<CODE BEGINS> file "SNMP-TLS-TM-MIB"SNMP-TLS-TM-MIB DEFINITIONS ::= BEGINIMPORTS    MODULE-IDENTITY, OBJECT-TYPE,    OBJECT-IDENTITY, mib-2, snmpDomains,    Counter32, Unsigned32, Gauge32, NOTIFICATION-TYPE      FROM SNMPv2-SMI            -- RFC 2578 or any update thereof    TEXTUAL-CONVENTION, TimeStamp, RowStatus, StorageType,    AutonomousType      FROM SNMPv2-TC             -- RFC 2579 or any update thereof    MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP      FROM SNMPv2-CONF           -- RFC 2580 or any update thereof    SnmpAdminString      FROM SNMP-FRAMEWORK-MIB    -- RFC 3411 or any update thereof    snmpTargetParamsName, snmpTargetAddrName      FROM SNMP-TARGET-MIB       -- RFC 3413 or any update thereof    ;snmpTlstmMIB MODULE-IDENTITY    LAST-UPDATED "202311080000Z"    ORGANIZATION "Operations and Management Area Working Group                  <mailto:opsawg@ietf.org>"    CONTACT-INFO            "Author: Kenneth Vaughn                     <mailto:kvaughn@trevilon.com>"    DESCRIPTION       "This is the MIB module for the TLS Transport Model        (TLSTM).        Copyright (c) 2023 IETF Trust and the persons identified        as authors of the code.  All rights reserved.        Redistribution and use in source and binary forms,        with or without modification, is permitted pursuant        to, and subject to the license terms contained in,        the Revised BSD License set forth in Section 4.c        of the IETF Trust's Legal Provisions Relating to IETF        Documents (https://trustee.ietf.org/license-info).        The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',        'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',        'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document        are to be interpreted as described in BCP 14 (RFC 2119)        (RFC 8174) when, and only when, they appear in all        capitals, as shown here."        REVISION    "202311080000Z"        DESCRIPTION           "This version of this MIB module is part of            RFC 9456; see the RFC itself for full legal            notices.  This version does the following:               1) Updates the definition of SnmpTLSFingerprint                  to clarify the registry used for the one-octet                  hash algorithm identifier.               2) Capitalizes key words in conformance with                  BCP 14.               3) Replaces 'may not' with 'MUST NOT' to clarify                  intent in several locations.               4) Replaces 'may not' with a clarification within                  the definition of SnmpTLSAddress.               5) Applies cosmetic grammar improvements and                  reformatting causing whitespace changes."       REVISION     "201107190000Z"       DESCRIPTION          "This version of this MIB module is part of           RFC 6353; see the RFC itself for full legal           notices.  The only change was to introduce           new wording to reflect required changes for           Internationalized Domain Names for Applications           (IDNA) addresses in the SnmpTLSAddress textual           convention (TC)."       REVISION     "201005070000Z"       DESCRIPTION          "This version of this MIB module is part of           RFC 5953; see the RFC itself for full legal           notices."    ::= { mib-2 198 }-- ************************************************-- subtrees of the SNMP-TLS-TM-MIB-- ************************************************snmpTlstmNotifications OBJECT IDENTIFIER ::= { snmpTlstmMIB 0 }snmpTlstmIdentities    OBJECT IDENTIFIER ::= { snmpTlstmMIB 1 }snmpTlstmObjects       OBJECT IDENTIFIER ::= { snmpTlstmMIB 2 }snmpTlstmConformance   OBJECT IDENTIFIER ::= { snmpTlstmMIB 3 }snmpTlstmHashAlgorithms OBJECT-IDENTITY    STATUS        current    DESCRIPTION       "A node used to register hashing algorithm identifiers        recorded in the IANA 'SNMP-TLSTM HashAlgorithms' registry."    ::= { snmpTlstmMIB 4 }-- ************************************************-- snmpTlstmObjects - Objects-- ************************************************snmpTLSTCPDomain OBJECT-IDENTITY    STATUS      current    DESCRIPTION       "The OBJECT IDENTIFIER representing the TDomain for the        SNMP over TLS via TCP transport domain.  The        corresponding transport address is of type SnmpTLSAddress.        The securityName prefix to be associated with the        snmpTLSTCPDomain is 'tls'.  This prefix MAY be used by        security models or other components to identify which secure        transport infrastructure authenticated a securityName."    REFERENCE      "TDomain, as defined in RFC 2579: Textual Conventions       for SMIv2"    ::= { snmpDomains 8 }snmpDTLSUDPDomain OBJECT-IDENTITY    STATUS      current    DESCRIPTION       "The OBJECT IDENTIFIER representing the TDomain for the        SNMP over DTLS via UDP transport domain.  The        corresponding transport address is of type SnmpTLSAddress.        The securityName prefix to be associated with the        snmpDTLSUDPDomain is 'dtls'.  This prefix MAY be used by        security models or other components to identify which secure        transport infrastructure authenticated a securityName."    REFERENCE      "TDomain, as defined in RFC 2579: Textual Conventions       for SMIv2"    ::= { snmpDomains 9 }SnmpTLSAddress ::= TEXTUAL-CONVENTION    DISPLAY-HINT "1a"    STATUS       current    DESCRIPTION       "Represents an IPv4 address, an IPv6 address, or an        ASCII-encoded host name and port number.        An IPv4 address MUST be in dotted decimal format followed        by a colon ':' (ASCII character 0x3A) and a decimal        port number in ASCII.        An IPv6 address MUST be a colon-separated format (as        described in RFC 5952), surrounded by square brackets        ('[', ASCII character 0x5B, and ']', ASCII character        0x5D), followed by a colon ':' (ASCII character 0x3A)        and a decimal port number in ASCII.        A host name MUST be in ASCII (as per RFC 1123);        internationalized host names MUST be encoded as A-labels as        specified in RFC 5890.  The host name is followed by a        colon ':' (ASCII character 0x3A) and a decimal port        number in ASCII.  The name SHOULD be fully qualified        whenever possible.        Values of this textual convention are not guaranteed to be        directly usable as transport-layer addressing information,        potentially requiring additional processing, such as        run-time resolution.  As such, applications that write        them MUST be prepared for handling errors if such values        are not supported or cannot be resolved (if resolution        occurs at the time of the management operation).        The DESCRIPTION clause of TransportAddress objects that        may have SnmpTLSAddress values MUST fully describe how        (and when) such names are to be resolved to IP addresses        and vice versa.        This textual convention SHOULD NOT be used directly in        object definitions, since it restricts addresses to a        specific format.  However, if it is used, it MAY be used        either on its own or in conjunction with        TransportAddressType or TransportDomain as a pair.        When this textual convention is used as a syntax of an        index object, there may be issues with the limit of 128        sub-identifiers specified in SMIv2 (STD 58).  It is        RECOMMENDED that all MIB documents using this textual        convention make explicit any limitations on index        component lengths that management software MUST observe.        This MAY be done by either 1) including SIZE constraints        on the index components or 2) specifying applicable        constraints in the conceptual row's DESCRIPTION clause or        in the surrounding documentation."    REFERENCE      "RFC 1123: Requirements for Internet Hosts - Application and                 Support       RFC 5890: Internationalized Domain Names for Applications                 (IDNA): Definitions and Document Framework       RFC 5952: A Recommendation for IPv6 Address Text                 Representation"    SYNTAX       OCTET STRING (SIZE (1..255))SnmpTLSFingerprint ::= TEXTUAL-CONVENTION    DISPLAY-HINT "1x:1x"    STATUS       current    DESCRIPTION       "A fingerprint value that can be used to uniquely reference        other data of potentially arbitrary length.        An SnmpTLSFingerprint value is composed of a one-octet        hashing algorithm identifier followed by the fingerprint        value.  The one-octet identifier value encoded is taken        from the IANA 'SNMP-TLSTM HashAlgorithms' registry.  The        remaining octets of the SnmpTLSFingerprint value are        filled using the results of the hashing algorithm.        Historically, the one-octet hashing algorithm identifier        was based on the IANA 'TLS HashAlgorithm' registry        (RFC 5246); however, this registry is no longer in use for        TLS 1.3 and above and is not expected to have any new        registrations added to it.  To allow the fingerprint        algorithm to support additional hashing algorithms that        might be used by later versions of (D)TLS, the octet value        encoded is now taken from the IANA        'SNMP-TLSTM HashAlgorithms' registry.  The initial values        within this registry are identical to the values in the        'TLS HashAlgorithm' registry but can be extended to        support new hashing algorithms as needed.        This textual convention allows for a zero-length (blank)        SnmpTLSFingerprint value for use in tables where the        fingerprint value MAY be optional.  MIB definitions or        implementations MAY refuse to accept a zero-length value        as appropriate."    REFERENCE      "RFC 5246: The Transport Layer Security (TLS) Protocol                 Version 1.2       https://www.iana.org/assignments/smi-numbers/"    SYNTAX OCTET STRING (SIZE (0..255))-- Identities for use in the snmpTlstmCertToTSNTablesnmpTlstmCertToTSNMIdentities OBJECT IDENTIFIER ::=                              { snmpTlstmIdentities 1 }snmpTlstmCertSpecified OBJECT-IDENTITY    STATUS        current    DESCRIPTION       "Directly specifies the tmSecurityName to be used for this        certificate.  The value of the tmSecurityName to use is        specified in the 'snmpTlstmCertToTSNData' column.  The        'snmpTlstmCertToTSNData' column MUST contain a        non-zero-length SnmpAdminString-compliant value, or the        mapping described in this row MUST be considered a        failure."    ::= { snmpTlstmCertToTSNMIdentities 1 }snmpTlstmCertSANRFC822Name OBJECT-IDENTITY    STATUS        current    DESCRIPTION       "Maps a subjectAltName's rfc822Name to a tmSecurityName.        The local-part of the rfc822Name is passed unaltered, but        the domain of the name MUST be passed in lowercase.        This mapping results in a 1:1 correspondence between        equivalent subjectAltName rfc822Name values and        tmSecurityName values, except that the domain of the        name MUST be passed in lowercase.        Example rfc822Name field:  FooBar@Example.COM is mapped to        tmSecurityName: FooBar@example.com."    ::= { snmpTlstmCertToTSNMIdentities 2 }snmpTlstmCertSANDNSName OBJECT-IDENTITY    STATUS        current    DESCRIPTION       "Maps a subjectAltName's dNSName to a tmSecurityName after        first converting it to all lowercase (RFC 5280 does not        specify converting to lowercase, so this involves an extra        step).  This mapping results in a 1:1 correspondence        between subjectAltName dNSName values and the        tmSecurityName values."    REFERENCE      "RFC 5280: Internet X.509 Public Key Infrastructure                 Certificate and Certificate Revocation                 List (CRL) Profile"    ::= { snmpTlstmCertToTSNMIdentities 3 }snmpTlstmCertSANIpAddress OBJECT-IDENTITY    STATUS        current    DESCRIPTION       "Maps a subjectAltName's iPAddress to a tmSecurityName by        transforming the binary-encoded address as follows:           1) For IPv4, the value is converted into a              decimal-dotted quad address (e.g., '192.0.2.1').           2) For IPv6 addresses, the value is converted into a              32-character all-lowercase hexadecimal string              without any colon separators.        This mapping results in a 1:1 correspondence between        subjectAltName iPAddress values and the tmSecurityName        values.        The resulting length of an encoded IPv6 address is the        maximum length supported by the View-based Access Control        Model (VACM).  Using an IPv6 address while the value of        snmpTsmConfigurationUsePrefix is 'true' (see the        SNMP-TSM-MIB, as defined in RFC 5591) will result in        securityName lengths that exceed what the VACM can handle."       REFERENCE         "RFC 5591: Transport Security Model for the Simple Network                    Management Protocol (SNMP)"    ::= { snmpTlstmCertToTSNMIdentities 4 }snmpTlstmCertSANAny OBJECT-IDENTITY    STATUS        current    DESCRIPTION       "Maps any of the following fields using the corresponding        mapping algorithms:        |------------+----------------------------|        | Type       | Algorithm                  |        |------------+----------------------------|        | rfc822Name | snmpTlstmCertSANRFC822Name |        | dNSName    | snmpTlstmCertSANDNSName    |        | iPAddress  | snmpTlstmCertSANIpAddress  |        |------------+----------------------------|        The first subjectAltName value contained in the certificate        that matches any of the above types MUST be used when        deriving the tmSecurityName.  The mapping algorithm        specified in the 'Algorithm' column of the corresponding        row MUST be used to derive the tmSecurityName.        This mapping results in a 1:1 correspondence between        subjectAltName values and tmSecurityName values.  The        three sub-mapping algorithms produced by this combined        algorithm cannot produce conflicting results between        themselves."    ::= { snmpTlstmCertToTSNMIdentities 5 }snmpTlstmCertCommonName OBJECT-IDENTITY    STATUS        current    DESCRIPTION       "Maps a certificate's CommonName to a tmSecurityName after        converting it to a UTF-8 encoding.  The usage of        CommonNames is deprecated, and users are encouraged to use        subjectAltName mapping methods instead.  This mapping        results in a 1:1 correspondence between certificate        CommonName values and tmSecurityName values."    ::= { snmpTlstmCertToTSNMIdentities 6 }-- The snmpTlstmSession GroupsnmpTlstmSession         OBJECT IDENTIFIER ::= { snmpTlstmObjects 1 }snmpTlstmSessionOpens  OBJECT-TYPE    SYNTAX       Counter32    MAX-ACCESS   read-only    STATUS       current    DESCRIPTION       "The number of times an openSession() request has been        executed as a (D)TLS client, regardless of whether it        succeeded or failed."    ::= { snmpTlstmSession 1 }snmpTlstmSessionClientCloses  OBJECT-TYPE    SYNTAX       Counter32    MAX-ACCESS   read-only    STATUS       current    DESCRIPTION       "The number of times a closeSession() request has been        executed as a (D)TLS client, regardless of whether it        succeeded or failed."    ::= { snmpTlstmSession 2 }snmpTlstmSessionOpenErrors  OBJECT-TYPE    SYNTAX       Counter32    MAX-ACCESS   read-only    STATUS       current    DESCRIPTION       "The number of times an openSession() request failed to        open a session as a (D)TLS client, for any reason."    ::= { snmpTlstmSession 3 }snmpTlstmSessionAccepts  OBJECT-TYPE    SYNTAX       Counter32    MAX-ACCESS   read-only    STATUS       current    DESCRIPTION       "The number of times a (D)TLS server has accepted a new        connection from a client and has received at least one        SNMP message through it."    ::= { snmpTlstmSession 4 }snmpTlstmSessionServerCloses  OBJECT-TYPE    SYNTAX       Counter32    MAX-ACCESS   read-only    STATUS       current    DESCRIPTION       "The number of times a closeSession() request has been        executed as a (D)TLS server, regardless of whether it        succeeded or failed."    ::= { snmpTlstmSession 5 }snmpTlstmSessionNoSessions  OBJECT-TYPE    SYNTAX       Counter32    MAX-ACCESS   read-only    STATUS       current    DESCRIPTION       "The number of times an outgoing message was dropped        because the session associated with the passed        tmStateReference was no longer (or never) available."    ::= { snmpTlstmSession 6 }snmpTlstmSessionInvalidClientCertificates OBJECT-TYPE    SYNTAX       Counter32    MAX-ACCESS   read-only    STATUS       current    DESCRIPTION       "The number of times an incoming session was not        established on a (D)TLS server because the presented        client certificate was invalid.  Reasons for invalidation        include, but are not limited to, cryptographic validation        failures or lack of a suitable mapping row in the        snmpTlstmCertToTSNTable."    ::= { snmpTlstmSession 7 }snmpTlstmSessionUnknownServerCertificate OBJECT-TYPE    SYNTAX       Counter32    MAX-ACCESS   read-only    STATUS       current    DESCRIPTION       "The number of times an outgoing session was not        established on a (D)TLS client because the server        certificate presented by an SNMP over (D)TLS server was        invalid because no configured fingerprint or Certification        Authority (CA) was acceptable to validate it.  This may        result because there was no entry in the        snmpTlstmAddrTable or because no path to a known CA could        be found."    ::= { snmpTlstmSession 8 }snmpTlstmSessionInvalidServerCertificates OBJECT-TYPE    SYNTAX       Counter32    MAX-ACCESS   read-only    STATUS       current    DESCRIPTION       "The number of times an outgoing session was not        established on a (D)TLS client because the server        certificate presented by an SNMP over (D)TLS server could        not be validated even if the fingerprint or expected        validation path was known.  That is, a cryptographic        validation error occurred during certificate validation        processing.        Reasons for invalidation include, but are not limited to,        cryptographic validation failures."    ::= { snmpTlstmSession 9 }snmpTlstmSessionInvalidCaches OBJECT-TYPE    SYNTAX       Counter32    MAX-ACCESS   read-only    STATUS       current    DESCRIPTION       "The number of outgoing messages dropped because the        tmStateReference referred to an invalid cache."    ::= { snmpTlstmSession 10 }-- Configuration ObjectssnmpTlstmConfig          OBJECT IDENTIFIER ::= { snmpTlstmObjects 2 }-- Certificate mappingsnmpTlstmCertificateMapping OBJECT IDENTIFIER ::=                            { snmpTlstmConfig 1 }snmpTlstmCertToTSNCount OBJECT-TYPE    SYNTAX      Gauge32    MAX-ACCESS  read-only    STATUS      current    DESCRIPTION       "A count of the number of entries in the        snmpTlstmCertToTSNTable."    ::= { snmpTlstmCertificateMapping 1 }snmpTlstmCertToTSNTableLastChanged OBJECT-TYPE    SYNTAX      TimeStamp    MAX-ACCESS  read-only    STATUS      current    DESCRIPTION       "The value of sysUpTime.0 when the snmpTlstmCertToTSNTable        was last modified through any means, or 0 if it has not        been modified since the command responder was started."    ::= { snmpTlstmCertificateMapping 2 }snmpTlstmCertToTSNTable OBJECT-TYPE    SYNTAX      SEQUENCE OF SnmpTlstmCertToTSNEntry    MAX-ACCESS  not-accessible    STATUS      current    DESCRIPTION       "This table is used by a (D)TLS server to map the (D)TLS        client's presented X.509 certificate to a tmSecurityName.        On an incoming (D)TLS/SNMP connection, the client's        presented certificate either MUST be validated based on an        established trust anchor or MUST directly match a        fingerprint in this table.  This table does not provide        any mechanisms for configuring the trust anchors; the        transfer of any needed trusted certificates for path        validation is expected to occur through an out-of-band        transfer.        Once the certificate has been found acceptable (either via        path validation or by directly matching a fingerprint in        this table), this table is consulted to determine the        appropriate tmSecurityName to identify with the remote        connection.  This is done by considering each active row        from this table in prioritized order according to its        snmpTlstmCertToTSNID value.  Each row's        snmpTlstmCertToTSNFingerprint value determines whether the        row is a match for the incoming connection:           1) If the row's snmpTlstmCertToTSNFingerprint value              identifies the presented certificate, then consider              the row as a successful match.           2) If the row's snmpTlstmCertToTSNFingerprint value              identifies a locally held copy of a trusted CA              certificate and that CA certificate was used to              validate the path to the presented certificate, then              consider the row as a successful match.        Once a matching row has been found, the        snmpTlstmCertToTSNMapType value can be used to determine        how the tmSecurityName to associate with the session        should be determined.  See the 'snmpTlstmCertToTSNMapType'        column's DESCRIPTION clause for details on determining the        tmSecurityName value.  If it is impossible to determine a        tmSecurityName from the row's data combined with the data        presented in the certificate, then additional rows MUST be        searched to look for another potential match.  If a        resulting tmSecurityName mapped from a given row is not        compatible with the needed requirements of a        tmSecurityName (e.g., the VACM imposes a 32-octet-maximum        length and the certificate-derived securityName could be        longer), then it MUST be considered an invalid match and        additional rows MUST be searched to look for another        potential match.        If no matching and valid row can be found, the connection        MUST be closed and SNMP messages MUST NOT be accepted over        it.        Missing values of snmpTlstmCertToTSNID are acceptable, and        implementations SHOULD continue to the        next-highest-numbered row.  It is RECOMMENDED that        administrators skip index values to leave room for the        insertion of future rows (for example, use values of 10        and 20 when creating initial rows).        Users are encouraged to make use of certificates with        subjectAltName fields that can be used as tmSecurityNames.        This allows all child certificates of a single root CA        certificate to include a subjectAltName that maps directly        to a tmSecurityName via a 1:1 transformation.  However,        this table is flexible, to allow for situations where        existing deployed certificate infrastructures do not provide        adequate subjectAltName values for use as tmSecurityNames.        Certificates MAY also be mapped to tmSecurityNames using        the CommonName portion of the Subject field.  However, the        usage of the CommonName field is deprecated, and thus this        usage is NOT RECOMMENDED.  Direct mapping from each        individual certificate fingerprint to a tmSecurityName is        also possible but requires one entry in the table per        tmSecurityName and requires more management operations to        completely configure a device."    ::= { snmpTlstmCertificateMapping 3 }snmpTlstmCertToTSNEntry OBJECT-TYPE    SYNTAX      SnmpTlstmCertToTSNEntry    MAX-ACCESS  not-accessible    STATUS      current    DESCRIPTION       "A row in the snmpTlstmCertToTSNTable that specifies a        mapping for an incoming (D)TLS certificate to a        tmSecurityName to use for a connection."    INDEX   { snmpTlstmCertToTSNID }    ::= { snmpTlstmCertToTSNTable 1 }SnmpTlstmCertToTSNEntry ::= SEQUENCE {    snmpTlstmCertToTSNID           Unsigned32,    snmpTlstmCertToTSNFingerprint  SnmpTLSFingerprint,    snmpTlstmCertToTSNMapType      AutonomousType,    snmpTlstmCertToTSNData         OCTET STRING,    snmpTlstmCertToTSNStorageType  StorageType,    snmpTlstmCertToTSNRowStatus    RowStatus}snmpTlstmCertToTSNID OBJECT-TYPE    SYNTAX      Unsigned32 (1..4294967295)    MAX-ACCESS  not-accessible    STATUS      current    DESCRIPTION       "A unique, prioritized index for the given entry.  Lower        numbers indicate a higher priority."    ::= { snmpTlstmCertToTSNEntry 1 }snmpTlstmCertToTSNFingerprint OBJECT-TYPE    SYNTAX      SnmpTLSFingerprint (SIZE (1..255))    MAX-ACCESS  read-create    STATUS      current    DESCRIPTION       "A cryptographic hash of an X.509 certificate.  The results        of a successful matching fingerprint to either the trusted        CA in the certificate validation path or the certificate        itself is dictated by the 'snmpTlstmCertToTSNMapType'        column."    ::= { snmpTlstmCertToTSNEntry 2 }snmpTlstmCertToTSNMapType OBJECT-TYPE    SYNTAX      AutonomousType    MAX-ACCESS  read-create    STATUS      current    DESCRIPTION       "Specifies the mapping type for deriving a tmSecurityName        from a certificate.  Details for mapping of a particular        type SHALL be specified in the DESCRIPTION clause of the        OBJECT-IDENTITY that describes the mapping.  If a mapping        succeeds, it will return a tmSecurityName for use by the        TLSTM and processing will stop.        If the resulting mapped value is not compatible with the        needed requirements of a tmSecurityName (e.g., the VACM        imposes a 32-octet-maximum length and the        certificate-derived securityName could be longer), then        future rows MUST be searched for additional        snmpTlstmCertToTSNFingerprint matches to look for a        mapping that succeeds.        Suitable values for assigning to this object that are        defined within the SNMP-TLS-TM-MIB can be found in the        snmpTlstmCertToTSNMIdentities portion of the MIB tree."    DEFVAL { snmpTlstmCertSpecified }    ::= { snmpTlstmCertToTSNEntry 3 }snmpTlstmCertToTSNData OBJECT-TYPE    SYNTAX      OCTET STRING (SIZE (0..1024))    MAX-ACCESS  read-create    STATUS      current    DESCRIPTION       "Auxiliary data used as optional configuration information        for a given mapping specified by the        'snmpTlstmCertToTSNMapType' column.  Only some mapping        systems will make use of this column.  The value in this        column MUST be ignored for any mapping type that does not        require that data be present in this column."    DEFVAL { "" }    ::= { snmpTlstmCertToTSNEntry 4 }snmpTlstmCertToTSNStorageType OBJECT-TYPE    SYNTAX       StorageType    MAX-ACCESS   read-create    STATUS       current    DESCRIPTION       "The storage type for this conceptual row.  Conceptual rows        having the value 'permanent' need not allow write-access        to any columnar objects in the row."    DEFVAL      { nonVolatile }    ::= { snmpTlstmCertToTSNEntry 5 }snmpTlstmCertToTSNRowStatus OBJECT-TYPE    SYNTAX      RowStatus    MAX-ACCESS  read-create    STATUS      current    DESCRIPTION       "The status of this conceptual row.  This object MAY be        used to create or remove rows from this table.        To create a row in this table, an administrator MUST set        this object to either createAndGo(4) or createAndWait(5).        Until instances of all corresponding columns are        appropriately configured, the value of the corresponding        instance of the 'snmpTlstmParamsRowStatus' column is        notReady(3).        In particular, a newly created row cannot be made active        until the corresponding 'snmpTlstmCertToTSNFingerprint',        'snmpTlstmCertToTSNMapType', and 'snmpTlstmCertToTSNData'        columns have been set.        The following objects MUST NOT be modified while the        value of this object is active(1):           - snmpTlstmCertToTSNFingerprint           - snmpTlstmCertToTSNMapType           - snmpTlstmCertToTSNData        An attempt to set these objects while the value of        snmpTlstmParamsRowStatus is active(1) will result in        an inconsistentValue error."    ::= { snmpTlstmCertToTSNEntry 6 }-- Maps tmSecurityNames to certificates for use by the-- SNMP-TARGET-MIBsnmpTlstmParamsCount OBJECT-TYPE    SYNTAX      Gauge32    MAX-ACCESS  read-only    STATUS      current    DESCRIPTION       "A count of the number of entries in the        snmpTlstmParamsTable."    ::= { snmpTlstmCertificateMapping 4 }snmpTlstmParamsTableLastChanged OBJECT-TYPE    SYNTAX      TimeStamp    MAX-ACCESS  read-only    STATUS      current    DESCRIPTION       "The value of sysUpTime.0 when the snmpTlstmParamsTable        was last modified through any means, or 0 if it has not        been modified since the command responder was started."    ::= { snmpTlstmCertificateMapping 5 }snmpTlstmParamsTable OBJECT-TYPE    SYNTAX      SEQUENCE OF SnmpTlstmParamsEntry    MAX-ACCESS  not-accessible    STATUS      current    DESCRIPTION       "This table is used by a (D)TLS client when a (D)TLS        connection is being set up using an entry in the        SNMP-TARGET-MIB.  It extends the SNMP-TARGET-MIB's        snmpTargetParamsTable with a fingerprint of a certificate        to use when establishing such a (D)TLS connection."    ::= { snmpTlstmCertificateMapping 6 }snmpTlstmParamsEntry OBJECT-TYPE    SYNTAX      SnmpTlstmParamsEntry    MAX-ACCESS  not-accessible    STATUS      current    DESCRIPTION       "A conceptual row containing a fingerprint hash of a        locally held certificate for a given        snmpTargetParamsEntry.  The values in this row SHOULD be        ignored if the connection that needs to be established, as        indicated by the SNMP-TARGET-MIB infrastructure, is not a        certificate-based and (D)TLS-based connection.  The        connection SHOULD NOT be established if the certificate        fingerprint stored in this entry does not point to a valid        locally held certificate or if it points to an unusable        certificate (such as might happen when the certificate's        expiration date has been reached)."    INDEX    { IMPLIED snmpTargetParamsName }    ::= { snmpTlstmParamsTable 1 }SnmpTlstmParamsEntry ::= SEQUENCE {    snmpTlstmParamsClientFingerprint SnmpTLSFingerprint,    snmpTlstmParamsStorageType       StorageType,    snmpTlstmParamsRowStatus         RowStatus}snmpTlstmParamsClientFingerprint OBJECT-TYPE    SYNTAX      SnmpTLSFingerprint    MAX-ACCESS  read-create    STATUS      current    DESCRIPTION       "This object stores the hash of the public portion of a        locally held X.509 certificate.  The X.509 certificate,        its public key, and the corresponding private key will be        used when initiating a (D)TLS connection as a (D)TLS        client."    ::= { snmpTlstmParamsEntry 1 }snmpTlstmParamsStorageType OBJECT-TYPE    SYNTAX       StorageType    MAX-ACCESS   read-create    STATUS       current    DESCRIPTION       "The storage type for this conceptual row.  Conceptual rows        having the value 'permanent' need not allow write-access        to any columnar objects in the row."    DEFVAL      { nonVolatile }    ::= { snmpTlstmParamsEntry 2 }snmpTlstmParamsRowStatus OBJECT-TYPE    SYNTAX      RowStatus    MAX-ACCESS  read-create    STATUS      current    DESCRIPTION       "The status of this conceptual row.  This object MAY be        used to create or remove rows from this table.        To create a row in this table, an administrator MUST set        this object to either createAndGo(4) or createAndWait(5).        Until instances of all corresponding columns are        appropriately configured, the value of the corresponding        instance of the 'snmpTlstmParamsRowStatus' column is        notReady(3).        In particular, a newly created row cannot be made active        until the corresponding 'snmpTlstmParamsClientFingerprint'        column has been set.        The snmpTlstmParamsClientFingerprint object MUST NOT be        modified while the value of this object is active(1).        An attempt to set these objects while the value of        snmpTlstmParamsRowStatus is active(1) will result in        an inconsistentValue error."    ::= { snmpTlstmParamsEntry 3 }snmpTlstmAddrCount OBJECT-TYPE    SYNTAX      Gauge32    MAX-ACCESS  read-only    STATUS      current    DESCRIPTION       "A count of the number of entries in the        snmpTlstmAddrTable."    ::= { snmpTlstmCertificateMapping 7 }snmpTlstmAddrTableLastChanged OBJECT-TYPE    SYNTAX      TimeStamp    MAX-ACCESS  read-only    STATUS      current    DESCRIPTION       "The value of sysUpTime.0 when the snmpTlstmAddrTable        was last modified through any means, or 0 if it has not        been modified since the command responder was started."    ::= { snmpTlstmCertificateMapping 8 }snmpTlstmAddrTable OBJECT-TYPE    SYNTAX      SEQUENCE OF SnmpTlstmAddrEntry    MAX-ACCESS  not-accessible    STATUS      current    DESCRIPTION       "This table is used by a (D)TLS client when a (D)TLS        connection is being set up using an entry in the        SNMP-TARGET-MIB.  It extends the SNMP-TARGET-MIB's        snmpTargetAddrTable so that the client can verify that the        correct server has been reached.  This verification can        use either 1) a certificate fingerprint or 2) an        identity authenticated via certification path validation.        If there is an active row in this table corresponding to        the entry in the SNMP-TARGET-MIB that was used to        establish the connection and the row's        'snmpTlstmAddrServerFingerprint' column has a non-empty        value, then the server's presented certificate is compared        with the snmpTlstmAddrServerFingerprint value (and the        'snmpTlstmAddrServerIdentity' column is ignored).  If the        fingerprint matches, the verification has succeeded.  If        the fingerprint does not match, then the connection MUST        be closed.        If the server's presented certificate has passed        certification path validation (RFC 5280) to a configured        trust anchor and an active row exists with a zero-length        snmpTlstmAddrServerFingerprint value, then the        'snmpTlstmAddrServerIdentity' column contains the expected        host name.  This expected host name is then compared        against the server's certificate as follows:           - Implementations MUST support matching the expected             host name against a dNSName in the subjectAltName             extension field and MAY support checking the name             against the CommonName portion of the subject             distinguished name.           - The '*' (ASCII 0x2A) wildcard character is allowed in             the dNSName of the subjectAltName extension (and in             CommonName, if used to store the host name), but             only as the leftmost (least significant) DNS label             in that value.  This wildcard matches any leftmost             DNS label in the server name.  That is, the subject             *.example.com matches the server names a.example.com             and b.example.com but does not match example.com or             a.b.example.com.  Implementations MUST support             wildcards in certificates as specified above but MAY             provide a configuration option to disable them.           - If the locally configured name is an             internationalized domain name, conforming             implementations MUST convert it to the ASCII             Compatible Encoding (ACE) format for performing             comparisons, as specified in Section 7 of RFC 5280.        If the expected host name fails these conditions, then the        connection MUST be closed.        If there is no row in this table corresponding to the        entry in the SNMP-TARGET-MIB and the server can be        authorized by another, implementation-dependent means,        then the connection MAY still proceed."    ::= { snmpTlstmCertificateMapping 9 }snmpTlstmAddrEntry OBJECT-TYPE    SYNTAX      SnmpTlstmAddrEntry    MAX-ACCESS  not-accessible    STATUS      current    DESCRIPTION       "A conceptual row containing a copy of a certificate's        fingerprint for a given snmpTargetAddrEntry.  The values        in this row SHOULD be ignored if the connection that needs        to be established, as indicated by the SNMP-TARGET-MIB        infrastructure, is not a (D)TLS-based connection.  If an        snmpTlstmAddrEntry exists for a given snmpTargetAddrEntry,        then the presented server certificate MUST match or the        connection MUST NOT be established.  If a row in this        table does not exist to match an snmpTargetAddrEntry row,        then the connection SHOULD still proceed if some other        certification path validation algorithm (e.g., RFC 5280)        can be used."    INDEX    { IMPLIED snmpTargetAddrName }    ::= { snmpTlstmAddrTable 1 }SnmpTlstmAddrEntry ::= SEQUENCE {    snmpTlstmAddrServerFingerprint    SnmpTLSFingerprint,    snmpTlstmAddrServerIdentity       SnmpAdminString,    snmpTlstmAddrStorageType          StorageType,    snmpTlstmAddrRowStatus            RowStatus}snmpTlstmAddrServerFingerprint OBJECT-TYPE    SYNTAX      SnmpTLSFingerprint    MAX-ACCESS  read-create    STATUS      current    DESCRIPTION       "A cryptographic hash of a public X.509 certificate.  This        object should store the hash of the public X.509        certificate that the remote server should present during        the (D)TLS connection setup.  The fingerprint of the        presented certificate and this hash value MUST match        exactly, or the connection MUST NOT be established."    DEFVAL { "" }    ::= { snmpTlstmAddrEntry 1 }snmpTlstmAddrServerIdentity OBJECT-TYPE    SYNTAX      SnmpAdminString    MAX-ACCESS  read-create    STATUS      current    DESCRIPTION       "The reference identity to check against the identity        presented by the remote system."    DEFVAL { "" }    ::= { snmpTlstmAddrEntry 2 }snmpTlstmAddrStorageType OBJECT-TYPE    SYNTAX       StorageType    MAX-ACCESS   read-create    STATUS       current    DESCRIPTION       "The storage type for this conceptual row.  Conceptual rows        having the value 'permanent' need not allow write-access        to any columnar objects in the row."    DEFVAL      { nonVolatile }    ::= { snmpTlstmAddrEntry 3 }snmpTlstmAddrRowStatus OBJECT-TYPE    SYNTAX      RowStatus    MAX-ACCESS  read-create    STATUS      current    DESCRIPTION       "The status of this conceptual row.  This object may be        used to create or remove rows from this table.        To create a row in this table, an administrator MUST set        this object to either createAndGo(4) or createAndWait(5).        Until instances of all corresponding columns are        appropriately configured, the value of the corresponding        instance of the 'snmpTlstmAddrRowStatus' column is        notReady(3).        In particular, a newly created row cannot be made active        until the corresponding 'snmpTlstmAddrServerFingerprint'        column has been set.        Rows MUST NOT be active if the        'snmpTlstmAddrServerFingerprint' column is blank and the        snmpTlstmAddrServerIdentity is set to '*', since this        would insecurely accept any presented certificate.        The snmpTlstmAddrServerFingerprint object MUST NOT be        modified while the value of this object is active(1).        An attempt to set these objects while the value of        snmpTlstmAddrRowStatus is active(1) will result in        an inconsistentValue error."    ::= { snmpTlstmAddrEntry 4 }-- ************************************************--  snmpTlstmNotifications - Notifications Information-- ************************************************snmpTlstmServerCertificateUnknown NOTIFICATION-TYPE    OBJECTS { snmpTlstmSessionUnknownServerCertificate }    STATUS  current    DESCRIPTION       "Notification that the server certificate presented by an        SNMP over (D)TLS server was invalid because no configured        fingerprint or CA was acceptable to validate it.  This may        be because there was no entry in the snmpTlstmAddrTable or        because no path to a known CA could be found.        To avoid notification loops, this notification MUST NOT be        sent to servers that themselves have triggered the        notification."    ::= { snmpTlstmNotifications 1 }snmpTlstmServerInvalidCertificate NOTIFICATION-TYPE    OBJECTS {        snmpTlstmAddrServerFingerprint,        snmpTlstmSessionInvalidServerCertificates    }    STATUS  current    DESCRIPTION       "Notification that the server certificate presented by an        SNMP over (D)TLS server could not be validated even if the        fingerprint or expected validation path was known.        That is, a cryptographic validation error occurred during        certificate validation processing.        To avoid notification loops, this notification MUST NOT be        sent to servers that themselves have triggered the        notification."    ::= { snmpTlstmNotifications 2 }-- ************************************************-- snmpTlstmCompliances - Conformance Information-- ************************************************snmpTlstmCompliances OBJECT IDENTIFIER ::= { snmpTlstmConformance 1 }snmpTlstmGroups OBJECT IDENTIFIER ::= { snmpTlstmConformance 2 }-- ************************************************-- Compliance statements-- ************************************************snmpTlstmCompliance MODULE-COMPLIANCE    STATUS      current    DESCRIPTION       "The compliance statement for SNMP engines that support the        SNMP-TLS-TM-MIB."    MODULE        MANDATORY-GROUPS { snmpTlstmStatsGroup,                           snmpTlstmIncomingGroup,                           snmpTlstmOutgoingGroup,                           snmpTlstmNotificationGroup }    ::= { snmpTlstmCompliances 1 }-- ************************************************-- Units of conformance-- ************************************************snmpTlstmStatsGroup OBJECT-GROUP    OBJECTS {        snmpTlstmSessionOpens,        snmpTlstmSessionClientCloses,        snmpTlstmSessionOpenErrors,        snmpTlstmSessionAccepts,        snmpTlstmSessionServerCloses,        snmpTlstmSessionNoSessions,        snmpTlstmSessionInvalidClientCertificates,        snmpTlstmSessionUnknownServerCertificate,        snmpTlstmSessionInvalidServerCertificates,        snmpTlstmSessionInvalidCaches    }    STATUS      current    DESCRIPTION       "A collection of objects for maintaining statistical        information of an SNMP engine that implements the SNMP        TLSTM."    ::= { snmpTlstmGroups 1 }snmpTlstmIncomingGroup OBJECT-GROUP    OBJECTS {        snmpTlstmCertToTSNCount,        snmpTlstmCertToTSNTableLastChanged,        snmpTlstmCertToTSNFingerprint,        snmpTlstmCertToTSNMapType,        snmpTlstmCertToTSNData,        snmpTlstmCertToTSNStorageType,        snmpTlstmCertToTSNRowStatus    }    STATUS      current    DESCRIPTION       "A collection of objects for maintaining incoming        connection certificate mappings to tmSecurityNames of an        SNMP engine that implements the SNMP TLSTM."    ::= { snmpTlstmGroups 2 }snmpTlstmOutgoingGroup OBJECT-GROUP    OBJECTS {        snmpTlstmParamsCount,        snmpTlstmParamsTableLastChanged,        snmpTlstmParamsClientFingerprint,        snmpTlstmParamsStorageType,        snmpTlstmParamsRowStatus,        snmpTlstmAddrCount,        snmpTlstmAddrTableLastChanged,        snmpTlstmAddrServerFingerprint,        snmpTlstmAddrServerIdentity,        snmpTlstmAddrStorageType,        snmpTlstmAddrRowStatus    }    STATUS      current    DESCRIPTION       "A collection of objects for maintaining outgoing        connection certificates to use when opening connections as        a result of SNMP-TARGET-MIB settings."    ::= { snmpTlstmGroups 3 }snmpTlstmNotificationGroup NOTIFICATION-GROUP    NOTIFICATIONS {        snmpTlstmServerCertificateUnknown,        snmpTlstmServerInvalidCertificate    }    STATUS current    DESCRIPTION       "Notifications."    ::= { snmpTlstmGroups 4 }END<CODE ENDS>