Network Working Group                                             J. Sun
Internet-Draft                                                  M. Irani
Intended status: Informational                                 T. Nguyen
Expires: April 3, 2020          Naval Information Warfare Center Pacific
                                                               R. Purvis
                                                   The MITRE Corporation
                                                               S. Turner
                                                                   sn3rd
                                                         October 1, 2019

                   DoD Common Cryptographic MIB (CCMIB)
                          draft-turner-ccmib-04

Abstract

   This document defines a portion of the Management Information Base
   (MIB) for use with network management protocols in the Internet
   community.  In particular, it describes managed objects for key
   management implementations including asymmetric keys, symmetric keys,
   trust anchors, and cryptographic-related firmware.

   This profile applies to the capabilities, configuration, and
   operation of all components of US National Security Systems (SP
   800-59).  It is also appropriate for other US Government systems that
   process high-value information.  It is made publicly available for
   use by developers and operators of these and any other system
   deployments.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 3, 2020.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.
   Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  Acronyms
   4.  The Internet-Standard Management Framework
   5.  MIB Design
     5.1.  CC-ASSIGNMENTS-MIB
     5.2.  CC-FEATURE-HIERARCHY-MIB
     5.3.  CC-DEVICE-INFO-MIB
     5.4.  CC-KEY-MANAGEMENT-MIB
     5.5.  CC-KEY-TRANSFER-PULL-MIB
     5.6.  CC-KEY-TRANSFER-PUSH-MIB
     5.7.  CC-SECURE-POLICY-INFO-MIB
     5.8.  CC-SECURE-CONNECTION-INFO-MIB
   6.  Definition of the CC MIB module
     6.1.  Assignments
     6.2.  Feature Hierarchy
     6.3.  Device Info
     6.4.  Key Management Information
     6.5.  Key Transfer Pull
     6.6.  Key Transfer Push
     6.7.  Security Policy Information
     6.8.  Secure Connection Information
   7.  IANA Considerations
   8.  Security Considerations
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Appendix A.  Contributors
   Authors' Addresses

1.  Introduction

   RFC EDITOR: PLEASE REMOVE THE FOLLOWING PARAGRAPH PRIOR TO
   PUBLICATION

   The source for this draft is maintained in GitHub.  Suggested changes
   should be submitted as pull requests at
   https://github.com/seanturner/draft-turner-ccmib.  Instructions are
   on that page as well.  Editorial changes can be managed in GitHub.

   This document defines a portion of the Management Information Base
   (MIB) for use with network management protocols in the Internet
   community.  In particular, it describes managed objects used to
   manage key management implementations including asymmetric keys,
   symmetric keys, trust anchors, and cryptographic-related firmware.

   This profile applies to the capabilities, configuration, and
   operation of all components of US National Security Systems
   [SP800-59].  It is also appropriate for other US Government systems
   that process high-value information.  It is made publicly available
   for use by developers and operators of these and any other system
   deployments.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

3.  Acronyms

   CA: Certification Authority
   CDM: Cryptographic Device Material
   CDML: Cryptographic Device Material List
   CKL: Compromised Key List
   CRL: Certificate Revocation List
   DN: Distinguished Name
   ECU: End Cryptographic Unit
   HMI: Human Machine Interface
   OID: Object Identifier
   PAL: Product Availability List
   PKC: Public Key Certificate
   TA: Trust Anchor
   TAMP: Trust Anchor Management Protocol

4.  The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in RFC 2578
   [RFC2578], STD 58, RFC 2579 [RFC2579], and STD 58, RFC 2580
   [RFC2580].

5.  MIB Design

   Eight MIB modules are defined as part of the CCMIB to support key
   management implementations, namely CC-ASSIGNMENTS-MIB,
   CC-FEATURE-HIERARCHY-MIB, CC-DEVICE-INFO-MIB, CC-KEY-MANAGEMENT-MIB,
   CC-KEY-TRANSFER-PULL-MIB, CC-KEY-TRANSFER-PUSH-MIB,
   CC-SECURE-POLICY-INFO-MIB, and CC-SECURE-CONNECTION-INFO-MIB.  The
   following sections summarize the modules and their objects.

5.1.  CC-ASSIGNMENTS-MIB

   The Assignments MIB defines the "ccmib" OID, which is the OID prefix
   for all other definitions in the CCMIB.

5.2.  CC-FEATURE-HIERARCHY-MIB

   The Feature Hierarchy MIB defines OIDs for the remaining MIB modules,
   namely ccDeviceInfo, ccKeyManagement, ccKeyTransferPull,
   ccKeyTransferPush, ccSecurePolicyInfo, and ccSecureConnectionInfo.
   This module imports the ccmib OID from the Assignments MIB, and the
   remaining six MIB modules each import an OID from the Feature
   Hierarchy MIB.

5.3.  CC-DEVICE-INFO-MIB

   The Device Info MIB configures basic characteristics of the device.
   Details of the defined tables follow.

   cDeviceComponentVersTable is used to manage the specification
   versions of components or specifications supported by the ECU.

   cBatteryInfoTable is used to manage information on each of the
   batteries installed in the device, along with their type, operational
   status, and battery low notification threshold.

   cFirmwareInformationTable is used to manage firmware versions
   available in the device, along with their versions, type, and source.

5.4.  CC-KEY-MANAGEMENT-MIB

   The Key Management MIB configures key management information related
   to the following types of keys:

   o  symmetric keys, e.g., [RFC6031]

   o  asymmetric keys, e.g., [RFC5280] and [RFC5958]

   o  trust anchors, e.g., [RFC5280] and [RFC5914]

   o  CRLs and CKLs, e.g., [RFC5280]

   o  encrypted keys, e.g., [RFC6032]

   Details of the defined tables follow.

   cSymmetricKeyTable is used to manage symmetric keys used by the
   device.  Each table entry supports values for fingerprint, usages,
   identifier, effective date, expiration date, expiry warning, number
   of transactions, friendly name, classification, and source.

   cAsymKeyTable is used to manage asymmetric keys used by the device.
   Each table entry supports values for fingerprint, friendly name,
   serial number, issuer, signature algorithm, public key algorithm,
   effective date, expiration date, expiry warning, subject, subject
   type, subject alternative name, usage, classification, source,
   version, rekey, and type, as well as whether automatic rekey is
   enabled.

   cTrustAnchorTable is used to manage Trust Anchors used by the device.
   Each table entry supports fingerprint, format type, name, usage type,
   key identifier, public key algorithm, contingency availability, and
   version.

   cCKLTable is used to manage both CRLs and CKLs.  Each table entry
   supports an index, issuer, revoked serial number, issue date, next
   update, version, and last updated.

   cCDMStoreTable is used to manage the types of stored CDM that are
   destined for this device and/or destined for another device.  Types
   include symmetric key, asymmetric key, TA, CRL, CKL, and firmware, as
   well as store-and-forward unencrypted and encrypted packages meant
   for another device.

   cCertSubAltNameTable is used to manage the device's subject
   alternative names [RFC5280].

   cCertPathCtrlsTable is used to manage the controls and constraints
   applied to a certificate in order to process certificate trust paths
   [RFC5280].

   cCertPolicyTable is used to manage the device's certificate policies
   [RFC5280].

   cPolicyMappingTable is used to manage the device's mapped certificate
   policies [RFC5280].

   cNameConstraintTable is used to manage the device's name constraints
   [RFC5280].

   cRemoteKeyMaterialTable is used to manage the key material
   information used by the remote peer, i.e., the key material used to
   establish the secure connection.

5.5.  CC-KEY-TRANSFER-PULL-MIB

   The Key Transfer Pull MIB configures information used by devices to
   retrieve CDM from CDM servers.  Details of the defined tables follow.

   cCDMServerTable is used to manage CDM servers that will be queried
   for available CDMs.  It is also used to obtain the location of the
   CDML, which is a list detailing the available CDMs and the location
   from which each can be obtained.  [I-D.turner-sodp-profile] is an
   example of a CDM server that contains a CDML, which is referred to as
   a Product Availability List (PAL) in [I-D.turner-sodp-profile].
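   The OID prefix chain of Sections 5.1 and 5.2 and the device-level
   action scalars that the Device Info MIB of Section 5.3 defines in
   Section 6.3, worked through as an added Python example (this is not
   code from the draft or its MIB modules).  The DeviceInfoAgent class
   and the resolve_oid and sensitive_write_oids helpers are hypothetical
   names introduced here; the 'enterprises' root value 1.3.6.1.4.1 is
   taken from RFC 2578, and all other arcs are the ones the draft
   assigns.

```python
"""Added example; not code from draft-turner-ccmib-04 or its MIB modules.

It works through two things the draft states but never shows end to end:
  1. how the OID arcs assigned in Sections 6.1-6.3 chain into absolute
     OIDs (the 'enterprises' root, 1.3.6.1.4.1, is from RFC 2578), and
  2. the GET/SET semantics the Device Info MIB (Section 6.3) gives the
     action scalars cResetDevice, cSanitizeDevice and cRenderInoperable:
     a read returns false, SET false is accepted but does nothing, SET
     true performs the action, and the matching notification is sent
     before the action starts.
DeviceInfoAgent, resolve_oid and sensitive_write_oids are hypothetical
names introduced for this example.
"""

# (parent, arc) pairs copied from the draft's OBJECT IDENTIFIER,
# MODULE-IDENTITY and OBJECT-TYPE assignments.  Only 'enterprises' is
# an absolute root.
OID_ARCS = {
    "enterprises":                (None, "1.3.6.1.4.1"),
    "ccmib":                      ("enterprises", 34493),
    "ccAssignmentsMIB":           ("ccmib", 3),
    "ccFeatureHierarchyMIB":      ("ccAssignmentsMIB", 1),
    "ccDeviceInfo":               ("ccFeatureHierarchyMIB", 2),
    "ccDeviceInfoMIB":            ("ccDeviceInfo", 1),
    "cDeviceInfoScalars":         ("ccDeviceInfoMIB", 5),
    "cDeviceInfoNotify":          ("ccDeviceInfoMIB", 6),
    "cResetDevice":               ("cDeviceInfoScalars", 7),
    "cSanitizeDevice":            ("cDeviceInfoScalars", 8),
    "cRenderInoperable":          ("cDeviceInfoScalars", 9),
    "cResetDeviceInitialized":    ("cDeviceInfoNotify", 3),
    "cSanitizeDeviceInitialized": ("cDeviceInfoNotify", 4),
}


def resolve_oid(name: str) -> str:
    """Follow parent links up to the absolute root; return a dotted OID."""
    parent, arc = OID_ARCS[name]
    if parent is None:
        return str(arc)
    return f"{resolve_oid(parent)}.{arc}"


# read-write scalars whose SET true is destructive (draft Section 6.3);
# cRenderInoperable is the only one without a notification in the draft.
ACTION_SCALARS = ("cResetDevice", "cSanitizeDevice", "cRenderInoperable")
ACTION_NOTIFICATIONS = {
    "cResetDevice": "cResetDeviceInitialized",
    "cSanitizeDevice": "cSanitizeDeviceInitialized",
}


def sensitive_write_oids() -> list:
    """(name, OID) pairs a manager would place in a restricted SNMP view."""
    return [(name, resolve_oid(name)) for name in ACTION_SCALARS]


class DeviceInfoAgent:
    """Hypothetical agent-side model of the three action scalars."""

    def __init__(self):
        self.keys = {"kek-1": b"\x01" * 16}  # constructed sample key store
        self.audit_log = ["boot"]            # constructed sample audit log
        self.configured = True
        self.inoperable = False
        self.notifications = []  # (name, OID) in the order they were sent
        self.events = []         # internal actions in the order performed

    def snmp_get(self, name: str) -> bool:
        # "When read this object should return false."
        if name not in ACTION_SCALARS:
            raise KeyError(name)
        return False

    def snmp_set(self, name: str, value) -> str:
        """Return an SNMPv2 error-status name: noError, notWritable or
        wrongValue."""
        if name not in ACTION_SCALARS:
            return "notWritable"
        if not isinstance(value, bool):
            return "wrongValue"
        if value is False:
            # "must not perform any operation but should accept this as
            # a valid SET operation"
            return "noError"
        # The notification is sent before any other reset/sanitize step.
        if name in ACTION_NOTIFICATIONS:
            trap = ACTION_NOTIFICATIONS[name]
            self.notifications.append((trap, resolve_oid(trap)))
        if name == "cResetDevice":
            # A reset must not touch persistent config, key material or
            # the audit log, so only the event is recorded here.
            self.events.append("reset")
            return "noError"
        # cSanitizeDevice and cRenderInoperable both zeroize keys, erase
        # persistent storage and audit data, and leave the box unconfigured.
        self.keys.clear()
        self.audit_log.clear()
        self.configured = False
        self.events.append("sanitize")
        if name == "cRenderInoperable":
            self.inoperable = True   # device needs factory return
            self.events.append("render-inoperable")
        return "noError"
```

   Because every read of these scalars returns false, a poller cannot
   tell from the value alone that a sanitize was issued; the
   notification and the cleared key store are the observable evidence.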
   cCDMDeliveryTable is used to manage information about cryptographic
   device materials (CDMs) that are ready/available for retrieval.

5.6.  CC-KEY-TRANSFER-PUSH-MIB

   The Key Transfer Push MIB configures information used by senders to
   push CDMs to devices.  Details of the defined tables follow.

   cCDMPushDestTable is used to manage the information a sender needs to
   initiate a CDM send to a receiving device.

   cCDMTransferPkgTable is used to configure single or multiple CDM in a
   package that can be transferred on a send operation.

   cCDMPushSrcTable is used to list the authorized senders that this
   receiving device will accept CDM transfers from.

5.7.  CC-SECURE-POLICY-INFO-MIB

   The Secure Policy Information MIB defines one table,
   cSecPolicyRuleTable, to manage the security policy rules that are
   compared against inbound and outbound data traffic flow to determine
   how the data traffic flow should be treated (e.g., protect, bypass,
   discard).

5.8.  CC-SECURE-CONNECTION-INFO-MIB

   The Secure Connection Information MIB defines one table,
   cSecConTable, to manage the base/common information for secure
   connections: data plane identifier, type (e.g., 'tls', 'ipsec'),
   direction (inbound, outbound, bidirectional), local and remote key
   material references, cryptographic suite, establishment time, and
   status.

6.  Definition of the CC MIB module

6.1.  Assignments

   This MIB module makes reference to the following document: [RFC2578].

   CC-ASSIGNMENTS-MIB DEFINITIONS ::= BEGIN

   IMPORTS
      MODULE-IDENTITY, enterprises
         FROM SNMPv2-SMI;                   -- RFC 2578

   ccAssignmentsMIB MODULE-IDENTITY
      LAST-UPDATED "201609302154Z"
      ORGANIZATION "CCMIB CCB"
      CONTACT-INFO
         "CC MIB Configuration Control Board
          Email: CCMIB.CCB@us.af.mil"
      DESCRIPTION
         "This MIB defines the CC MIB tree hierarchical assignments
          below it and acts as a reservation mechanism.

          Copyright (c) 2019 IETF Trust and the persons
          identified as authors of the code.  All rights reserved.

          Redistribution and use in source and binary forms, with
          or without modification, is permitted pursuant to, and
          subject to the license terms contained in, the Simplified
          BSD License set forth in Section 4.c of the IETF Trust's
          Legal Provisions Relating to IETF Documents
          (http://trustee.ietf.org/license-info).

          This version of this MIB module is part of RFC xxxx;
          see the RFC itself for full legal notices."
      REVISION "201609302154Z"
      -- RFC EDITOR: Please update XXXX with the assigned RFC number.
      DESCRIPTION "CC MIB 1.0.5 FINAL.  Published as RFC xxxx."
      ::= { ccmib 3 }

   ccmib OBJECT IDENTIFIER ::= { enterprises 34493 }

   --
   -- Note: Current top-level OID assignments within the CC MIB tree:
   --    ccmib.3   : CC-ASSIGNMENTS-MIB (this MIB)
   --    ccmib.3.1 : CC-FEATURE-HIERARCHY-MIB

   END

6.2.  Feature Hierarchy

   This MIB module makes reference to the following document: [RFC2578].

   CC-FEATURE-HIERARCHY-MIB DEFINITIONS ::= BEGIN
   IMPORTS
      ccAssignmentsMIB
         FROM CC-ASSIGNMENTS-MIB            -- FROM Section 6.1
      MODULE-IDENTITY
         FROM SNMPv2-SMI;                   -- FROM RFC 2578

   ccFeatureHierarchyMIB MODULE-IDENTITY
      LAST-UPDATED "201609302154Z"
      ORGANIZATION "CCMIB CCB"
      CONTACT-INFO
         "CC MIB Configuration Control Board
          Email: CCMIB.CCB@us.af.mil"
      DESCRIPTION
         "This MIB defines the CC MIB features in hierarchical MIB
          tree assignments.  It acts as a reservation mechanism for
          other MIB sets to be anchored below it.

          Copyright (c) 2019 IETF Trust and the persons
          identified as authors of the code.  All rights reserved.

          Redistribution and use in source and binary forms, with
          or without modification, is permitted pursuant to, and
          subject to the license terms contained in, the Simplified
          BSD License set forth in Section 4.c of the IETF Trust's
          Legal Provisions Relating to IETF Documents
          (http://trustee.ietf.org/license-info).

          This version of this MIB module is part of RFC xxxx;
          see the RFC itself for full legal notices."
      -- RFC Ed.: RFC-editor please fill in xxxx.
      REVISION "201609302154Z"
      DESCRIPTION "CC MIB 1.0.5 FINAL.  Published as RFC xxxx."
      -- RFC Ed.: RFC-editor please fill in xxxx.
      ::= { ccAssignmentsMIB 1 }

   ccDeviceInfo OBJECT IDENTIFIER
      ::= { ccFeatureHierarchyMIB 2 }
   ccKeyManagement OBJECT IDENTIFIER
      ::= { ccFeatureHierarchyMIB 3 }
   ccKeyTransferPull OBJECT IDENTIFIER
      ::= { ccFeatureHierarchyMIB 4 }
   ccKeyTransferPush OBJECT IDENTIFIER
      ::= { ccFeatureHierarchyMIB 5 }
   ccSecurePolicyInfo OBJECT IDENTIFIER
      ::= { ccFeatureHierarchyMIB 6 }
   ccSecureConnectionInfo OBJECT IDENTIFIER
      ::= { ccFeatureHierarchyMIB 7 }

   END

6.3.  Device Info

   This MIB module makes reference to the following documents:
   [RFC1213], [RFC2578], [RFC2579], [RFC2580], [RFC3411], and [RFC3418].

   CC-DEVICE-INFO-MIB DEFINITIONS ::= BEGIN

   IMPORTS
      ccDeviceInfo
         FROM CC-FEATURE-HIERARCHY-MIB      -- FROM Sec 6.2
      MODULE-COMPLIANCE, OBJECT-GROUP,
      NOTIFICATION-GROUP
         FROM SNMPv2-CONF                   -- FROM RFC 2580
      OBJECT-TYPE, Unsigned32, NOTIFICATION-TYPE,
      MODULE-IDENTITY, TimeTicks, Integer32
         FROM SNMPv2-SMI                    -- FROM RFC 2578
      SnmpAdminString
         FROM SNMP-FRAMEWORK-MIB            -- FROM RFC 3411
      DateAndTime, TruthValue, TimeStamp, RowStatus
         FROM SNMPv2-TC;                    -- FROM RFC 2579

   ccDeviceInfoMIB MODULE-IDENTITY
      LAST-UPDATED "201609302154Z"
      ORGANIZATION "CCMIB CCB"
      CONTACT-INFO
         "CC MIB Configuration Control Board
          Email: CCMIB.CCB@us.af.mil"
      DESCRIPTION
         "This MIB defines the CC MIB Device Information objects.

          Copyright (c) 2019 IETF Trust and the persons
          identified as authors of the code.  All rights reserved.

          Redistribution and use in source and binary forms, with
          or without modification, is permitted pursuant to, and
          subject to the license terms contained in, the Simplified
          BSD License set forth in Section 4.c of the IETF Trust's
          Legal Provisions Relating to IETF Documents
          (http://trustee.ietf.org/license-info).

          This version of this MIB module is part of RFC xxxx;
          see the RFC itself for full legal notices."
      -- RFC Ed.: RFC-editor please fill in xxxx.
      REVISION "201609302154Z"
      DESCRIPTION "CC MIB 1.0.5 FINAL.  Published as RFC xxxx."
      -- RFC Ed.: RFC-editor please fill in xxxx.
      ::= { ccDeviceInfo 1 }

   -- *****************************************************************
   -- Device Information Segments
   -- *****************************************************************

   cDeviceInfoConformance OBJECT IDENTIFIER
      ::= { ccDeviceInfoMIB 1 }
   cDeviceComponentVersInfo OBJECT IDENTIFIER
      ::= { ccDeviceInfoMIB 2 }
   cBatteryInfo OBJECT IDENTIFIER
      ::= { ccDeviceInfoMIB 3 }
   cFirmwareInfo OBJECT IDENTIFIER
      ::= { ccDeviceInfoMIB 4 }
   cDeviceInfoScalars OBJECT IDENTIFIER
      ::= { ccDeviceInfoMIB 5 }
   cDeviceInfoNotify OBJECT IDENTIFIER
      ::= { ccDeviceInfoMIB 6 }

   -- *****************************************************************
   -- General Device Information Scalars
   -- *****************************************************************

   cSystemDate OBJECT-TYPE
      SYNTAX DateAndTime
      MAX-ACCESS read-write
      STATUS current
      DESCRIPTION
         "The host's notion of the local date and time of day.  Note,
          some implementations will not allow changing of this object
          and will send an inconsistentValue error."
      ::= { cDeviceInfoScalars 1 }

   cSystemUpTime OBJECT-TYPE
      SYNTAX TimeTicks
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
         "The amount of time since this host was last initialized.
          Note that this is different from sysUpTime in the SNMPv2-MIB
          RFC 3418 because sysUpTime is the uptime of the network
          management portion of the system."
      ::= { cDeviceInfoScalars 2 }

   cSystemInitialLoadParameters OBJECT-TYPE
      SYNTAX SnmpAdminString (SIZE(0..128))
      MAX-ACCESS read-write
      STATUS current
      DESCRIPTION
         "This object contains the parameters (e.g., a pathname and
          parameter) supplied to the load device when requesting the
          initial operating system configuration from that device.

          Note that writing to this object just changes the
          configuration that will be used the next time the operating
          system is loaded and does not actually cause the reload to
          occur."
      ::= { cDeviceInfoScalars 3 }

   cSecurityLevel OBJECT-TYPE
      SYNTAX SnmpAdminString (SIZE(0..255))
      MAX-ACCESS read-write
      STATUS current
      DESCRIPTION
         "The security level that this object is working at.
          Different communities of interest may have different
          conventions.  The following values are defined and when used
          by agents have specific meaning: UNCLASSIFIED, RESTRICTED,
          CONFIDENTIAL, SECRET, TOP_SECRET."
      ::= { cDeviceInfoScalars 4 }

   cElectronicSerialNumber OBJECT-TYPE
      SYNTAX OCTET STRING
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
         "The Electronic Serial Number of the device.  This may be the
          chassis serial number or an internal serial number."
      ::= { cDeviceInfoScalars 5 }

   cLastChanged OBJECT-TYPE
      SYNTAX TimeTicks
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
         "The value of cSystemUpTime the last time any configurable
          object within the MIBs supported by the device has been
          modified, created, or deleted by either SNMP, agent, or
          other management method (e.g., via an HMI).  Managers can
          use this object to ensure that no changes to any
          configuration within the device have happened since the last
          time it examined the device.  A value of 0 indicates that no
          objects have been changed since the agent initialized."
      ::= { cDeviceInfoScalars 6 }

   cResetDevice OBJECT-TYPE
      SYNTAX TruthValue
      MAX-ACCESS read-write
      STATUS current
      DESCRIPTION
         "The indication of whether a device should be reset.  Setting
          this object to 'true' will perform a reset operation of the
          device.  This must not affect the state of any persistent
          configuration data, zeroize any of the key material or erase
          the audit log.  When read this object should return false.
          When set to false this object must not perform any operation
          but should accept this as a valid SET operation."
      ::= { cDeviceInfoScalars 7 }

   cSanitizeDevice OBJECT-TYPE
      SYNTAX TruthValue
      MAX-ACCESS read-write
      STATUS current
      DESCRIPTION
         "The indication of whether persistent data should be erased.
          Setting this object to 'true' will erase all persistent data
          and return the box to an uninitialized state.  It will
          zeroize all keying data, erase all persistent storage and
          auditing information.  Setting this object will certainly
          render the device unreachable from distant managers since it
          will be unconfigured.  When read this object should return
          false.  When set to false this object must not perform any
          operation but should accept this as a valid SET operation."
      ::= { cDeviceInfoScalars 8 }

   cRenderInoperable OBJECT-TYPE
      SYNTAX TruthValue
      MAX-ACCESS read-write
      STATUS current
      DESCRIPTION
         "The indication of whether persistent data should be erased.
          Setting this object to 'true' will erase all persistent data
          and return the box to an uninitialized state.  It will
          zeroize all keying data, erase all persistent storage and
          auditing information.  In addition, when supported, the
          device is expected to perform some internal function that
          will make the box unusable without returning to the factory
          or some equivalent.  Setting this object will certainly
          render the device unreachable from distant managers since it
          will be unconfigured.  When read this object should return
          false.  When set to false this object must not perform any
          operation but should accept this as a valid SET operation."
      ::= { cDeviceInfoScalars 9 }

   cVendorName OBJECT-TYPE
      SYNTAX OCTET STRING
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
         "This object stores the device's vendor name and is intended
          to be displayed and meaningful to the human operator (e.g.
          Flinstones Inc).  In other words, this object is not intended
          to store the vendor's authoritative identification value
          (i.e., sysObjectID RFC 1213)."
      ::= { cDeviceInfoScalars 10 }

   cModelIdentifier OBJECT-TYPE
      SYNTAX OCTET STRING
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
         "This object stores the device's model identifier.  In
          general, this would include the model name and model
          number."
      ::= { cDeviceInfoScalars 11 }

   cHardwareVersionNumber OBJECT-TYPE
      SYNTAX OCTET STRING
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
         "This object stores the device's hardware version number."
      ::= { cDeviceInfoScalars 12 }

   -- *****************************************************************
   -- Device Information Notifications
   -- *****************************************************************

   cFirmwareInstallFailed NOTIFICATION-TYPE
      STATUS current
      DESCRIPTION
         "A notification from the device to the management station
          indicating a firmware install failed."
      ::= { cDeviceInfoNotify 1 }

   cFirmwareInstallSuccess NOTIFICATION-TYPE
      OBJECTS {
         cFirmwareName,
         cFirmwareVersion,
         cFirmwareSource
      }
      STATUS current
      DESCRIPTION
         "A notification from the device to the management station
          indicating a firmware install succeeded."
      ::= { cDeviceInfoNotify 2 }

   cResetDeviceInitialized NOTIFICATION-TYPE
      STATUS current
      DESCRIPTION
         "A notification from the device to the management station
          indicating that the device is being reset due to a change in
          the value of cResetDevice.
This notification should be sent 656 before the device performs any other reset operations (such 657 as shutting down interfaces, etc.)" 658 ::= { cDeviceInfoNotify 3 } 660 cSanitizeDeviceInitialized NOTIFICATION-TYPE 661 STATUS current 662 DESCRIPTION 663 "A notification from the device to the management station 664 indicating that the device is being sanitized due to a 665 change in the value of cSanitizeDevice. This notification 666 should be sent before the device performs any other sanitize 667 operations (such as shutting down interfaces, etc.)" 668 ::= { cDeviceInfoNotify 4 } 670 cTamperEventIndicated NOTIFICATION-TYPE 671 STATUS current 672 DESCRIPTION 673 "A notification from the device to the management station 674 indicating that the device has detected a tamper event. This 675 notification should be sent before the device performs any 676 operations (such as shutting down interfaces, etc.)" 677 ::= { cDeviceInfoNotify 5 } 679 cBatteryLow NOTIFICATION-TYPE 680 OBJECTS { 681 cBatteryType, 682 cBatteryOpStatus, 683 cBatteryLowThreshold 684 } 685 STATUS current 686 DESCRIPTION 687 "A notification from the device to the management station 688 indicating a battery has reached the threshold at which a 689 battery warning is indicated." 690 ::= { cDeviceInfoNotify 6 } 692 cBatteryRequiresReplacement NOTIFICATION-TYPE 693 OBJECTS { cBatteryType, cBatteryOpStatus } 694 STATUS current 695 DESCRIPTION 696 "A notification from the device to the management station 697 indicating a battery should be charged or changed 698 immediately." 699 ::= { cDeviceInfoNotify 7 } 701 cDeviceOnBattery NOTIFICATION-TYPE 702 OBJECTS { cBatteryType, cBatteryOpStatus } 703 STATUS current 704 DESCRIPTION 705 "A notification from the device to the management station 706 indicating the device is on battery power. This 707 notification is sent when the device is no longer 708 connected to an external power source and is operating 709 using a battery for main power." 
710 ::= { cDeviceInfoNotify 8 } 712 cDeviceComponentDisabled NOTIFICATION-TYPE 713 OBJECTS { 714 cDeviceComponentName, 715 cDeviceComponentVersion, 716 cDeviceComponentOpStatus 717 } 718 STATUS current 719 DESCRIPTION 720 "A notification from the device to the management station 721 indicating a component described in the 722 cDeviceComponentVersTable has been disabled." 723 ::= { cDeviceInfoNotify 9 } 725 cDeviceComponentEnabled NOTIFICATION-TYPE 726 OBJECTS { 727 cDeviceComponentName, 728 cDeviceComponentVersion 729 } 730 STATUS current 731 DESCRIPTION 732 "A notification from the device to the management station 733 indicating a component described in the 734 cDeviceComponentVersTable has been enabled." 735 ::= { cDeviceInfoNotify 10 } 737 -- ***************************************************************** 738 -- CC MIB cDeviceComponentVersTable 739 -- ***************************************************************** 740 cDeviceComponentVersTableCount OBJECT-TYPE 741 SYNTAX Unsigned32 742 MAX-ACCESS read-only 743 STATUS current 744 DESCRIPTION 745 "The number of rows in the cDeviceComponentVersTable." 746 ::= { cDeviceComponentVersInfo 1 } 748 cDeviceComponentVersTableLastChanged OBJECT-TYPE 749 SYNTAX TimeStamp 750 MAX-ACCESS read-only 751 STATUS current 752 DESCRIPTION 753 "The last time any entry in the table was modified, created, 754 or deleted by either SNMP, agent, or other management method 755 (e.g., via an HMI). Managers can use this object to ensure 756 that no changes to configuration of this table have happened 757 since the last time it examined the table. A value of 0 758 indicates that no entry has been changed since the agent 759 initialized. The value in CC-DEVICE-INFO-MIB cSystemUpTime 760 should be used to populate this column." 
761 ::= { cDeviceComponentVersInfo 2 } 763 cDeviceComponentVersTable OBJECT-TYPE 764 SYNTAX SEQUENCE OF CDeviceComponentVersEntry 765 MAX-ACCESS not-accessible 766 STATUS current 767 DESCRIPTION 768 "The table containing a description of the specification 769 versions of components or specifications supported by the 770 ECU. Note that it is possible for multiple versions of a 771 given specification to be registered within the table." 772 ::= { cDeviceComponentVersInfo 3 } 774 cDeviceComponentVersEntry OBJECT-TYPE 775 SYNTAX CDeviceComponentVersEntry 776 MAX-ACCESS not-accessible 777 STATUS current 778 DESCRIPTION 779 "A row containing a module descriptive name and its version 780 that is supported by this device." 781 INDEX { cDeviceComponentName, cDeviceComponentVersion } 782 ::= { cDeviceComponentVersTable 1 } 784 CDeviceComponentVersEntry ::= SEQUENCE 785 { 786 cDeviceComponentName SnmpAdminString, 787 cDeviceComponentVersion SnmpAdminString, 788 cDeviceComponentOpStatus INTEGER, 789 cDeviceComponentDescription OCTET STRING 790 } 792 cDeviceComponentName OBJECT-TYPE 793 SYNTAX SnmpAdminString (SIZE(1..32)) 794 MAX-ACCESS read-only 795 STATUS current 796 DESCRIPTION 797 "The module name or specification name. The string value to 798 be used in this field should be documented in the text of 799 the specification a given row is reporting information on. 801 Specification names beginning with a prefix of 'vendor-' are 802 reserved for private use by the vendor of the device. 804 The string 'device' (exact) is reserved for vendors to 805 register a software revision version of the device. 807 The string 'hardware' (exact) is reserved for vendors to 808 register a model number of the hardware of the device." 
    ::= { cDeviceComponentVersEntry 1 }

cDeviceComponentVersion OBJECT-TYPE
    SYNTAX SnmpAdminString (SIZE(1..32))
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The version of the specification or module name listed in
         the cDeviceComponentName object field in this row. The
         string value to be used in this field should be documented
         in the text of a specification, of the device, or elsewhere.
         If the cDeviceComponentName begins with a 'vendor-' prefix,
         the format of this field is vendor specific."
    ::= { cDeviceComponentVersEntry 2 }

cDeviceComponentOpStatus OBJECT-TYPE
    SYNTAX INTEGER { up(1), notReady(2),
                     administrativelyDown(3) }
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "The current operational state of the interface feature.

         This row may be used to enable/disable components or modules
         in the device, and some implementations may allow for
         various versions of a component to be activated. Devices may
         use this construct to roll back versions of a device
         software, or to allow various software feature versions to
         be installed.

         Agents may reject changing this object for certain rows.
         An example of this is changing the operational status of a
         row that describes the software version of the device and
         not a particular feature. In this event, the agent should
         return an inconsistentValue error."
    ::= { cDeviceComponentVersEntry 3 }

cDeviceComponentDescription OBJECT-TYPE
    SYNTAX OCTET STRING
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "A description of the component. Agents may reject changing
         this object for certain rows. In this event, the agent
         should return an inconsistentValue error."
    ::= { cDeviceComponentVersEntry 4 }

-- *****************************************************************
-- CC MIB cBatteryInfoTable
-- *****************************************************************

cBatteryInfoTableCount OBJECT-TYPE
    SYNTAX Unsigned32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of rows in the cBatteryInfoTable."
    ::= { cBatteryInfo 1 }

cBatteryInfoTableLastChanged OBJECT-TYPE
    SYNTAX TimeStamp
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The last time any entry in the table was modified, created,
         or deleted by either SNMP, agent, or other management
         method (e.g., via an HMI). Managers can use this object to
         ensure that no changes to configuration of this table have
         happened since the last time they examined the table. A
         value of 0 indicates that no entry has been changed since
         the agent initialized. The value in CC-DEVICE-INFO-MIB
         cSystemUpTime should be used to populate this column."
    ::= { cBatteryInfo 2 }

cBatteryInfoTable OBJECT-TYPE
    SYNTAX SEQUENCE OF CBatteryInfoEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The table containing information on each of the batteries
         installed in the device."
    ::= { cBatteryInfo 3 }

cBatteryInfoEntry OBJECT-TYPE
    SYNTAX CBatteryInfoEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "A row containing information on a specific battery. If a
         device cannot return status of a battery it should not
         create a row in this table for that battery."
    INDEX { cBatteryIndex }
    ::= { cBatteryInfoTable 1 }

CBatteryInfoEntry ::= SEQUENCE
{
    cBatteryIndex Unsigned32,
    cBatteryType INTEGER,
    cBatteryOpStatus INTEGER,
    cBatteryLowThreshold Integer32
}

cBatteryIndex OBJECT-TYPE
    SYNTAX Unsigned32
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "A numerical index used to identify the battery. This value
         uniquely identifies a battery on this device. The value
         should be persistent for a given battery, but management
         stations should not depend on it as it may not be possible
         for some devices to retain identical indexes (especially
         across reboots)."
    ::= { cBatteryInfoEntry 1 }

cBatteryType OBJECT-TYPE
    SYNTAX INTEGER { other(1), main(2), clock(3), security(4) }
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The type of battery. Main(2) batteries are used for
         operation of the device when not connected to a power
         source. Clock(3) is used to describe batteries which cannot
         provide main power to the device but maintain clock or
         other persistent data. Security(4) is used for batteries
         which perform specific security functions or which may
         render the device inoperable when the battery is depleted.
         If a battery is used for both clock and security, Security
         should be returned. Other(1) describes a battery which is
         not otherwise defined here."
    ::= { cBatteryInfoEntry 2 }

cBatteryOpStatus OBJECT-TYPE
    SYNTAX INTEGER { unknown(1), batteryNormal(2),
                     batteryLow(3), batteryDepleted(4),
                     batteryMissing(5) }
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Indication of the status of the battery."
    ::= { cBatteryInfoEntry 3 }

cBatteryLowThreshold OBJECT-TYPE
    SYNTAX Integer32 (0..100)
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "The percentage of capacity at which the cBatteryLow
         notification will be generated.
         A value of zero indicates
         that the notification should never be sent for this
         battery. This object should not be implemented if the
         device will detect a low battery, but the actual percentage
         is not measurable. This object only needs to be writable for
         implementations that support modification of the warning
         level percentage."
    ::= { cBatteryInfoEntry 4 }

-- *****************************************************************
-- CC MIB cFirmwareInformationTable
-- *****************************************************************

cFirmwareInformationTableCount OBJECT-TYPE
    SYNTAX Unsigned32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of rows in the cFirmwareInformationTable."
    ::= { cFirmwareInfo 1 }

cFirmwareInformationTableLastChanged OBJECT-TYPE
    SYNTAX TimeStamp
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The last time any entry in the table was modified, created,
         or deleted by either SNMP, agent, or other management
         method (e.g., via an HMI). Managers can use this object to
         ensure that no changes to configuration of this table have
         happened since the last time they examined the table. A value
         of 0 indicates that no entry has been changed since the
         agent initialized. The value in CC-DEVICE-INFO-MIB
         cSystemUpTime should be used to populate this column."
    ::= { cFirmwareInfo 2 }

cFirmwareInformationTable OBJECT-TYPE
    SYNTAX SEQUENCE OF CFirmwareInformationEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "A table that lists firmware versions available in the
         device, along with their versions and type. This is used to
         list currently loaded firmware versions of running firmware
         and other available firmware versions in support of
         returning to a previous version of the firmware."
    ::= { cFirmwareInfo 3 }

cFirmwareInformationEntry OBJECT-TYPE
    SYNTAX CFirmwareInformationEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "A row containing a firmware package name, version, and
         source."
    INDEX { cFirmwareName }
    ::= { cFirmwareInformationTable 1 }

CFirmwareInformationEntry ::= SEQUENCE
{
    cFirmwareName OCTET STRING,
    cFirmwareVersion SnmpAdminString,
    cFirmwareSource SnmpAdminString,
    cFirmwareRunning TruthValue,
    cFirmwareRowStatus RowStatus
}

cFirmwareName OBJECT-TYPE
    SYNTAX OCTET STRING (SIZE(1..255))
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Unique identifier provided in the firmware package."
    ::= { cFirmwareInformationEntry 1 }

cFirmwareVersion OBJECT-TYPE
    SYNTAX SnmpAdminString (SIZE(1..255))
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Version of firmware (provided in the package); for legacy
         firmware packages, this column would be the empty string,
         ''."
    ::= { cFirmwareInformationEntry 2 }

cFirmwareSource OBJECT-TYPE
    SYNTAX SnmpAdminString (SIZE(1..255))
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "This column is used by the implementation to describe how
         the firmware was received. Agents may use any string which
         adequately describes the interface such as 'USB.' Agents may
         also reference entries in the ifTable when appropriate. If
         received using a Cryptographic Device Material server, the
         exact URI that was used to retrieve the firmware package
         would be configured in this column."
    ::= { cFirmwareInformationEntry 3 }

cFirmwareRunning OBJECT-TYPE
    SYNTAX TruthValue
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "Indicates if the firmware is currently running. Only one
         row in the table should have this object set to True at
         any given time.
         If this object is set from False to True,
         the agent must install the firmware, uninstall the previous
         running firmware and change the cFirmwareRunning object for
         the previous running firmware from True to False."
    ::= { cFirmwareInformationEntry 4 }

cFirmwareRowStatus OBJECT-TYPE
    SYNTAX RowStatus
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "The status of the row, by which old entries may be deleted
         from this table.

         At a minimum, implementations must support destroy
         management functions. Support for active, notInService,
         and notReady management functions is optional."
    ::= { cFirmwareInformationEntry 5 }

-- *****************************************************************
-- Module Conformance Information
-- *****************************************************************

cDeviceInfoCompliances OBJECT IDENTIFIER
    ::= { cDeviceInfoConformance 1 }

cDeviceInfoGroups OBJECT IDENTIFIER
    ::= { cDeviceInfoConformance 2 }

cDeviceInfoSystemCompliance MODULE-COMPLIANCE
    STATUS current
    DESCRIPTION
        "Compliance levels for system information."
    MODULE
        MANDATORY-GROUPS { cDeviceInfoSystemGroup }

        GROUP cDeviceInfoSystemNotifyGroup
        DESCRIPTION
            "This notification group is optional for implementation."

        OBJECT cSystemInitialLoadParameters
        MIN-ACCESS not-accessible
        DESCRIPTION
            "Implementation of this object is optional."

        OBJECT cSecurityLevel
        MIN-ACCESS not-accessible
        DESCRIPTION
            "Implementation of this object is optional."

        OBJECT cSanitizeDevice
        MIN-ACCESS not-accessible
        DESCRIPTION
            "Implementation of this object is optional."

        OBJECT cRenderInoperable
        MIN-ACCESS not-accessible
        DESCRIPTION
            "Implementation of this object is optional."
    ::= { cDeviceInfoCompliances 1 }

cDeviceInfoComponentCompliance MODULE-COMPLIANCE
    STATUS current
    DESCRIPTION
        "Compliance levels for component information."
    MODULE
        MANDATORY-GROUPS { cDeviceInfoComponentGroup }

        GROUP cDeviceInfoComponentNotifyGroup
        DESCRIPTION
            "This notification group is optional for implementation."
    ::= { cDeviceInfoCompliances 2 }

cDeviceInfoBatteryCompliance MODULE-COMPLIANCE
    STATUS current
    DESCRIPTION
        "Compliance levels for battery information."
    MODULE
        MANDATORY-GROUPS { cDeviceInfoBatteryGroup }

        GROUP cDeviceInfoBatteryNotifyGroup
        DESCRIPTION
            "This notification group is optional for implementation."

        OBJECT cBatteryLowThreshold
        MIN-ACCESS not-accessible
        DESCRIPTION
            "Implementation of this object is optional."
    ::= { cDeviceInfoCompliances 3 }

cDeviceInfoFirmwareCompliance MODULE-COMPLIANCE
    STATUS current
    DESCRIPTION
        "Compliance levels for firmware information."
    MODULE
        MANDATORY-GROUPS { cDeviceInfoFirmwareGroup }

        GROUP cDeviceInfoFirmwareNotifyGroup
        DESCRIPTION
            "This notification group is optional for implementation."
    ::= { cDeviceInfoCompliances 4 }

cDeviceInfoSystemGroup OBJECT-GROUP
    OBJECTS {
        cSystemDate,
        cSystemUpTime,
        cSystemInitialLoadParameters,
        cSecurityLevel,
        cElectronicSerialNumber,
        cLastChanged,
        cResetDevice,
        cSanitizeDevice,
        cRenderInoperable,
        cVendorName,
        cModelIdentifier,
        cHardwareVersionNumber
    }
    STATUS current
    DESCRIPTION
        "This group is composed of objects related to system
         information."
    ::= { cDeviceInfoGroups 1 }

cDeviceInfoComponentGroup OBJECT-GROUP
    OBJECTS {
        cDeviceComponentVersTableCount,
        cDeviceComponentVersTableLastChanged,
        cDeviceComponentName,
        cDeviceComponentVersion,
        cDeviceComponentOpStatus,
        cDeviceComponentDescription
    }
    STATUS current
    DESCRIPTION
        "This group is composed of objects related to component
         information."
    ::= { cDeviceInfoGroups 2 }

cDeviceInfoBatteryGroup OBJECT-GROUP
    OBJECTS {
        cBatteryInfoTableCount,
        cBatteryInfoTableLastChanged,
        cBatteryType,
        cBatteryOpStatus,
        cBatteryLowThreshold
    }
    STATUS current
    DESCRIPTION
        "This group is composed of objects related to battery
         information."
    ::= { cDeviceInfoGroups 3 }

cDeviceInfoFirmwareGroup OBJECT-GROUP
    OBJECTS {
        cFirmwareInformationTableCount,
        cFirmwareInformationTableLastChanged,
        cFirmwareName,
        cFirmwareVersion,
        cFirmwareSource,
        cFirmwareRunning,
        cFirmwareRowStatus
    }
    STATUS current
    DESCRIPTION
        "This group is composed of objects related to firmware
         information."
    ::= { cDeviceInfoGroups 4 }

cDeviceInfoSystemNotifyGroup NOTIFICATION-GROUP
    NOTIFICATIONS {
        cResetDeviceInitialized,
        cSanitizeDeviceInitialized,
        cTamperEventIndicated,
        cSanitizeDeviceInitialized
    }
    STATUS current
    DESCRIPTION
        "This group is composed of notifications related to system
         information."
    ::= { cDeviceInfoGroups 5 }

cDeviceInfoComponentNotifyGroup NOTIFICATION-GROUP
    NOTIFICATIONS {
        cDeviceComponentDisabled,
        cDeviceComponentEnabled
    }
    STATUS current
    DESCRIPTION
        "This group is composed of notifications related to
         component information."
    ::= { cDeviceInfoGroups 6 }

cDeviceInfoBatteryNotifyGroup NOTIFICATION-GROUP
    NOTIFICATIONS {
        cBatteryLow,
        cBatteryRequiresReplacement,
        cDeviceOnBattery
    }
    STATUS current
    DESCRIPTION
        "This group is composed of notifications related to battery
         information."
    ::= { cDeviceInfoGroups 7 }

cDeviceInfoFirmwareNotifyGroup NOTIFICATION-GROUP
    NOTIFICATIONS {
        cFirmwareInstallFailed,
        cFirmwareInstallSuccess
    }
    STATUS current
    DESCRIPTION
        "This group is composed of notifications related to firmware
         information."
    ::= { cDeviceInfoGroups 8 }

END

6.4. Key Management Information

This MIB module makes references to the following documents:
[RFC2578], [RFC2579], [RFC2580], [RFC3411], [RFC5280], [RFC5914],
[RFC6030], and [RFC6353].

CC-KEY-MANAGEMENT-MIB DEFINITIONS ::= BEGIN

IMPORTS
    ccKeyManagement
        FROM CC-FEATURE-HIERARCHY-MIB       -- FROM Sec 6.2
    OBJECT-TYPE, Unsigned32, NOTIFICATION-TYPE,
    MODULE-IDENTITY
        FROM SNMPv2-SMI                     -- FROM RFC 2578
    SnmpAdminString
        FROM SNMP-FRAMEWORK-MIB             -- FROM RFC 3411
    RowPointer, RowStatus, DateAndTime,
    TruthValue, TimeStamp
        FROM SNMPv2-TC                      -- FROM RFC 2579
    MODULE-COMPLIANCE, OBJECT-GROUP,
    NOTIFICATION-GROUP
        FROM SNMPv2-CONF                    -- FROM RFC 2580
    SnmpTLSFingerprint
        FROM SNMP-TLS-TM-MIB;               -- FROM RFC 6353

ccKeyManagementMIB MODULE-IDENTITY
    LAST-UPDATED "201609302154Z"
    ORGANIZATION "CCMIB CCB"
    CONTACT-INFO
        "CC MIB Configuration Control Board
         Email: CCMIB.CCB@us.af.mil"
    DESCRIPTION
        "This MIB defines the CC MIB Key Management objects.

         Copyright (c) 2019 IETF Trust and the persons
         identified as authors of the code. All rights reserved.
         Redistribution and use in source and binary forms, with
         or without modification, is permitted pursuant to, and
         subject to the license terms contained in, the Simplified
         BSD License set forth in Section 4.c of the IETF Trust's
         Legal Provisions Relating to IETF Documents
         (http://trustee.ietf.org/license-info).

         This version of this MIB module is part of RFC xxxx;
         see the RFC itself for full legal notices."
    -- RFC Ed.: RFC-editor please fill in xxxx.
    REVISION "201609302154Z"
    DESCRIPTION "CC MIB 1.0.5 FINAL. Published as RFC xxxx."
    -- RFC Ed.: RFC-editor please fill in xxxx.
    ::= { ccKeyManagement 1 }

-- *****************************************************************
-- Key Management Information Segments
-- *****************************************************************

cSymmetricKeyInfo OBJECT IDENTIFIER
    ::= { ccKeyManagementMIB 1 }
cAsymKeyInfo OBJECT IDENTIFIER
    ::= { ccKeyManagementMIB 2 }
cTrustAnchorInfo OBJECT IDENTIFIER
    ::= { ccKeyManagementMIB 3 }
cCKLInfo OBJECT IDENTIFIER
    ::= { ccKeyManagementMIB 4 }
cCDMStoreInfo OBJECT IDENTIFIER
    ::= { ccKeyManagementMIB 5 }
cCertSubAltNameInfo OBJECT IDENTIFIER
    ::= { ccKeyManagementMIB 6 }
cCertPathCtrlsInfo OBJECT IDENTIFIER
    ::= { ccKeyManagementMIB 7 }
cCertPolicyInfo OBJECT IDENTIFIER
    ::= { ccKeyManagementMIB 8 }
cPolicyMappingInfo OBJECT IDENTIFIER
    ::= { ccKeyManagementMIB 9 }
cNameConstraintInfo OBJECT IDENTIFIER
    ::= { ccKeyManagementMIB 10 }
cKeyManagementScalars OBJECT IDENTIFIER
    ::= { ccKeyManagementMIB 11 }
cKeyManagementNotify OBJECT IDENTIFIER
    ::= { ccKeyManagementMIB 12 }
cKeyManagementConformance OBJECT IDENTIFIER
    ::= { ccKeyManagementMIB 13 }
cRemoteKeyMaterialInfo OBJECT IDENTIFIER
    ::= { ccKeyManagementMIB 14 }

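The cFirmwareRunning and cFirmwareRowStatus descriptions in the CC-DEVICE-INFO-MIB above define two write-side behaviours an agent has to get right: a SET of cFirmwareRunning from False to True installs that package, uninstalls the previously running one and flips its cFirmwareRunning back to False (so at most one row is ever running), and cFirmwareRowStatus must at least support destroy(6). The Python model below is an added example written for this page; it is not code from draft-turner-ccmib-04 or from any CC MIB agent. The SNMP error-status names are the SNMPv2 ones, the package names and URI are constructed, and two rules are this example's own assumptions because the draft leaves them open: setting the running row's cFirmwareRunning directly to False is rejected, and destroying the row that is currently running is rejected with inconsistentValue.

```python
"""Toy agent-side model of cFirmwareInformationTable (CC-DEVICE-INFO-MIB).
Added example, not code from draft-turner-ccmib-04 or any agent."""
from dataclasses import dataclass, field
from typing import Optional

TRUE, FALSE = 1, 2          # TruthValue encoding (RFC 2579)
ROWSTATUS_DESTROY = 6       # RowStatus destroy(6) (RFC 2579)


@dataclass
class FirmwareRow:
    name: str               # cFirmwareName (table index, read-only)
    version: str            # cFirmwareVersion
    source: str             # cFirmwareSource ('USB', ifTable ref, or CDM URI)
    running: int = FALSE    # cFirmwareRunning


@dataclass
class FirmwareTable:
    rows: dict = field(default_factory=dict)
    last_changed: int = 0                   # cFirmwareInformationTableLastChanged
    notifications: list = field(default_factory=list)

    def count(self) -> int:                 # cFirmwareInformationTableCount
        return len(self.rows)

    def running_name(self) -> Optional[str]:
        names = [r.name for r in self.rows.values() if r.running == TRUE]
        assert len(names) <= 1, "MIB invariant: only one row may be running"
        return names[0] if names else None

    def add(self, row: FirmwareRow, now_ticks: int) -> None:
        """Row creation happens agent-side (cFirmwareName is read-only)."""
        self.rows[row.name] = row
        self.last_changed = now_ticks

    def set_running(self, name: str, value: int, now_ticks: int) -> str:
        """SET cFirmwareRunning.<name>; returns the SNMP error-status name."""
        row = self.rows.get(name)
        if row is None:
            return "noCreation"             # no such row, and none can be created via SNMP
        if value not in (TRUE, FALSE):
            return "wrongValue"
        if value == FALSE:
            # Draft defines only the False -> True transition; clearing the
            # running row directly is rejected here (assumption of this model).
            return "noError" if row.running == FALSE else "inconsistentValue"
        if row.running == TRUE:
            return "noError"                # True -> True: nothing to do
        previous = self.running_name()
        # A real agent flashes the image here; on success it flips the
        # previously running row to False as the description requires.
        if previous is not None:
            self.rows[previous].running = FALSE
        row.running = TRUE
        self.last_changed = now_ticks
        self.notifications.append(("cFirmwareInstallSuccess", name))
        return "noError"

    def set_row_status(self, name: str, value: int, now_ticks: int) -> str:
        """SET cFirmwareRowStatus.<name>; only destroy(6) is implemented."""
        row = self.rows.get(name)
        if row is None:
            return "noCreation"
        if value != ROWSTATUS_DESTROY:
            return "wrongValue"             # optional RowStatus states not supported here
        if row.running == TRUE:
            return "inconsistentValue"      # assumption: cannot delete running firmware
        del self.rows[name]
        self.last_changed = now_ticks
        return "noError"


def demo() -> FirmwareTable:
    """Constructed sample data: package names and the CDM URI are made up."""
    t = FirmwareTable()
    t.add(FirmwareRow("ccdev-fw-2.1.0", "2.1.0", "USB", running=TRUE), now_ticks=100)
    t.add(FirmwareRow("ccdev-fw-2.2.0", "2.2.0",
                      "https://cdm.example.test/fw/2.2.0"), now_ticks=250)
    assert t.set_running("ccdev-fw-2.2.0", TRUE, now_ticks=300) == "noError"
    assert t.set_row_status("ccdev-fw-2.2.0", ROWSTATUS_DESTROY, 310) == "inconsistentValue"
    assert t.set_row_status("ccdev-fw-2.1.0", ROWSTATUS_DESTROY, 320) == "noError"
    return t


if __name__ == "__main__":
    table = demo()
    print("running:", table.running_name(), "rows:", table.count(), table.notifications)
```

A manager polling cFirmwareInformationTableLastChanged against its own copy of cSystemUpTime will see the value move on the install and on the destroy, which is the detection hook the LastChanged objects are meant to give.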
-- *****************************************************************
-- Key Management Information Scalars
-- *****************************************************************

cZeroizeAllKeys OBJECT-TYPE
    SYNTAX TruthValue
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "Setting this object to 'true' removes all entries in key
         material tables and zeroizes key materials. It is applicable
         to symmetric keys, asymmetric keys, and Trust Anchors (TA).
         It must not modify any other information in the device such
         as the persistent storage or the audit log. When read this
         object should return false. If this object is set to the
         same value as the current value, the device must not perform
         any operation but should accept this as a valid SET
         operation. Note after being set to true, an agent should
         reset this object to false once it has zeroized all the keys
         stored in the device."
    ::= { cKeyManagementScalars 1 }

cZeroizeSymmetricKeyTable OBJECT-TYPE
    SYNTAX TruthValue
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "Setting this object to 'true' removes all entries in the
         cSymmetricKeyTable and zeroizes the associated key
         materials. This operation must not modify any other
         information in the device such as the persistent storage or
         the audit log. When read this object should return false. If
         this object is set to the same value as the current value,
         the device must not perform any operation but should accept
         this as a valid SET operation. Note after being set to true,
         an agent should reset this object to false once it has
         zeroized the specific key materials stored in the device."
    ::= { cKeyManagementScalars 2 }

cZeroizeAsymKeyTable OBJECT-TYPE
    SYNTAX TruthValue
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "Setting this object to 'true' removes all entries in the
         cAsymKeyTable and cCertSubAltNameTable, and zeroizes the
         associated key materials. This operation must not modify any
         other information in the device such as the persistent
         storage or the audit log. When read this object should
         return false. If this object is set to the same value as the
         current value, the device must not perform any operation but
         should accept this as a valid SET operation. Note after
         being set to true, an agent should reset this object to
         false once it has zeroized the specific key materials stored
         in the device."
    ::= { cKeyManagementScalars 3 }

cZeroizeTrustAnchorTable OBJECT-TYPE
    SYNTAX TruthValue
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "Setting this object to 'true' removes all entries in the
         cTrustAnchorTable. This operation must not modify any other
         information in the device such as the persistent storage or
         the audit log. When read this object should return false. If
         this object is set to the same value as the current value,
         the device must not perform any operation but should accept
         this as a valid SET operation. Note after being set to true,
         an agent should reset this object to false once it has
         zeroized the specific key materials stored in the device.

         Some implementations may restrict the deletion of Trust
         Anchors to specific protocols (e.g., TAMP)."
    ::= { cKeyManagementScalars 4 }

cZeroizeCDMStoreTable OBJECT-TYPE
    SYNTAX TruthValue
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "Setting this object to 'true' removes all entries in the
         cCDMStoreTable that are of type symkey, asymkey, and
         trustAnchor.
         This operation must not modify any other
         information in the device such as the persistent storage or
         the audit log. When read this object should return false. If
         this object is set to the same value as the current value,
         the device must not perform any operation but should accept
         this as a valid SET operation. Note after being set to true,
         an agent should reset this object to false once it has
         zeroized the specific key materials stored in the device."
    ::= { cKeyManagementScalars 5 }

cKeyMaterialTableOID OBJECT-TYPE
    SYNTAX OBJECT IDENTIFIER
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "The OID of the table for which (1) a successful or failed
         configuration occurred upon a key material load, (2) a key
         material has expired, will expire, or had its expiration
         date changed, or (3) a key material has been zeroized."
    ::= { cKeyManagementScalars 6 }

cKeyMaterialFingerprint OBJECT-TYPE
    SYNTAX SnmpTLSFingerprint
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "The fingerprint of the key material to be transmitted in a
         notification."
    ::= { cKeyManagementScalars 7 }

cSymKeyGlobalExpiryWarning OBJECT-TYPE
    SYNTAX Unsigned32
    UNITS "days"
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "A global setting, indicating the number of days prior to
         the expiration date of a symmetric key (value of
         cSymKeyExpirationDate in the associated cSymmetricKeyTable
         entry) for which the cKeyMaterialExpiring notification will
         be transmitted.

         The value in this object is only used if no value exists for
         the associated cSymmetricKeyTable entry's
         cSymKeyExpiryWarning object."
    ::= { cKeyManagementScalars 8 }

cAsymKeyGlobalExpiryWarning OBJECT-TYPE
    SYNTAX Unsigned32
    UNITS "days"
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "A global setting, indicating the number of days prior to
         the expiration date of an asymmetric key (value of
         cAsymKeyExpirationDate in the associated cAsymKeyTable
         entry) for which the cKeyMaterialExpiring notification will
         be transmitted.

         The value in this object is only used if no value exists for
         the associated cAsymKeyTable entry's cAsymKeyExpiryWarning
         object."
    ::= { cKeyManagementScalars 9 }

cGenerateKeyType OBJECT-TYPE
    SYNTAX INTEGER { x509v3(1), psk(2) }
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "The type of key material to be generated:

         [1] x509v3: X.509v3 certificate per RFC 5280.
         [2] psk: Symmetric Pre-Shared Key."
    ::= { cKeyManagementScalars 10 }

cGenerateKey OBJECT-TYPE
    SYNTAX TruthValue
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "Setting this object to 'true' will force the generation of
         key material, based on the type of key material described in
         cGenerateKeyType. Post-generation, the agent must create an
         entry in the appropriate key material table that captures
         information on this key.

         Note after being set to true, an agent should reset this
         object to false once the key material has been generated and
         an entry created in the appropriate table."
    ::= { cKeyManagementScalars 11 }

-- *****************************************************************
-- Key Management Notifications
-- *****************************************************************

cKeyMaterialLoadSuccess NOTIFICATION-TYPE
    OBJECTS { cKeyMaterialTableOID }
    STATUS current
    DESCRIPTION
        "An attempt to load the device with key material, identified
         by the table identifier (e.g., cSymmetricKeyTable), has
         succeeded. This notification may be sent upon a single
         successful key material load or may be sent upon a series of
         successful single key material loads."
    ::= { cKeyManagementNotify 1 }

cKeyMaterialLoadFail NOTIFICATION-TYPE
    OBJECTS { cKeyMaterialTableOID }
    STATUS current
    DESCRIPTION
        "An attempt to load the device with key material, identified
         by the table identifier (e.g., cSymmetricKeyTable), has
         failed."
    ::= { cKeyManagementNotify 2 }

cKeyMaterialExpiring NOTIFICATION-TYPE
    OBJECTS {
        cKeyMaterialFingerprint,
        cKeyMaterialTableOID
    }
    STATUS current
    DESCRIPTION
        "Key Material, identified by Key Fingerprint and OID of the
         associated key material table, is about to expire. This
         notification is transmitted prior to the key material's
         configured expiration date
         (cSymKeyExpirationDate/cAsymKeyExpirationDate) as indicated
         by a global setting
         (cSymKeyGlobalExpiryWarning/cAsymKeyGlobalExpiryWarning) or
         the granular setting per key material table entry
         (cSymKeyExpiryWarning/cAsymKeyExpiryWarning) if configured."
    ::= { cKeyManagementNotify 3 }

cKeyMaterialExpired NOTIFICATION-TYPE
    OBJECTS {
        cKeyMaterialFingerprint,
        cKeyMaterialTableOID
    }
    STATUS current
    DESCRIPTION
        "Key Material, identified by Key Fingerprint and OID of the
         associated key material table, has expired."
    ::= { cKeyManagementNotify 4 }

cKeyMaterialExpirationChanged NOTIFICATION-TYPE
    OBJECTS {
        cKeyMaterialFingerprint,
        cKeyMaterialTableOID
    }
    STATUS current
    DESCRIPTION
        "The expiration date of Key Material, identified by Key
         Fingerprint and the OID of the associated key material
         table, has changed. This can happen by either the
         'Expiration' object in the table changing or by the device
         making a change due to some other automated security policy
         change such as automatically extending a key when no new key
         is available."
    ::= { cKeyManagementNotify 5 }

cKeyMaterialZeroized NOTIFICATION-TYPE
    OBJECTS {
        cKeyMaterialFingerprint,
        cKeyMaterialTableOID
    }
    STATUS current
    DESCRIPTION
        "A key material, identified by fingerprint and OID of the
         associated key material table, has been securely deleted and
         zeroized. This notification is transmitted upon setting the
         Row Status object of the associated key material table entry
         to 'destroy', setting the cZeroizeAllKeys object to 'true',
         setting the cZeroizeSymmetricKeyTable object to 'true',
         setting the cZeroizeAsymKeyTable object to 'true', setting
         the cZeroizeTrustAnchorTable object to 'true', or setting
         the cZeroizeCDMStoreTable object to 'true'."
    ::= { cKeyManagementNotify 6 }

cCKLLoadSuccess NOTIFICATION-TYPE
    OBJECTS {
        cCKLIndex,
        cCKLIssuer
    }
    STATUS current
    DESCRIPTION
        "An attempt to load the device with CKL, identified by
         cCKLIndex and cCKLIssuer (indexes to the cCKLTable), has
         succeeded."
    ::= { cKeyManagementNotify 7 }

cCKLLoadFail NOTIFICATION-TYPE
    STATUS current
    DESCRIPTION
        "An attempt to load the device with CKL has failed."
    ::= { cKeyManagementNotify 8 }

cCDMAdded NOTIFICATION-TYPE
    OBJECTS {
        cCDMStoreIndex,
        cCDMStoreType
    }
    STATUS current
    DESCRIPTION
        "A new cryptographic device material (CDM) entry has been
         added to the cCDMStoreTable, as identified by cCDMStoreIndex
         and cCDMStoreType."
    ::= { cKeyManagementNotify 9 }

cCDMDeleted NOTIFICATION-TYPE
    OBJECTS {
        cCDMStoreIndex,
        cCDMStoreType,
        cCDMStoreFriendlyName
    }
    STATUS current
    DESCRIPTION
        "A cryptographic device material (CDM) entry has been
         deleted from the cCDMStoreTable, as identified by
         cCDMStoreIndex, cCDMStoreType and cCDMStoreFriendlyName."
    ::= { cKeyManagementNotify 10 }

cTrustAnchorAdded NOTIFICATION-TYPE
    OBJECTS {
        cTrustAnchorFingerprint,
        cTrustAnchorFormatType,
        cTrustAnchorUsageType
    }
    STATUS current
    DESCRIPTION
        "A trust anchor has been added to the cTrustAnchorTable, as
         identified by cTrustAnchorFingerprint,
         cTrustAnchorFormatType, and cTrustAnchorUsageType."
    ::= { cKeyManagementNotify 11 }

cTrustAnchorUpdated NOTIFICATION-TYPE
    OBJECTS {
        cTrustAnchorFingerprint,
        cTrustAnchorFormatType,
        cTrustAnchorUsageType
    }
    STATUS current
    DESCRIPTION
        "A trust anchor has been updated in the cTrustAnchorTable,
         as identified by cTrustAnchorFingerprint,
         cTrustAnchorFormatType, and cTrustAnchorUsageType."
    ::= { cKeyManagementNotify 12 }

cTrustAnchorRemoved NOTIFICATION-TYPE
    OBJECTS {
        cTrustAnchorFingerprint,
        cTrustAnchorFormatType,
        cTrustAnchorUsageType
    }
    STATUS current
    DESCRIPTION
        "A trust anchor has been removed from the cTrustAnchorTable,
         as identified by cTrustAnchorFingerprint,
         cTrustAnchorFormatType, and cTrustAnchorUsageType."
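The key-management scalars and the notifications above form one small behaviour: the cZeroize* scalars are write-only triggers (a SET of true zeroizes and raises cKeyMaterialZeroized for each affected entry, a read always returns false, and a SET equal to the current value is accepted without doing anything), and cKeyMaterialExpiring fires inside a warning window that is the entry's own cSymKeyExpiryWarning when set and the global cSymKeyGlobalExpiryWarning otherwise. The Python model below is an added example for this page, not code from the draft or from any agent. Fingerprints and dates are constructed, the table OID is written symbolically because ccKeyManagement's absolute prefix is defined in another section, and treating a key as expired once the current day is past cSymKeyExpirationDate is this example's assumption (the draft does not fix the boundary).

```python
"""Agent-side model of expiry warnings and the cZeroize* scalars in
CC-KEY-MANAGEMENT-MIB. Added example, not code from draft-turner-ccmib-04."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

TRUE, FALSE = 1, 2  # TruthValue encoding (RFC 2579)

# Symbolic OID of cSymmetricKeyTable ({ cSymmetricKeyInfo 3 } under
# { ccKeyManagementMIB 1 }); the absolute prefix lives elsewhere in the draft.
SYM_KEY_TABLE_OID = "ccKeyManagementMIB.1.3"

Notification = Tuple[str, str, str]  # (notification, cKeyMaterialFingerprint, cKeyMaterialTableOID)


@dataclass
class SymKeyRow:
    fingerprint: str                # cSymKeyFingerprint (constructed hex string)
    expiration: date                # cSymKeyExpirationDate (date part only)
    expiry_warning: Optional[int]   # cSymKeyExpiryWarning in days, None when unset


class KeyManagementAgent:
    """Models only the expiry and zeroize behaviour described by the module."""

    def __init__(self, global_expiry_warning_days: int) -> None:
        self.global_expiry_warning = global_expiry_warning_days  # cSymKeyGlobalExpiryWarning
        self.sym_keys = {}                                       # cSymmetricKeyTable rows
        self.notifications: List[Notification] = []

    def load(self, row: SymKeyRow) -> None:
        self.sym_keys[row.fingerprint] = row

    def warning_days(self, row: SymKeyRow) -> int:
        # Per-entry cSymKeyExpiryWarning wins; the global scalar is the fallback.
        if row.expiry_warning is not None:
            return row.expiry_warning
        return self.global_expiry_warning

    def check_expiry(self, today: date) -> List[Notification]:
        """Notifications the agent emits on 'today'. Assumption: a key is
        expired once today is after cSymKeyExpirationDate."""
        out: List[Notification] = []
        for row in self.sym_keys.values():
            if today > row.expiration:
                out.append(("cKeyMaterialExpired", row.fingerprint, SYM_KEY_TABLE_OID))
            elif today >= row.expiration - timedelta(days=self.warning_days(row)):
                out.append(("cKeyMaterialExpiring", row.fingerprint, SYM_KEY_TABLE_OID))
        self.notifications.extend(out)
        return out

    def get_zeroize_symmetric(self) -> int:
        return FALSE   # a read of cZeroizeSymmetricKeyTable always returns false

    def set_zeroize_symmetric(self, value: int) -> str:
        """SET on cZeroizeSymmetricKeyTable; returns the SNMP error-status name."""
        if value == FALSE:
            return "noError"   # equals the current value: accepted, no operation
        if value != TRUE:
            return "wrongValue"
        for fp in list(self.sym_keys):
            # A real agent overwrites the key storage here; the model drops
            # the row and reports it, as cKeyMaterialZeroized requires.
            del self.sym_keys[fp]
            self.notifications.append(("cKeyMaterialZeroized", fp, SYM_KEY_TABLE_OID))
        # The agent resets the object to false once zeroization completes,
        # so the next read (get_zeroize_symmetric) still returns FALSE.
        return "noError"


def demo() -> KeyManagementAgent:
    """Constructed sample table; fingerprints and dates are made up."""
    agent = KeyManagementAgent(global_expiry_warning_days=30)
    agent.load(SymKeyRow("a1b2", date(2020, 3, 1), expiry_warning=None))   # global 30 days
    agent.load(SymKeyRow("c3d4", date(2020, 3, 1), expiry_warning=7))      # per-entry 7 days
    agent.load(SymKeyRow("e5f6", date(2020, 1, 15), expiry_warning=None))  # already expired
    return agent


if __name__ == "__main__":
    a = demo()
    print(a.check_expiry(date(2020, 2, 10)))
    print(a.set_zeroize_symmetric(TRUE), a.get_zeroize_symmetric(), a.notifications[-3:])
```

Run on 2020-02-10 the sample emits cKeyMaterialExpiring for the key on the 30-day global window, nothing for the key whose own 7-day window has not opened, and cKeyMaterialExpired for the already-expired key; a manager correlating these with cKeyMaterialZeroized notifications can tell whether a key left the table by policy or by an explicit zeroize.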
    ::= { cKeyManagementNotify 13 }

-- *****************************************************************
-- CC MIB cSymmetricKeyTable
-- *****************************************************************

cSymmetricKeyTableCount OBJECT-TYPE
    SYNTAX Unsigned32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of rows in the cSymmetricKeyTable."
    ::= { cSymmetricKeyInfo 1 }

cSymmetricKeyTableLastChanged OBJECT-TYPE
    SYNTAX TimeStamp
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The last time any entry in the table was modified, created,
         or deleted by either SNMP, agent, or other management method
         (e.g., via an HMI). Managers can use this object to ensure
         that no changes to configuration of this table have happened
         since the last time they examined the table. A value of 0
         indicates that no entry has been changed since the agent
         initialized. The value in CC-DEVICE-INFO-MIB cSystemUpTime
         should be used to populate this column."
    ::= { cSymmetricKeyInfo 2 }

cSymmetricKeyTable OBJECT-TYPE
    SYNTAX SEQUENCE OF CSymmetricKeyEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The table containing the various types of symmetric keys
         used by the device."
    ::= { cSymmetricKeyInfo 3 }

cSymmetricKeyEntry OBJECT-TYPE
    SYNTAX CSymmetricKeyEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "A row containing information about a Symmetric Key."
    INDEX { cSymKeyFingerprint }
    ::= { cSymmetricKeyTable 1 }

CSymmetricKeyEntry ::= SEQUENCE {
    cSymKeyFingerprint          SnmpTLSFingerprint,
    cSymKeyUsage                BITS,
    cSymKeyID                   OCTET STRING,
    cSymKeyIssuer               OCTET STRING,
    cSymKeyEffectiveDate        DateAndTime,
    cSymKeyExpirationDate       DateAndTime,
    cSymKeyExpiryWarning        Unsigned32,
    cSymKeyNumberOfTransactions Unsigned32,
    cSymKeyFriendlyName         SnmpAdminString,
    cSymKeyClassification       BITS,
    cSymKeySource               OCTET STRING,
    cSymKeyRowStatus            RowStatus
}

cSymKeyFingerprint OBJECT-TYPE
    SYNTAX SnmpTLSFingerprint
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "An inherent identification of the symmetric key and the
        primary index to the cSymmetricKeyTable.

        This MIB does not provide any additional requirements on
        developing the fingerprint. Implementations are cautioned to
        develop the hash in a manner that does not compromise the
        security of the key material."
    ::= { cSymmetricKeyEntry 1 }

cSymKeyUsage OBJECT-TYPE
    SYNTAX BITS { oneTimePassword(0), challengeResponse(1),
                  unlock(2), encrypt(3), decrypt(4),
                  integrity(5), verify(6), keyWrap(7),
                  unwrap(8), derive(9), generate(10),
                  sharedSecret(11) }
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "The intended usage for the key: One Time Password (OTP),
        Challenge/Response (CR), Unlock, Encrypt, Decrypt,
        Integrity, Verify, KeyWrap, Unwrap, Derive, Generate,
        Shared Secret. From RFC 6030 section 5.

        OTP: The key is used for One Time Password (OTP) generation.

        CR: The key is used for Challenge/Response purposes.

        Unlock: The key is used for an inverse challenge response in
        the case where a user has locked the device by entering a
        wrong password too many times (for devices with password
        input capability).

        Encrypt: The key is used for data encryption purposes.
        Integrity: The key is used to generate a keyed message
        digest for data integrity or authentication purposes.

        Verify: The key is used to verify a keyed message digest for
        data integrity or authentication purposes (this is the
        opposite key usage of 'Integrity').

        Decrypt: The key is used for data decryption purposes.

        KeyWrap: The key is used for key wrap purposes.

        Unwrap: The key is used for key unwrap purposes.

        Derive: The key is used with a key derivation function to
        derive a new key.

        Generate: The key is used to generate a new key based on a
        random number and the previous value of the key.

        Shared Secret: The key is used as a shared secret between
        entities.

        Bit value translation:
        1000 0000 0000 0000 = OneTimePassword
        0100 0000 0000 0000 = ChallengeResponse
        0010 0000 0000 0000 = Unlock
        0001 0000 0000 0000 = Encrypt
        0000 1000 0000 0000 = Decrypt
        0000 0100 0000 0000 = Integrity
        0000 0010 0000 0000 = Verify
        0000 0001 0000 0000 = KeyWrap
        0000 0000 1000 0000 = Unwrap
        0000 0000 0100 0000 = Derive
        0000 0000 0010 0000 = Generate
        0000 0000 0001 0000 = SharedSecret"
    ::= { cSymmetricKeyEntry 2 }

cSymKeyID OBJECT-TYPE
    SYNTAX OCTET STRING (SIZE(1..255))
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "Represents a unique identifier assigned to this symmetric
        key. This would typically be an identifier inherent to the
        key material, such as a serial number or other form of
        identifier derived from a tag or other key wrapper. This
        object differs from cSymKeyFriendlyName, which is a
        user-defined ID."
    ::= { cSymmetricKeyEntry 3 }

cSymKeyIssuer OBJECT-TYPE
    SYNTAX OCTET STRING (SIZE(1..255))
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "Represents the name of the entity which issued the key. Use
        a distinguished name (DN) when one is available."
    ::= { cSymmetricKeyEntry 4 }

cSymKeyEffectiveDate OBJECT-TYPE
    SYNTAX DateAndTime
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "The effective date of the key."
    ::= { cSymmetricKeyEntry 5 }

cSymKeyExpirationDate OBJECT-TYPE
    SYNTAX DateAndTime
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "The expiration date of the key."
    ::= { cSymmetricKeyEntry 6 }

cSymKeyExpiryWarning OBJECT-TYPE
    SYNTAX Unsigned32
    UNITS "days"
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "The number of days prior to the expiration date of this key
        (cSymKeyExpirationDate) at which the cKeyMaterialExpiring
        notification will be transmitted.

        If configured, the scalar value of
        cSymKeyGlobalExpiryWarning will be ignored. The value of
        cSymKeyGlobalExpiryWarning will only be used if this column
        is not populated, populated with 0, or not implemented."
    ::= { cSymmetricKeyEntry 7 }

cSymKeyNumberOfTransactions OBJECT-TYPE
    SYNTAX Unsigned32
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "Indicates the maximum number of times a key can be used
        after having received it. If this column is not implemented,
        then there is no restriction regarding the number of times a
        key can be used.

        When this number is reached, implementations supporting this
        object should stop using this key and send a
        cKeyMaterialExpired notification."
    ::= { cSymmetricKeyEntry 8 }

cSymKeyFriendlyName OBJECT-TYPE
    SYNTAX SnmpAdminString
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "A human readable label of the key for easier reference. It
        is used only for helpful or informational purposes."
    ::= { cSymmetricKeyEntry 9 }

cSymKeyClassification OBJECT-TYPE
    SYNTAX BITS { unclassified(0), restricted(1),
                  confidential(2), secret(3), topSecret(4) }
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "The classification of the key.
        Bit value translation:
        1000 0000 = unclassified
        0100 0000 = restricted
        0010 0000 = confidential
        0001 0000 = secret
        0000 1000 = topSecret
        This column does not exist for devices that do not have the
        concept of classification."
    ::= { cSymmetricKeyEntry 10 }

cSymKeySource OBJECT-TYPE
    SYNTAX OCTET STRING (SIZE(1..255))
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "The source of the key material. This can be the URI of a
        key source entity. If the key was derived from a user-input
        password, the string should say PASSWORD.

        Keys developed by the device should contain the string
        DEVICE-GENERATED. If the key was filled locally then this
        column should begin with the word FILL followed by the fill
        protocol. If the source is unknown, this column should not
        be populated or be set to an empty string, ''."
    ::= { cSymmetricKeyEntry 11 }

cSymKeyRowStatus OBJECT-TYPE
    SYNTAX RowStatus
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "The status of this row by which existing entries may be
        deleted from this table. Setting this column to destroy is
        synonymous with zeroizing the key. Any reference(s) to this
        object, upon setting this RowStatus to destroy, should be
        destroyed as well.

        Upon populating this row, this column should automatically
        be set to notReady. Only after valid information has been
        entered by the manager can the manager set this column to
        active.

        At a minimum, implementations must support the active and
        destroy management functions.
        Implementations must support the createAndWait and
        createAndGo management functions for this object if the
        symmetric key material can be manually entered by the
        manager."
    ::= { cSymmetricKeyEntry 12 }

-- *****************************************************************
-- CC MIB cAsymKeyTable
-- *****************************************************************

cAsymKeyTableCount OBJECT-TYPE
    SYNTAX Unsigned32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of rows in the cAsymKeyTable."
    ::= { cAsymKeyInfo 1 }

cAsymKeyTableLastChanged OBJECT-TYPE
    SYNTAX TimeStamp
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The last time any entry in the table was modified, created,
        or deleted by either SNMP, the agent, or another management
        method (e.g., via an HMI). Managers can use this object to
        ensure that no changes to the configuration of this table
        have happened since the last time they examined the table.
        A value of 0 indicates that no entry has been changed since
        the agent initialized. The value of CC-DEVICE-INFO-MIB
        cSystemUpTime should be used to populate this object."
    ::= { cAsymKeyInfo 2 }

cAsymKeyTable OBJECT-TYPE
    SYNTAX SEQUENCE OF CAsymKeyEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The table containing the Asymmetric Key Material and
        Certificates used by the device. Enumeration values, when
        applicable, follow the conventions in RFC 5280."
    ::= { cAsymKeyInfo 3 }

cAsymKeyEntry OBJECT-TYPE
    SYNTAX CAsymKeyEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "A row containing information about an Asymmetric Key or
        Certificate."
    INDEX { cAsymKeyFingerprint }
    ::= { cAsymKeyTable 1 }

CAsymKeyEntry ::= SEQUENCE {
    cAsymKeyFingerprint         SnmpTLSFingerprint,
    cAsymKeyFriendlyName        SnmpAdminString,
    cAsymKeySerialNumber        OCTET STRING,
    cAsymKeyIssuer              OCTET STRING,
    cAsymKeySignatureAlgorithm  OCTET STRING,
    cAsymKeyPublicKeyAlgorithm  OCTET STRING,
    cAsymKeyEffectiveDate       DateAndTime,
    cAsymKeyExpirationDate      DateAndTime,
    cAsymKeyExpiryWarning       Unsigned32,
    cAsymKeySubject             OCTET STRING,
    cAsymKeySubjectType         BITS,
    cAsymKeySubjectAltName      SnmpAdminString,
    cAsymKeyUsage               BITS,
    cAsymKeyClassification      BITS,
    cAsymKeySource              OCTET STRING,
    cAsymKeyRowStatus           RowStatus,
    cAsymKeyVersion             INTEGER,
    cAsymKeyRekey               TruthValue,
    cAsymKeyType                OCTET STRING,
    cAsymKeyAutoRekeyEnable     TruthValue
}

cAsymKeyFingerprint OBJECT-TYPE
    SYNTAX SnmpTLSFingerprint
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "An inherent identification of the asymmetric key and the
        primary index to the cAsymKeyTable."
    ::= { cAsymKeyEntry 1 }

cAsymKeyFriendlyName OBJECT-TYPE
    SYNTAX SnmpAdminString
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "A human readable label of the key for easier reference. It
        is used only for helpful or informational purposes."
    ::= { cAsymKeyEntry 2 }

cAsymKeySerialNumber OBJECT-TYPE
    SYNTAX OCTET STRING (SIZE(1..255))
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The unique positive integer assigned to the Asymmetric
        Key. For a Public Key Certificate (PKC) this serial number
        is assigned by the Certification Authority (CA). The value
        in this column can be up to 20 bytes long per Section
        '4.1.2.2. Serial Number' of RFC 5280. Other types of Key
        Material may have a different serial number format as
        defined by the issuer (e.g., a Key Material ID)."
    ::= { cAsymKeyEntry 3 }

cAsymKeyIssuer OBJECT-TYPE
    SYNTAX OCTET STRING (SIZE(1..255))
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The issuer of this key material. For Public Key
        Certificates, this is the distinguished name (DN) of the
        entity that has signed and issued the Public Key
        Certificate (PKC). Other issuers shall be defined by the
        class of device and will reference the Key Management
        System that delivers the key material for that device."
    ::= { cAsymKeyEntry 4 }

cAsymKeySignatureAlgorithm OBJECT-TYPE
    SYNTAX OCTET STRING
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Signature algorithm used by a Certification Authority to
        sign this asymmetric key material (e.g., X.509
        Certificate). If no signature/signature algorithm is
        provided/used, this column would not exist.

        Note, this is a free form OCTET STRING column, meaning
        implementations may utilize a standardized definition of
        string values or use a proprietary definition of string
        values for supported signature algorithms."
    ::= { cAsymKeyEntry 5 }

cAsymKeyPublicKeyAlgorithm OBJECT-TYPE
    SYNTAX OCTET STRING
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Public key algorithm with which the public key is used (as
        associated with the asymmetric key material (e.g., X.509
        Certificate)).

        Note, this is a free form OCTET STRING column, meaning
        implementations may utilize a standardized definition of
        string values or use a proprietary definition of string
        values for supported public key algorithms."
    ::= { cAsymKeyEntry 6 }

cAsymKeyEffectiveDate OBJECT-TYPE
    SYNTAX DateAndTime
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "The date on which the validity period of the Asymmetric
        Key begins.
        This column must not exist when the key
        material does not have an inherent and associated effective
        date."
    ::= { cAsymKeyEntry 7 }

cAsymKeyExpirationDate OBJECT-TYPE
    SYNTAX DateAndTime
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "The date on which the validity period of the Asymmetric
        Key ends. This column must not exist when the key material
        does not have an inherent and associated expiration date."
    ::= { cAsymKeyEntry 8 }

cAsymKeyExpiryWarning OBJECT-TYPE
    SYNTAX Unsigned32
    UNITS "days"
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "The number of days prior to the expiration date of this
        key (cAsymKeyExpirationDate) at which the
        cKeyMaterialExpiring notification will be transmitted.

        If configured, the scalar value of
        cAsymKeyGlobalExpiryWarning will be ignored. The value of
        cAsymKeyGlobalExpiryWarning will only be used if this
        column is not populated, populated with 0, or not
        implemented."
    ::= { cAsymKeyEntry 9 }

cAsymKeySubject OBJECT-TYPE
    SYNTAX OCTET STRING (SIZE(1..255))
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The entity associated with this Asymmetric Key.

        For non-X.509 based key material, or when this object does
        not apply for the key material, this column will not
        exist."
    ::= { cAsymKeyEntry 10 }

cAsymKeySubjectType OBJECT-TYPE
    SYNTAX BITS { other(0), certificationAuthority(1),
                  crlIssuer(2) }
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Defines the type of subject based on the following
        choices. certificationAuthority(1) - When set to 1
        indicates that the subject (cAsymKeySubject) of the Public
        Key Certificate (PKC) is a Certification Authority (CA).
        crlIssuer(2) - When set to 1 indicates that the subject
        (cAsymKeySubject) of the Public Key Certificate (PKC)
        is a Certificate Revocation List (CRL) issuer.
        Bit value translation:
        1000 0000 = other
        0100 0000 = certificationAuthority
        0010 0000 = crlIssuer
        For non-X.509 based key material, or when this object does
        not apply for the key material, this column will not
        exist."
    ::= { cAsymKeyEntry 11 }

cAsymKeySubjectAltName OBJECT-TYPE
    SYNTAX SnmpAdminString (SIZE(1..32))
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "A reference string that points to a set of Certificate
        Subject Alternative Names in the cCertSubAltNameTable.

        This column should contain an empty string if the
        Certificate has no associated Subject Alternative Names.

        For non-X.509 based key material, or when this object does
        not apply for the key material, this column will not
        exist."
    ::= { cAsymKeyEntry 12 }

cAsymKeyUsage OBJECT-TYPE
    SYNTAX BITS { other(0), digitalSignature(1),
                  nonRepudiation(2), keyEncipherment(3),
                  dataEncipherment(4), keyAgreement(5),
                  keyCertSign(6), cRLSign(7), encipherOnly(8),
                  decipherOnly(9) }
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "Provides the intended type of usage for the Asymmetric
        Key.
        The following types are supported (defined in Section
        4.2.1.3 Key Usage of RFC 5280 for PKC):
        other(0), digitalSignature(1), nonRepudiation(2),
        keyEncipherment(3), dataEncipherment(4), keyAgreement(5),
        keyCertSign(6), cRLSign(7), encipherOnly(8), and
        decipherOnly(9)
        Bit value translation:
        1000 0000 0000 0000 = other
        0100 0000 0000 0000 = digitalSignature
        0010 0000 0000 0000 = nonRepudiation
        0001 0000 0000 0000 = keyEncipherment
        0000 1000 0000 0000 = dataEncipherment
        0000 0100 0000 0000 = keyAgreement
        0000 0010 0000 0000 = keyCertSign
        0000 0001 0000 0000 = cRLSign
        0000 0000 1000 0000 = encipherOnly
        0000 0000 0100 0000 = decipherOnly
        Devices using asymmetric key material not adhering to RFC
        5280 (X.509 format) may still use an applicable value for
        the Usage, or may use 'other'."
    ::= { cAsymKeyEntry 13 }

cAsymKeyClassification OBJECT-TYPE
    SYNTAX BITS { unclassified(0), restricted(1),
                  confidential(2), secret(3), topSecret(4) }
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The classification level(s) supported by the subject
        (cAsymKeySubject) of this key material.
        Bit value translation:
        1000 0000 = unclassified,
        0100 0000 = restricted,
        0010 0000 = confidential,
        0001 0000 = secret,
        0000 1000 = topSecret.

        This column does not exist for devices that do not have the
        concept of classification."
    ::= { cAsymKeyEntry 14 }

cAsymKeySource OBJECT-TYPE
    SYNTAX OCTET STRING (SIZE(1..255))
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "The source of the key material. This can be the URI of a
        key source entity. Keys developed by the device should
        contain the string DEVICE-GENERATED. If the key was filled
        locally then this column should begin with the word FILL
        followed by the fill protocol.
        If the source is unknown,
        this column should be blank."
    ::= { cAsymKeyEntry 15 }

cAsymKeyRowStatus OBJECT-TYPE
    SYNTAX RowStatus
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "The status of this row by which existing entries may be
        deleted from this table. Deleting a row in this table will
        also delete the analogous rows in the cCertSubAltNameTable
        that are referenced by cAsymKeySubjectAltName.

        Setting this column to destroy is synonymous with zeroizing
        the key material. Any reference(s) to this object, upon
        setting this RowStatus to destroy, should be destroyed as
        well. At a minimum, implementations must support the active
        and destroy management functions. Support for the
        notInService and notReady management functions is optional.
        Implementations must not support the createAndWait and
        createAndGo management functions for this object."
    ::= { cAsymKeyEntry 16 }

cAsymKeyVersion OBJECT-TYPE
    SYNTAX INTEGER
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The version of the asymmetric key material. For example,
        X.509 Version 3 certificates would have a value of '2', as
        defined in RFC 5280 - Section 4.1.2.1.

        When this object does not apply for the key material, this
        column will not exist."
    ::= { cAsymKeyEntry 17 }

cAsymKeyRekey OBJECT-TYPE
    SYNTAX TruthValue
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "Setting this object to 'true' initiates a rekey operation
        for the asymmetric key material. Note, additional
        configuration will likely be required based on the
        supported key management protocol.

        Note, after this object has been set to 'true', the agent
        should reset it to 'false' once the rekey operation has
        completed."
    ::= { cAsymKeyEntry 18 }

cAsymKeyType OBJECT-TYPE
    SYNTAX OCTET STRING (SIZE(1..255))
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "This column describes the type of asymmetric key material.

        Note, this is a free form OCTET STRING column.
        Implementations are expected to utilize a definition of
        string values that applies to the specific nomenclature
        they support. If no such nomenclature exists, this column
        should not be populated or be set to an empty string
        (i.e., '')."
    ::= { cAsymKeyEntry 19 }

cAsymKeyAutoRekeyEnable OBJECT-TYPE
    SYNTAX TruthValue
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "Controls the automatic rekey settings for this PKC.

        [true] Enables automatic rekey.
        [false] Disables automatic rekey.

        This column is optional to support."
    DEFVAL { false }
    ::= { cAsymKeyEntry 20 }

-- *****************************************************************
-- CC MIB cTrustAnchorTable
-- *****************************************************************

cTrustAnchorTableCount OBJECT-TYPE
    SYNTAX Unsigned32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of rows in the cTrustAnchorTable."
    ::= { cTrustAnchorInfo 1 }

cTrustAnchorTableLastChanged OBJECT-TYPE
    SYNTAX TimeStamp
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The last time any entry in the table was modified, created,
        or deleted by either SNMP, the agent, or another management
        method (e.g., via an HMI). Managers can use this object to
        ensure that no changes to the configuration of this table
        have happened since the last time they examined the table.
        A value of 0 indicates that no entry has been changed since
        the agent initialized. The value of CC-DEVICE-INFO-MIB
        cSystemUpTime should be used to populate this object."
    ::= { cTrustAnchorInfo 2 }

cTrustAnchorTable OBJECT-TYPE
    SYNTAX SEQUENCE OF CTrustAnchorEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The table containing the Trust Anchors (TAs) in this
        device."
    ::= { cTrustAnchorInfo 3 }

cTrustAnchorEntry OBJECT-TYPE
    SYNTAX CTrustAnchorEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "A row containing information about a Trust Anchor (TA) that
        has been loaded into the device."
    INDEX { cTrustAnchorFingerprint }
    ::= { cTrustAnchorTable 1 }

CTrustAnchorEntry ::= SEQUENCE {
    cTrustAnchorFingerprint         SnmpTLSFingerprint,
    cTrustAnchorFormatType          INTEGER,
    cTrustAnchorName                OCTET STRING,
    cTrustAnchorUsageType           INTEGER,
    cTrustAnchorKeyIdentifier       OCTET STRING,
    cTrustAnchorPublicKeyAlgorithm  OCTET STRING,
    cTrustAnchorContingencyAvail    TruthValue,
    cTrustAnchorRowStatus           RowStatus,
    cTrustAnchorVersion             OCTET STRING
}

cTrustAnchorFingerprint OBJECT-TYPE
    SYNTAX SnmpTLSFingerprint
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "An inherent identification of the trust anchor and the
        primary index to the cTrustAnchorTable."
    ::= { cTrustAnchorEntry 1 }

cTrustAnchorFormatType OBJECT-TYPE
    SYNTAX INTEGER { x509v3(1), trustAnchorFormat(2),
                     tbsCertificate(3) }
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The type/format of the trust anchor.

        [1] x509v3: X.509v3 certificate per RFC 5280.
        [2] trustAnchorFormat: Trust Anchor Format per RFC 5914.
        [3] tbsCertificate: To Be Signed Certificate per RFC 5280."
    ::= { cTrustAnchorEntry 2 }

cTrustAnchorName OBJECT-TYPE
    SYNTAX OCTET STRING (SIZE(0..255))
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The name of the Trust Anchor.
        When available, this is the
        X.500 distinguished name (DN) associated with the Trust
        Anchor (TA) used to construct and validate an X.509
        certification path. When the value of cTrustAnchorFormatType
        is 'trustAnchorFormat', this column is populated with the
        value of the taTitle field of the TrustAnchorInfo
        structure defined in RFC 5914, which is a human-readable
        name for the trust anchor. Otherwise, this column should be
        blank."
    ::= { cTrustAnchorEntry 3 }

cTrustAnchorUsageType OBJECT-TYPE
    SYNTAX INTEGER { other(1), apex(2), management(3),
                     identity(4), firmware(5), crl(6) }
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The usage type for the Trust Anchor (TA). Note, crl(6) also
        applies to compromised key lists."
    ::= { cTrustAnchorEntry 4 }

cTrustAnchorKeyIdentifier OBJECT-TYPE
    SYNTAX OCTET STRING (SIZE(1..255))
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The identifier of the Trust Anchor's (TA's) public key."
    ::= { cTrustAnchorEntry 5 }

cTrustAnchorPublicKeyAlgorithm OBJECT-TYPE
    SYNTAX OCTET STRING
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Public key algorithm with which the public key is used (as
        associated with the trust anchor).

        Note, this is a free form OCTET STRING column, meaning
        implementations may utilize a standardized definition of
        string values or use a proprietary definition of string
        values for supported public key algorithms."
    ::= { cTrustAnchorEntry 6 }

cTrustAnchorContingencyAvail OBJECT-TYPE
    SYNTAX TruthValue
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "An indication of the availability of a contingency key for
        an Apex Trust Anchor. When set to 'true', a contingency key
        is available."
    ::= { cTrustAnchorEntry 7 }

cTrustAnchorRowStatus OBJECT-TYPE
    SYNTAX RowStatus
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "The status of this row by which existing entries may be
        deleted from this table. Setting this column to destroy is
        synonymous with zeroizing the Trust Anchor (TA). Any
        reference(s) to this object, upon setting this RowStatus to
        destroy, should be destroyed as well.

        At a minimum, implementations must support the active and
        destroy management functions. Support for the notInService
        and notReady management functions is optional.
        Implementations must not support the createAndWait and
        createAndGo management functions for this object.

        Some implementations may restrict the deletion of Trust
        Anchors to specific protocols (e.g., TAMP)."
    ::= { cTrustAnchorEntry 8 }

cTrustAnchorVersion OBJECT-TYPE
    SYNTAX OCTET STRING
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The version of the Trust Anchor."
    ::= { cTrustAnchorEntry 9 }

-- *****************************************************************
-- CC MIB cCKLTable
-- *****************************************************************

cCKLTableCount OBJECT-TYPE
    SYNTAX Unsigned32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of rows in the cCKLTable."
    ::= { cCKLInfo 1 }

cCKLLastChanged OBJECT-TYPE
    SYNTAX TimeStamp
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The last time any entry in the table was modified, created,
        or deleted by either SNMP, the agent, or another management
        method (e.g., via an HMI). Managers can use this object to
        ensure that no changes to the configuration of this table
        have happened since the last time they examined the table.
        A value of 0 indicates that no entry has been changed since
        the agent initialized.
        The value of CC-DEVICE-INFO-MIB cSystemUpTime
        should be used to populate this object."
    ::= { cCKLInfo 2 }

cCKLTable OBJECT-TYPE
    SYNTAX SEQUENCE OF CCKLEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The table containing the Compromised Key Lists (CKLs) and
        Certificate Revocation Lists (CRLs) used by the device. This
        table is used both for CRLs as defined in RFC 5280 and for
        other formats of revocation lists (such as Compromised Key
        Lists)."
    ::= { cCKLInfo 3 }

cCKLEntry OBJECT-TYPE
    SYNTAX CCKLEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "A row containing information about a Compromised Key List
        (CKL) or Certificate Revocation List (CRL) used by the
        device."
    INDEX { cCKLIndex, cCKLIssuer }
    ::= { cCKLTable 1 }

CCKLEntry ::= SEQUENCE {
    cCKLIndex        Unsigned32,
    cCKLIssuer       OCTET STRING,
    cCKLSerialNumber OCTET STRING,
    cCKLIssueDate    DateAndTime,
    cCKLNextUpdate   DateAndTime,
    cCKLRowStatus    RowStatus,
    cCKLVersion      INTEGER,
    cCKLLastUpdate   DateAndTime
}

cCKLIndex OBJECT-TYPE
    SYNTAX Unsigned32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "An ID that uniquely identifies the Compromised Key List
        (CKL) or Certificate Revocation List (CRL) in this table."
    ::= { cCKLEntry 1 }

cCKLIssuer OBJECT-TYPE
    SYNTAX OCTET STRING (SIZE(0..255))
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "For devices adhering to RFC 5280 this is the X.500
        distinguished name (DN) of the entity that has signed and
        issued the Certificate Revocation List (CRL).

        Other CRL/CKL issuers may use proprietary naming conventions
        or formats.

        If the issuer is unknown, this column should not be
        populated or be set to an empty string, ''."
    ::= { cCKLEntry 2 }

cCKLSerialNumber OBJECT-TYPE
    SYNTAX OCTET STRING (SIZE(0..255))
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "A Serial Number for this CRL or CKL.

        For CRLs adhering to RFC 5280, this will be the CRL Number:
        a monotonically increasing sequence number for a given
        Certificate Revocation List (CRL) scope and CRL issuer. The
        CRL Number allows users to easily determine when a
        particular CKL/CRL supersedes another CKL/CRL."
    ::= { cCKLEntry 3 }

cCKLIssueDate OBJECT-TYPE
    SYNTAX DateAndTime
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The issue date of this CRL/CKL."
    ::= { cCKLEntry 4 }

cCKLNextUpdate OBJECT-TYPE
    SYNTAX DateAndTime
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The date by which the next CKL/CRL will be issued. The next
        CRL could be issued before the indicated date, but it will
        not be issued any later than the indicated date.

        If this value is unknown, this column should not be
        populated (DateAndTime has no empty-string value)."
    ::= { cCKLEntry 5 }

cCKLRowStatus OBJECT-TYPE
    SYNTAX RowStatus
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "The status of this row by which existing entries may be
        deleted from this table.

        At a minimum, implementations must support the active and
        destroy management functions. Support for the notInService
        and notReady management functions is optional.
        Implementations must not support the createAndWait and
        createAndGo management functions for this object."
    ::= { cCKLEntry 6 }

cCKLVersion OBJECT-TYPE
    SYNTAX INTEGER
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The version of the CKL/CRL. For example, X.509 Version 2
        CRLs would have a value of '1', as defined in RFC 5280 -
        Section 5.1.2.1.

        When this object does not apply for the CKL/CRL, this column
        will not exist."
    ::= { cCKLEntry 7 }

cCKLLastUpdate OBJECT-TYPE
    SYNTAX DateAndTime
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The date this CKL/CRL was last updated."
    ::= { cCKLEntry 8 }

-- *****************************************************************
-- CC MIB cCDMStoreTable
-- *****************************************************************

cCDMStoreTableCount OBJECT-TYPE
    SYNTAX Unsigned32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of rows in the cCDMStoreTable."
    ::= { cCDMStoreInfo 1 }

cCDMStoreTableLastChanged OBJECT-TYPE
    SYNTAX TimeStamp
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The last time any entry in the table was modified, created,
        or deleted by either SNMP, the agent, or another management
        method (e.g., via an HMI). Managers can use this object to
        ensure that no changes to the configuration of this table
        have happened since the last time they examined the table.
        A value of 0 indicates that no entry has been changed since
        the agent initialized. The value of CC-DEVICE-INFO-MIB
        cSystemUpTime should be used to populate this object."
    ::= { cCDMStoreInfo 2 }

cCDMStoreTable OBJECT-TYPE
    SYNTAX SEQUENCE OF CCDMStoreEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The table containing various types of stored Crypto Device
        Material (CDM) that are destined for this device and/or
        destined for another device. When sending CDM to a destined
        device, the cCDMTransferPkgLocatorRowPtr from the
        CC-KEY-TRANSFER-PUSH-MIB can be used to point to the rows in
        this table."
    ::= { cCDMStoreInfo 3 }

cCDMStoreEntry OBJECT-TYPE
    SYNTAX CCDMStoreEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "A row containing information about stored Crypto Device
        Material (CDM)."
    INDEX { cCDMStoreIndex }
    ::= { cCDMStoreTable 1 }

CCDMStoreEntry ::= SEQUENCE {
    cCDMStoreIndex          Unsigned32,
    cCDMStoreType           INTEGER,
    cCDMStoreSource         SnmpAdminString,
    cCDMStoreID             OCTET STRING,
    cCDMStoreFriendlyName   SnmpAdminString,
    cCDMStoreControl        INTEGER,
    cCDMStoreRowStatus      RowStatus
}

cCDMStoreIndex OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A numeric index that identifies a unique location in this
        table."
    ::= { cCDMStoreEntry 1 }

cCDMStoreType OBJECT-TYPE
    SYNTAX      INTEGER { symKey(1), asymKey(2), trustAnchor(3),
                          crl(4), ckl(5), firmware(6),
                          storeAndForwardWrappedPkg(7),
                          storeAndForwardPkg(8) }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of Crypto Device Material (CDM) populated in this
        row.

        (1) symKey - This row contains information about a stored
            symmetric key.
        (2) asymKey - This row contains information about a stored
            asymmetric key.
        (3) trustAnchor - This row contains information about a
            stored Trust Anchor (TA).
        (4) crl - This row contains information about a stored
            Certificate Revocation List (CRL).
        (5) ckl - This row contains information about a stored
            Compromised Key List (CKL).
        (6) firmware - This row contains information about stored
            firmware.
        (7) storeAndForwardWrappedPkg - This row contains
            information about a stored encrypted wrapped package,
            typically meant to be forwarded to another device.
        (8) storeAndForwardPkg - This row contains information
            about a stored unencrypted package, typically meant to
            be forwarded to another device."
    ::= { cCDMStoreEntry 2 }

cCDMStoreSource OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "An administrative name that identifies the source of this
        Crypto Device Material (CDM).
        This could be the URI used
        when downloaded from the CDM server or a physical port
        designator for CDM downloaded via HMI."
    ::= { cCDMStoreEntry 3 }

cCDMStoreID OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(1..255))
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Represents a unique identifier assigned to this Crypto
        Device Material (CDM). This would typically be an identifier
        inherent to the CDM, such as a serial number or other form
        of identifier derived from a tag or other CDM wrapper. This
        object differs from cCDMStoreFriendlyName, which is a
        user-defined ID."
    ::= { cCDMStoreEntry 4 }

cCDMStoreFriendlyName OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "A human-readable label of this Crypto Device Material (CDM)
        for easier reference. It is used only for helpful or
        informational purposes."
    ::= { cCDMStoreEntry 5 }

cCDMStoreControl OBJECT-TYPE
    SYNTAX      INTEGER { readyForInstall(1), install(2),
                          installAndDiscard(3), other(4) }
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "A means to control what happens to the Crypto Device
        Material (CDM) stored in this table.
        (1) readyForInstall - The CDM is ready for installation.
        (2) install - The CDM will be installed in the appropriate
            table based on the cCDMStoreType.
        (3) installAndDiscard - The CDM will be installed in the
            appropriate table based on the cCDMStoreType and
            discarded from this table after the install operation is
            complete.
        (4) other - The CDM will be processed based on a
            family-extension-specific action.

        Note, setting the cCDMStoreRowStatus object to 'destroy'
        will discard the CDM."
    ::= { cCDMStoreEntry 6 }

cCDMStoreRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The status of this row by which existing entries may be
        deleted from this table.

        At a minimum, implementations must support active and
        destroy management functions. Support for notInService and
        notReady management functions is optional. Implementations
        must not support createAndWait and createAndGo management
        functions for this object."
    ::= { cCDMStoreEntry 7 }

-- *****************************************************************
-- CC MIB cCertSubAltNameTable
-- *****************************************************************

cCertSubAltNameTableCount OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of rows in the cCertSubAltNameTable."
    ::= { cCertSubAltNameInfo 1 }

cCertSubAltNameTableLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The last time any entry in the table was modified, created,
        or deleted by either SNMP, agent, or other management method
        (e.g., via an HMI). Managers can use this object to ensure
        that no changes to configuration of this table have happened
        since the last time it examined the table. A value of 0
        indicates that no entry has been changed since the agent
        initialized. The value in CC-DEVICE-INFO-MIB cSystemUpTime
        should be used to populate this column."
    ::= { cCertSubAltNameInfo 2 }

cCertSubAltNameTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF CCertSubAltNameTableEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The table containing a list of Subject Alternative Names
        associated with the certificate."
    ::= { cCertSubAltNameInfo 3 }

cCertSubAltNameTableEntry OBJECT-TYPE
    SYNTAX      CCertSubAltNameTableEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A row containing information about a Subject Alternative
        Name and its type."
    INDEX { cCertSubAltNameList, cCertSubAltNameListIndex }
    ::= { cCertSubAltNameTable 1 }

CCertSubAltNameTableEntry ::= SEQUENCE {
    cCertSubAltNameList         SnmpAdminString,
    cCertSubAltNameListIndex    Unsigned32,
    cCertSubAltNameType         INTEGER,
    cCertSubAltNameValue1       OCTET STRING,
    cCertSubAltNameValue2       OCTET STRING,
    cCertSubAltNameRowStatus    RowStatus
}

cCertSubAltNameList OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The administrative name defining the set of Subject
        Alternative Names that are associated with the certificate.
        Multiple Subject Alternative Names may use the same
        administrative name, implying a group. It is the combination
        of cCertSubAltNameList and cCertSubAltNameListIndex that
        uniquely identifies each row or set of Subject Alternative
        Names."
    ::= { cCertSubAltNameTableEntry 1 }

cCertSubAltNameListIndex OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A unique numeric index for rows, or sets of Subject
        Alternative Names, with the same cCertSubAltNameList value.
        This value, in combination with cCertSubAltNameList,
        uniquely identifies each row, or set of Subject Alternative
        Names."
    ::= { cCertSubAltNameTableEntry 2 }

cCertSubAltNameType OBJECT-TYPE
    SYNTAX      INTEGER { otherName(0), rfc822Name(1), dNSName(2),
                          x400Address(3), directoryName(4),
                          ediPartyName(5),
                          uniformResourceIdentifier(6), ipAddress(7),
                          registeredID(8) }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of the Subject Alternative Name as defined in RFC
        5280, Section 4.2.1.6. Specifically, the value of this
        object determines the format of cCertSubAltNameValue1 and
        cCertSubAltNameValue2."
    ::= { cCertSubAltNameTableEntry 3 }

cCertSubAltNameValue1 OBJECT-TYPE
    SYNTAX      OCTET STRING
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The main value of the Subject Alternative Name. The format
        of the value must match its Type as defined in RFC 5280,
        Section 4.2.1.6.

        This column is the main value and is used for all
        cCertSubAltNameType types. For otherName(0), this column
        provides the value of the 'value' field. For
        ediPartyName(5), this column provides the value of the
        'partyName'. For all other types, this column provides the
        value as defined in RFC 5280, Section 4.2.1.6."
    ::= { cCertSubAltNameTableEntry 4 }

cCertSubAltNameValue2 OBJECT-TYPE
    SYNTAX      OCTET STRING
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This column is a supplement to the main value
        cCertSubAltNameValue1 and may only be used when the
        cCertSubAltNameType is either otherName(0) or
        ediPartyName(5). For otherName(0), this column provides the
        value of the 'type-id' as defined in RFC 5280, Section
        4.2.1.6. For ediPartyName(5), this column provides the value
        of the 'nameAssigner' as defined in RFC 5280, Section
        4.2.1.6.

        For all other values of cCertSubAltNameType or when the
        'nameAssigner' is not used for ediPartyName(5), this column
        will not exist.
        Note: Support for multiple otherName(0) or ediPartyName(5)
        alternate names is provided by allowing multiple rows of the
        same cCertSubAltNameType and cCertSubAltNameList but with a
        unique cCertSubAltNameListIndex."
    ::= { cCertSubAltNameTableEntry 5 }

cCertSubAltNameRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The status of this row by which existing entries may be
        deleted from this table.

        At a minimum, implementations must support active and
        destroy management functions. Support for notInService and
        notReady management functions is optional. Implementations
        must not support createAndWait and createAndGo management
        functions for this object."
    ::= { cCertSubAltNameTableEntry 6 }

-- *****************************************************************
-- CC MIB cCertPathCtrlsTable
-- *****************************************************************

cCertPathCtrlsTableCount OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of rows in the cCertPathCtrlsTable."
    ::= { cCertPathCtrlsInfo 1 }

cCertPathCtrlsTableLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The last time any entry in the table was modified, created,
        or deleted by either SNMP, agent, or other management method
        (e.g., via an HMI). Managers can use this object to ensure
        that no changes to configuration of this table have happened
        since the last time it examined the table. A value of 0
        indicates that no entry has been changed since the agent
        initialized. The value in CC-DEVICE-INFO-MIB cSystemUpTime
        should be used to populate this column."
    ::= { cCertPathCtrlsInfo 2 }

cCertPathCtrlsTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF CCertPathCtrlsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The table containing the controls and constraints applied
        to a certificate in order to process certificate trust
        paths."
    ::= { cCertPathCtrlsInfo 3 }

cCertPathCtrlsEntry OBJECT-TYPE
    SYNTAX      CCertPathCtrlsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A row containing information about certificate path
        controls and constraints."
    INDEX { cCertPathCtrlsKeyFingerprint }
    ::= { cCertPathCtrlsTable 1 }

CCertPathCtrlsEntry ::= SEQUENCE {
    cCertPathCtrlsKeyFingerprint    SnmpTLSFingerprint,
    cCertPathCtrlsCertificate       RowPointer,
    cCertPathCtrlsCertPolicies      OCTET STRING,
    cCertPathCtrlsPolicyMappings    OCTET STRING,
    cCertPathCtrlsPolicyFlags       BITS,
    cCertPathCtrlsNamesPermitted    OCTET STRING,
    cCertPathCtrlsNamesExcluded     OCTET STRING,
    cCertPathCtrlsMaxPathLength     Unsigned32
}

cCertPathCtrlsKeyFingerprint OBJECT-TYPE
    SYNTAX      SnmpTLSFingerprint
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Identifies a trust anchor in the cTrustAnchorTable or a
        certificate in the cAsymKeyTable. This column is the
        primary index to the cCertPathCtrlsTable."
    ::= { cCertPathCtrlsEntry 1 }

cCertPathCtrlsCertificate OBJECT-TYPE
    SYNTAX      RowPointer
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Optional reference to an X.509 certificate defined in the
        cAsymKeyTable to assist with certification path development
        and validation."
    ::= { cCertPathCtrlsEntry 2 }

cCertPathCtrlsCertPolicies OBJECT-TYPE
    SYNTAX      OCTET STRING
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Indicates a grouping of one or more policies for this
        certificate.
        The value of this column corresponds to the
        cCertPolicyInformation column in the cCertPolicyTable.

        When this object does not apply for the key material, this
        column will not exist."
    ::= { cCertPathCtrlsEntry 3 }

cCertPathCtrlsPolicyMappings OBJECT-TYPE
    SYNTAX      OCTET STRING
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "For a Certification Authority (CA) certificate, this
        indicates a grouping of policy mappings between a
        certificate issuer CA domain policy and a domain policy of
        the subject certificate CA. The value of this column
        corresponds to the cPolicyMappingGroup column of the
        cPolicyMappingTable.

        For non-X.509 based key material, or when this object does
        not apply for the key material, this column will not exist."
    ::= { cCertPathCtrlsEntry 4 }

cCertPathCtrlsPolicyFlags OBJECT-TYPE
    SYNTAX      BITS { inhibitPolicyMapping(0),
                       requireExplicitPolicy(1),
                       inhibitAnyPolicy(2) }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Optional certificate path policy flags consisting of the
        following: inhibitPolicyMapping, requireExplicitPolicy, and
        inhibitAnyPolicy.

        inhibitPolicyMapping: Indicates if policy mapping is allowed
        in the certification path.

        requireExplicitPolicy: Indicates if the certification path
        must be valid for at least one of the certificate policies
        in cCertPathCtrlsCertPolicies.

        inhibitAnyPolicy: Indicates whether the special anyPolicy
        policy identifier is considered an explicit match for other
        certificate policies.
        Bit value translation:
        1000 = inhibitPolicyMapping
        0100 = requireExplicitPolicy
        0010 = inhibitAnyPolicy"
    ::= { cCertPathCtrlsEntry 5 }

cCertPathCtrlsNamesPermitted OBJECT-TYPE
    SYNTAX      OCTET STRING
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Indicates a subtree of names that are permitted for
        certificate path validation. The value of this column
        corresponds to the cNameConstraintGenSubtree column in the
        cNameConstraintTable.

        When this object does not apply for the key material, this
        column will not exist."
    ::= { cCertPathCtrlsEntry 6 }

cCertPathCtrlsNamesExcluded OBJECT-TYPE
    SYNTAX      OCTET STRING
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Indicates a subtree of names that are excluded from
        certificate path validation, regardless of information
        appearing in the cCertPathCtrlsNamesPermitted subtree. The
        value of this column corresponds to the
        cNameConstraintGenSubtree column in the
        cNameConstraintTable.

        When this object does not apply for the key material, this
        column will not exist."
    ::= { cCertPathCtrlsEntry 7 }

cCertPathCtrlsMaxPathLength OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Optional indication of the maximum number of
        non-self-issued intermediate certificates that may follow
        this certificate in a valid certification path."
    ::= { cCertPathCtrlsEntry 8 }

-- *****************************************************************
-- CC MIB cCertPolicyTable
-- *****************************************************************

cCertPolicyTableCount OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of rows in the cCertPolicyTable."
    ::= { cCertPolicyInfo 1 }

cCertPolicyTableLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The last time any entry in the table was modified, created,
        or deleted by either SNMP, agent, or other management method
        (e.g., via an HMI). Managers can use this object to ensure
        that no changes to configuration of this table have happened
        since the last time it examined the table. A value of 0
        indicates that no entry has been changed since the agent
        initialized. The value in CC-DEVICE-INFO-MIB cSystemUpTime
        should be used to populate this column."
    ::= { cCertPolicyInfo 2 }

cCertPolicyTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF CCertPolicyEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The table containing certificate policy information to be
        provided as input to the certificate path validation
        algorithm. For an end entity certificate, this information
        indicates under which policy this certificate has been
        issued and the purposes for which the certificate may be
        used. For a Certification Authority (CA) certificate, this
        information limits the set of policies for certification
        paths that include this certificate."
    ::= { cCertPolicyInfo 3 }

cCertPolicyEntry OBJECT-TYPE
    SYNTAX      CCertPolicyEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A row containing information about a certificate policy."
    INDEX { cCertPolicyInformation, cCertPolicyInformationIndex }
    ::= { cCertPolicyTable 1 }

CCertPolicyEntry ::= SEQUENCE {
    cCertPolicyInformation      OCTET STRING,
    cCertPolicyInformationIndex Unsigned32,
    cCertPolicyIdentifier       OBJECT IDENTIFIER,
    cCertPolicyQualifierID      INTEGER,
    cCertPolicyQualifier        OCTET STRING
}

cCertPolicyInformation OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(1..255))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Identifies a grouping of policies that are applicable to a
        certificate. When used in conjunction with
        cCertPolicyInformationIndex, a unique policy and qualifier
        set is defined."
    ::= { cCertPolicyEntry 1 }

cCertPolicyInformationIndex OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A numerical index that is unique for a specific
        cCertPolicyInformation value. This index allows multiple
        qualifiers to be defined for a particular policy. When used
        in conjunction with cCertPolicyInformation, a unique policy
        and qualifier set is defined."
    ::= { cCertPolicyEntry 2 }

cCertPolicyIdentifier OBJECT-TYPE
    SYNTAX      OBJECT IDENTIFIER
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "For end entity certificates, this is an identifier for the
        policy under which the certificate has been issued. For
        Certification Authority (CA) certificates, this is an
        identifier for a certification path policy that includes
        this certificate."
    ::= { cCertPolicyEntry 3 }

cCertPolicyQualifierID OBJECT-TYPE
    SYNTAX      INTEGER { cpsPointer(0), userNotice(1) }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Indicates the type of qualifier per RFC 5280,
        Section 4.2.1.4."
    ::= { cCertPolicyEntry 4 }

cCertPolicyQualifier OBJECT-TYPE
    SYNTAX      OCTET STRING
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Qualifier information with type based on
        cCertPolicyQualifierID."
    ::= { cCertPolicyEntry 5 }

-- *****************************************************************
-- CC MIB cPolicyMappingTable
-- *****************************************************************

cPolicyMappingTableCount OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of rows in the cPolicyMappingTable."
    ::= { cPolicyMappingInfo 1 }

cPolicyMappingTableLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The last time any entry in the table was modified, created,
        or deleted by either SNMP, agent, or other management method
        (e.g., via an HMI). Managers can use this object to ensure
        that no changes to configuration of this table have happened
        since the last time it examined the table. A value of 0
        indicates that no entry has been changed since the agent
        initialized. The value in CC-DEVICE-INFO-MIB cSystemUpTime
        should be used to populate this column."
    ::= { cPolicyMappingInfo 2 }

cPolicyMappingTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF CPolicyMappingEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The table listing mappings between policies that a
        certificate issuing Certification Authority (CA) considers
        as equivalent or comparable to the domain policies of the
        subject certificate's CA."
    ::= { cPolicyMappingInfo 3 }

cPolicyMappingEntry OBJECT-TYPE
    SYNTAX      CPolicyMappingEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A row containing a mapping between the domain policy of an
        issuing Certification Authority (CA) and an equivalent
        domain policy of the subject certificate's CA."
    INDEX { cPolicyMappingGroup, cPolicyMappingIndex }
    ::= { cPolicyMappingTable 1 }

CPolicyMappingEntry ::= SEQUENCE {
    cPolicyMappingGroup         OCTET STRING,
    cPolicyMappingIndex         Unsigned32,
    cPolicyMappingSubjectPolicy OBJECT IDENTIFIER,
    cPolicyMappingIssuerPolicy  OBJECT IDENTIFIER
}

cPolicyMappingGroup OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(1..255))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Identifies a grouping of policy mappings that are
        applicable to a certificate. When used in conjunction with
        cPolicyMappingIndex, a unique policy mapping is defined."
    ::= { cPolicyMappingEntry 1 }

cPolicyMappingIndex OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A numerical index that is unique for a specific
        cPolicyMappingGroup value. When used in conjunction with
        cPolicyMappingGroup, a unique policy mapping is defined."
    ::= { cPolicyMappingEntry 2 }

cPolicyMappingSubjectPolicy OBJECT-TYPE
    SYNTAX      OBJECT IDENTIFIER
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Indicates the subject Certification Authority's domain
        policy."
    ::= { cPolicyMappingEntry 3 }

cPolicyMappingIssuerPolicy OBJECT-TYPE
    SYNTAX      OBJECT IDENTIFIER
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Indicates the issuer domain policy that the issuer
        Certification Authority (CA) considers equivalent to the
        subject CA domain policy."
    ::= { cPolicyMappingEntry 4 }

-- *****************************************************************
-- CC MIB cNameConstraintTable
-- *****************************************************************

cNameConstraintTableCount OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of rows in the cNameConstraintTable."
    ::= { cNameConstraintInfo 1 }

cNameConstraintTableLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The last time any entry in the table was modified, created,
        or deleted by either SNMP, agent, or other management method
        (e.g., via an HMI). Managers can use this object to ensure
        that no changes to configuration of this table have happened
        since the last time it examined the table. A value of 0
        indicates that no entry has been changed since the agent
        initialized. The value in CC-DEVICE-INFO-MIB cSystemUpTime
        should be used to populate this column."
    ::= { cNameConstraintInfo 2 }

cNameConstraintTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF CNameConstraintEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The table listing designated name spaces within which
        subject names in subsequent certificates in a certification
        path can be stored."
    ::= { cNameConstraintInfo 3 }

cNameConstraintEntry OBJECT-TYPE
    SYNTAX      CNameConstraintEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A row designating an entity's distinguished name to a name
        space."
    INDEX { cNameConstraintGenSubtree,
            cNameConstraintSubtreeIndex }
    ::= { cNameConstraintTable 1 }

CNameConstraintEntry ::= SEQUENCE {
    cNameConstraintGenSubtree   OCTET STRING,
    cNameConstraintSubtreeIndex Unsigned32,
    cNameConstraintBaseName     SnmpAdminString
}

cNameConstraintGenSubtree OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(1..255))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Identifies a permitted or excluded name constraint subtree.
        When used with cNameConstraintSubtreeIndex, a unique subject
        name constraint entry is defined."
    ::= { cNameConstraintEntry 1 }

cNameConstraintSubtreeIndex OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A numerical index used to specify a name constraint within
        a permitted or excluded name constraint subtree. When used
        with a specific value of cNameConstraintGenSubtree, a unique
        subject name constraint entry is defined."
    ::= { cNameConstraintEntry 2 }

cNameConstraintBaseName OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The distinguished name of the subject that is permitted or
        excluded."
    ::= { cNameConstraintEntry 3 }

-- *****************************************************************
-- CC MIB cRemoteKeyMaterialTable
-- *****************************************************************

cRemoteKeyMaterialTableCount OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of rows in the cRemoteKeyMaterialTable."
    ::= { cRemoteKeyMaterialInfo 1 }

cRemoteKeyMaterialTableLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The last time any entry in the table was modified,
        created, or deleted by either SNMP, agent, or other
        management method (e.g., via an HMI). Managers can use this
        object to ensure that no changes to configuration of this
        table have happened since the last time it examined the
        table. A value of 0 indicates that no entry has been
        changed since the agent initialized. The value in
        CC-DEVICE-INFO-MIB cSystemUpTime should be used to populate
        this column."
    ::= { cRemoteKeyMaterialInfo 2 }

cRemoteKeyMaterialTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF CRemoteKeyMaterialTableEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The table containing remote key material information -
        namely, key material used to help establish the secure
        connection."
    ::= { cRemoteKeyMaterialInfo 3 }

cRemoteKeyMaterialTableEntry OBJECT-TYPE
    SYNTAX      CRemoteKeyMaterialTableEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A row describing the remote key material information used
        to establish the secure connection."
    INDEX { cRemoteKeyMaterialID }
    ::= { cRemoteKeyMaterialTable 1 }

CRemoteKeyMaterialTableEntry ::= SEQUENCE {
    cRemoteKeyMaterialID        OCTET STRING,
    cRemoteKeyMatFriendlyName   SnmpAdminString,
    cRemoteKeyMatSerialNumber   OCTET STRING,
    cRemoteKeyMaterialKeyType   OCTET STRING,
    cRemoteKeyMatExpirationDate DateAndTime,
    cRemoteKeyMatClassification BITS
}

cRemoteKeyMaterialID OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(1..255))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Represents a unique identifier assigned to this key
        material.
        This would typically be an identifier inherent to
        the key material, such as a serial number or other form of
        identifier derived from a tag or other key wrapper. This
        object differs from cRemoteKeyMatFriendlyName, which is a
        user-defined ID."
    ::= { cRemoteKeyMaterialTableEntry 1 }

cRemoteKeyMatFriendlyName OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "A human-readable label of the key for easier reference. It
        is used only for helpful or informational purposes."
    ::= { cRemoteKeyMaterialTableEntry 2 }

cRemoteKeyMatSerialNumber OBJECT-TYPE
    SYNTAX      OCTET STRING
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The unique positive integer assigned to the remote key
        material. Note, this information may not be available in
        some key material types."
    ::= { cRemoteKeyMaterialTableEntry 3 }

cRemoteKeyMaterialKeyType OBJECT-TYPE
    SYNTAX      OCTET STRING
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This column describes the type of remote key material.

        Note, this is a free-form OCTET STRING column.
        Implementations are expected to define string values that
        apply to the nomenclature they support. If no such
        nomenclature exists, this column should not be populated or
        be set to an empty string (i.e., '')."
    ::= { cRemoteKeyMaterialTableEntry 4 }

cRemoteKeyMatExpirationDate OBJECT-TYPE
    SYNTAX      DateAndTime
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The expiration date of the key."
    ::= { cRemoteKeyMaterialTableEntry 5 }

cRemoteKeyMatClassification OBJECT-TYPE
    SYNTAX      BITS { unclassified(0), restricted(1),
                       confidential(2), secret(3), topSecret(4) }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The classification of the key.
        Bit value translation:
        1000 0000 = unclassified
        0100 0000 = restricted
        0010 0000 = confidential
        0001 0000 = secret
        0000 1000 = topSecret

        This column does not exist for devices that do not have
        the concept of classification."
    ::= { cRemoteKeyMaterialTableEntry 6 }

-- *****************************************************************
-- Module Conformance Information
-- *****************************************************************

cKeyManagementCompliances OBJECT IDENTIFIER
    ::= { cKeyManagementConformance 1 }

cKeyManagementGroups OBJECT IDENTIFIER
    ::= { cKeyManagementConformance 2 }

cKeyManSymKeyCompliance MODULE-COMPLIANCE
    STATUS      current
    DESCRIPTION
        "Compliance levels for symmetric key information."
    MODULE
    MANDATORY-GROUPS { cKeyManSymKeyGroup, cKeyManRemoteKeyGroup }

    GROUP cKeyManSymKeyNotifyScalars
    DESCRIPTION
        "This symmetric key notification scalar group is optional
        for implementation."

    GROUP cKeyManSymKeyNotifyGroup
    DESCRIPTION
        "This notification group is optional for implementation."
    ::= { cKeyManagementCompliances 1 }

cKeyManAsymKeyCompliance MODULE-COMPLIANCE
    STATUS      current
    DESCRIPTION
        "Compliance levels for asymmetric key information."
    MODULE
    MANDATORY-GROUPS { cKeyManAsymKeyGroup, cKeyManRemoteKeyGroup }

    GROUP cKeyManCertSubAltNameGroup
    DESCRIPTION
        "Certificate Subject Alternative Name group is optional for
        implementation."

    GROUP cKeyManCertPathCtrlsGroup
    DESCRIPTION
        "Certificate Path Controls group is optional for
        implementation."

    GROUP cKeyManCertPolicyGroup
    DESCRIPTION
        "Certificate Policy group is optional for implementation."

    GROUP cKeyManPolicyMappingGroup
    DESCRIPTION
        "Policy Mapping group is optional for implementation."
    GROUP cKeyManNameConstraintGroup
    DESCRIPTION
        "Name Constraint group is optional for implementation."

    GROUP cKeyManTrustAnchorGroup
    DESCRIPTION
        "Trust Anchor group is optional for implementation."

    GROUP cKeyManAsymKeyNotifyScalars
    DESCRIPTION
        "This asymmetric key notification scalar group is optional
        for implementation."

    GROUP cKeyManAsymKeyNotifyGroup
    DESCRIPTION
        "This notification group is optional for implementation."

    GROUP cKeyManTrustAnchorNotifyGroup
    DESCRIPTION
        "This notification group is optional for implementation."

    OBJECT cCertPathCtrlsCertificate
    MIN-ACCESS not-accessible
    DESCRIPTION
        "Implementation of this object is optional."

    OBJECT cCertPathCtrlsPolicyFlags
    MIN-ACCESS not-accessible
    DESCRIPTION
        "Implementation of this object is optional."

    OBJECT cCertPathCtrlsMaxPathLength
    MIN-ACCESS not-accessible
    DESCRIPTION
        "Implementation of this object is optional."
    ::= { cKeyManagementCompliances 2 }

cKeyManTrustAnchorCompliance MODULE-COMPLIANCE
    STATUS current
    DESCRIPTION
        "Compliance levels for trust anchor information."
    MODULE
    MANDATORY-GROUPS { cKeyManTrustAnchorGroup }

    GROUP cKeyManCertPathCtrlsGroup
    DESCRIPTION
        "Certificate Path Controls group is optional for
        implementation."

    GROUP cKeyManCertPolicyGroup
    DESCRIPTION
        "Certificate Policy group is optional for implementation."

    GROUP cKeyManPolicyMappingGroup
    DESCRIPTION
        "Policy Mapping group is optional for implementation."

    GROUP cKeyManNameConstraintGroup
    DESCRIPTION
        "Name Constraint group is optional for implementation."

    GROUP cKeyManTrustAnchorNotifyGroup
    DESCRIPTION
        "This notification group is optional for implementation."

    OBJECT cCertPathCtrlsCertificate
    MIN-ACCESS not-accessible
    DESCRIPTION
        "Implementation of this object is optional."
    OBJECT cCertPathCtrlsPolicyFlags
    MIN-ACCESS not-accessible
    DESCRIPTION
        "Implementation of this object is optional."

    OBJECT cCertPathCtrlsMaxPathLength
    MIN-ACCESS not-accessible
    DESCRIPTION
        "Implementation of this object is optional."
    ::= { cKeyManagementCompliances 3 }

cKeyManCKLCompliance MODULE-COMPLIANCE
    STATUS current
    DESCRIPTION
        "Compliance levels for CKL information."
    MODULE
    MANDATORY-GROUPS { cKeyManCKLGroup }

    GROUP cKeyManCKLNotifyGroup
    DESCRIPTION
        "This notification group is optional for implementation."
    ::= { cKeyManagementCompliances 4 }

cKeyManCDMStoreCompliance MODULE-COMPLIANCE
    STATUS current
    DESCRIPTION
        "Compliance levels for CDM Store information."
    MODULE
    MANDATORY-GROUPS { cKeyManCDMStoreGroup }

    GROUP cKeyManCDMStoreNotifyGroup
    DESCRIPTION
        "This notification group is optional for implementation."
    ::= { cKeyManagementCompliances 5 }

cKeyManSymKeyGroup OBJECT-GROUP
    OBJECTS {
        cZeroizeAllKeys,
        cZeroizeSymmetricKeyTable,
        cSymmetricKeyTableCount,
        cSymmetricKeyTableLastChanged,
        cSymKeyUsage,
        cSymKeyID,
        cSymKeyIssuer,
        cSymKeyEffectiveDate,
        cSymKeyExpirationDate,
        cSymKeyExpiryWarning,
        cSymKeyNumberOfTransactions,
        cSymKeyFriendlyName,
        cSymKeyClassification,
        cSymKeySource,
        cSymKeyRowStatus
    }
    STATUS current
    DESCRIPTION
        "This group is composed of objects related to symmetric key
        information."
    ::= { cKeyManagementGroups 1 }

cKeyManAsymKeyGroup OBJECT-GROUP
    OBJECTS {
        cZeroizeAllKeys,
        cZeroizeAsymKeyTable,
        cAsymKeyTableCount,
        cAsymKeyTableLastChanged,
        cAsymKeyFingerprint,
        cAsymKeyFriendlyName,
        cAsymKeySerialNumber,
        cAsymKeyIssuer,
        cAsymKeySignatureAlgorithm,
        cAsymKeyPublicKeyAlgorithm,
        cAsymKeyEffectiveDate,
        cAsymKeyExpirationDate,
        cAsymKeyExpiryWarning,
        cAsymKeySubject,
        cAsymKeySubjectType,
        cAsymKeyUsage,
        cAsymKeyClassification,
        cAsymKeySource,
        cAsymKeyRowStatus,
        cAsymKeyVersion,
        cAsymKeyRekey,
        cAsymKeyType,
        cAsymKeyAutoRekeyEnable
    }
    STATUS current
    DESCRIPTION
        "This group is composed of objects related to asymmetric key
        information."
    ::= { cKeyManagementGroups 2 }

cKeyManCertSubAltNameGroup OBJECT-GROUP
    OBJECTS {
        cAsymKeySubjectAltName,
        cCertSubAltNameTableCount,
        cCertSubAltNameTableLastChanged,
        cCertSubAltNameType,
        cCertSubAltNameValue1,
        cCertSubAltNameValue2,
        cCertSubAltNameRowStatus
    }
    STATUS current
    DESCRIPTION
        "This group is composed of objects related to certificate
        subject alternative name information."
    ::= { cKeyManagementGroups 3 }

cKeyManCertPathCtrlsGroup OBJECT-GROUP
    OBJECTS {
        cCertPathCtrlsTableCount,
        cCertPathCtrlsTableLastChanged,
        cCertPathCtrlsCertificate,
        cCertPathCtrlsPolicyFlags,
        cCertPathCtrlsMaxPathLength
    }
    STATUS current
    DESCRIPTION
        "This group is composed of objects related to certificate
        path controls information."
    ::= { cKeyManagementGroups 4 }

cKeyManCertPolicyGroup OBJECT-GROUP
    OBJECTS {
        cCertPathCtrlsCertPolicies,
        cCertPolicyTableCount,
        cCertPolicyTableLastChanged,
        cCertPolicyIdentifier,
        cCertPolicyQualifierID,
        cCertPolicyQualifier
    }
    STATUS current
    DESCRIPTION
        "This group is composed of objects related to certificate
        policy information."
    ::= { cKeyManagementGroups 5 }

cKeyManPolicyMappingGroup OBJECT-GROUP
    OBJECTS {
        cCertPathCtrlsPolicyMappings,
        cPolicyMappingTableCount,
        cPolicyMappingTableLastChanged,
        cPolicyMappingSubjectPolicy,
        cPolicyMappingIssuerPolicy
    }
    STATUS current
    DESCRIPTION
        "This group is composed of objects related to policy mapping
        information."
    ::= { cKeyManagementGroups 6 }

cKeyManNameConstraintGroup OBJECT-GROUP
    OBJECTS {
        cCertPathCtrlsNamesPermitted,
        cCertPathCtrlsNamesExcluded,
        cNameConstraintTableCount,
        cNameConstraintTableLastChanged,
        cNameConstraintBaseName
    }
    STATUS current
    DESCRIPTION
        "This group is composed of objects related to name
        constraint information."
    ::= { cKeyManagementGroups 7 }

cKeyManTrustAnchorGroup OBJECT-GROUP
    OBJECTS {
        cZeroizeAllKeys,
        cZeroizeTrustAnchorTable,
        cTrustAnchorTableCount,
        cTrustAnchorTableLastChanged,
        cTrustAnchorFingerprint,
        cTrustAnchorFormatType,
        cTrustAnchorName,
        cTrustAnchorUsageType,
        cTrustAnchorKeyIdentifier,
        cTrustAnchorPublicKeyAlgorithm,
        cTrustAnchorContingencyAvail,
        cTrustAnchorRowStatus,
        cTrustAnchorVersion
    }
    STATUS current
    DESCRIPTION
        "This group is composed of objects related to trust anchor
        information."
    ::= { cKeyManagementGroups 8 }

cKeyManCKLGroup OBJECT-GROUP
    OBJECTS {
        cCKLTableCount,
        cCKLLastChanged,
        cCKLIndex,
        cCKLIssuer,
        cCKLSerialNumber,
        cCKLIssueDate,
        cCKLNextUpdate,
        cCKLRowStatus,
        cCKLVersion,
        cCKLLastUpdate
    }
    STATUS current
    DESCRIPTION
        "This group is composed of objects related to compromised
        key list information."
    ::= { cKeyManagementGroups 9 }

cKeyManCDMStoreGroup OBJECT-GROUP
    OBJECTS {
        cZeroizeAllKeys,
        cZeroizeCDMStoreTable,
        cCDMStoreTableCount,
        cCDMStoreTableLastChanged,
        cCDMStoreIndex,
        cCDMStoreType,
        cCDMStoreSource,
        cCDMStoreID,
        cCDMStoreFriendlyName,
        cCDMStoreControl,
        cCDMStoreRowStatus
    }
    STATUS current
    DESCRIPTION
        "This group is composed of objects related to Crypto
        Device Material store information."
    ::= { cKeyManagementGroups 10 }

cKeyManSymKeyNotifyScalars OBJECT-GROUP
    OBJECTS {
        cKeyMaterialTableOID,
        cKeyMaterialFingerprint,
        cSymKeyGlobalExpiryWarning
    }
    STATUS current
    DESCRIPTION
        "This group is composed of objects related to symmetric key
        notifications."
    ::= { cKeyManagementGroups 11 }

cKeyManAsymKeyNotifyScalars OBJECT-GROUP
    OBJECTS {
        cKeyMaterialTableOID,
        cKeyMaterialFingerprint,
        cAsymKeyGlobalExpiryWarning
    }
    STATUS current
    DESCRIPTION
        "This group is composed of objects related to asymmetric key
        notifications."
    ::= { cKeyManagementGroups 12 }

cKeyManSymKeyNotifyGroup NOTIFICATION-GROUP
    NOTIFICATIONS {
        cKeyMaterialLoadSuccess,
        cKeyMaterialLoadFail,
        cKeyMaterialExpiring,
        cKeyMaterialExpired,
        cKeyMaterialExpirationChanged,
        cKeyMaterialZeroized
    }
    STATUS current
    DESCRIPTION
        "This group is composed of notifications related to
        symmetric key information."
    ::= { cKeyManagementGroups 13 }

cKeyManAsymKeyNotifyGroup NOTIFICATION-GROUP
    NOTIFICATIONS {
        cKeyMaterialLoadSuccess,
        cKeyMaterialLoadFail,
        cKeyMaterialExpiring,
        cKeyMaterialExpired,
        cKeyMaterialExpirationChanged,
        cKeyMaterialZeroized
    }
    STATUS current
    DESCRIPTION
        "This group is composed of notifications related to
        asymmetric key information."
    ::= { cKeyManagementGroups 14 }

cKeyManTrustAnchorNotifyGroup NOTIFICATION-GROUP
    NOTIFICATIONS {
        cTrustAnchorAdded,
        cTrustAnchorUpdated,
        cTrustAnchorRemoved
    }
    STATUS current
    DESCRIPTION
        "This group is composed of notifications related to trust
        anchor information."
    ::= { cKeyManagementGroups 15 }

cKeyManCKLNotifyGroup NOTIFICATION-GROUP
    NOTIFICATIONS {
        cCKLLoadSuccess,
        cCKLLoadFail
    }
    STATUS current
    DESCRIPTION
        "This group is composed of notifications related to
        compromised key list information."
    ::= { cKeyManagementGroups 16 }

cKeyManCDMStoreNotifyGroup NOTIFICATION-GROUP
    NOTIFICATIONS {
        cCDMAdded,
        cCDMDeleted
    }
    STATUS current
    DESCRIPTION
        "This group is composed of notifications related to Crypto
        Device Material store information."
    ::= { cKeyManagementGroups 17 }

cKeyManRemoteKeyGroup OBJECT-GROUP
    OBJECTS {
        cRemoteKeyMaterialTableCount,
        cRemoteKeyMaterialTableLastChanged,
        cRemoteKeyMatFriendlyName,
        cRemoteKeyMatSerialNumber,
        cRemoteKeyMaterialKeyType,
        cRemoteKeyMatExpirationDate,
        cRemoteKeyMatClassification
    }
    STATUS current
    DESCRIPTION
        "This group is composed of objects related to remote key
        information."
    ::= { cKeyManagementGroups 18 }

END

6.5. Key Transfer Pull

This MIB module makes reference to the following documents:
[RFC2578], [RFC2579], [RFC2580], and [RFC3411].
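As an added example (not part of the draft or its MIB module), the following Python models how an agent would handle SNMP sets of the cCDMLDeliveryRequest scalar defined in the module below: the allowed-value table keyed on cCDMLDeliveryStatus, the walk through cCDMServerTable rows in cCDMServerPriority order, the resulting cCDMLPullReceive* notifications, and the cCDMPullRetrievalPriorities filter on cCDMDeliveryTable rows. The server URIs, the one-line-per-CDM CDML text format, and the fetch/parse callables are constructed assumptions; the draft does not define a CDML wire format.

```python
"""CDML pull control model for CC-KEY-TRANSFER-PULL-MIB (added example)."""
from enum import IntEnum


class Request(IntEnum):   # cCDMLDeliveryRequest enumeration
    readyForDownload = 1
    downloadAndParse = 2
    discard = 3


class Status(IntEnum):    # cCDMLDeliveryStatus enumeration
    complete = 1
    inProgress = 2
    downloadFailed = 3
    parseFailed = 4


# cCDMType enumeration, used when turning a CDML into cCDMDeliveryTable rows.
CDM_TYPE = {"notification": 1, "symmetricKey": 2, "asymmetricKey": 3,
            "certificate": 4, "cklOrCrl": 5, "firmware": 6}


class InconsistentValue(Exception):
    """SNMP inconsistentValue error returned for a disallowed set."""


# Allowed cCDMLDeliveryRequest set values per current cCDMLDeliveryStatus,
# transcribed from the table in the cCDMLDeliveryStatus description.
ALLOWED = {
    Status.complete:       {Request.readyForDownload, Request.downloadAndParse},
    Status.inProgress:     {Request.discard},
    Status.downloadFailed: {Request.discard},
    Status.parseFailed:    {Request.discard},
}


def set_allowed(status, value):
    """True if setting cCDMLDeliveryRequest to value is allowed in status."""
    return Request(value) in ALLOWED[Status(status)]


def retrievable(rows, pull_priority):
    """cCDMPullRetrievalPriorities filter: 0 selects every row, otherwise only
    rows whose cCDMDeliveryPriority <= pull_priority. rows: (priority, uri)."""
    return [r for r in rows if pull_priority == 0 or r[0] <= pull_priority]


class CdmlPullAgent:
    def __init__(self, servers, fetch, parse):
        self.servers = servers              # cCDMServerPriority -> cCDMServerURI
        self.fetch, self.parse = fetch, parse
        self.status = Status.complete       # DEFVAL { complete }
        self.request = Request.readyForDownload
        self.delivery_table = []            # (cCDMType, cCDMURI) rows from the CDML
        self.notifications = []             # emitted NOTIFICATION-TYPE tuples

    def get_request(self):
        # A read returns readyForDownload after success, else the last action.
        return Request.readyForDownload if self.status == Status.complete else self.request

    def set_request(self, value):
        value = Request(value)
        if not set_allowed(self.status, value):
            raise InconsistentValue(f"{value.name} not allowed while {self.status.name}")
        if value == Request.discard:        # cancel or clear a failure, back to idle
            self.status, self.request = Status.complete, Request.readyForDownload
        elif value == Request.downloadAndParse:
            self.request = value
            self._download_and_parse()
        # readyForDownload while complete changes nothing

    def _download_and_parse(self):
        self.status = Status.inProgress
        data, uri = None, None
        for priority in sorted(self.servers):   # lowest cCDMServerPriority first
            uri = self.servers[priority]
            try:
                data = self.fetch(uri)
                break
            except Exception:
                continue                        # try the next server/URI
        if data is None:
            self.status = Status.downloadFailed
            self.notifications.append(("cCDMLPullReceiveFailed", uri, self.status))
            return
        try:                                    # the parse cannot be aborted
            rows = self.parse(data)
        except Exception:
            self.status = Status.parseFailed
            self.notifications.append(("cCDMLPullReceiveFailed", uri, self.status))
            return
        self.delivery_table.extend(rows)
        self.status = Status.complete
        self.notifications.append(("cCDMLPullReceiveSuccess", uri))


# Constructed sample: the higher-priority server is unreachable; the second
# serves a CDML in a constructed "<cCDMType name> <cCDMURI>" line format.
SAMPLE_SERVERS = {1: "https://cdm1.example/cdml", 2: "https://cdm2.example/cdml"}
SAMPLE_CDML = (b"symmetricKey https://cdm2.example/cdm/key1\n"
               b"certificate https://cdm2.example/cdm/cert1\n")


def sample_fetch(uri):
    if uri.startswith("https://cdm1"):
        raise ConnectionError("unreachable")
    return SAMPLE_CDML


def sample_parse(data):
    rows = []
    for line in data.decode().splitlines():
        name, cdm_uri = line.split()            # ValueError -> parseFailed
        rows.append((CDM_TYPE[name], cdm_uri))
    return rows
```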
CC-KEY-TRANSFER-PULL-MIB DEFINITIONS ::= BEGIN

IMPORTS
    ccKeyTransferPull
        FROM CC-FEATURE-HIERARCHY-MIB         -- FROM Sec 6.2
    MODULE-COMPLIANCE, OBJECT-GROUP,
    NOTIFICATION-GROUP
        FROM SNMPv2-CONF                      -- FROM RFC 2580
    OBJECT-TYPE, Unsigned32, NOTIFICATION-TYPE,
    MODULE-IDENTITY
        FROM SNMPv2-SMI                       -- FROM RFC 2578
    SnmpAdminString
        FROM SNMP-FRAMEWORK-MIB               -- FROM RFC 3411
    RowStatus, TimeStamp
        FROM SNMPv2-TC;                       -- FROM RFC 2579

ccKeyTransferPullMIB MODULE-IDENTITY
    LAST-UPDATED "201609302154Z"
    ORGANIZATION "CCMIB CCB"
    CONTACT-INFO
        "CC MIB Configuration Control Board
        Email: CCMIB.CCB@us.af.mil"
    DESCRIPTION
        "This MIB defines the CC MIB Key Transfer Pull objects.

        Copyright (c) 2019 IETF Trust and the persons
        identified as authors of the code. All rights reserved.

        Redistribution and use in source and binary forms, with
        or without modification, is permitted pursuant to, and
        subject to the license terms contained in, the Simplified
        BSD License set forth in Section 4.c of the IETF Trust's
        Legal Provisions Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this MIB module is part of RFC xxxx;
        see the RFC itself for full legal notices."
    -- RFC Ed.: RFC-editor please fill in xxxx.
    REVISION "201609302154Z"
    DESCRIPTION "CC MIB 1.0.5 FINAL. Published as RFC xxxx."
    -- RFC Ed.: RFC-editor please fill in xxxx.
    ::= { ccKeyTransferPull 1 }

-- *****************************************************************
-- Key Transfer Pull Information Segments
-- *****************************************************************

cKeyTransferPullConformance OBJECT IDENTIFIER
    ::= { ccKeyTransferPullMIB 1 }
cKeyTransferPullScalars OBJECT IDENTIFIER
    ::= { ccKeyTransferPullMIB 2 }
cKeyTransferPullNotify OBJECT IDENTIFIER
    ::= { ccKeyTransferPullMIB 3 }
cCDMServerInfo OBJECT IDENTIFIER
    ::= { ccKeyTransferPullMIB 4 }
cCDMDeliveryInfo OBJECT IDENTIFIER
    ::= { ccKeyTransferPullMIB 5 }

-- *****************************************************************
-- Key Transfer Pull Scalars
-- *****************************************************************

cCDMServerRetryDelay OBJECT-TYPE
    SYNTAX Unsigned32
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "The amount of time to wait after a download attempt to the
        cryptographic device material (CDM) server fails before
        attempting to retry the operation. Note, this scalar applies
        to the download of any type of item from the CDM server
        (e.g., CDMs, CDMLs)."
    ::= { cKeyTransferPullScalars 1 }

cCDMServerRetryMaxAttempts OBJECT-TYPE
    SYNTAX Unsigned32
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "The number of retries attempted before the download attempt
        to the cryptographic device material (CDM) server is
        considered a failure. Note, this scalar applies to the
        download of any type of item from the CDM server (e.g.,
        CDMs, CDMLs)."
    ::= { cKeyTransferPullScalars 2 }

cCDMPullRetrievalPriorities OBJECT-TYPE
    SYNTAX Unsigned32
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "An indication of which cryptographic device materials
        (CDMs) to retrieve based on this value and a configured
        cCDMDeliveryPriority in a cCDMDeliveryTable entry.
        This value identifies an upper bound. A value of '5', for
        example, implies that only cCDMDeliveryTable entries with a
        cCDMDeliveryPriority value of '5' or less can be acted upon
        (i.e., retrieved).

        Different types of ECUs may have different values for this
        scalar. Bandwidth-limited ECUs, for example, may configure
        lower values so that only high-priority CDMs are retrieved.

        A value of 0, which is also the default value for this
        scalar, indicates that all cCDMDeliveryTable entries can be
        acted upon regardless of the configured cCDMDeliveryPriority
        value."
    DEFVAL { 0 }
    ::= { cKeyTransferPullScalars 3 }

cCDMLDeliveryRequest OBJECT-TYPE
    SYNTAX INTEGER { readyForDownload(1), downloadAndParse(2),
                     discard(3) }
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "This scalar controls the server's CDML download process -
        server information is stored in the cCDMServerTable. When
        read, it will return 'readyForDownload' if the last action
        succeeded. If the last action is in progress or failed, it
        will return the last requested action.

        The values which may be set depend on the current value of
        this object and the cCDMLDeliveryStatus object.

        In order to initiate a new download, this object must
        contain the value 'readyForDownload', and the
        cCDMLDeliveryStatus must contain the value 'complete'. At
        that point, setting this object to 'downloadAndParse'
        initiates the CDML download process. Note, the
        cCDMLDeliveryStatus should transition to 'inProgress' as
        the device begins the CDML download process from the
        server(s) and URI(s) listed in the cCDMServerTable (as
        ordered by the cCDMServerPriority index).

        If the CDML download fails, the next highest priority URI
        will be tried, and so on.
        While a CDML download is in progress, or if the CDML
        download fails for all possible servers and URIs (indicated
        by a cCDMLDeliveryStatus value of 'downloadFailed'), this
        object will return an inconsistentValue error for any new
        value except 'discard' (which will cancel the current
        download).

        If the CDML download succeeded, the cCDMLDeliveryStatus
        value remains inProgress and the device attempts to parse
        the download immediately. During the parsing of the CDML,
        all new values will return an inconsistentValue error (i.e.,
        the parse process cannot be aborted). If the parse fails,
        the cCDMLDeliveryStatus will transition to 'parseFailed',
        and this object must be set to 'discard' before a new CDML
        download is attempted."
    ::= { cKeyTransferPullScalars 4 }

cCDMLDeliveryStatus OBJECT-TYPE
    SYNTAX INTEGER { complete(1), inProgress(2),
                     downloadFailed(3),
                     parseFailed(4) }
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "This indicates the current state of a CDML download.

        'complete' indicates that the last requested
        cCDMLDeliveryRequest action was successful.

        'inProgress' indicates that a CDML download or CDML parse is
        underway.

        'downloadFailed' indicates that the last attempted CDML
        download failed.

        'parseFailed' indicates that the last attempted CDML parse
        failed.

        The relationship between this object and
        cCDMLDeliveryRequest is detailed in the following table. The
        table indicates values of cCDMLDeliveryRequest that are
        allowed depending on the current value of this object.

        cCDMLDeliveryRequest!             cCDMLDeliveryStatus
        --------------------+-----------+----------+--------------+------------
                            ! complete  !inProgress!downloadFailed!parseFailed!
        --------------------+-----------+----------+--------------+------------
         readyForDownload   ! allowed   !  error   !    error     !   error   !
        --------------------+-----------+----------+--------------+------------
         downloadAndParse   ! allowed   !  error   !    error     !   error   !
        --------------------+-----------+----------+--------------+------------
         discard            !  error    ! allowed  !   allowed    !  allowed  !
        --------------------+-----------+----------+--------------+------------

        As described in the cCDMLDeliveryRequest description, an
        inconsistentValue error is returned for a disallowed value."
    DEFVAL { complete }
    ::= { cKeyTransferPullScalars 5 }

-- *****************************************************************
-- Key Transfer Pull Notifications
-- *****************************************************************

cCDMLPullReceiveSuccess NOTIFICATION-TYPE
    OBJECTS { cCDMServerURI }
    STATUS current
    DESCRIPTION
        "An attempt to receive a cryptographic device material
        list (CDML) has succeeded. The CDM server URI is provided
        with this notification."
    ::= { cKeyTransferPullNotify 1 }

cCDMLPullReceiveFailed NOTIFICATION-TYPE
    OBJECTS {
        cCDMServerURI,
        cCDMLDeliveryStatus
    }
    STATUS current
    DESCRIPTION
        "An attempt to receive a cryptographic device material
        list (CDML) has failed. The CDM server URI and CDML Delivery
        Status are provided with this notification. Note, the
        expected values for the CDML Delivery Status are:
        'downloadFailed' and 'parseFailed'."
    ::= { cKeyTransferPullNotify 2 }

cCDMPullReceiveSuccess NOTIFICATION-TYPE
    OBJECTS {
        cCDMType,
        cCDMURI
    }
    STATUS current
    DESCRIPTION
        "An attempt to receive a cryptographic device material (CDM)
        has succeeded. The CDM Type and CDM URI are provided with
        this notification."
    ::= { cKeyTransferPullNotify 3 }

cCDMPullReceiveFailed NOTIFICATION-TYPE
    OBJECTS {
        cCDMType,
        cCDMURI
    }
    STATUS current
    DESCRIPTION
        "An attempt to receive a cryptographic device material (CDM)
        has failed. The CDM Type and CDM URI are provided with this
        notification."
    ::= { cKeyTransferPullNotify 4 }

-- *****************************************************************
-- CC MIB cCDMServerTable
-- *****************************************************************

cCDMServerTableCount OBJECT-TYPE
    SYNTAX Unsigned32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of rows in the cCDMServerTable."
    ::= { cCDMServerInfo 1 }

cCDMServerTableLastChanged OBJECT-TYPE
    SYNTAX TimeStamp
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The last time any entry in the table was modified, created,
        or deleted by either SNMP, the agent, or another management
        method (e.g., via an HMI). Managers can use this object to
        ensure that no changes to the configuration of this table
        have happened since the last time they examined the table.
        A value of 0 indicates that no entry has been changed since
        the agent initialized. The value in CC-DEVICE-INFO-MIB
        cSystemUpTime should be used to populate this column."
    ::= { cCDMServerInfo 2 }

cCDMServerTable OBJECT-TYPE
    SYNTAX SEQUENCE OF CCDMServerEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The table containing a list of servers that will be queried
        for available cryptographic device materials (CDMs), such as
        keys and firmware packages. This table is also used to
        obtain the cryptographic device material list (CDML), which
        is a list detailing available CDMs and the locations from
        which they can be obtained."
    ::= { cCDMServerInfo 3 }

cCDMServerEntry OBJECT-TYPE
    SYNTAX CCDMServerEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "A row containing information about a server that has
        available CDMLs/CDMs for download."
    INDEX { cCDMServerPriority }
    ::= { cCDMServerTable 1 }

CCDMServerEntry ::= SEQUENCE {
    cCDMServerPriority        Unsigned32,
    cCDMServerURI             OCTET STRING,
    cCDMServerAdditionalInfo  SnmpAdminString,
    cCDMServerRowStatus       RowStatus
}

cCDMServerPriority OBJECT-TYPE
    SYNTAX Unsigned32
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "A unique numeric index that identifies a server that has
        available CDMLs/CDMs for download. This index also provides
        server prioritization functionality - lower values have a
        higher priority. For example, the server with the lowest
        value will be the first server for CDML/CDM downloads. In
        the event of failure, the server with the next lowest value
        will be tried, and so on.

        This column is the sole index to the cCDMServerTable."
    ::= { cCDMServerEntry 1 }

cCDMServerURI OBJECT-TYPE
    SYNTAX OCTET STRING (SIZE(1..255))
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "The location of the server that has available CDMLs/CDMs
        for download. The value in this column is represented as a
        URI.

        Note, download of a CDML will typically result in the
        population of new CDM entries in the cCDMDeliveryTable."
    ::= { cCDMServerEntry 2 }

cCDMServerAdditionalInfo OBJECT-TYPE
    SYNTAX SnmpAdminString
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "Additional information about the CDM server. This
        information is manually configured by the manager either at
        or after row creation."
    ::= { cCDMServerEntry 3 }

cCDMServerRowStatus OBJECT-TYPE
    SYNTAX RowStatus
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "The status of the row, by which new entries may be created
        or old entries deleted from this table.

        Entries created within this table may not become active
        unless all read-create columns in the row have valid
        values, as detailed by each individual column's description.

        At a minimum, implementations must support the createAndGo,
        active, and destroy management functions. Support for the
        createAndWait, notInService, and notReady management
        functions is optional."
    ::= { cCDMServerEntry 4 }

-- *****************************************************************
-- CC MIB cCDMDeliveryTable
-- *****************************************************************

cCDMDeliveryTableCount OBJECT-TYPE
    SYNTAX Unsigned32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of rows in the cCDMDeliveryTable."
    ::= { cCDMDeliveryInfo 1 }

cCDMDeliveryTableLastChanged OBJECT-TYPE
    SYNTAX TimeStamp
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The last time any entry in the table was modified, created,
        or deleted by either SNMP, the agent, or another management
        method (e.g., via an HMI). Managers can use this object to
        ensure that no changes to the configuration of this table
        have happened since the last time they examined the table.
        A value of 0 indicates that no entry has been changed since
        the agent initialized. The value in CC-DEVICE-INFO-MIB
        cSystemUpTime should be used to populate this column."
    ::= { cCDMDeliveryInfo 2 }

cCDMDeliveryTable OBJECT-TYPE
    SYNTAX SEQUENCE OF CCDMDeliveryEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The table storing information about cryptographic device
        materials (CDMs) that are ready/available for retrieval.
        Entries in this table are typically automatically configured
        by the device after a server query. Entries can also be
        manually configured by a manager if the location of the CDM
        is predetermined."
    ::= { cCDMDeliveryInfo 3 }

cCDMDeliveryEntry OBJECT-TYPE
    SYNTAX CCDMDeliveryEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "A row containing information about a specific cryptographic
        device material (CDM) available for download."
    INDEX { cCDMType, cCDMURI }
    ::= { cCDMDeliveryTable 1 }

CCDMDeliveryEntry ::= SEQUENCE {
    cCDMType               INTEGER,
    cCDMURI                OCTET STRING,
    cCDMPackageSize        Unsigned32,
    cCDMAdditionalInfo     SnmpAdminString,
    cCDMLastDownloadDate   OCTET STRING,
    cCDMDeliveryPriority   Unsigned32,
    cCDMDeliveryRequest    INTEGER,
    cCDMDeliveryStatus     INTEGER,
    cCDMDeliveryRowStatus  RowStatus
}

cCDMType OBJECT-TYPE
    SYNTAX INTEGER { notification(1), symmetricKey(2),
                     asymmetricKey(3), certificate(4),
                     cklOrCrl(5), firmware(6) }
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The type of the cryptographic device material (CDM) that
        can be retrieved from a CDM server:

        [notification]  = CDM is a notification providing
                          status/information for a particular
                          (other) CDM
        [symmetricKey]  = CDM is a symmetric key
        [asymmetricKey] = CDM is a non-certificate asymmetric key
        [certificate]   = CDM is a certificate
        [cklOrCrl]      = CDM is a compromised key list or
                          certificate revocation list
        [firmware]      = CDM is a firmware package"
    ::= { cCDMDeliveryEntry 1 }

cCDMURI OBJECT-TYPE
    SYNTAX OCTET STRING (SIZE(1..255))
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The location of the cryptographic device material (CDM),
        represented in a URI format. Because of its type, the
        associated URI of the CDM Server can easily be derived.

        This column is typically populated by an agent upon querying
        a CDM Server (e.g., downloading and parsing a cryptographic
        device material list (CDML) from a CDM Server (entry in the
        cCDMServerTable)). However, a manager can also configure an
        entry in this table with predetermined knowledge of the CDM
        location."
    ::= { cCDMDeliveryEntry 2 }

cCDMPackageSize OBJECT-TYPE
    SYNTAX Unsigned32
    UNITS "bytes"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The package size, in bytes, of the cryptographic device
        material (CDM). This information is retrieved from a
        cryptographic device material list (CDML) or a server's
        product availability response following a query. This column
        does not apply to notifications found in CDMLs."
    ::= { cCDMDeliveryEntry 3 }

cCDMAdditionalInfo OBJECT-TYPE
    SYNTAX SnmpAdminString
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "Additional information about the cryptographic device
        material (CDM). This information can be retrieved from the
        downloaded cryptographic device material list (CDML) or
        manually configured by the manager either at or after row
        creation."
    ::= { cCDMDeliveryEntry 4 }

cCDMLastDownloadDate OBJECT-TYPE
    SYNTAX OCTET STRING (SIZE(14))
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "This is a 14 character field that will be populated with
        the following values depending on the state of the download
        and the CDM type.

        1. The date and time (expressed as Generalized Time) when
           the device last successfully downloaded the CDM from the
           CDM Server.
           The format follows: 'yyyymmddhhmmss' where
           'yyyy' - year
           'mm'   - month (first 'mm' from left to right)
           'dd'   - day
           'hh'   - hour
           'mm'   - minutes (second 'mm' from left to right)
           'ss'   - seconds

        2. All zero characters for the following cases.
           a. No indication that the device has successfully
              downloaded the CDM.
           b. The cCDMType is a notification."
    ::= { cCDMDeliveryEntry 5 }

cCDMDeliveryPriority OBJECT-TYPE
    SYNTAX Unsigned32
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "A configurable priority value on the cryptographic device
        material (CDM). This column is a means to allow certain key
        products to be downloaded before others. Lower values have a
        higher priority (e.g., a value of 1 will be processed before
        a value of 2)."
    ::= { cCDMDeliveryEntry 6 }

cCDMDeliveryRequest OBJECT-TYPE
    SYNTAX INTEGER { downloadAndInstall(1), downloadAndStore(2),
                     discard(3) }
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This object signals the local device to perform actions on
        the available cryptographic device materials (CDMs) from a
        CDM server. The following types of actions are supported:

        [downloadAndInstall] = Initiates a download of a CDM. After
        a successful download, the CDM will be installed for local
        consumption and an entry is to be configured in the
        appropriate MIB table based on cCDMType:

            cCDMType          | MIB Table Destination
            -------------------------------------------
            (1) notification  | N/A
            (2) symmetricKey  | cSymmetricKeyTable
            (3) asymmetricKey | cAsymKeyTable
            (4) certificate   | cAsymKeyTable
            (5) cklOrCrl      | cCKLTable
            (6) firmware      | cFirmwareInformationTable

        [downloadAndStore] = Initiates a download of the CDM. After
        a successful download, an entry is created in the
        cCDMStoreTable to store the CDM.
        [discard] = Stops the current CDM delivery request and
        discards the CDM if one has been downloaded; this reverts the
        current value of the cCDMDeliveryStatus to 'complete'. If
        entries were created in the aforementioned tables for the
        install and store operations, these newly configured entries
        will be removed.

        The enumeration value of 'downloadAndStore' does not apply
        when cCDMType is set to 'notification'. 'downloadAndInstall'
        is used for a cCDMType of 'notification'.

        If this column is configured to any value except 'discard'
        while the value of cCDMDeliveryStatus is any value except
        'complete', the SNMP set operation must result in an
        inconsistentValue exception. The same applies if 'discard'
        is configured while the value of cCDMDeliveryStatus is
        'complete'."
    ::= { cCDMDeliveryEntry 7 }

cCDMDeliveryStatus OBJECT-TYPE
    SYNTAX INTEGER { complete(1), inProgress(2),
                     downloadFailed(3), installFailed(4),
                     storeFailed(5) }
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The status of the cryptographic device material (CDM)
        delivery operation. The following status values are
        supported:

        [complete] = The default state where the local device is
        ready to start a delivery request for the CDM. Between
        requests this state can only be reached after successful
        operations or if cCDMDeliveryRequest is set to 'discard'
        during an operation.

        [inProgress] = This state is reached when the device is
        either currently performing a download of the CDM or
        configuring appropriate MIB tables conveying installation or
        storage of key material.

        [downloadFailed] = This state is reached after a failure
        occurs during a download of a CDM when cCDMDeliveryRequest
        was configured to either 'downloadAndStore' or
        'downloadAndInstall'.
4657         [installFailed] = This state is reached after a failure
4658         occurs during the install of the downloaded CDM when
4659         cCDMDeliveryRequest was set to 'downloadAndInstall'.

4661         [storeFailed] = This state is reached after a failure
4662         occurs during the store of the downloaded CDM when
4663         cCDMDeliveryRequest was set to 'downloadAndStore'."
4664     ::= { cCDMDeliveryEntry 8 }

4666 cCDMDeliveryRowStatus OBJECT-TYPE
4667     SYNTAX RowStatus
4668     MAX-ACCESS read-create
4669     STATUS current
4670     DESCRIPTION
4671         "The status of the row, by which new entries may be created
4672         or old entries deleted from this table.

4674         Entries created within this table may not become active
4675         unless all read-create columns in the row have valid
4676         values, as detailed by each individual column's description.

4678         At a minimum, implementations must support the createAndGo,
4679         active, and destroy management functions. Support for the
4680         createAndWait, notInService, and notReady management
4681         functions is optional."
4682     ::= { cCDMDeliveryEntry 9 }

4684 -- *****************************************************************
4685 -- Module Conformance Information
4686 -- *****************************************************************

4688 cKeyTransferPullCompliances OBJECT IDENTIFIER
4689     ::= { cKeyTransferPullConformance 1 }

4691 cKeyTransferPullGroups OBJECT IDENTIFIER
4692     ::= { cKeyTransferPullConformance 2 }

4694 cKeyTransferPullCompliance MODULE-COMPLIANCE
4695     STATUS current
4696     DESCRIPTION
4697         "Compliance levels for key transfer pull information."
4698     MODULE
4699     MANDATORY-GROUPS {
4700         cKeyTransferPullServerGroup,
4701         cKeyTransferPullDeliveryGroup
4702     }

4704     GROUP cKeyTransferPullDeliveryNotifyGroup
4705     DESCRIPTION
4706         "This notification group is optional for implementation."
4708     OBJECT cCDMDeliveryRequest
4709     SYNTAX INTEGER { downloadAndInstall(1), discard(3) }
4710     DESCRIPTION
4711         "Implementation of these enumeration values is mandatory;
4712         enumeration values not listed here are optional."

4714     OBJECT cCDMDeliveryStatus
4715     SYNTAX INTEGER { complete(1), inProgress(2), downloadFailed(3),
4716                      installFailed(4) }
4717     DESCRIPTION
4718         "Implementation of these enumeration values is mandatory;
4719         enumeration values not listed here are optional."
4720     ::= { cKeyTransferPullCompliances 1 }

4722 cKeyTransferPullServerGroup OBJECT-GROUP
4723     OBJECTS {
4724         cCDMServerRetryDelay,
4725         cCDMServerRetryMaxAttempts,
4726         cCDMServerTableCount,
4727         cCDMServerTableLastChanged,
4728         cCDMServerURI,
4729         cCDMServerAdditionalInfo,
4730         cCDMServerRowStatus
4731     }
4732     STATUS current
4733     DESCRIPTION
4734         "This group is composed of objects related to server
4735         information."
4736     ::= { cKeyTransferPullGroups 1 }

4738 cKeyTransferPullDeliveryGroup OBJECT-GROUP
4739     OBJECTS {
4740         cCDMPullRetrievalPriorities,
4741         cCDMLDeliveryRequest,
4742         cCDMLDeliveryStatus,
4743         cCDMDeliveryTableCount,
4744         cCDMDeliveryTableLastChanged,
4746         cCDMType,
4747         cCDMURI,
4748         cCDMPackageSize,
4749         cCDMAdditionalInfo,
4750         cCDMLastDownloadDate,
4751         cCDMDeliveryPriority,
4752         cCDMDeliveryRequest,
4753         cCDMDeliveryStatus,
4754         cCDMDeliveryRowStatus
4755     }
4756     STATUS current
4757     DESCRIPTION
4758         "This group is composed of objects related to delivery
4759         information."
4760     ::= { cKeyTransferPullGroups 2 }

4762 cKeyTransferPullDeliveryNotifyGroup NOTIFICATION-GROUP
4763     NOTIFICATIONS {
4764         cCDMLPullReceiveSuccess,
4765         cCDMLPullReceiveFailed,
4766         cCDMPullReceiveSuccess,
4767         cCDMPullReceiveFailed
4768     }
4769     STATUS current
4770     DESCRIPTION
4771         "This group is composed of notifications related to delivery
4772         information."
4773     ::= { cKeyTransferPullGroups 3 }

4775 END

4777 6.6. Key Transfer Push

4779 This MIB module makes reference to the following documents: [RFC2578],
4780 [RFC2579], [RFC2580], and [RFC3411].

4782 CC-KEY-TRANSFER-PUSH-MIB DEFINITIONS ::= BEGIN

4784 IMPORTS
4785     ccKeyTransferPush
4786         FROM CC-FEATURE-HIERARCHY-MIB           -- FROM Sec 6.2
4787     OBJECT-TYPE, Unsigned32, NOTIFICATION-TYPE,
4788     MODULE-IDENTITY
4789         FROM SNMPv2-SMI                         -- FROM RFC 2578
4790     SnmpAdminString
4791         FROM SNMP-FRAMEWORK-MIB                 -- FROM RFC 3411
4792     RowPointer, RowStatus, DateAndTime,
4793     TimeStamp
4794         FROM SNMPv2-TC                          -- FROM RFC 2579
4795     MODULE-COMPLIANCE, OBJECT-GROUP,
4796     NOTIFICATION-GROUP
4797         FROM SNMPv2-CONF;                       -- FROM RFC 2580

4799 ccKeyTransferPushMIB MODULE-IDENTITY
4800     LAST-UPDATED "201609302154Z"
4801     ORGANIZATION "CCMIB CCB"
4802     CONTACT-INFO
4803         "CC MIB Configuration Control Board
4804         Email: CCMIB.CCB@us.af.mil"
4805     DESCRIPTION
4806         "This MIB defines the CC MIB Key Transfer Push objects.

4808         Copyright (c) 2019 IETF Trust and the persons
4809         identified as authors of the code. All rights reserved.

4811         Redistribution and use in source and binary forms, with
4812         or without modification, is permitted pursuant to, and
4813         subject to the license terms contained in, the Simplified
4814         BSD License set forth in Section 4.c of the IETF Trust's
4815         Legal Provisions Relating to IETF Documents
4816         (http://trustee.ietf.org/license-info).

4818         This version of this MIB module is part of RFC xxxx;
4819         see the RFC itself for full legal notices."
4820     -- RFC Ed.: RFC-editor please fill in xxxx.
4821     REVISION "201609302154Z"
4822     DESCRIPTION "CC MIB 1.0.5 FINAL. Published as RFC xxxx."
4823     -- RFC Ed.: RFC-editor please fill in xxxx.
4824     ::= { ccKeyTransferPush 1 }

4826 -- *****************************************************************
4827 -- Key Transfer Push Information Segments
4828 -- *****************************************************************

4830 cCDMPushDestInfo OBJECT IDENTIFIER
4831     ::= { ccKeyTransferPushMIB 1 }
4832 cCDMTransferPkgInfo OBJECT IDENTIFIER
4833     ::= { ccKeyTransferPushMIB 2 }
4834 cCDMPushSrcInfo OBJECT IDENTIFIER
4835     ::= { ccKeyTransferPushMIB 3 }
4836 cKeyTransferPushScalars OBJECT IDENTIFIER
4837     ::= { ccKeyTransferPushMIB 4 }
4838 cKeyTransferPushNotify OBJECT IDENTIFIER
4839     ::= { ccKeyTransferPushMIB 5 }
4840 cKeyTransferPushConformance OBJECT IDENTIFIER
4841     ::= { ccKeyTransferPushMIB 6 }

4843 -- *****************************************************************
4844 -- Key Transfer Push Scalars
4845 -- *****************************************************************

4847 cCDMTransferDelay OBJECT-TYPE
4848     SYNTAX Unsigned32
4849     MAX-ACCESS read-write
4850     STATUS current
4851     DESCRIPTION
4852         "The number of seconds to wait after a Cryptographic Device
4853         Material (CDM) transfer attempt initiated by the sender
4854         fails before retrying the operation."
4855     ::= { cKeyTransferPushScalars 1 }

4857 cCDMTransferMaxAttempts OBJECT-TYPE
4858     SYNTAX Unsigned32
4859     MAX-ACCESS read-write
4860     STATUS current
4861     DESCRIPTION
4862         "The number of retries attempted before giving up on a
4863         device due to consecutive Cryptographic Device Material
4864         (CDM) transfer failures."
4865     ::= { cKeyTransferPushScalars 2 }

4867 -- *****************************************************************
4868 -- Key Transfer Push Notifications
4869 -- *****************************************************************

4871 cCDMPushSendSuccess NOTIFICATION-TYPE
4872     OBJECTS {
4873         cCDMPushDestAddressLocationType,
4874         cCDMPushDestAddressLocation,
4875         cCDMPushDestTransferType,
4876         cCDMPushDestPackageSelection
4877     }
4878     STATUS current
4879     DESCRIPTION
4880         "An attempt to send CDM, identified by CDM push transfer
4881         information (cCDMPushDestTable row data), has succeeded."
4882     ::= { cKeyTransferPushNotify 1 }

4884 cCDMPushReceiveSuccess NOTIFICATION-TYPE
4885     OBJECTS {
4886         cCDMPushSrcAddrLocationType,
4887         cCDMPushSrcAddrLocation,
4888         cCDMPushSrcTransferType
4889     }
4890     STATUS current
4891     DESCRIPTION
4892         "An attempt to receive key material, identified by CDM push
4893         transfer information (cCDMPushSrcTable row data), has
4894         succeeded."
4895     ::= { cKeyTransferPushNotify 2 }

4897 cCDMPushReceiveFail NOTIFICATION-TYPE
4898     OBJECTS {
4899         cCDMPushSrcAddrLocationType,
4900         cCDMPushSrcAddrLocation,
4901         cCDMPushSrcTransferType
4902     }
4903     STATUS current
4904     DESCRIPTION
4905         "An attempt to receive key material via a Push operation,
4906         identified by the Sender Address and Transfer Type, has
4907         failed."
4908     ::= { cKeyTransferPushNotify 3 }

4910 cCDMPushSendFail NOTIFICATION-TYPE
4911     OBJECTS {
4912         cCDMPushDestAddressLocationType,
4913         cCDMPushDestAddressLocation,
4914         cCDMPushDestTransferType,
4915         cCDMPushDestPackageSelection
4916     }
4917     STATUS current
4918     DESCRIPTION
4919         "An attempt to send key material, identified by the
4920         Recipient Address and Transfer Type, has failed."
4921     ::= { cKeyTransferPushNotify 4 }

4923 -- *****************************************************************
4924 -- CC MIB cCDMPushDestTable
4925 -- *****************************************************************

4927 cCDMPushDestTableCount OBJECT-TYPE
4928     SYNTAX Unsigned32
4929     MAX-ACCESS read-only
4930     STATUS current
4931     DESCRIPTION
4932         "The number of rows in the cCDMPushDestTable."
4933     ::= { cCDMPushDestInfo 1 }

4935 cCDMPushDestTableLastChanged OBJECT-TYPE
4936     SYNTAX TimeStamp
4937     MAX-ACCESS read-only
4938     STATUS current
4939     DESCRIPTION
4940         "The last time any entry in the table was modified, created,
4941         or deleted by SNMP, the agent, or another management method
4942         (e.g., via an HMI). Managers can use this object to ensure
4943         that no changes to the configuration of this table have
4944         happened since they last examined the table. A value of 0
4945         indicates that no entry has been changed since the agent
4946         initialized. The value of CC-DEVICE-INFO-MIB cSystemUpTime
4947         should be used to populate this object."
4948     ::= { cCDMPushDestInfo 2 }

4950 cCDMPushDestTable OBJECT-TYPE
4951     SYNTAX SEQUENCE OF CCDMPushDestEntry
4952     MAX-ACCESS not-accessible
4953     STATUS current
4954     DESCRIPTION
4955         "The table that provides the information a sender
4956         needs to initiate a Cryptographic Device Material (CDM) send
4957         to a receiving device."
4958     ::= { cCDMPushDestInfo 3 }

4960 cCDMPushDestEntry OBJECT-TYPE
4961     SYNTAX CCDMPushDestEntry
4962     MAX-ACCESS not-accessible
4963     STATUS current
4964     DESCRIPTION
4965         "A row containing information for a Cryptographic Device
4966         Material (CDM) transfer to a receiving device."
4967     INDEX { cCDMPushDestIndex }
4968     ::= { cCDMPushDestTable 1 }

4970 CCDMPushDestEntry ::= SEQUENCE {
4971     cCDMPushDestIndex                 Unsigned32,
4972     cCDMPushDestTransferType          SnmpAdminString,
4973     cCDMPushDestAddressLocationType   INTEGER,
4974     cCDMPushDestAddressLocation       OCTET STRING,
4975     cCDMPushDestTransferTime          DateAndTime,
4976     cCDMPushDestPackageSelection      SnmpAdminString,
4977     cCDMPushDestRowStatus             RowStatus
4978 }

4980 cCDMPushDestIndex OBJECT-TYPE
4981     SYNTAX Unsigned32
4982     MAX-ACCESS not-accessible
4983     STATUS current
4984     DESCRIPTION
4985         "A numeric index that identifies a unique location in this
4986         table."
4987     ::= { cCDMPushDestEntry 1 }

4989 cCDMPushDestTransferType OBJECT-TYPE
4990     SYNTAX SnmpAdminString (SIZE(1..32))
4991     MAX-ACCESS read-create
4992     STATUS current
4993     DESCRIPTION
4994         "The transfer mechanism or protocol used by the sender to
4995         execute the Cryptographic Device Material (CDM) transfer."
4996     ::= { cCDMPushDestEntry 2 }

4998 cCDMPushDestAddressLocationType OBJECT-TYPE
4999     SYNTAX INTEGER { ipv4(1), ipv6(2), uri(3), other(4) }
5000     MAX-ACCESS read-create
5001     STATUS current
5002     DESCRIPTION
5003         "Enumeration indicating the type of address location."
5004     ::= { cCDMPushDestEntry 3 }

5006 cCDMPushDestAddressLocation OBJECT-TYPE
5007     SYNTAX OCTET STRING
5008     MAX-ACCESS read-create
5009     STATUS current
5010     DESCRIPTION
5011         "Location of the receiver. The syntax allows a URI or an IP
5012         address to be configured."
5013     ::= { cCDMPushDestEntry 4 }

5015 cCDMPushDestTransferTime OBJECT-TYPE
5016     SYNTAX DateAndTime
5017     MAX-ACCESS read-create
5018     STATUS current
5019     DESCRIPTION
5020         "A valid date and time value populated in this object will
5021         automatically initiate the transfer at the time specified.

5023         To initiate an immediate transfer the following
5024         configuration is used: '0' for the year field, '1' for the
5025         month field, '1' for the day field, '-' for the direction
5026         from UTC field, and '0' for all other fields. This
5027         configuration is displayed as '0-1-1,00:00:00.0,-0:0'. Note
5028         that if the timezone fields are not used then the displayed
5029         value is '0-1-1,00:00:00.0'. The timezone
5030         fields are the direction from UTC, hours from UTC, and
5031         minutes from UTC."
5032     ::= { cCDMPushDestEntry 5 }

5034 cCDMPushDestPackageSelection OBJECT-TYPE
5035     SYNTAX SnmpAdminString
5036     MAX-ACCESS read-create
5037     STATUS current
5038     DESCRIPTION
5039         "A reference string that points to the key material(s) to
5040         transfer. This column may reference one entry (e.g., an
5041         entry in the cCDMStoreTable) or multiple entries (e.g.,
5042         multiple entries in the cCDMTransferPkgTable). This object
5043         defines all the items in the package that will be sent."
5044     ::= { cCDMPushDestEntry 6 }

5046 cCDMPushDestRowStatus OBJECT-TYPE
5047     SYNTAX RowStatus
5048     MAX-ACCESS read-create
5049     STATUS current
5050     DESCRIPTION
5051         "The status of the row, by which new entries may be created
5052         or old entries deleted from this table.

5054         Entries created within this table may not become active
5055         unless all read-create columns in the row have valid
5056         values, as detailed by each individual column's description.

5058         At a minimum, implementations must support the createAndGo,
5059         active, and destroy management functions. Support for the
5060         createAndWait, notInService, and notReady management
5061         functions is optional."
5062     ::= { cCDMPushDestEntry 7 }

5064 -- *****************************************************************
5065 -- CC MIB cCDMTransferPkgTable
5066 -- *****************************************************************

5068 cCDMTransferPkgTableCount OBJECT-TYPE
5069     SYNTAX Unsigned32
5070     MAX-ACCESS read-only
5071     STATUS current
5072     DESCRIPTION
5073         "The number of rows in the cCDMTransferPkgTable."
5074     ::= { cCDMTransferPkgInfo 1 }

5076 cCDMTransferPkgTableLastChanged OBJECT-TYPE
5077     SYNTAX TimeStamp
5078     MAX-ACCESS read-only
5079     STATUS current
5080     DESCRIPTION
5081         "The last time any entry in the table was modified, created,
5082         or deleted by SNMP, the agent, or another management method
5083         (e.g., via an HMI). Managers can use this object to ensure
5084         that no changes to the configuration of this table have
5085         happened since they last examined the table. A value of 0
5086         indicates that no entry has been changed since the agent
5087         initialized. The value of CC-DEVICE-INFO-MIB cSystemUpTime
5088         should be used to populate this object."
5089     ::= { cCDMTransferPkgInfo 2 }

5091 cCDMTransferPkgTable OBJECT-TYPE
5092     SYNTAX SEQUENCE OF CCDMTransferPkgEntry
5093     MAX-ACCESS not-accessible
5094     STATUS current
5095     DESCRIPTION
5096         "The table for configuring single or multiple Cryptographic
5097         Device Material (CDM) items in a package that can be transferred
5098         on a send operation. Entries in this table are referenced by
5099         the cCDMPushDestPackageSelection column."
5100     ::= { cCDMTransferPkgInfo 3 }

5102 cCDMTransferPkgEntry OBJECT-TYPE
5103     SYNTAX CCDMTransferPkgEntry
5104     MAX-ACCESS not-accessible
5105     STATUS current
5106     DESCRIPTION
5107         "A row containing information about a package used on a send
5108         operation."
5109     INDEX { cCDMTransferPkgLabel, cCDMTransferPkgIndex }
5110     ::= { cCDMTransferPkgTable 1 }

5112 CCDMTransferPkgEntry ::= SEQUENCE {
5113     cCDMTransferPkgLabel            SnmpAdminString,
5114     cCDMTransferPkgIndex            Unsigned32,
5115     cCDMTransferPkgLocatorRowPtr    RowPointer,
5116     cCDMTransferPkgRowStatus        RowStatus
5117 }

5119 cCDMTransferPkgLabel OBJECT-TYPE
5120     SYNTAX SnmpAdminString
5121     MAX-ACCESS not-accessible
5122     STATUS current
5123     DESCRIPTION
5124         "An administrative name that identifies a package within
5125         this table. cCDMTransferPkgLabel and cCDMTransferPkgIndex
5126         serve as the indexes of this table."
5128     ::= { cCDMTransferPkgEntry 1 }

5130 cCDMTransferPkgIndex OBJECT-TYPE
5131     SYNTAX Unsigned32
5132     MAX-ACCESS not-accessible
5133     STATUS current
5134     DESCRIPTION
5135         "An administrative way of creating a unique row within this
5136         table. This value gives the position of a given item within
5137         the package designated by cCDMTransferPkgLabel.
5138         cCDMTransferPkgLabel and cCDMTransferPkgIndex serve as the
5139         indexes of this table."
5140     ::= { cCDMTransferPkgEntry 2 }

5142 cCDMTransferPkgLocatorRowPtr OBJECT-TYPE
5143     SYNTAX RowPointer
5144     MAX-ACCESS read-create
5145     STATUS current
5146     DESCRIPTION
5147         "A RowPointer that points to a unique entry in the table
5148         containing the Cryptographic Device Material (CDM)
5149         to transfer. For example, when referencing a key in the
5150         cSymmetricKeyTable, the value of this column is the
5151         pointer to the appropriate row in the cSymmetricKeyTable."
5152     ::= { cCDMTransferPkgEntry 3 }

5154 cCDMTransferPkgRowStatus OBJECT-TYPE
5155     SYNTAX RowStatus
5156     MAX-ACCESS read-create
5157     STATUS current
5158     DESCRIPTION
5159         "The status of the row, by which new entries may be created
5160         or old entries deleted from this table.

5162         Entries created within this table may not become active
5163         unless all read-create columns in the row have valid
5164         values, as detailed by each individual column's description.

5166         At a minimum, implementations must support the createAndGo,
5167         active, and destroy management functions. Support for the
5168         createAndWait, notInService, and notReady management
5169         functions is optional."
5170     ::= { cCDMTransferPkgEntry 4 }

5172 -- *****************************************************************
5173 -- CC MIB cCDMPushSrcTable
5174 -- *****************************************************************
5175 cCDMPushSrcTableCount OBJECT-TYPE
5176     SYNTAX Unsigned32
5177     MAX-ACCESS read-only
5178     STATUS current
5179     DESCRIPTION
5180         "The number of rows in the cCDMPushSrcTable."
5181     ::= { cCDMPushSrcInfo 1 }

5183 cCDMPushSrcTableLastChanged OBJECT-TYPE
5184     SYNTAX TimeStamp
5185     MAX-ACCESS read-only
5186     STATUS current
5187     DESCRIPTION
5188         "The last time any entry in the table was modified, created,
5189         or deleted by SNMP, the agent, or another management method
5190         (e.g., via an HMI). Managers can use this object to ensure
5191         that no changes to the configuration of this table have
5192         happened since they last examined the table. A value of 0
5193         indicates that no entry has been changed since the agent
5194         initialized. The value of CC-DEVICE-INFO-MIB cSystemUpTime
5195         should be used to populate this object."
5196     ::= { cCDMPushSrcInfo 2 }

5198 cCDMPushSrcTable OBJECT-TYPE
5199     SYNTAX SEQUENCE OF CCDMPushSrcEntry
5200     MAX-ACCESS not-accessible
5201     STATUS current
5202     DESCRIPTION
5203         "This table provides the list of authorized senders from which
5204         this receiving device will accept Cryptographic Device
5205         Material (CDM) transfers. Servers from the
5206         cCDMServerTable are not listed in this table, since this
5207         table is specific to the Push Model."
5208     ::= { cCDMPushSrcInfo 3 }

5210 cCDMPushSrcEntry OBJECT-TYPE
5211     SYNTAX CCDMPushSrcEntry
5212     MAX-ACCESS not-accessible
5213     STATUS current
5214     DESCRIPTION
5215         "A row containing information about an authorized sender
5216         that this receiving device will accept."
5217     INDEX { cCDMPushSrcSenderName, cCDMPushSrcTransferType }
5218     ::= { cCDMPushSrcTable 1 }

5220 CCDMPushSrcEntry ::= SEQUENCE {
5221     cCDMPushSrcSenderName           SnmpAdminString,
5222     cCDMPushSrcTransferType         SnmpAdminString,
5223     cCDMPushSrcAddrLocationType     INTEGER,
5224     cCDMPushSrcAddrLocation         OCTET STRING,
5225     cCDMPushSrcRowStatus            RowStatus
5226 }

5228 cCDMPushSrcSenderName OBJECT-TYPE
5229     SYNTAX SnmpAdminString
5230     MAX-ACCESS not-accessible
5231     STATUS current
5232     DESCRIPTION
5233         "An administrative string for an authorized sender.
5234         cCDMPushSrcSenderName and cCDMPushSrcTransferType serve as the
5235         indexes of this table."
5236     ::= { cCDMPushSrcEntry 1 }

5238 cCDMPushSrcTransferType OBJECT-TYPE
5239     SYNTAX SnmpAdminString (SIZE(1..32))
5240     MAX-ACCESS read-create
5241     STATUS current
5242     DESCRIPTION
5243         "Analogous to cCDMPushDestTransferType: the transfer
5244         mechanism or protocol used by the receiver to receive the
5245         Cryptographic Device Material (CDM) transfer.

5247         cCDMPushSrcSenderName and cCDMPushSrcTransferType serve as the
5248         indexes of this table."
5249     ::= { cCDMPushSrcEntry 2 }

5251 cCDMPushSrcAddrLocationType OBJECT-TYPE
5252     SYNTAX INTEGER { ipv4(1), ipv6(2), uri(3), other(4) }
5253     MAX-ACCESS read-create
5254     STATUS current
5255     DESCRIPTION
5256         "Enumeration indicating the type of address location
5257         (values: ipv4, ipv6, uri, or other)."
5258     ::= { cCDMPushSrcEntry 3 }

5260 cCDMPushSrcAddrLocation OBJECT-TYPE
5261     SYNTAX OCTET STRING
5262     MAX-ACCESS read-create
5263     STATUS current
5264     DESCRIPTION
5265         "Location of the authorized sender."
5266     ::= { cCDMPushSrcEntry 4 }

5268 cCDMPushSrcRowStatus OBJECT-TYPE
5269     SYNTAX RowStatus
5270     MAX-ACCESS read-create
5271     STATUS current
5272     DESCRIPTION
5273         "The status of the row, by which new entries may be created
5274         or old entries deleted from this table.

5276         Entries created within this table may not become active
5277         unless all read-create columns in the row have valid
5278         values, as detailed by each individual column's description.

5280         At a minimum, implementations must support the createAndGo,
5281         active, and destroy management functions. Support for the
5282         createAndWait, notInService, and notReady management
5283         functions is optional."
5284     ::= { cCDMPushSrcEntry 5 }

5286 -- *****************************************************************
5287 -- Module Conformance Information
5288 -- *****************************************************************

5290 cKeyTransferPushCompliances OBJECT IDENTIFIER
5291     ::= { cKeyTransferPushConformance 1 }

5293 cKeyTransferPushGroups OBJECT IDENTIFIER
5294     ::= { cKeyTransferPushConformance 2 }

5296 cKeyTransferPushSenderCompliance MODULE-COMPLIANCE
5297     STATUS current
5298     DESCRIPTION
5299         "Compliance levels for sender information."
5300     MODULE
5301     MANDATORY-GROUPS { cKeyTransferPushSenderGroup }

5303     GROUP cKeyTransferPushSenderNotifyGroup
5304     DESCRIPTION
5305         "This notification group is optional for implementation."

5307     OBJECT cCDMTransferDelay
5308     MIN-ACCESS not-accessible
5309     DESCRIPTION
5310         "Implementation of this object is optional."

5312     OBJECT cCDMTransferMaxAttempts
5313     MIN-ACCESS not-accessible
5314     DESCRIPTION
5315         "Implementation of this object is optional."
5316     ::= { cKeyTransferPushCompliances 1 }

5318 cKeyTransferPushReceiverCompliance MODULE-COMPLIANCE
5319     STATUS current
5320     DESCRIPTION
5321         "Compliance levels for receiver information."
5322     MODULE
5323     MANDATORY-GROUPS { cKeyTransferPushReceiverGroup }

5325     GROUP cKeyTransferPushReceiverNotifyGroup
5326     DESCRIPTION
5327         "This notification group is optional for implementation."
5328     ::= { cKeyTransferPushCompliances 2 }

5330 cKeyTransferPushSenderGroup OBJECT-GROUP
5331     OBJECTS {
5332         cCDMTransferDelay,
5333         cCDMTransferMaxAttempts,
5334         cCDMPushDestTableCount,
5335         cCDMPushDestTableLastChanged,
5336         cCDMPushDestTransferType,
5337         cCDMPushDestAddressLocationType,
5338         cCDMPushDestAddressLocation,
5339         cCDMPushDestTransferTime,
5340         cCDMPushDestPackageSelection,
5341         cCDMPushDestRowStatus,
5342         cCDMTransferPkgTableCount,
5343         cCDMTransferPkgTableLastChanged,
5344         cCDMTransferPkgLocatorRowPtr,
5345         cCDMTransferPkgRowStatus
5346     }
5347     STATUS current
5348     DESCRIPTION
5349         "This group is composed of objects related to sender
5350         information."
5351     ::= { cKeyTransferPushGroups 1 }

5353 cKeyTransferPushReceiverGroup OBJECT-GROUP
5354     OBJECTS {
5355         cCDMPushSrcTableCount,
5356         cCDMPushSrcTableLastChanged,
5357         cCDMPushSrcTransferType,
5358         cCDMPushSrcAddrLocationType,
5359         cCDMPushSrcAddrLocation,
5360         cCDMPushSrcRowStatus
5361     }
5362     STATUS current
5363     DESCRIPTION
5364         "This group is composed of objects related to receiver
5365         information."
5366     ::= { cKeyTransferPushGroups 2 }

5368 cKeyTransferPushSenderNotifyGroup NOTIFICATION-GROUP
5369     NOTIFICATIONS {
5370         cCDMPushSendSuccess,
5371         cCDMPushSendFail
5372     }
5373     STATUS current
5374     DESCRIPTION
5375         "This group is composed of notifications related to sender
5376         information."
5377     ::= { cKeyTransferPushGroups 3 }

5379 cKeyTransferPushReceiverNotifyGroup NOTIFICATION-GROUP
5380     NOTIFICATIONS {
5381         cCDMPushReceiveSuccess,
5382         cCDMPushReceiveFail
5383     }
5384     STATUS current
5385     DESCRIPTION
5386         "This group is composed of notifications related to receiver
5387         information."
5388     ::= { cKeyTransferPushGroups 4 }

5390 END

5392 6.7. Security Policy Information

5394 This module makes reference to: Section 6.2, [RFC2578], [RFC2579],
5395 [RFC2580], and [RFC3411].
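An added example, placed here ahead of the next module, that is not part of this draft or of any CCMIB implementation. It illustrates the two key-transfer modules above: the SET rules for cCDMDeliveryRequest against cCDMDeliveryStatus (and the cCDMLastDownloadDate format) from CC-KEY-TRANSFER-PULL-MIB in Section 6.5, and the RFC 2579 DateAndTime encoding behind the immediate-transfer value '0-1-1,00:00:00.0,-0:0' that CC-KEY-TRANSFER-PUSH-MIB in Section 6.6 defines for cCDMPushDestTransferTime. The model is synchronous for clarity (a real agent returns from the SET while the download is still in progress), the class and function names are this example's own, and the error returned for 'downloadAndStore' on a notification-type row is an assumption, since the draft says only that the value does not apply.

```python
"""Added example for draft-turner-ccmib (not the draft's own code).

Models two pieces of agent behaviour from the key-transfer modules:
  * the SET rules for cCDMDeliveryRequest / cCDMDeliveryStatus and the
    cCDMLastDownloadDate format ('yyyymmddhhmmss', all zeros for a
    notification-type CDM), from CC-KEY-TRANSFER-PULL-MIB;
  * the RFC 2579 DateAndTime encoding behind the immediate-transfer
    value '0-1-1,00:00:00.0,-0:0' of cCDMPushDestTransferTime, from
    CC-KEY-TRANSFER-PUSH-MIB.
Names such as DeliveryRow and set_delivery_request are this example's own.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import struct

# cCDMDeliveryRequest and cCDMDeliveryStatus enumerations, as defined in the MIB.
DOWNLOAD_AND_INSTALL, DOWNLOAD_AND_STORE, DISCARD = 1, 2, 3
COMPLETE, IN_PROGRESS, DOWNLOAD_FAILED, INSTALL_FAILED, STORE_FAILED = 1, 2, 3, 4, 5
NOTIFICATION = 1           # cCDMType value whose rows never carry a download date
ZERO_DATE = "0" * 14       # cCDMLastDownloadDate before any successful download


@dataclass
class DeliveryRow:
    """The columns of one cCDMDeliveryEntry that the SET rules depend on."""
    cdm_type: int
    status: int = COMPLETE
    last_download_date: str = ZERO_DATE


def set_delivery_request(row, value, download_ok=True, apply_ok=True, stamp=None):
    """Apply an SNMP SET of cCDMDeliveryRequest to `row`.

    Returns the SNMPv2 error-status name. The download/install/store that a
    real agent runs asynchronously after the SET is simulated here by the
    download_ok / apply_ok flags; `stamp` is the 'yyyymmddhhmmss' string to
    record on success (defaults to the current UTC time).
    """
    if value not in (DOWNLOAD_AND_INSTALL, DOWNLOAD_AND_STORE, DISCARD):
        return "wrongValue"
    if value == DOWNLOAD_AND_STORE and row.cdm_type == NOTIFICATION:
        # The draft says downloadAndStore "does not apply" to notifications
        # without naming an error; wrongValue is this example's choice.
        return "wrongValue"
    if value == DISCARD:
        if row.status == COMPLETE:
            return "inconsistentValue"   # nothing to discard
        row.status = COMPLETE            # discard reverts the status
        return "noError"
    if row.status != COMPLETE:
        return "inconsistentValue"       # a delivery is already in progress or failed
    row.status = IN_PROGRESS
    if not download_ok:
        row.status = DOWNLOAD_FAILED
    elif not apply_ok:
        row.status = INSTALL_FAILED if value == DOWNLOAD_AND_INSTALL else STORE_FAILED
    else:
        row.status = COMPLETE
        if row.cdm_type != NOTIFICATION:
            row.last_download_date = stamp or datetime.now(timezone.utc).strftime("%Y%m%d%H%M%S")
    return "noError"


IMMEDIATE_TRANSFER = "0-1-1,00:00:00.0,-0:0"   # display form given in the draft


def encode_date_and_time(text):
    """Encode an RFC 2579 DateAndTime display string ('y-m-d,h:m:s.d[,+h:m]')
    into its 8-octet (no timezone) or 11-octet (with timezone) OCTET STRING."""
    fields = text.split(",")
    year, month, day = (int(x) for x in fields[0].split("-"))
    hms, deci = fields[1].rsplit(".", 1)
    hour, minute, second = (int(x) for x in hms.split(":"))
    octets = struct.pack(">HBBBBBB", year, month, day, hour, minute, second, int(deci))
    if len(fields) == 3:                         # optional UTC offset
        direction, offset = fields[2][0], fields[2][1:]
        if direction not in "+-":
            raise ValueError("UTC direction must be '+' or '-'")
        off_h, off_m = (int(x) for x in offset.split(":"))
        octets += struct.pack(">cBB", direction.encode(), off_h, off_m)
    return octets


def is_immediate_transfer(octets):
    """True if a cCDMPushDestTransferTime value is the immediate-transfer
    sentinel, in either the 8-octet or the 11-octet form the draft allows."""
    return (octets[:8] == b"\x00\x00\x01\x01\x00\x00\x00\x00"
            and octets[8:] in (b"", b"-\x00\x00"))
```

The sentinel check compares octets rather than display strings because a manager may send the value with or without the three timezone octets, and a display-string comparison would also accept '0-1-1,0:0:0.0' only if the hint formatting happened to match. On the receiving side, cCDMPushSrcTable names the senders a device accepts pushes from and their addresses; an address match is an authorization-list entry, not authentication, so the mechanism named in cCDMPushSrcTransferType still has to authenticate the sender and verify the CDM's integrity before anything reaches the key tables.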
5397 CC-SECURE-POLICY-INFO-MIB DEFINITIONS ::= BEGIN

5399 IMPORTS
5400     ccSecurePolicyInfo
5401         FROM CC-FEATURE-HIERARCHY-MIB           -- FROM Sec 6.2
5402     OBJECT-TYPE, Unsigned32, NOTIFICATION-TYPE,
5403     MODULE-IDENTITY
5404         FROM SNMPv2-SMI                         -- FROM RFC 2578
5405     MODULE-COMPLIANCE, OBJECT-GROUP,
5406     NOTIFICATION-GROUP
5407         FROM SNMPv2-CONF                        -- FROM RFC 2580
5408     SnmpAdminString
5409         FROM SNMP-FRAMEWORK-MIB                 -- FROM RFC 3411
5410     RowStatus, TimeStamp
5411         FROM SNMPv2-TC;                         -- FROM RFC 2579

5413 ccSecurePolicyInfoMIB MODULE-IDENTITY
5414     LAST-UPDATED "201609302154Z"
5415     ORGANIZATION "CCMIB CCB"
5416     CONTACT-INFO
5417         "CC MIB Configuration Control Board
5418         Email: CCMIB.CCB@us.af.mil"
5419     DESCRIPTION
5420         "This MIB defines the CC MIB Secure Policy Information
5421         objects.

5423         Copyright (c) 2019 IETF Trust and the persons
5424         identified as authors of the code. All rights reserved.

5426         Redistribution and use in source and binary forms, with
5427         or without modification, is permitted pursuant to, and
5428         subject to the license terms contained in, the Simplified
5429         BSD License set forth in Section 4.c of the IETF Trust's
5430         Legal Provisions Relating to IETF Documents
5431         (http://trustee.ietf.org/license-info).

5433         This version of this MIB module is part of RFC xxxx;
5434         see the RFC itself for full legal notices."
5435     -- RFC Ed.: RFC-editor please fill in xxxx.
5436     REVISION "201609302154Z"
5437     DESCRIPTION "CC MIB 1.0.5 FINAL. Published as RFC xxxx."
5438     -- RFC Ed.: RFC-editor please fill in xxxx.
5439     ::= { ccSecurePolicyInfo 1 }

5441 -- *****************************************************************
5442 -- Secure Policy Info Information Segments
5443 -- *****************************************************************

5445 cSecurePolicyConformance OBJECT IDENTIFIER
5446     ::= { ccSecurePolicyInfoMIB 1 }
5447 cSecPolicyRuleInfo OBJECT IDENTIFIER
5448     ::= { ccSecurePolicyInfoMIB 2 }
5449 cSecurePolicyInfoScalars OBJECT IDENTIFIER
5450     ::= { ccSecurePolicyInfoMIB 3 }
5451 cSecurePolicyInfoNotify OBJECT IDENTIFIER
5452     ::= { ccSecurePolicyInfoMIB 4 }

5454 -- *****************************************************************
5455 -- Secure Policy Info Scalars
5456 -- *****************************************************************

5458 -- *****************************************************************
5459 -- Secure Policy Info Notifications
5460 -- *****************************************************************

5462 cSecPolicyChanged NOTIFICATION-TYPE
5463     OBJECTS {
5464         cSecPolicyRulePriorityID,
5465         cSecPolicyRuleDescription
5466     }
5467     STATUS current
5468     DESCRIPTION
5469         "A notification indicating that an existing Security Policy
5470         entry in the cSecPolicyRuleTable has changed."
5471     ::= { cSecurePolicyInfoNotify 1 }

5473 -- *****************************************************************
5474 -- CC MIB cSecPolicyRuleTable
5475 -- *****************************************************************

5477 cSecPolicyRuleTableCount OBJECT-TYPE
5478     SYNTAX Unsigned32
5479     MAX-ACCESS read-only
5480     STATUS current
5481     DESCRIPTION
5482         "The number of rows in the cSecPolicyRuleTable."
5483     ::= { cSecPolicyRuleInfo 1 }

5485 cSecPolicyRuleTableLastChanged OBJECT-TYPE
5486     SYNTAX TimeStamp
5487     MAX-ACCESS read-only
5488     STATUS current
5489     DESCRIPTION
5490         "The last time any entry in the table was modified, created,
5491         or deleted by SNMP, the agent, or another management method
5492         (e.g., via an HMI). Managers can use this object to ensure
5493         that no changes to the configuration of this table have
5494         happened since they last examined the table. A value of 0
5495         indicates that no entry has been changed since the agent
5496         initialized. The value of CC-DEVICE-INFO-MIB cSystemUpTime
5497         should be used to populate this object."
5498     ::= { cSecPolicyRuleInfo 2 }

5500 cSecPolicyRuleTable OBJECT-TYPE
5501     SYNTAX SEQUENCE OF CSecPolicyRuleEntry
5502     MAX-ACCESS not-accessible
5503     STATUS current
5504     DESCRIPTION
5505         "The cSecPolicyRuleTable stores the Security Policy Rules
5506         that are compared against inbound and outbound data traffic
5507         flows. These Security Policy Rules define the actions (e.g.,
5508         protect, bypass, discard) that determine how a data traffic
5509         flow is treated."
5510     ::= { cSecPolicyRuleInfo 3 }

5512 cSecPolicyRuleEntry OBJECT-TYPE
5513     SYNTAX CSecPolicyRuleEntry
5514     MAX-ACCESS not-accessible
5515     STATUS current
5516     DESCRIPTION
5517         "A row containing general information about a Security
5518         Policy rule."
5519     INDEX { cSecPolicyRulePriorityID }
5520     ::= { cSecPolicyRuleTable 1 }

5522 CSecPolicyRuleEntry ::= SEQUENCE {
5523     cSecPolicyRulePriorityID        Unsigned32,
5524     cSecPolicyRuleDescription       OCTET STRING,
5525     cSecPolicyRuleType              INTEGER,
5526     cSecPolicyRuleFilterReference   SnmpAdminString,
5527     cSecPolicyRuleAction            INTEGER,
5528     cSecPolicyRuleRowStatus         RowStatus
5529 }

5531 cSecPolicyRulePriorityID OBJECT-TYPE
5532     SYNTAX Unsigned32
5533     MAX-ACCESS read-only
5534     STATUS current
5535     DESCRIPTION
5536         "Local unique index that identifies the priority at which
5537         this Security Policy rule is applied. Lower values have a
5538         higher priority (e.g., a value of 1 will be processed before
5539         a value of 2). This column is the primary index to the
5540         cSecPolicyRuleTable."
5541     ::= { cSecPolicyRuleEntry 1 }

5543 cSecPolicyRuleDescription OBJECT-TYPE
5544     SYNTAX OCTET STRING
5545     MAX-ACCESS read-create
5546     STATUS current
5547     DESCRIPTION
5548         "An administrative string describing the Security Policy
5549         rule. Note that this is a free-form OCTET STRING that provides
5550         the user a store for any form of description/documentation
5551         for the given entry."
5552     ::= { cSecPolicyRuleEntry 2 }

5554 cSecPolicyRuleType OBJECT-TYPE
5555     SYNTAX INTEGER { ipsec(1), tls(2), macsec(3) }
5556     MAX-ACCESS read-create
5557     STATUS current
5558     DESCRIPTION
5559         "Optional column that defines the protocol type of
5560         the Security Policy rule. Depending on this column's
5561         value, entries will vary with respect to which other
5562         columns/tables (if any) must be populated to fully
5563         configure the Security Policy rule."
5564     ::= { cSecPolicyRuleEntry 3 }

5566 cSecPolicyRuleFilterReference OBJECT-TYPE
5567     SYNTAX SnmpAdminString
5568     MAX-ACCESS read-create
5569     STATUS current
5570     DESCRIPTION
5571         "A string that references the filter associated with the
5572         Security Policy rule. Comparison of a data traffic flow
5573         (inbound/outbound) against the associated filter is the basis
5574         on which a Security Policy rule is applied to the given data
5575         traffic flow."
5576     ::= { cSecPolicyRuleEntry 4 }

5578 cSecPolicyRuleAction OBJECT-TYPE
5579     SYNTAX INTEGER { protect(1), bypass(10), discard(20),
5580                      discardInbound(21), discardOutbound(22) }
5581     MAX-ACCESS read-create
5582     STATUS current
5583     DESCRIPTION
5584         "This object indicates what action the ECU should take on
5585         matching a data traffic flow against a filter (as defined by
5586         cSecPolicyRuleFilterReference). The value of this column can
5587         take one of five enumeration values.
5589 [1] protect: The 'protect' enumeration value indicates that 5590 the data traffic flow should be protected by a Secure 5591 Connection with attributes defined by the associated filter 5592 (cSecPolicyRuleFilterReference). 5594 [10] bypass: The 'bypass' enumeration value indicates that 5595 the data traffic flow should be bypassed with no 5596 cryptographic protection/services provided. 5598 [20] discard: The 'discard enumeration value indicates that 5599 the data traffic flow, agnostic of their direction, should 5600 be discarded. 5602 [21] discardInbound: The 'discardInbound' enumeration value 5603 indicates that an inbound data traffic flow should be 5604 discarded. 5606 [22] discardOutbound: The 'discardOutbound' enumeration 5607 value indicates that an outbound data traffic flow should be 5608 discarded. 5610 Implementations that do not support the 'discardInbound' and 5611 'discardOutbound' enumeration values should return a 5612 wrongValue exception during a SET to the 5613 cSecPolicyRuleAction object. 5615 A valid enumeration value must be specified in order for 5616 cSecPolicyRuleRowStatus to be 'active'." 5617 ::= { cSecPolicyRuleEntry 5 } 5619 cSecPolicyRuleRowStatus OBJECT-TYPE 5620 SYNTAX RowStatus 5621 MAX-ACCESS read-create 5622 STATUS current 5623 DESCRIPTION 5624 "The status of the row, by which new entries may be created, 5625 or old entries deleted from this table. 5627 Entries created within this table may not become active 5628 unless all read-create columns in this table have valid 5629 values, as detailed by each individual column's description. 5631 At a minimum, implementations must support createAndGo and 5632 destroy management functions. Support for createAndWait, 5633 active, notInService, and notReady management functions is 5634 optional." 
5635 ::= { cSecPolicyRuleEntry 6 } 5637 -- ***************************************************************** 5638 -- Module Conformance Information 5639 -- ***************************************************************** 5641 cSecurePolicyCompliances OBJECT IDENTIFIER 5642 ::= { cSecurePolicyConformance 1 } 5644 cSecurePolicyGroups OBJECT IDENTIFIER 5645 ::= { cSecurePolicyConformance 2 } 5647 cSecurePolicyCompliance MODULE-COMPLIANCE 5648 STATUS current 5649 DESCRIPTION 5650 "Compliance levels for secure policy information." 5651 MODULE 5652 MANDATORY-GROUPS { cSecurePolicyGroup } 5654 GROUP cSecurePolicyNotifyGroup 5655 DESCRIPTION 5656 "This notification group is optional for implementation." 5657 ::= { cSecurePolicyCompliances 1 } 5659 cSecurePolicyGroup OBJECT-GROUP 5660 OBJECTS { 5661 cSecPolicyRuleTableCount, 5662 cSecPolicyRuleTableLastChanged, 5663 cSecPolicyRulePriorityID, 5664 cSecPolicyRuleDescription, 5665 cSecPolicyRuleType, 5666 cSecPolicyRuleFilterReference, 5667 cSecPolicyRuleAction, 5668 cSecPolicyRuleRowStatus 5669 } 5670 STATUS current 5671 DESCRIPTION 5672 "This group is composed of objects related to secure policy 5673 information." 5674 ::= { cSecurePolicyGroups 1 } 5676 cSecurePolicyNotifyGroup NOTIFICATION-GROUP 5677 NOTIFICATIONS { 5678 cSecPolicyChanged 5679 } 5680 STATUS current 5681 DESCRIPTION 5682 "This group is composed of notifications related to secure 5683 policy information." 5684 ::= { cSecurePolicyGroups 2 } 5686 END 5688 6.8. Secure Connection Information 5690 This module makes reference to: Section 6.2, [RFC2578], [RFC2579], 5691 [RFC2580], [RFC3411], and [RFC4303]. 
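   The cSecPolicyRuleTable semantics above (rows evaluated in ascending
   cSecPolicyRulePriorityID order, the five cSecPolicyRuleAction values,
   wrongValue on a SET of an unsupported directional discard, and the
   requirement that a row cannot become active until every read-create
   column is valid) as a small Python model.  This is an added example,
   not code from the draft or from any CCMIB implementation.  The draft
   leaves cSecPolicyRuleFilterReference as an opaque string resolved by
   the implementation; here it resolves to a predicate, which is an
   assumption, as are the Flow record, the fail-closed default when no
   rule matches, and the treatment of a discardInbound rule as simply
   not matching an outbound flow.  Addresses are RFC 5737 documentation
   addresses.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Callable, Dict, Optional, Tuple


class RuleAction(IntEnum):
    """cSecPolicyRuleAction enumeration values as defined in the draft."""
    protect = 1
    bypass = 10
    discard = 20
    discardInbound = 21
    discardOutbound = 22


class RowStatus(IntEnum):
    """RFC 2579 RowStatus values (only the subset this model needs)."""
    active = 1
    notReady = 3
    createAndGo = 4
    destroy = 6


class WrongValue(Exception):
    """Stands in for the SNMP wrongValue error-status on a SET."""


class InconsistentValue(Exception):
    """Stands in for inconsistentValue: the row cannot become active."""


@dataclass(frozen=True)
class Flow:
    """Constructed data-traffic flow (assumption: not part of the draft)."""
    direction: str   # "inbound" or "outbound"
    dst: str         # destination address as a string
    proto: str       # e.g. "tcp/22"


# Assumption: the opaque cSecPolicyRuleFilterReference string resolves
# to a predicate over a Flow.
Filter = Callable[[Flow], bool]


@dataclass
class PolicyRule:
    priority_id: int         # cSecPolicyRulePriorityID (table index)
    description: bytes       # cSecPolicyRuleDescription
    filter_ref: str          # cSecPolicyRuleFilterReference
    action: RuleAction       # cSecPolicyRuleAction
    row_status: RowStatus = RowStatus.notReady


class PolicyRuleTable:
    def __init__(self, filters: Dict[str, Filter], directional_discard: bool = True):
        self.filters = filters
        # Whether this ECU supports discardInbound(21)/discardOutbound(22).
        self.directional_discard = directional_discard
        self.rows: Dict[int, PolicyRule] = {}

    def _check_action(self, value: int) -> RuleAction:
        """Validate a SET of cSecPolicyRuleAction the way the draft requires."""
        try:
            action = RuleAction(value)
        except ValueError:
            raise WrongValue(f"cSecPolicyRuleAction {value} is not an enumeration value")
        if not self.directional_discard and action in (
            RuleAction.discardInbound, RuleAction.discardOutbound
        ):
            raise WrongValue(f"{action.name} is not supported by this ECU")
        return action

    def create_and_go(self, priority_id: int, description: bytes,
                      filter_ref: str, action: int) -> PolicyRule:
        """RowStatus createAndGo: every read-create column must be valid first."""
        if priority_id in self.rows:
            raise InconsistentValue(f"row {priority_id} already exists")
        rule = PolicyRule(priority_id, description, filter_ref, self._check_action(action))
        if filter_ref not in self.filters:
            raise InconsistentValue(f"unknown filter reference {filter_ref!r}")
        rule.row_status = RowStatus.active
        self.rows[priority_id] = rule
        return rule

    def destroy(self, priority_id: int) -> None:
        """RowStatus destroy."""
        self.rows.pop(priority_id, None)

    def decide(self, flow: Flow) -> Tuple[RuleAction, Optional[int]]:
        """First active rule (lowest priority ID) whose filter matches decides.

        Returns the effective disposition and the deciding row's index; the
        directional discards are reported as plain discard once they apply.
        """
        for pid in sorted(self.rows):            # lower value = higher priority
            rule = self.rows[pid]
            if rule.row_status != RowStatus.active:
                continue
            if not self.filters[rule.filter_ref](flow):
                continue
            if rule.action is RuleAction.discardInbound:
                if flow.direction != "inbound":
                    continue                      # assumption: rule does not apply
                return RuleAction.discard, pid
            if rule.action is RuleAction.discardOutbound:
                if flow.direction != "outbound":
                    continue
                return RuleAction.discard, pid
            return rule.action, pid
        return RuleAction.discard, None          # assumption: fail closed
```

   Because the index is the priority, two rules can never share a
   priority value, and inserting rows out of order (as a manager doing
   createAndGo on row 10 before row 1 would) does not change the
   evaluation order.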
     CC-SECURE-CONNECTION-INFO-MIB DEFINITIONS ::= BEGIN

     IMPORTS
         ccSecureConnectionInfo
             FROM CC-FEATURE-HIERARCHY-MIB       -- FROM Sec 6.2
         OBJECT-TYPE, Unsigned32, NOTIFICATION-TYPE,
         MODULE-IDENTITY
             FROM SNMPv2-SMI                     -- FROM RFC 2578
         MODULE-COMPLIANCE, OBJECT-GROUP,
         NOTIFICATION-GROUP
             FROM SNMPv2-CONF                    -- FROM RFC 2580
         RowStatus, DateAndTime, TimeStamp
             FROM SNMPv2-TC;                     -- FROM RFC 2579

     ccSecureConnectionInfoMIB MODULE-IDENTITY
         LAST-UPDATED "201609302154Z"
         ORGANIZATION "CCMIB CCB"
         CONTACT-INFO
             "CC MIB Configuration Control Board
              Email: CCMIB.CCB@us.af.mil"
         DESCRIPTION
             "This MIB defines the CC MIB Secure Connection Information
             objects.

             Copyright (c) 2019 IETF Trust and the persons
             identified as authors of the code.  All rights reserved.

             Redistribution and use in source and binary forms, with
             or without modification, is permitted pursuant to, and
             subject to the license terms contained in, the Simplified
             BSD License set forth in Section 4.c of the IETF Trust's
             Legal Provisions Relating to IETF Documents
             (http://trustee.ietf.org/license-info).

             This version of this MIB module is part of RFC xxxx;
             see the RFC itself for full legal notices."
         -- RFC Ed.: RFC-editor please fill in xxxx.
         REVISION "201609302154Z"
         DESCRIPTION "CC MIB 1.0.5 FINAL.  Published as RFC xxxx."
         -- RFC Ed.: RFC-editor please fill in xxxx.
         ::= { ccSecureConnectionInfo 1 }

     -- *****************************************************************
     -- Secure Connection Info Information Segments
     -- *****************************************************************

     cSecureConnectionConformance OBJECT IDENTIFIER
         ::= { ccSecureConnectionInfoMIB 1 }
     cSecureConnectionInfo OBJECT IDENTIFIER
         ::= { ccSecureConnectionInfoMIB 2 }
     cSecureConnectionInfoScalars OBJECT IDENTIFIER
         ::= { ccSecureConnectionInfoMIB 3 }
     cSecureConnectionInfoNotify OBJECT IDENTIFIER
         ::= { ccSecureConnectionInfoMIB 4 }

     -- *****************************************************************
     -- Secure Connection Info Scalars
     -- *****************************************************************

     -- *****************************************************************
     -- Secure Connection Info Notifications
     -- *****************************************************************

     cSecConnectionEstablished NOTIFICATION-TYPE
         OBJECTS { cSecConTableID }
         STATUS      current
         DESCRIPTION
             "A notification indicating that a new Secure Connection was
             successfully established."
         ::= { cSecureConnectionInfoNotify 1 }

     cSecConnectionDeleted NOTIFICATION-TYPE
         OBJECTS { cSecConTableID }
         STATUS      current
         DESCRIPTION
             "A notification indicating that an existing Secure
             Connection was successfully deleted."
         ::= { cSecureConnectionInfoNotify 2 }

     -- *****************************************************************
     -- CC MIB cSecConTable
     -- *****************************************************************

     cSecConTableCount OBJECT-TYPE
         SYNTAX      Unsigned32
         MAX-ACCESS  read-only
         STATUS      current
         DESCRIPTION
             "The number of rows in the cSecConTable."
         ::= { cSecureConnectionInfo 1 }

     cSecConTableLastChanged OBJECT-TYPE
         SYNTAX      TimeStamp
         MAX-ACCESS  read-only
         STATUS      current
         DESCRIPTION
             "The last time any entry in the table was modified, created,
             or deleted by either SNMP, the agent, or another management
             method (e.g., via an HMI).  Managers can use this object to
             ensure that no changes to the configuration of this table
             have happened since the last time it examined the table.  A
             value of 0 indicates that no entry has been changed since the
             agent initialized.  The value in CC-DEVICE-INFO-MIB
             cSystemUpTime should be used to populate this column."
         ::= { cSecureConnectionInfo 2 }

     cSecConTable OBJECT-TYPE
         SYNTAX      SEQUENCE OF CSecConEntry
         MAX-ACCESS  not-accessible
         STATUS      current
         DESCRIPTION
             "The cSecConTable stores general Secure Connection
             (active/inactive) information associated with the ECU.  This
             table provides the base/common information for Secure
             Connections."
         ::= { cSecureConnectionInfo 3 }

     cSecConEntry OBJECT-TYPE
         SYNTAX      CSecConEntry
         MAX-ACCESS  not-accessible
         STATUS      current
         DESCRIPTION
             "A row containing general information about an
             active/inactive Secure Connection."
         INDEX { cSecConTableID }
         ::= { cSecConTable 1 }

     CSecConEntry ::= SEQUENCE {
         cSecConTableID              Unsigned32,
         cSecConType                 OCTET STRING,
         cSecConDataPlaneID          OCTET STRING,
         cSecConDirection            INTEGER,
         cSecConKeyReference         OCTET STRING,
         cSecConCryptographicSuite   OCTET STRING,
         cSecConEstablishmentTime    DateAndTime,
         cSecConStatus               OCTET STRING,
         cSecConRowStatus            RowStatus,
         cSecConRemoteKeyReference   OCTET STRING
     }

     cSecConTableID OBJECT-TYPE
         SYNTAX      Unsigned32
         MAX-ACCESS  read-only
         STATUS      current
         DESCRIPTION
             "Local unique index that identifies a Secure Connection.
             This column is the primary index to the cSecConTable."
         ::= { cSecConEntry 1 }

     cSecConType OBJECT-TYPE
         SYNTAX      OCTET STRING
         MAX-ACCESS  read-create
         STATUS      current
         DESCRIPTION
             "Optional column that defines the related protocol type of
             the Secure Connection.  Depending on this column's populated
             value, entries will vary with respect to which other
             columns/tables (if any) are applicable to the Secure
             Connection.  Example values for this column are 'ipsec'
             for Internet Protocol Security secure connections and 'tls'
             for Transport Layer Security/Secure Socket Layer secure
             connections."
         ::= { cSecConEntry 2 }

     cSecConDataPlaneID OBJECT-TYPE
         SYNTAX      OCTET STRING
         MAX-ACCESS  read-create
         STATUS      current
         DESCRIPTION
             "The unique identifier associated with the Secure
             Connection, based on the Secure Connection protocol.

             Note, this is a free-form OCTET STRING column whose
             meaningful values/format are defined per Secure Connection
             protocol type.  For instance, in an IPsec context (i.e.,
             the cSecConType value is set to 'ipsec'), this column would
             store the Security Parameter Index (SPI) for a given
             Encapsulating Security Payload Version 3 Security
             Association (RFC 4303, Section 2.1)."
         ::= { cSecConEntry 3 }

     cSecConDirection OBJECT-TYPE
         SYNTAX      INTEGER { inbound(1), outbound(2),
                               bidirectional(3) }
         MAX-ACCESS  read-create
         STATUS      current
         DESCRIPTION
             "The data plane traffic flow direction for the Secure
             Connection.

             [1] inbound: data plane traffic flow is incoming on the
             Secure Connection.

             [2] outbound: data plane traffic flow is outgoing on the
             Secure Connection.

             [3] bidirectional: data plane traffic flow is incoming and
             outgoing on the Secure Connection."
         ::= { cSecConEntry 4 }

     cSecConKeyReference OBJECT-TYPE
         SYNTAX      OCTET STRING (SIZE(0..255))
         MAX-ACCESS  read-create
         STATUS      current
         DESCRIPTION
             "Administrative string that references key material
             associated with the Secure Connection.  This column
             references an entry (via table index value) in a key-related
             table in the CC-KEY-MANAGEMENT-MIB.

             If there is no appropriate value to populate it with, this
             column is populated with the empty string, ''."
         ::= { cSecConEntry 5 }

     cSecConCryptographicSuite OBJECT-TYPE
         SYNTAX      OCTET STRING
         MAX-ACCESS  read-create
         STATUS      current
         DESCRIPTION
             "The set of cryptographic attributes (e.g., Encryption
             Algorithm, Integrity Algorithm) of the Secure Connection.
             Note, this is a free-form OCTET STRING column, meaning
             implementations may use a standardized definition of string
             values that describe a set of cryptographic suites or use a
             proprietary definition of string values for supported
             cryptographic suites."
         ::= { cSecConEntry 6 }

     cSecConEstablishmentTime OBJECT-TYPE
         SYNTAX      DateAndTime
         MAX-ACCESS  read-create
         STATUS      current
         DESCRIPTION
             "The local date and time when the Secure Connection was or
             will be established.  The value in this column may be
             manually set to a date and time prior to the effective date
             of the key material (if associated) referenced by the
             cSecConKeyReference column.  If this column is not manually
             configured with a date and time, then the value will be
             automatically populated with the current cSystemDate value
             at the moment the cSecConRowStatus column is first set to
             active.

             Note, implementations may treat this column as the start
             (alpha) date for the Secure Connection, and thus derive
             other Secure Connection-related values from this time."
         ::= { cSecConEntry 7 }

     cSecConStatus OBJECT-TYPE
         SYNTAX      OCTET STRING
         MAX-ACCESS  read-create
         STATUS      current
         DESCRIPTION
             "Column that provides the current status of the Secure
             Connection.  Note, this is a free-form OCTET STRING column
             whose meaningful values are defined per Secure Connection
             protocol type (i.e., as defined by the cSecConType value) or
             per implementation.

             If there is no appropriate value to populate it with, this
             column is populated with the empty string, ''."
         ::= { cSecConEntry 8 }

     cSecConRowStatus OBJECT-TYPE
         SYNTAX      RowStatus
         MAX-ACCESS  read-create
         STATUS      current
         DESCRIPTION
             "The status of the row, by which new entries may be created,
             or old entries deleted from this table.

             Entries created within this table may not become active
             unless all read-create columns in this table have valid
             values, as detailed by each individual column's description.

             The set of RowStatus enumerations that must be supported
             depends on the type of secure connection.  At a minimum,
             implementations must support createAndGo and destroy if the
             secure connection can be created and destroyed by the
             manager.  Implementations must support active and
             notInService if the secure connection can be
             enabled/disabled by the manager."
         ::= { cSecConEntry 9 }

     cSecConRemoteKeyReference OBJECT-TYPE
         SYNTAX      OCTET STRING (SIZE(0..255))
         MAX-ACCESS  read-create
         STATUS      current
         DESCRIPTION
             "Administrative string that references remote key material
             associated with the Secure Connection (i.e., the remote key
             material used by the peer to establish the Secure
             Connection).  This column references an entry (via table
             index value) in cRemoteKeyMaterialTable
             (CC-KEY-MANAGEMENT-MIB).

             If there is no appropriate value to populate it with, this
             column is populated with the empty string, ''."
         ::= { cSecConEntry 10 }

     -- *****************************************************************
     -- Module Conformance Information
     -- *****************************************************************

     cSecureConnectionCompliances OBJECT IDENTIFIER
         ::= { cSecureConnectionConformance 1 }

     cSecureConnectionGroups OBJECT IDENTIFIER
         ::= { cSecureConnectionConformance 2 }

     cSecureConnectionCompliance MODULE-COMPLIANCE
         STATUS      current
         DESCRIPTION
             "Compliance levels for secure connection information."
         MODULE
             MANDATORY-GROUPS { cSecureConnectionGroup }

             GROUP cSecureConnectionNotifyGroup
             DESCRIPTION
                 "This notification group is optional for implementation."

             OBJECT cSecConType
             MIN-ACCESS not-accessible
             DESCRIPTION
                 "Implementation of this object is optional."
         ::= { cSecureConnectionCompliances 1 }

     cSecureConnectionGroup OBJECT-GROUP
         OBJECTS {
             cSecConTableCount,
             cSecConTableLastChanged,
             cSecConTableID,
             cSecConType,
             cSecConDataPlaneID,
             cSecConDirection,
             cSecConKeyReference,
             cSecConCryptographicSuite,
             cSecConEstablishmentTime,
             cSecConStatus,
             cSecConRowStatus,
             cSecConRemoteKeyReference
         }
         STATUS      current
         DESCRIPTION
             "This group is composed of objects related to secure
             connection information."
         ::= { cSecureConnectionGroups 1 }

     cSecureConnectionNotifyGroup NOTIFICATION-GROUP
         NOTIFICATIONS {
             cSecConnectionEstablished,
             cSecConnectionDeleted
         }
         STATUS      current
         DESCRIPTION
             "This group is composed of notifications related to secure
             connection information."
         ::= { cSecureConnectionGroups 2 }

     END

7.  IANA Considerations

   This document makes no requests of IANA.
   All of the object identifiers used in the document are defined in
   the IANA Private Enterprise Number (PEN) ccmib arc (34493).

8.  Security Considerations

   The CCMIB modules contain some read-only objects that may be deemed
   sensitive.  Appropriate security procedures that are related to SNMP
   in general but are not specific to these MIB modules need to be
   implemented by concerned operators.

   There are a number of management objects defined in these MIB
   modules with a MAX-ACCESS clause of read-write and/or read-create.
   Such objects may be considered sensitive or vulnerable in some
   network environments.  Support for SET operations in a non-secure
   environment without proper protection opens devices to attack.  The
   following tables and objects are sensitive/vulnerable because
   unauthorized modification would allow an attacker to elevate or
   degrade a device's capabilities:

   o  From the Device Information MIB: cSystemDate,
      cSystemInitialLoadParameters, cSecurityLevel, cResetDevice,
      cSanitizeDevice, cRenderInoperable, cDeviceComponentOpStatus,
      cDeviceComponentDescription, cBatteryLowThreshold,
      cFirmwareRunning, and cFirmwareRowStatus.

   o  From the Key Management Information MIB: cZeroizeAllKeys,
      cZeroizeSymmetricKeyTable, cZeroizeAsymKeyTable,
      cZeroizeTrustAnchorTable, cZeroizeCDMStoreTable,
      cKeyMaterialTableOID, cSymKeyGlobalExpiryWarning,
      cAsymKeyGlobalExpiryWarning, cGenerateKeyType, cGenerateKey,
      cSymKeyUsage, cSymKeyID, cSymKeyIssuer, cSymKeyEffectiveDate,
      cSymKeyExpirationDate, cSymKeyExpiryWarning,
      cSymKeyNumberOfTransactions, cSymKeyFriendlyName, cSymKeySource,
      cSymKeyRowStatus, cAsymKeyFriendlyName, cAsymKeyEffectiveDate,
      cAsymKeyExpiryWarning, cAsymKeySubjectAltName, cAsymKeyUsage,
      cAsymKeySource, cAsymKeyRowStatus, cAsymKeyRekey,
      cAsymKeyAutoRekeyEnable, cTrustAnchorRowStatus, cCKLRowStatus,
      cCDMStoreID, cCDMStoreFriendlyName, cCDMStoreControl,
      cCDMStoreRowStatus, cCertSubAltNameRowStatus, and
      cRemoteKeyMatFriendlyName.

   o  From the Key Transfer Pull MIB: cCDMServerRetryDelay,
      cCDMServerRetryMaxAttempts, cCDMPullRetrievalPriorities,
      cCDMLDeliveryRequest, cCDMServerURI, cCDMServerAdditionalInfo,
      cCDMServerRowStatus, cCDMAdditionalInfo, cCDMDeliveryPriority,
      cCDMDeliveryRequest, and cCDMDeliveryRowStatus.

   o  From the Key Transfer Push MIB: cCDMTransferDelay,
      cCDMTransferMaxAttempts, cCDMPushDestTransferType,
      cCDMPushDestAddressLocationType, cCDMPushDestAddressLocation,
      cCDMPushDestTransferTime, cCDMPushDestPackageSelection,
      cCDMPushDestRowStatus, cCDMTransferPkgLocatorRowPtr,
      cCDMTransferPkgRowStatus, cCDMPushSrcTransferType,
      cCDMPushSrcAddrLocationType, cCDMPushSrcAddrLocation, and
      cCDMPushSrcRowStatus.

   o  From the Security Policy Information MIB:
      cSecPolicyRuleDescription, cSecPolicyRuleType,
      cSecPolicyRuleFilterReference, cSecPolicyRuleAction, and
      cSecPolicyRuleRowStatus.

   o  From the Secure Connection Information MIB: cSecConType,
      cSecConDataPlaneID, cSecConDirection, cSecConKeyReference,
      cSecConCryptographicSuite, cSecConEstablishmentTime,
      cSecConStatus, cSecConRowStatus, and cSecConRemoteKeyReference.

   Several of these are destructive controls rather than configuration
   (cResetDevice, cSanitizeDevice, cRenderInoperable, and the
   cZeroize* objects): a single unauthorized SET can take the device or
   its key material out of service, so write access to them warrants
   the narrowest access-control scoping an operator can configure.

   Some of the readable objects in these MIB modules (i.e., objects with
   a MAX-ACCESS other than not-accessible) may be considered sensitive
   or vulnerable in some network environments.  It is thus important to
   control even GET and/or NOTIFY access to these objects and possibly
   to even encrypt the values of these objects when sending them over
   the network via SNMP.  The following tables and objects are
   sensitive/vulnerable because unauthorized access would disclose
   device configuration information:

   o  From the Device Information MIB: cSystemUpTime,
      cElectronicSerialNumber, cLastChanged, cVendorName,
      cModelIdentifier, cHardwareVersionNumber,
      cDeviceComponentVersTableCount,
      cDeviceComponentVersTableLastChanged, cDeviceComponentName,
      cDeviceComponentVersion, cBatteryInfoTableCount,
      cBatteryInfoTableLastChanged, cBatteryType, cBatteryOpStatus,
      cFirmwareInformationTableCount,
      cFirmwareInformationTableLastChanged, cFirmwareName,
      cFirmwareVersion, and cFirmwareSource.

   o  From the Key Management Information MIB: cKeyMaterialFingerprint,
      cSymmetricKeyTableCount, cSymmetricKeyTableLastChanged,
      cAsymKeyTableCount, cAsymKeyTableLastChanged, cAsymKeyFingerprint,
      cAsymKeySerialNumber, cAsymKeyIssuer, cAsymKeySignatureAlgorithm,
      cAsymKeyPublicKeyAlgorithm, cAsymKeyExpirationDate,
      cAsymKeySubject, cAsymKeySubjectType, cAsymKeyClassification,
      cAsymKeyVersion, cAsymKeyType, cTrustAnchorTableCount,
      cTrustAnchorTableLastChanged, cTrustAnchorFingerprint,
      cTrustAnchorFormatType, cTrustAnchorName, cTrustAnchorUsageType,
      cTrustAnchorKeyIdentifier, cTrustAnchorPublicKeyAlgorithm,
      cTrustAnchorContingencyAvail, cTrustAnchorVersion, cCKLTableCount,
      cCKLLastChanged, cCKLIndex, cCKLIssuer, cCKLSerialNumber,
      cCKLIssueDate, cCKLNextUpdate, cCKLVersion, cCKLLastUpdate,
      cCDMStoreTableCount, cCDMStoreTableLastChanged, cCDMStoreIndex,
      cCDMStoreType, cCDMStoreSource, cCertSubAltNameTableCount,
      cCertSubAltNameTableLastChanged, cCertSubAltNameType,
      cCertSubAltNameValue1, cCertSubAltNameValue2,
      cCertPathCtrlsTableCount, cCertPathCtrlsTableLastChanged,
      cCertPathCtrlsCertificate, cCertPathCtrlsCertPolicies,
      cCertPathCtrlsPolicyMappings, cCertPathCtrlsPolicyFlags,
      cCertPathCtrlsNamesPermitted, cCertPathCtrlsNamesExcluded,
      cCertPathCtrlsMaxPathLength, cCertPolicyTableCount,
      cCertPolicyTableLastChanged, cCertPolicyIdentifier,
      cCertPolicyQualifierID, cCertPolicyQualifier,
      cPolicyMappingTableCount, cPolicyMappingTableLastChanged,
      cPolicyMappingSubjectPolicy, cPolicyMappingIssuerPolicy,
      cNameConstraintTableCount, cNameConstraintTableLastChanged,
      cNameConstraintBaseName, cRemoteKeyMaterialTableCount,
      cRemoteKeyMaterialTableLastChanged, cRemoteKeyMatSerialNumber,
      cRemoteKeyMaterialKeyType, cRemoteKeyMatExpirationDate, and
      cRemoteKeyMatClassification.

   o  From the Key Transfer Pull MIB: cCDMLDeliveryStatus,
      cCDMServerTableCount, cCDMServerTableLastChanged,
      cCDMDeliveryTableCount, cCDMDeliveryTableLastChanged, cCDMType,
      cCDMURI, cCDMPackageSize, cCDMLastDownloadDate, and
      cCDMDeliveryStatus.

   o  From the Key Transfer Push MIB: cCDMPushDestTableCount,
      cCDMPushDestTableLastChanged, cCDMTransferPkgTableCount,
      cCDMTransferPkgTableLastChanged, cCDMPushSrcTableCount, and
      cCDMPushSrcTableLastChanged.

   o  From the Security Policy Information MIB:
      cSecPolicyRuleTableCount, cSecPolicyRuleTableLastChanged, and
      cSecPolicyRulePriorityID.

   o  From the Secure Connection Information MIB: cSecConTableCount,
      cSecConTableLastChanged, and cSecConTableID.

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example by using IPsec),
   there is no control as to who on the secure network is allowed to
   access and GET/SET (read/change/create/delete) the objects in these
   MIB modules.
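   The USM requirement that follows rests on key localization (RFC
   3414, Appendix A): the authentication and privacy keys held by each
   agent are derived from the user's password and that agent's
   snmpEngineID, so a key recovered from one compromised ECU does not
   authenticate the manager's user to any other ECU, and a manager must
   learn each agent's engine ID before it can talk to it.  The Python
   below reproduces that derivation and checks it against the RFC 3414
   Appendix A.3 test vectors; it is an added example, not part of the
   draft or of any CCMIB implementation.  Taking the first 16 octets of
   the localized key as the AES-128 privacy key follows RFC 3826; the
   second engine ID used for comparison is constructed.

```python
import hashlib

PASSWORD_STREAM_LEN = 1_048_576   # RFC 3414 A.2: hash exactly 1 MiB of password octets


def password_to_key(password: bytes, hash_name: str = "sha1") -> bytes:
    """RFC 3414 A.2: Ku = H(password repeated cyclically to 1,048,576 octets).

    hash_name is 'md5' (A.2.1, usmHMACMD5AuthProtocol) or 'sha1' (A.2.2,
    usmHMACSHAAuthProtocol).  The stream is fed in chunks that are whole
    multiples of the password so the cycle never breaks mid-password.
    """
    if not password:
        raise ValueError("password must not be empty")
    h = hashlib.new(hash_name)
    chunk = password * (65536 // len(password) + 1)   # >= 64 KiB, password-aligned
    remaining = PASSWORD_STREAM_LEN
    while remaining > 0:
        piece = chunk[:remaining]
        h.update(piece)
        remaining -= len(piece)
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """RFC 3414 A.3: Kul = H(Ku || snmpEngineID || Ku).

    Only Kul is stored on the agent, and only Kul for *its own* engine ID,
    which is what confines the damage of a compromised agent.
    """
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("snmpEngineID must be 5..32 octets (RFC 3411)")
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_keys(password: bytes, engine_id: bytes, hash_name: str = "sha1") -> dict:
    """Localized auth key plus the AES-128 privacy key carved from it.

    The privacy key here is derived from the same password as the auth key
    purely to keep the example short; in practice use distinct passwords.
    RFC 3826: the AES-128 key is the first 128 bits of the localized key.
    """
    kul = localize_key(password_to_key(password, hash_name), engine_id, hash_name)
    return {"auth_key": kul, "aes128_priv_key": kul[:16]}


if __name__ == "__main__":
    engine_a = bytes.fromhex("000000000000000000000002")   # RFC 3414 A.3 vector
    engine_b = bytes.fromhex("80001f8880e9bd0fe5e1e3d300")  # constructed
    for eid in (engine_a, engine_b):
        k = usm_keys(b"maplesyrup", eid)
        print(eid.hex(), k["auth_key"].hex(), k["aes128_priv_key"].hex())
```

   The same password therefore yields a different key on every ECU in
   the fleet; rotating the password means re-localizing and re-keying
   each agent, which is the operational cost of the property.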
   Implementations SHOULD provide the security features described by the
   SNMPv3 framework (see [RFC3410]), and implementations claiming
   compliance to the SNMPv3 standard MUST include full support for
   authentication and privacy via the User-based Security Model (USM)
   [RFC3414] with the AES cipher algorithm [RFC3826].  Implementations
   MAY also provide support for the Transport Security Model (TSM)
   [RFC5591] in combination with a secure transport such as SSH
   [RFC5592] or TLS/DTLS [RFC6353].

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.  It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of these MIB modules is properly configured to give access
   to the objects only to those principals (users) that have legitimate
   rights to indeed GET or SET (change/create/delete) them.

9.  References

9.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC2578]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Structure of Management Information
              Version 2 (SMIv2)", STD 58, RFC 2578,
              DOI 10.17487/RFC2578, April 1999.

   [RFC2579]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Textual Conventions for SMIv2",
              STD 58, RFC 2579, DOI 10.17487/RFC2579, April 1999.

   [RFC2580]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Conformance Statements for SMIv2",
              STD 58, RFC 2580, DOI 10.17487/RFC2580, April 1999.

   [RFC3411]  Harrington, D., Presuhn, R., and B. Wijnen, "An
              Architecture for Describing Simple Network Management
              Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
              DOI 10.17487/RFC3411, December 2002.

   [RFC3414]  Blumenthal, U. and B. Wijnen, "User-based Security Model
              (USM) for version 3 of the Simple Network Management
              Protocol (SNMPv3)", STD 62, RFC 3414,
              DOI 10.17487/RFC3414, December 2002.

   [RFC3826]  Blumenthal, U., Maino, F., and K. McCloghrie, "The
              Advanced Encryption Standard (AES) Cipher Algorithm in the
              SNMP User-based Security Model", RFC 3826,
              DOI 10.17487/RFC3826, June 2004.

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008.

   [RFC5591]  Harrington, D. and W. Hardaker, "Transport Security Model
              for the Simple Network Management Protocol (SNMP)",
              STD 78, RFC 5591, DOI 10.17487/RFC5591, June 2009.

   [RFC5592]  Harrington, D., Salowey, J., and W. Hardaker, "Secure
              Shell Transport Model for the Simple Network Management
              Protocol (SNMP)", RFC 5592, DOI 10.17487/RFC5592,
              June 2009.

   [RFC5914]  Housley, R., Ashmore, S., and C. Wallace, "Trust Anchor
              Format", RFC 5914, DOI 10.17487/RFC5914, June 2010.

   [RFC5958]  Turner, S., "Asymmetric Key Packages", RFC 5958,
              DOI 10.17487/RFC5958, August 2010.

   [RFC6030]  Hoyer, P., Pei, M., and S. Machani, "Portable Symmetric
              Key Container (PSKC)", RFC 6030, DOI 10.17487/RFC6030,
              October 2010.

   [RFC6031]  Turner, S. and R. Housley, "Cryptographic Message Syntax
              (CMS) Symmetric Key Package Content Type", RFC 6031,
              DOI 10.17487/RFC6031, December 2010.

   [RFC6032]  Turner, S. and R. Housley, "Cryptographic Message Syntax
              (CMS) Encrypted Key Package Content Type", RFC 6032,
              DOI 10.17487/RFC6032, December 2010.

   [RFC6353]  Hardaker, W., "Transport Layer Security (TLS) Transport
              Model for the Simple Network Management Protocol (SNMP)",
              STD 78, RFC 6353, DOI 10.17487/RFC6353, July 2011.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

9.2.  Informative References

   [I-D.turner-sodp-profile]
              Jenkins, M. and S. Turner, "The SODP (Secure Object
              Delivery Protocol) Server Interfaces: NSA's Profile for
              Delivery of Certificates, CRLs, and Symmetric Keys to
              Clients", draft-turner-sodp-profile-04 (work in progress),
              August 2019.

   [RFC1213]  McCloghrie, K. and M. Rose, "Management Information Base
              for Network Management of TCP/IP-based internets: MIB-II",
              STD 17, RFC 1213, DOI 10.17487/RFC1213, March 1991.

   [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
              "Introduction and Applicability Statements for Internet-
              Standard Management Framework", RFC 3410,
              DOI 10.17487/RFC3410, December 2002.

   [RFC3418]  Presuhn, R., Ed., "Management Information Base (MIB) for
              the Simple Network Management Protocol (SNMP)", STD 62,
              RFC 3418, DOI 10.17487/RFC3418, December 2002.

   [RFC4303]  Kent, S., "IP Encapsulating Security Payload (ESP)",
              RFC 4303, DOI 10.17487/RFC4303, December 2005.

   [SP800-59] National Institute of Standards and Technology, U.S.
              Department of Commerce, "Guideline for Identifying an
              Information System as a National Security System",
              NIST Special Publication 800-59,
              DOI 10.6028/NIST.SP.800-59, August 2003.

Appendix A.  Contributors

   The following people made technical contributions to this
   specification:

   o  Shadi Azoum
      Naval Information Warfare Center Pacific
      shadi.azoum@navy.mil

   o  Elliott Jones
      Naval Information Warfare Center Pacific
      elliott.jones@navy.mil

   o  Lily Sun
      Naval Information Warfare Center Pacific
      lily.sun@navy.mil

Authors' Addresses

   Jeffrey Sun
   Naval Information Warfare Center Pacific

   Email: sunjeff@spawar.navy.mil


   Mike Irani
   Naval Information Warfare Center Pacific

   Email: irani@spawar.navy.mil


   Tom Nguyen
   Naval Information Warfare Center Pacific

   Email: tmnguyen@spawar.navy.mil


   Ray Purvis
   The MITRE Corporation

   Email: rpurvis@mitre.org


   Sean Turner
   sn3rd

   Email: sean@sn3rd.com