ALTEON-ISD-SSL-MIB DEFINITIONS ::= BEGIN

IMPORTS
    NOTIFICATION-TYPE, MODULE-IDENTITY, OBJECT-IDENTITY, OBJECT-TYPE,
    Counter32, Gauge32, Integer32, IpAddress
	FROM SNMPv2-SMI
    TEXTUAL-CONVENTION, DisplayString, DateAndTime, RowStatus, TimeInterval
	FROM SNMPv2-TC
    MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP
        FROM SNMPv2-CONF
    sslOffload
	FROM ALTEON-ROOT-MIB
    currentAlarmSeverity, currentAlarmTime, currentAlarmCause,
    isdIP
	FROM ALTEON-ISD-PLATFORM-MIB
    ;

alteonISDSSLModule MODULE-IDENTITY
    LAST-UPDATED "0404231000Z"
    ORGANIZATION "Alteon Web Systems Inc."
    CONTACT-INFO "Contact:  Alteon Support E-mail: support@alteon.com"
    DESCRIPTION "MIB module for object and notification definitions for the iSD SSL Offload."

    REVISION    "0404231000Z"
    DESCRIPTION
        "Updated to support new version of ALTEON-ISD-PLATFORM-MIB."

    REVISION    "0310302000Z"
    DESCRIPTION
	"Added new values for sslServerType for SSL-VPN and WSS."
    REVISION    "0111052000Z"
    DESCRIPTION
	"Added support for HSM modules."
    REVISION    "0102091700Z"
    DESCRIPTION
	"The initial revision of MIB module ALTEON-ISD-SSL-MIB."
    ::= { sslOffload 1 }


---
--- Reserved for LDAP
---
ldap OBJECT IDENTIFIER ::= { sslOffload 389 }

---
--- Reserved for Agent Capabilities
---
alteonSSLCaps OBJECT IDENTIFIER ::= { sslOffload 388 }


--
-- MIB Structure
--

alteonISDSSLMIB OBJECT-IDENTITY
    STATUS      current
    DESCRIPTION
	"Toplevel ID of Alteon ISD MIB."
    ::= { sslOffload 2 }

alteonSSLObjs OBJECT-IDENTITY
    STATUS      current
    DESCRIPTION
	"Object definitions for the Alteon ISD SSL MIB."
    ::= { alteonISDSSLMIB 1 }

sslCerts OBJECT-IDENTITY
    STATUS      current
    DESCRIPTION
	"A collection of objects to configure and monitor the
        SSL certificates in the system."
    ::= { alteonSSLObjs 1 }

sslServers OBJECT-IDENTITY
    STATUS      current
    DESCRIPTION
	"A collection of objects to configure and monitor the
        SSL servers in the system."
    ::= { alteonSSLObjs 2 }

sslPerf OBJECT-IDENTITY
    STATUS      current
    DESCRIPTION
	"A collection of objects to monitor the performance and
        operation of the SSL servers in the system."
    ::= { alteonSSLObjs 3 }

sslEvent OBJECT-IDENTITY
    STATUS      current
    DESCRIPTION
	"A collection of objects for monitoring events in
	the system."
    ::= { alteonSSLObjs 4 }

sslObjs OBJECT-IDENTITY
    STATUS      current
    DESCRIPTION
	"A collection of global objects in the system."
    ::= { alteonSSLObjs 5 }

alteonSSLNotifs OBJECT-IDENTITY
    STATUS      current
    DESCRIPTION
	"Notification definitions for the Alteon ISD SSL MIB."
    ::= { alteonISDSSLMIB 2 }


--
-- Textual Conventions
--


--
-- Object definitions
--

-- Global SSL Objects

-- Read-only scalar reporting whether the SSL cluster is built from Hardware
-- Security Modules and, if so, which of the two HSM modes it runs in.
-- A poller can compare the reported value with the intended deployment mode
-- to notice a cluster that is not running in the expected HSM mode.
-- NOTE(review): "FIPS level 3" presumably means FIPS 140 security level 3;
-- confirm against the product documentation.
sslAcceleratorType OBJECT-TYPE
    SYNTAX      INTEGER {
		  nonHsm (1),
		  hsmFips (2),
		  hsmExtended (3)
		}
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
	"Specifies if the SSL cluster is made up of Hardware Security
	Modules (HSM) or not.  Also specifies which mode of HSM cluster
	it is - FIPS level 3 compliant Mode, or Extended Security Mode."
    ::= { sslObjs 1 }


-- Server group

-- Table of virtual SSL servers; rows are defined by sslServerEntry.
-- Per the DESCRIPTION, the virtual server terminates the encrypted client
-- session and forwards the decrypted traffic to the real servers, so the
-- segment between the iSD and the backend (sslServerRIp / sslServerRPort)
-- carries traffic that is no longer protected by SSL.
-- NOTE(review): this module defines no object for re-encryption towards the
-- backend; treat that segment as needing its own network protection unless
-- the product documentation says otherwise.
sslServerTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF SslServerEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
	"A table of the virtual SSL servers in the iSD system.  Each
	virtual SSL server receives encrypted traffic from the clients,
	decrypts the traffic and sends it to the real backend servers."
    ::= { sslServers 1 }

-- One conceptual row per virtual SSL server, indexed by sslServerIndex.
-- Every column of this row is declared MAX-ACCESS read-only (the index is
-- not-accessible), which matches the statement in the DESCRIPTION that
-- configuration through SNMP is disabled for now.
-- NOTE(review): the stated security reason is presumably that SNMPv1/v2c
-- community strings give no cryptographic authentication or privacy, while
-- SNMPv3 does; confirm with the agent documentation.
-- Read-only access still discloses listener and backend addresses and
-- ports, so read access to this table should be limited to management
-- stations that need it.
sslServerEntry OBJECT-TYPE
    SYNTAX      SslServerEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
	"Currently, all objects are read-only due to security reasons.
	When SNMPv3 is implemented, these objects can be modified."
    INDEX { sslServerIndex }
::= { sslServerTable 1 }

SslServerEntry ::= SEQUENCE {
    sslServerIndex        Integer32 (1..2147483647),
    sslServerName         DisplayString,
    sslServerIp           IpAddress,
    sslServerPort         Integer32 (1..65535),
    sslServerRIp          IpAddress,
    sslServerRPort        Integer32 (1..65535),
    sslServerProtocol     INTEGER,
    sslServerType         INTEGER,
    sslServerProxyMode    INTEGER,
    sslServerCacheSize    Integer32 (0..2147483647),
    sslServerCacheTimeout Integer32 (0..2147483647),
    sslServerStatus       RowStatus
    }

sslServerIndex OBJECT-TYPE
    SYNTAX      Integer32 (1..2147483647)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
	"A unique index for this SSL server."
    ::= { sslServerEntry 1 }

sslServerName OBJECT-TYPE
    SYNTAX      DisplayString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
	"A human-readable name of the SSL server."
    ::= { sslServerEntry 2 }

sslServerIp OBJECT-TYPE
    SYNTAX      IpAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
	"The IP address the SSL server listens to."
    ::= { sslServerEntry 3 }

sslServerPort OBJECT-TYPE
    SYNTAX      Integer32 (1..65535)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
	"The TCP port the SSL server listens to."
    ::= { sslServerEntry 4 }

sslServerRIp OBJECT-TYPE
    SYNTAX      IpAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
	"Real (backend) server IP address.  If this value is
	0.0.0.0, the SSL server sends all packets to the sslServerIp.
	This is useful when the iSD is used in conjunction with an Alteon
	Web Switch, which load balances the traffic to the real servers."
    DEFVAL      { '00000000'H } -- 0.0.0.0
    ::= { sslServerEntry 5 }

sslServerRPort OBJECT-TYPE
    SYNTAX      Integer32 (1..65535)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
	"Real (backend) server port."
    DEFVAL      { 81 }
    ::= { sslServerEntry 6 }

-- Reports which SSL/TLS protocol versions a virtual server accepts.
-- Every value enumerated here selects protocol versions that the IETF has
-- since retired: SSL 2.0 (RFC 6176), SSL 3.0 (RFC 7568) and TLS 1.0
-- (RFC 8996).  The DEFVAL, ssl23, includes SSL 2.0.
-- This revision has no enumeration for TLS 1.1 or later, so a manager
-- cannot tell from this object whether a newer version is in use.
-- For auditing, poll this column and treat ssl2, ssl3 and ssl23 as findings
-- to be remediated in the device configuration.
sslServerProtocol OBJECT-TYPE
    SYNTAX      INTEGER {
                    ssl2 (1),
		    ssl3 (2),
		    ssl23 (3),
		    tls1 (4)
	        }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
	"The SSL protocol the server accepts.
	  ssl2  - SSL v2.0
	  ssl3  - SSL v3.0 and TLS 1.0
	  ssl23 - SSL v2.0, SSL v3.0, and TLS 1.0
	  tls1  - TLS 1.0"
    DEFVAL      { ssl23 }
    ::= { sslServerEntry 7 }

-- Reports the application type of a virtual server; defaults to generic.
-- NOTE(review): the label http-proxy contains a hyphen.  RFC 2578 section
-- 7.1.1 does not allow hyphens in enumeration labels, so strict SMIv2
-- compilers may warn or reject it.  Renaming the label changes a published
-- module and would have to be done in a new REVISION.
-- NOTE(review): revision 0310302000Z says values were added for SSL-VPN and
-- WSS; presumably those are among portal, socks and http-proxy, but the
-- module does not say which.  Confirm before documenting them.
sslServerType OBJECT-TYPE
    SYNTAX      INTEGER {
                    generic (1),
                    http (2),
		    smtp (3),
		    imap (4),
		    pop (5),
		    portal (6),
		    socks (7),
		    http-proxy (8)
	        }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
	"The virtual server type."
    DEFVAL      { generic }
    ::= { sslServerEntry 8 }

sslServerProxyMode OBJECT-TYPE
    SYNTAX      INTEGER {
                    on (1),
                    off (2)
	        }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
	"Defines if Transparent Proxy Mode is used.  If it is used,
	the source address in packets to the real server is set to
	the source of the client.  Otherwise, the iSD's own ip address
	is used."
    DEFVAL      { off }
    ::= { sslServerEntry 9 }

sslServerCacheSize OBJECT-TYPE
    SYNTAX      Integer32 (0..2147483647)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
	"Number of entries in the session reuse cache."
    DEFVAL      { 8000 }
    ::= { sslServerEntry 10 }

sslServerCacheTimeout OBJECT-TYPE
    SYNTAX      Integer32 (0..2147483647)
    UNITS       "milliseconds"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
	"TTL of the sessions in the session reuse cache."
    DEFVAL      { 300000 } -- 5 minutes
    ::= { sslServerEntry 11 }

sslServerStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
	"The value of this object has no effect on whether
        other objects in this conceptual row can be modified.

	Currently, row creation / deletion is not supported."
    ::= { sslServerEntry 12 }


-- Performance group

sslServerStatTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF SslServerStatEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
	"A table with statistics objects for the SSL servers. The
	data is aggregated over all iSDs; i.e. each counter is
	the sum of the counter on each server instance (one on
	each iSD).

	Note that if an iSD fails, the counters in this table might
	have discontinuities.  Thus, a manager should restart polling
	if an alteonISDDown alarm is generated."
    ::= { sslPerf 1 }

-- One row of statistics per virtual SSL server.  The row is indexed by
-- sslServerIndex, the same index used by sslServerEntry, so a statistics
-- row can be matched to the configuration row with the same index value.
-- NOTE(review): the DESCRIPTION clause is an empty string; it should be
-- filled in when the module is next revised.
sslServerStatEntry OBJECT-TYPE
    SYNTAX      SslServerStatEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
	""
    INDEX { sslServerIndex }
::= { sslServerStatTable 1 }

SslServerStatEntry ::= SEQUENCE {
    sslActiveSessions      Gauge32,
    sslTps                 Gauge32,
    sslReqs                Counter32,
    sslAccepts             Counter32,
    sslRenegotiates        Counter32,
    sslHandshakeGoods      Counter32,
    sslCacheHits           Counter32,
    sslCacheMisses         Counter32,
    sslCacheFulls          Counter32,
    sslCacheTimeouts       Counter32,
    sslRevocations         Counter32,
    sslHttpCipherRewrites  Counter32,
    sslConnectFailures     Counter32
    }

sslActiveSessions OBJECT-TYPE
    SYNTAX      Gauge32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
	"Number of currently active SSL sessions."
    ::= { sslServerStatEntry 1 }

sslTps OBJECT-TYPE
    SYNTAX      Gauge32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
	"Number of SSL transactions per second."
    ::= { sslServerStatEntry 2 }

sslReqs OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
	"Number of completed SSL requests."
    ::= { sslServerStatEntry 3 }

sslAccepts OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
	"Number of SSL accept attempts.  An SSL accept attempt initiates
	an SSL handshake."
    ::= { sslServerStatEntry 4 }

sslRenegotiates OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
	"Number of requested SSL renegotiations.  An SSL renegotiation
	initiates an SSL handshake."
    ::= { sslServerStatEntry 5 }

-- Counter of successfully completed handshakes for one virtual server.
-- As the DESCRIPTION states, failed handshakes are derived rather than
-- counted directly:
--   failed = (sslAccepts + sslRenegotiates) - sslHandshakeGoods
-- All three operands are Counter32 and can wrap, and the description of
-- sslServerStatTable warns of discontinuities when an iSD fails, so compute
-- the value from deltas between polls, fetching the three counters in the
-- same request.
-- A sustained rise in the failed share is a useful alerting signal; it can
-- point at client incompatibility, certificate problems or probing traffic.
sslHandshakeGoods OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
	"Number of successfully completed SSL handshakes.

	By subtracting sslHandshakeGoods from the sum of sslAccepts
	and sslRenegotiates, you get the number of failed SSL handshakes."
    ::= { sslServerStatEntry 6 }

sslCacheHits OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
	"Number of cache hits in the session reuse cache."
    ::= { sslServerStatEntry 7 }

sslCacheMisses OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
	"Number of cache misses in the session reuse cache."
    ::= { sslServerStatEntry 8 }

sslCacheFulls OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
	"Number of times that the oldest cache entry was automatically
	removed due to new sessions inserted into the cache."
    ::= { sslServerStatEntry 9 }

sslCacheTimeouts OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
	"Number of reuse attempts on timed-out sessions which were still
	in the cache."
    ::= { sslServerStatEntry 10 }

sslRevocations OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
	"Number of connections which are rejected due to revoked client
	certificates."
    ::= { sslServerStatEntry 11 }

-- Counter of HTTP rewrites that the virtual server performed because of
-- weak ciphers.
-- NOTE(review): this module defines neither what the rewrite does nor which
-- ciphers count as weak; presumably both are set in the device
-- configuration.  Confirm against the product documentation.
-- A counter that keeps increasing indicates that weak ciphers are still
-- being encountered on this virtual server.
sslHttpCipherRewrites OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
	"Number of HTTP rewrites due to weak ciphers."
    ::= { sslServerStatEntry 12 }

sslConnectFailures OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
	"Number of failed connect attempts to the backend servers
	initiated by the iSD."
    ::= { sslServerStatEntry 13 }


-- Event group

sslHsmBoard OBJECT-TYPE
    SYNTAX      Integer32 (0..3)
    MAX-ACCESS  accessible-for-notify
    STATUS      current
    DESCRIPTION
        "This object specifies which HSM board in an iSD an event or alarm
        is generated for."
    ::= { sslEvent 1 }

--
-- Notification definitions
--

-- Event notifications

-- Alarm notifications

alteonISDSSLHwFail NOTIFICATION-TYPE
    OBJECTS     { currentAlarmSeverity,
		  currentAlarmTime,
		  currentAlarmCause,
		  isdIP
                }
    STATUS      current
    DESCRIPTION
        "This alarm is set when an iSD detects that the SSL accelerator
	hardware fails.  The iSD will continue to handle traffic, but with
        severely degraded performance."
    ::= { alteonSSLNotifs 1 }

alteonISDSSLHsmNotLoggedIn NOTIFICATION-TYPE
    OBJECTS     { currentAlarmSeverity,
		  currentAlarmTime,
		  currentAlarmCause,
		  isdIP,
		  sslHsmBoard
                }
    STATUS      current
    DESCRIPTION
        "This alarm is set when an iSD detects that the USER is not logged
	in to an HSM board on the iSD.  USER must be logged in for the iSD
	to process SSL traffic."
    ::= { alteonSSLNotifs 2 }

alteonISDSSLHsmTamperedWith NOTIFICATION-TYPE
    OBJECTS     { currentAlarmSeverity,
		  currentAlarmTime,
		  currentAlarmCause,
                  isdIP,
		  sslHsmBoard
		}
    STATUS      current
    DESCRIPTION
        "This alarm is set when an HSM board detects that it has been
	tampered with.  All private keys on the board are zeroized by the
	HSM board.  This means that the iSD must be re-initialized, i.e.
	joined again to the cluster.

	The alarm must be cleared manually by logging in as 'admin' using the
	CLI and following the instructions."
    ::= { alteonSSLNotifs 3 }


--
-- Conformance information
--

sslMIBConformance  OBJECT IDENTIFIER ::= { alteonISDSSLModule 2 }

sslMIBCompliances  OBJECT IDENTIFIER ::= { sslMIBConformance 1 }
sslMIBGroups       OBJECT IDENTIFIER ::= { sslMIBConformance 2 }

-- Compliance statements
sslBasicCompliance MODULE-COMPLIANCE
    STATUS  current
    DESCRIPTION
	"The compliance statement for SNMP entities which
	implement this MIB module."
    MODULE  -- this module
    MANDATORY-GROUPS { sslBasicGroup,
                       sslServerGroup,
		       sslEventGroup }

    GROUP   sslServerStatGroup
    DESCRIPTION
	"sslServerStatGroup is optional."

    GROUP   sslHsmGroup
    DESCRIPTION
	"sslHsmGroup is mandatory for devices with HSM card support."

    GROUP   sslHsmEventGroup
    DESCRIPTION
	"sslHsmEventGroup is mandatory for devices with HSM card support."

    ::= { sslMIBCompliances 1 }

sslBasicGroup OBJECT-GROUP
    OBJECTS { sslAcceleratorType }
    STATUS  current
    DESCRIPTION
	"A collection of objects providing basic instrumentation
	of an SSL accelerator."
    ::= { sslMIBGroups  1 }

-- Conformance group listing the columns of sslServerEntry.
-- NOTE(review): sslServerIndex is declared MAX-ACCESS not-accessible, but
-- RFC 2580 section 3.1 requires every object named in an OBJECTS clause to
-- be accessible-for-notify, read-only, read-write or read-create.  Strict
-- SMIv2 compilers may reject or warn about this group.  Because the group
-- is already published, the correction belongs in a new REVISION of the
-- module rather than a silent edit.
sslServerGroup OBJECT-GROUP
    OBJECTS { sslServerIndex,
              sslServerName,
	      sslServerIp,
	      sslServerPort,
	      sslServerRIp,
	      sslServerRPort,
	      sslServerProtocol,
	      sslServerType,
	      sslServerProxyMode,
	      sslServerCacheSize,
	      sslServerCacheTimeout,
	      sslServerStatus }
    STATUS  current
    DESCRIPTION
	"A collection of objects providing instrumentation of SSL servers."
    ::= { sslMIBGroups  2 }

sslServerStatGroup OBJECT-GROUP
    OBJECTS { sslActiveSessions,
              sslTps,
	      sslReqs,
	      sslAccepts,
	      sslRenegotiates,
	      sslHandshakeGoods,
	      sslCacheHits,
	      sslCacheMisses,
	      sslCacheFulls,
	      sslCacheTimeouts,
	      sslRevocations,
	      sslHttpCipherRewrites,
	      sslConnectFailures }
    STATUS  current
    DESCRIPTION
	"A collection of objects providing statistics of SSL servers."
    ::= { sslMIBGroups  3 }

sslHsmGroup OBJECT-GROUP
    OBJECTS { sslHsmBoard }
    STATUS  current
    DESCRIPTION
	"Basic object for devices with HSM cards."
    ::= { sslMIBGroups  4 }

sslEventGroup NOTIFICATION-GROUP
        NOTIFICATIONS {
                alteonISDSSLHwFail }
        STATUS current
        DESCRIPTION
                "Event notifications."
        ::= { sslMIBGroups 5 }

sslHsmEventGroup NOTIFICATION-GROUP
        NOTIFICATIONS {
                alteonISDSSLHsmTamperedWith,
		alteonISDSSLHsmNotLoggedIn }
        STATUS current
        DESCRIPTION
                "Event notifications."
        ::= { sslMIBGroups 6 }

END
