-- **************************************************************************** -- **************************************************************************** -- Copyright(c) 2004 Mediatrix Telecom, Inc. -- NOTICE: -- This document contains information that is confidential and proprietary -- to Mediatrix Telecom, Inc. -- Mediatrix Telecom, Inc. reserves all rights to this document as well as -- to the Intellectual Property of the document and the technology and -- know-how that it includes and represents. -- This publication cannot be reproduced, neither in whole nor in part in -- any form whatsoever without written prior approval by -- Mediatrix Telecom, Inc. -- Mediatrix Telecom, Inc. reserves the right to revise this publication -- and make changes at any time and without the obligation to notify any -- person and/or entity of such revisions and/or changes. -- **************************************************************************** -- **************************************************************************** MX-CERT-MIB DEFINITIONS ::= BEGIN IMPORTS MODULE-IDENTITY, OBJECT-TYPE, Unsigned32, Integer32 FROM SNMPv2-SMI MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF MxEnableState, MxActivationState, MxIpHostName, MxIpAddress, MxIpPort, MxAdvancedIpPort, MxIpSubnetMask, MxDigitMap FROM MX-TC MxUInt64, MxFloat32, MxIpHostNamePort, MxIpAddr, MxIpAddrPort, MxIpAddrMask, MxUri, MxUrl FROM MX-TC2 mediatrixServices FROM MX-SMI2; certMIB MODULE-IDENTITY LAST-UPDATED "1910210000Z" ORGANIZATION " Mediatrix Telecom, Inc. " CONTACT-INFO " Mediatrix Telecom, Inc. 4229, Garlock Street Sherbrooke (Quebec) Canada Phone: (819) 829-8749 " DESCRIPTION " Certificate Manager The Certificate Manager (Cert) service manages the security certificates used for the authentication of the unit and its peers before establishing a secure connection. " ::= { mediatrixServices 2300 } certMIBObjects OBJECT IDENTIFIER ::= { certMIB 1 } -- **************************************************************************** -- Group:Certificates -- **************************************************************************** certificateInfoGroup OBJECT IDENTIFIER ::= { certMIBObjects 100 } -- *************************************************************************** -- Table:Host Certificates -- *************************************************************************** hostCertificatesInfoTable OBJECT-TYPE SYNTAX SEQUENCE OF HostCertificatesInfoEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION " Host Certificates This table contains information about each certificate used to certify the host system. " ::= { certificateInfoGroup 100 } hostCertificatesInfoEntry OBJECT-TYPE SYNTAX HostCertificatesInfoEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION " A row in table Host Certificates. " INDEX { hostCertificatesInfoFileName } ::= { hostCertificatesInfoTable 1 } HostCertificatesInfoEntry ::= SEQUENCE { hostCertificatesInfoFileName OCTET STRING, hostCertificatesInfoIssuedTo OCTET STRING, hostCertificatesInfoIssuedBy OCTET STRING, hostCertificatesInfoValidFrom OCTET STRING, hostCertificatesInfoValidTo OCTET STRING, hostCertificatesInfoUsage OCTET STRING, hostCertificatesInfoDelete INTEGER } -- Index:File Name hostCertificatesInfoFileName OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS read-only STATUS current DESCRIPTION " File Name Certificate file name. " ::= { hostCertificatesInfoEntry 100 } -- Columnar:Issued To hostCertificatesInfoIssuedTo OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS read-only STATUS current DESCRIPTION " Issued To Certificate subject name. This is the common name that must match the host being authenticated. " ::= { hostCertificatesInfoEntry 200 } -- Columnar:Issued By hostCertificatesInfoIssuedBy OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS read-only STATUS current DESCRIPTION " Issued By Certificate issuer name. This is the certificate authority that signed this certificate. " ::= { hostCertificatesInfoEntry 300 } -- Columnar:Valid From hostCertificatesInfoValidFrom OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS read-only STATUS current DESCRIPTION " Valid From Certificate lower bound validity duration range. " ::= { hostCertificatesInfoEntry 400 } -- Columnar:Valid To hostCertificatesInfoValidTo OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS read-only STATUS current DESCRIPTION " Valid To Certificate higher bound validity duration range. " ::= { hostCertificatesInfoEntry 500 } -- Columnar:Usage hostCertificatesInfoUsage OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS read-only STATUS current DESCRIPTION " Usage Identifies in which role or context a certificate can be used by the host it authenticates. * TlsClient: The certificate identifies a TLS client. A host authenticated by this kind of certificate can act as a client in a SIP over TLS connection when mutual authentication is required by the server. * TlsServer: The certificate identifies a TLS server. A host authenticated by this kind of certificate can serve files or web pages using the HTTPS protocol or can act as a server in a SIP over TLS connection. " ::= { hostCertificatesInfoEntry 550 } -- Row command:Delete hostCertificatesInfoDelete OBJECT-TYPE SYNTAX INTEGER { noOp(0), delete(10) } MAX-ACCESS read-write STATUS current DESCRIPTION " Delete Removes the certificate from the unit. " DEFVAL { noOp } ::= { hostCertificatesInfoEntry 600 } -- End of table:Host Certificates -- *************************************************************************** -- Table:Others Certificates -- *************************************************************************** othersCertificatesInfoTable OBJECT-TYPE SYNTAX SEQUENCE OF OthersCertificatesInfoEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION " Others Certificates This table contains information about the trusted root and intermediate certificate authorities to validate remote systems. A certificate file may also concatenate all the certificates of the chain. In that case, the order is important and the file must first begin by the root certificate, followed by ordered intermediate certificates. " ::= { certificateInfoGroup 200 } othersCertificatesInfoEntry OBJECT-TYPE SYNTAX OthersCertificatesInfoEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION " A row in table Others Certificates. " INDEX { othersCertificatesInfoFileName } ::= { othersCertificatesInfoTable 1 } OthersCertificatesInfoEntry ::= SEQUENCE { othersCertificatesInfoFileName OCTET STRING, othersCertificatesInfoIssuedTo OCTET STRING, othersCertificatesInfoIssuedBy OCTET STRING, othersCertificatesInfoValidFrom OCTET STRING, othersCertificatesInfoValidTo OCTET STRING, othersCertificatesInfoUsage OCTET STRING, othersCertificatesInfoCertificateAuthority INTEGER, othersCertificatesInfoDelete INTEGER } -- Index:File Name othersCertificatesInfoFileName OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS read-only STATUS current DESCRIPTION " File Name Certificate file name. " ::= { othersCertificatesInfoEntry 100 } -- Columnar:Issued To othersCertificatesInfoIssuedTo OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS read-only STATUS current DESCRIPTION " Issued To Certificate subject name. This is the common name that must match the host being authenticated. " ::= { othersCertificatesInfoEntry 200 } -- Columnar:Issued By othersCertificatesInfoIssuedBy OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS read-only STATUS current DESCRIPTION " Issued By Certificate issuer name. This is the certificate authority that signed this certificate. " ::= { othersCertificatesInfoEntry 300 } -- Columnar:Valid From othersCertificatesInfoValidFrom OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS read-only STATUS current DESCRIPTION " Valid From Certificate lower bound validity duration range. " ::= { othersCertificatesInfoEntry 400 } -- Columnar:Valid To othersCertificatesInfoValidTo OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS read-only STATUS current DESCRIPTION " Valid To Certificate higher bound validity duration range. " ::= { othersCertificatesInfoEntry 500 } -- Columnar:Usage othersCertificatesInfoUsage OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS read-only STATUS current DESCRIPTION " Usage Identifies in which role or context a certificate can be used by the host it authenticates. * TlsClient: The certificate identifies a TLS client. A host authenticated by this kind of certificate can act as a client in a SIP over TLS connection when mutual authentication is required by the server. * TlsServer: The certificate identifies a TLS server. A host authenticated by this kind of certificate can serve files or web pages using the HTTPS protocol or can act as a server in a SIP over TLS connection. " ::= { othersCertificatesInfoEntry 550 } -- Columnar:CertificateAuthority othersCertificatesInfoCertificateAuthority OBJECT-TYPE SYNTAX INTEGER { yes(100) , no(200) } MAX-ACCESS read-only STATUS current DESCRIPTION " CertificateAuthority Indicates if the certificate is a CA certificate. * Yes: The certificate is a CA certificate. * No: The certificate is not a CA certificate. " DEFVAL { yes } ::= { othersCertificatesInfoEntry 600 } -- Row command:Delete othersCertificatesInfoDelete OBJECT-TYPE SYNTAX INTEGER { noOp(0), delete(10) } MAX-ACCESS read-write STATUS current DESCRIPTION " Delete Removes the certificate from the unit. " DEFVAL { noOp } ::= { othersCertificatesInfoEntry 700 } -- End of table:Others Certificates -- *************************************************************************** -- Table:Host Certificate Association -- *************************************************************************** hostCertificateAssociationTable OBJECT-TYPE SYNTAX SEQUENCE OF HostCertificateAssociationEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION " Host Certificate Association This table contains information about which services can use the host certificates. " ::= { certificateInfoGroup 300 } hostCertificateAssociationEntry OBJECT-TYPE SYNTAX HostCertificateAssociationEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION " A row in table Host Certificate Association. " INDEX { hostCertificateAssociationFileName } ::= { hostCertificateAssociationTable 1 } HostCertificateAssociationEntry ::= SEQUENCE { hostCertificateAssociationFileName OCTET STRING, hostCertificateAssociationSip MxEnableState, hostCertificateAssociationWeb MxEnableState, hostCertificateAssociationEap MxEnableState, hostCertificateAssociationConf MxEnableState, hostCertificateAssociationFpu MxEnableState, hostCertificateAssociationFile MxEnableState, hostCertificateAssociationCert MxEnableState, hostCertificateAssociationSbc MxEnableState, hostCertificateAssociationCwmp MxEnableState, hostCertificateAssociationNlm MxEnableState } -- Index:File Name hostCertificateAssociationFileName OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS read-only STATUS current DESCRIPTION " File Name Certificate file name. " ::= { hostCertificateAssociationEntry 100 } -- Columnar:CWMP hostCertificateAssociationCwmp OBJECT-TYPE SYNTAX MxEnableState MAX-ACCESS read-write STATUS current DESCRIPTION " CWMP Specifies if this certificate can be used for Cwmp security. " DEFVAL { enable } ::= { hostCertificateAssociationEntry 1000 } -- Columnar:NLM hostCertificateAssociationNlm OBJECT-TYPE SYNTAX MxEnableState MAX-ACCESS read-write STATUS current DESCRIPTION " NLM Specifies if this certificate can be used for Nlm security. " DEFVAL { enable } ::= { hostCertificateAssociationEntry 1100 } -- Columnar:SIP hostCertificateAssociationSip OBJECT-TYPE SYNTAX MxEnableState MAX-ACCESS read-write STATUS current DESCRIPTION " SIP Specifies if this certificate can be used for SIP security. " DEFVAL { enable } ::= { hostCertificateAssociationEntry 200 } -- Columnar:WEB hostCertificateAssociationWeb OBJECT-TYPE SYNTAX MxEnableState MAX-ACCESS read-write STATUS current DESCRIPTION " WEB Specifies if this certificate can be used for Web security. " DEFVAL { enable } ::= { hostCertificateAssociationEntry 300 } -- Columnar:EAP hostCertificateAssociationEap OBJECT-TYPE SYNTAX MxEnableState MAX-ACCESS read-write STATUS current DESCRIPTION " EAP Specifies if this certificate can be used for EAP security. " DEFVAL { enable } ::= { hostCertificateAssociationEntry 400 } -- Columnar:CONF hostCertificateAssociationConf OBJECT-TYPE SYNTAX MxEnableState MAX-ACCESS read-write STATUS current DESCRIPTION " CONF Specifies if this certificate can be used for Conf security. " DEFVAL { enable } ::= { hostCertificateAssociationEntry 500 } -- Columnar:FPU hostCertificateAssociationFpu OBJECT-TYPE SYNTAX MxEnableState MAX-ACCESS read-write STATUS current DESCRIPTION " FPU Specifies if this certificate can be used for Fpu security. " DEFVAL { enable } ::= { hostCertificateAssociationEntry 600 } -- Columnar:FILE hostCertificateAssociationFile OBJECT-TYPE SYNTAX MxEnableState MAX-ACCESS read-write STATUS current DESCRIPTION " FILE Specifies if this certificate can be used for File security. " DEFVAL { enable } ::= { hostCertificateAssociationEntry 700 } -- Columnar:CERT hostCertificateAssociationCert OBJECT-TYPE SYNTAX MxEnableState MAX-ACCESS read-write STATUS current DESCRIPTION " CERT Specifies if this certificate can be used for Cert security. " DEFVAL { enable } ::= { hostCertificateAssociationEntry 800 } -- Columnar:SBC hostCertificateAssociationSbc OBJECT-TYPE SYNTAX MxEnableState MAX-ACCESS read-write STATUS current DESCRIPTION " SBC Specifies if this certificate can be used for Sbc security. " DEFVAL { enable } ::= { hostCertificateAssociationEntry 900 } -- End of table:Host Certificate Association -- *************************************************************************** -- Table:Certificate Authories -- *************************************************************************** certificateAuthoritiesTable OBJECT-TYPE SYNTAX SEQUENCE OF CertificateAuthoritiesEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION " Certificate Authories This table contains information specific to certificate authority (CA) files. A certificate file may also concatenate all the certificates of the chain. In that case, the order is important and the file must first begin by the root certificate, followed by ordered intermediate certificates. " ::= { certificateInfoGroup 400 } certificateAuthoritiesEntry OBJECT-TYPE SYNTAX CertificateAuthoritiesEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION " A row in table Certificate Authories. " INDEX { certificateAuthoritiesFileName } ::= { certificateAuthoritiesTable 1 } CertificateAuthoritiesEntry ::= SEQUENCE { certificateAuthoritiesFileName OCTET STRING, certificateAuthoritiesOverrideIssuedCertificateOcspUrl OCTET STRING } -- Index:File Name certificateAuthoritiesFileName OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS read-only STATUS current DESCRIPTION " File Name Certificate authority (CA) file name. " ::= { certificateAuthoritiesEntry 100 } -- Columnar:Override Issued Certificate OCSP URL certificateAuthoritiesOverrideIssuedCertificateOcspUrl OBJECT-TYPE SYNTAX OCTET STRING ( SIZE(0..512) ) MAX-ACCESS read-write STATUS current DESCRIPTION " Override Issued Certificate OCSP URL Defines a specific OCSP URL to use for certificate revocation status of certificates issued by this certificate authority (CA). The URL should follow one of these formats: http://hostname[:port] http://hostname/path/filename.xxx Note: The default empty value means that the OCSP URL present in the certificate to verify will be used for checking its revocation status. " DEFVAL { "" } ::= { certificateAuthoritiesEntry 200 } -- End of table:Certificate Authories -- End of group:Certificates -- **************************************************************************** -- Group:Transfer group -- Configuration relative to file transfers. -- **************************************************************************** transferGroup OBJECT IDENTIFIER ::= { certMIBObjects 500 } -- Scalar:Transfer HTTPS Cipher Suite transferHttpsCipherSuite OBJECT-TYPE SYNTAX INTEGER { cS1(100) , cS2(200) , cS3(300) } MAX-ACCESS read-write STATUS current DESCRIPTION " Transfer HTTPS Cipher Suite Defines the allowed cipher suites for the network security settings when using the HTTPS transfer protocol. When the device initiates an HTTPS connection to a server it will negotiate the cipher suite according to its configuration. * CS1: + TLS_DHE_RSA_WITH_AES_256_CBC_SHA + TLS_DHE_DSS_WITH_AES_256_CBC_SHA + TLS_RSA_WITH_AES_256_CBC_SHA + TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA + TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA + TLS_RSA_WITH_3DES_EDE_CBC_SHA + TLS_DHE_RSA_WITH_AES_128_CBC_SHA + TLS_DHE_DSS_WITH_AES_128_CBC_SHA + TLS_RSA_WITH_AES_128_CBC_SHA + TLS_RSA_WITH_RC4_128_SHA + TLS_RSA_WITH_RC4_128_MD5 * CS2: + TLS_RSA_WITH_AES_128_CBC_SHA + TLS_RSA_WITH_AES_256_CBC_SHA + TLS_RSA_WITH_3DES_EDE_CBC_SHA + TLS_DHE_RSA_WITH_AES_128_CBC_SHA + TLS_DHE_RSA_WITH_AES_256_CBC_SHA + TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA * CS3: + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 + TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 + TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 + TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 + TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 + TLS_RSA_WITH_AES_256_GCM_SHA384 + TLS_RSA_WITH_AES_256_CBC_SHA256 + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 + TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 + TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 + TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 + TLS_RSA_WITH_AES_128_GCM_SHA256 + TLS_RSA_WITH_AES_128_CBC_SHA256 " DEFVAL { cS1 } ::= { transferGroup 100 } -- Scalar:TLS Version transferHttpsTlsVersion OBJECT-TYPE SYNTAX INTEGER { sSLv3(100) , tLSv1(200) , tLSv1-1(300) , tLSv1-2 (400) } MAX-ACCESS read-write STATUS current DESCRIPTION " TLS Version Defines the allowed TLS version for the network security settings when using the HTTPS transfer protocol. When the device initiates an HTTPS connection to a server it will negotiate the TLS version according to its configuration. * SSLv3: Allow SSL version 3 and all TLS versions. * TLSv1: Allow TLS versions 1 and up. * TLSv1_1: Allow TLS versions 1.1 and up. * TLSv1_2: Allow TLS versions 1.2 and up. The device will always send its highest supported TLS version in the ClientHello message. The server will select the highest supported TLS version it supports from the ClientHello message. The device will then validate that the selected version is allowed. If the version is not allowed the device will close the connection. " DEFVAL { tLSv1 } ::= { transferGroup 200 } -- End of group:Transfer group -- **************************************************************************** -- Group:Notification Messages Configuration -- **************************************************************************** notificationsGroup OBJECT IDENTIFIER ::= { certMIBObjects 60010 } -- Scalar:Minimal Severity of Notification minSeverity OBJECT-TYPE SYNTAX INTEGER { disable(0) , debug(100) , info(200) , warning(300) , error(400) , critical (500) } MAX-ACCESS read-write STATUS current DESCRIPTION " Minimal Severity of Notification Sets the minimal severity to issue a notification message incoming from this service. * Disable: No notification is issued. * Debug: All notification messages are issued. * Info: Notification messages with a 'Informational' and higher severity are issued. * Warning: Notification messages with a 'Warning' and higher severity are issued. * Error: Notification messages with an 'Error' and higher severity are issued. * Critical: Notification messages with a 'Critical' severity are issued. " DEFVAL { warning } ::= { notificationsGroup 100 } -- End of group:Notification Messages Configuration -- **************************************************************************** -- Group:Configuration Settings -- **************************************************************************** configurationGroup OBJECT IDENTIFIER ::= { certMIBObjects 60020 } -- Scalar:Need Restart needRestartInfo OBJECT-TYPE SYNTAX INTEGER { no(0) , yes(100) } MAX-ACCESS read-only STATUS current DESCRIPTION " Need Restart Indicates if the service needs to be restarted for the configuration to fully take effect. * Yes: Service needs to be restarted. * No: Service does not need to be restarted. Services can be restarted by using the Scm.ServiceCommands.Restart command. " ::= { configurationGroup 100 } -- End of group:Configuration Settings END