an internationalized
|
|
Packit |
fcad23 |
domain name, conforming implementations MUST convert it to
|
|
Packit |
fcad23 |
the ASCII Compatible Encoding (ACE) format for performing
|
|
Packit |
fcad23 |
comparisons, as specified in Section 7 of [RFC5280].
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
If the expected host name fails these conditions then the
|
|
Packit |
fcad23 |
connection MUST be closed.
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
If there is no row in this table corresponding to the entry
|
|
Packit |
fcad23 |
in the SNMP-TARGET-MIB and the server can be authorized by
|
|
Packit |
fcad23 |
another, implementation-dependent means, then the connection
|
|
Packit |
fcad23 |
MAY still proceed."
|
|
Packit |
fcad23 |
::= { snmpTlstmCertificateMapping 9 }
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
snmpTlstmAddrEntry OBJECT-TYPE
|
|
Packit |
fcad23 |
SYNTAX SnmpTlstmAddrEntry
|
|
Packit |
fcad23 |
MAX-ACCESS not-accessible
|
|
Packit |
fcad23 |
STATUS current
|
|
Packit |
fcad23 |
DESCRIPTION
|
|
Packit |
fcad23 |
"A conceptual row containing a copy of a certificate's
|
|
Packit |
fcad23 |
fingerprint for a given snmpTargetAddrEntry. The values in
|
|
Packit |
fcad23 |
this row should be ignored if the connection that needs to be
|
|
Packit |
fcad23 |
established, as indicated by the SNMP-TARGET-MIB
|
|
Packit |
fcad23 |
infrastructure, is not a (D)TLS based connection. If an
|
|
Packit |
fcad23 |
snmpTlstmAddrEntry exists for a given snmpTargetAddrEntry, then
|
|
Packit |
fcad23 |
the presented server certificate MUST match or the connection
|
|
Packit |
fcad23 |
MUST NOT be established. If a row in this table does not
|
|
Packit |
fcad23 |
exist to match an snmpTargetAddrEntry row, then the connection
|
|
Packit |
fcad23 |
SHOULD still proceed if some other certificate validation path
|
|
Packit |
fcad23 |
algorithm (e.g., RFC 5280) can be used."
|
|
Packit |
fcad23 |
INDEX { IMPLIED snmpTargetAddrName }
|
|
Packit |
fcad23 |
::= { snmpTlstmAddrTable 1 }
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
SnmpTlstmAddrEntry ::= SEQUENCE {
|
|
Packit |
fcad23 |
snmpTlstmAddrServerFingerprint SnmpTLSFingerprint,
|
|
Packit |
fcad23 |
snmpTlstmAddrServerIdentity SnmpAdminString,
|
|
Packit |
fcad23 |
snmpTlstmAddrStorageType StorageType,
|
|
Packit |
fcad23 |
snmpTlstmAddrRowStatus RowStatus
|
|
Packit |
fcad23 |
}
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
snmpTlstmAddrServerFingerprint OBJECT-TYPE
|
|
Packit |
fcad23 |
SYNTAX SnmpTLSFingerprint
|
|
Packit |
fcad23 |
MAX-ACCESS read-create
|
|
Packit |
fcad23 |
STATUS current
|
|
Packit |
fcad23 |
DESCRIPTION
|
|
Packit |
fcad23 |
"A cryptographic hash of a public X.509 certificate. This
|
|
Packit |
fcad23 |
object should store the hash of the public X.509 certificate
|
|
Packit |
fcad23 |
that the remote server should present during the (D)TLS
|
|
Packit |
fcad23 |
connection setup. The fingerprint of the presented
|
|
Packit |
fcad23 |
certificate and this hash value MUST match exactly or the
|
|
Packit |
fcad23 |
connection MUST NOT be established."
|
|
Packit |
fcad23 |
DEFVAL { "" }
|
|
Packit |
fcad23 |
::= { snmpTlstmAddrEntry 1 }
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
snmpTlstmAddrServerIdentity OBJECT-TYPE
|
|
Packit |
fcad23 |
SYNTAX SnmpAdminString
|
|
Packit |
fcad23 |
MAX-ACCESS read-create
|
|
Packit |
fcad23 |
STATUS current
|
|
Packit |
fcad23 |
DESCRIPTION
|
|
Packit |
fcad23 |
"The reference identity to check against the identity
|
|
Packit |
fcad23 |
presented by the remote system."
|
|
Packit |
fcad23 |
DEFVAL { "" }
|
|
Packit |
fcad23 |
::= { snmpTlstmAddrEntry 2 }
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
snmpTlstmAddrStorageType OBJECT-TYPE
|
|
Packit |
fcad23 |
SYNTAX StorageType
|
|
Packit |
fcad23 |
MAX-ACCESS read-create
|
|
Packit |
fcad23 |
STATUS current
|
|
Packit |
fcad23 |
DESCRIPTION
|
|
Packit |
fcad23 |
"The storage type for this conceptual row. Conceptual rows
|
|
Packit |
fcad23 |
having the value 'permanent' need not allow write-access to
|
|
Packit |
fcad23 |
any columnar objects in the row."
|
|
Packit |
fcad23 |
DEFVAL { nonVolatile }
|
|
Packit |
fcad23 |
::= { snmpTlstmAddrEntry 3 }
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
snmpTlstmAddrRowStatus OBJECT-TYPE
|
|
Packit |
fcad23 |
SYNTAX RowStatus
|
|
Packit |
fcad23 |
MAX-ACCESS read-create
|
|
Packit |
fcad23 |
STATUS current
|
|
Packit |
fcad23 |
DESCRIPTION
|
|
Packit |
fcad23 |
"The status of this conceptual row. This object may be used
|
|
Packit |
fcad23 |
to create or remove rows from this table.
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
To create a row in this table, an administrator must set this
|
|
Packit |
fcad23 |
object to either createAndGo(4) or createAndWait(5).
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
Until instances of all corresponding columns are
|
|
Packit |
fcad23 |
appropriately configured, the value of the
|
|
Packit |
fcad23 |
corresponding instance of the snmpTlstmAddrRowStatus
|
|
Packit |
fcad23 |
column is notReady(3).
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
In particular, a newly created row cannot be made active until
|
|
Packit |
fcad23 |
the corresponding snmpTlstmAddrServerFingerprint column has been
|
|
Packit |
fcad23 |
set.
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
Rows MUST NOT be active if the snmpTlstmAddrServerFingerprint
|
|
Packit |
fcad23 |
column is blank and the snmpTlstmAddrServerIdentity is set to
|
|
Packit |
fcad23 |
'*' since this would insecurely accept any presented
|
|
Packit |
fcad23 |
certificate.
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
The snmpTlstmAddrServerFingerprint object may not be modified
|
|
Packit |
fcad23 |
while the value of this object is active(1).
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
An attempt to set these objects while the value of
|
|
Packit |
fcad23 |
snmpTlstmAddrRowStatus is active(1) will result in
|
|
Packit |
fcad23 |
an inconsistentValue error."
|
|
Packit |
fcad23 |
::= { snmpTlstmAddrEntry 4 }
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
-- ************************************************
|
|
Packit |
fcad23 |
-- snmpTlstmNotifications - Notifications Information
|
|
Packit |
fcad23 |
-- ************************************************
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
snmpTlstmServerCertificateUnknown NOTIFICATION-TYPE
|
|
Packit |
fcad23 |
OBJECTS { snmpTlstmSessionUnknownServerCertificate }
|
|
Packit |
fcad23 |
STATUS current
|
|
Packit |
fcad23 |
DESCRIPTION
|
|
Packit |
fcad23 |
"Notification that the server certificate presented by an SNMP
|
|
Packit |
fcad23 |
over (D)TLS server was invalid because no configured
|
|
Packit |
fcad23 |
fingerprint or CA was acceptable to validate it. This may be
|
|
Packit |
fcad23 |
because there was no entry in the snmpTlstmAddrTable or
|
|
Packit |
fcad23 |
because no path could be found to a known Certification
|
|
Packit |
fcad23 |
Authority.
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
To avoid notification loops, this notification MUST NOT be
|
|
Packit |
fcad23 |
sent to servers that themselves have triggered the
|
|
Packit |
fcad23 |
notification."
|
|
Packit |
fcad23 |
::= { snmpTlstmNotifications 1 }
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
snmpTlstmServerInvalidCertificate NOTIFICATION-TYPE
|
|
Packit |
fcad23 |
OBJECTS { snmpTlstmAddrServerFingerprint,
|
|
Packit |
fcad23 |
snmpTlstmSessionInvalidServerCertificates}
|
|
Packit |
fcad23 |
STATUS current
|
|
Packit |
fcad23 |
DESCRIPTION
|
|
Packit |
fcad23 |
"Notification that the server certificate presented by an SNMP
|
|
Packit |
fcad23 |
over (D)TLS server could not be validated even if the
|
|
Packit |
fcad23 |
fingerprint or expected validation path was known. That is, a
|
|
Packit |
fcad23 |
cryptographic validation error occurred during certificate
|
|
Packit |
fcad23 |
validation processing.
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
To avoid notification loops, this notification MUST NOT be
|
|
Packit |
fcad23 |
sent to servers that themselves have triggered the
|
|
Packit |
fcad23 |
notification."
|
|
Packit |
fcad23 |
::= { snmpTlstmNotifications 2 }
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
-- ************************************************
|
|
Packit |
fcad23 |
-- snmpTlstmCompliances - Conformance Information
|
|
Packit |
fcad23 |
-- ************************************************
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
snmpTlstmCompliances OBJECT IDENTIFIER ::= { snmpTlstmConformance 1 }
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
snmpTlstmGroups OBJECT IDENTIFIER ::= { snmpTlstmConformance 2 }
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
-- ************************************************
|
|
Packit |
fcad23 |
-- Compliance statements
|
|
Packit |
fcad23 |
-- ************************************************
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
snmpTlstmCompliance MODULE-COMPLIANCE
|
|
Packit |
fcad23 |
STATUS current
|
|
Packit |
fcad23 |
DESCRIPTION
|
|
Packit |
fcad23 |
"The compliance statement for SNMP engines that support the
|
|
Packit |
fcad23 |
SNMP-TLS-TM-MIB"
|
|
Packit |
fcad23 |
MODULE
|
|
Packit |
fcad23 |
MANDATORY-GROUPS { snmpTlstmStatsGroup,
|
|
Packit |
fcad23 |
snmpTlstmIncomingGroup,
|
|
Packit |
fcad23 |
snmpTlstmOutgoingGroup,
|
|
Packit |
fcad23 |
snmpTlstmNotificationGroup }
|
|
Packit |
fcad23 |
::= { snmpTlstmCompliances 1 }
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
-- ************************************************
|
|
Packit |
fcad23 |
-- Units of conformance
|
|
Packit |
fcad23 |
-- ************************************************
|
|
Packit |
fcad23 |
snmpTlstmStatsGroup OBJECT-GROUP
|
|
Packit |
fcad23 |
OBJECTS {
|
|
Packit |
fcad23 |
snmpTlstmSessionOpens,
|
|
Packit |
fcad23 |
snmpTlstmSessionClientCloses,
|
|
Packit |
fcad23 |
snmpTlstmSessionOpenErrors,
|
|
Packit |
fcad23 |
snmpTlstmSessionAccepts,
|
|
Packit |
fcad23 |
snmpTlstmSessionServerCloses,
|
|
Packit |
fcad23 |
snmpTlstmSessionNoSessions,
|
|
Packit |
fcad23 |
snmpTlstmSessionInvalidClientCertificates,
|
|
Packit |
fcad23 |
snmpTlstmSessionUnknownServerCertificate,
|
|
Packit |
fcad23 |
snmpTlstmSessionInvalidServerCertificates,
|
|
Packit |
fcad23 |
snmpTlstmSessionInvalidCaches
|
|
Packit |
fcad23 |
}
|
|
Packit |
fcad23 |
STATUS current
|
|
Packit |
fcad23 |
DESCRIPTION
|
|
Packit |
fcad23 |
"A collection of objects for maintaining
|
|
Packit |
fcad23 |
statistical information of an SNMP engine that
|
|
Packit |
fcad23 |
implements the SNMP TLS Transport Model."
|
|
Packit |
fcad23 |
::= { snmpTlstmGroups 1 }
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
snmpTlstmIncomingGroup OBJECT-GROUP
|
|
Packit |
fcad23 |
OBJECTS {
|
|
Packit |
fcad23 |
snmpTlstmCertToTSNCount,
|
|
Packit |
fcad23 |
snmpTlstmCertToTSNTableLastChanged,
|
|
Packit |
fcad23 |
snmpTlstmCertToTSNFingerprint,
|
|
Packit |
fcad23 |
snmpTlstmCertToTSNMapType,
|
|
Packit |
fcad23 |
snmpTlstmCertToTSNData,
|
|
Packit |
fcad23 |
snmpTlstmCertToTSNStorageType,
|
|
Packit |
fcad23 |
snmpTlstmCertToTSNRowStatus
|
|
Packit |
fcad23 |
}
|
|
Packit |
fcad23 |
STATUS current
|
|
Packit |
fcad23 |
DESCRIPTION
|
|
Packit |
fcad23 |
"A collection of objects for maintaining
|
|
Packit |
fcad23 |
incoming connection certificate mappings to
|
|
Packit |
fcad23 |
tmSecurityNames of an SNMP engine that implements the
|
|
Packit |
fcad23 |
SNMP TLS Transport Model."
|
|
Packit |
fcad23 |
::= { snmpTlstmGroups 2 }
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
snmpTlstmOutgoingGroup OBJECT-GROUP
|
|
Packit |
fcad23 |
OBJECTS {
|
|
Packit |
fcad23 |
snmpTlstmParamsCount,
|
|
Packit |
fcad23 |
snmpTlstmParamsTableLastChanged,
|
|
Packit |
fcad23 |
snmpTlstmParamsClientFingerprint,
|
|
Packit |
fcad23 |
snmpTlstmParamsStorageType,
|
|
Packit |
fcad23 |
snmpTlstmParamsRowStatus,
|
|
Packit |
fcad23 |
snmpTlstmAddrCount,
|
|
Packit |
fcad23 |
snmpTlstmAddrTableLastChanged,
|
|
Packit |
fcad23 |
snmpTlstmAddrServerFingerprint,
|
|
Packit |
fcad23 |
snmpTlstmAddrServerIdentity,
|
|
Packit |
fcad23 |
snmpTlstmAddrStorageType,
|
|
Packit |
fcad23 |
snmpTlstmAddrRowStatus
|
|
Packit |
fcad23 |
}
|
|
Packit |
fcad23 |
STATUS current
|
|
Packit |
fcad23 |
DESCRIPTION
|
|
Packit |
fcad23 |
"A collection of objects for maintaining
|
|
Packit |
fcad23 |
outgoing connection certificates to use when opening
|
|
Packit |
fcad23 |
connections as a result of SNMP-TARGET-MIB settings."
|
|
Packit |
fcad23 |
::= { snmpTlstmGroups 3 }
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
snmpTlstmNotificationGroup NOTIFICATION-GROUP
|
|
Packit |
fcad23 |
NOTIFICATIONS {
|
|
Packit |
fcad23 |
snmpTlstmServerCertificateUnknown,
|
|
Packit |
fcad23 |
snmpTlstmServerInvalidCertificate
|
|
Packit |
fcad23 |
}
|
|
Packit |
fcad23 |
STATUS current
|
|
Packit |
fcad23 |
DESCRIPTION
|
|
Packit |
fcad23 |
"Notifications"
|
|
Packit |
fcad23 |
::= { snmpTlstmGroups 4 }
|
|
Packit |
fcad23 |
|
|
Packit |
fcad23 |
END
|