SNMPv3 protocol configuration

Reposted 2007-09-25 15:28:00

 

From OpenNMS


Introduction

Although OpenNMS can function as a service, availability, event, and notification management platform independent of SNMP, SNMP adds additional functionality to the platform as well as enhancing these other services by way of device configuration information and SNMP traps/notifications.

Traditionally, OpenNMS centralizes SNMP configuration into an XML file, snmp-config.xml, in the OpenNMS etc/ directory. However, SNMP configuration has also been allowed to leak into other sub-system configuration files: capsd, poller, and collectd. The purposes of these “leaks” were to override or enhance the central configuration’s settings to assist the functionality of the particular sub-system. With the release of 1.3 and the improvements to SNMP within OpenNMS, the configuration for SNMP information is moving back into the central configuration where possible.

Enabling SNMPv3

One of the big additions to the 1.3 release of OpenNMS is support for alternate SNMP libraries. Calls to Joesnmp, which has been a part of OpenNMS since the beginning, have been abstracted to provide an API for adding alternate SNMP implementations. This change was made to allow us to integrate SNMP4J, a pure Java library that has support for SNMPv3. Though Joesnmp, with SNMP versions v1 and v2c, is still the default implementation, SNMP4J, which supports SNMP v1, v2c and v3, can be enabled by setting the system property 'org.opennms.snmp.strategyClass' to 'org.opennms.netmgt.snmp.snmp4j.Snmp4JStrategy'.

As of 1.3.2 SNMP4J is the default value for this and so SNMPv3 should be enabled already.


On earlier 1.3.x versions, the easiest way to do this is by adding the following line to '$OPENNMS_HOME/etc/opennms.conf':

ADDITIONAL_MANAGER_OPTIONS="-Dorg.opennms.snmp.strategyClass=org.opennms.netmgt.snmp.snmp4j.Snmp4JStrategy"

Configuring SNMP

The main configuration file that determines SNMP’s behavior for your instance of OpenNMS is snmp-config.xml. The schema for this file has been modified to add support for configuring SNMPv3. The snmp-config element in this file contains attributes and sub-elements called definitions. The attributes of the snmp-config element define system wide defaults. The definition elements are sub-elements to the snmp-config and have the ability to override the system wide default settings. Let’s break that down with a sample configuration:

Sample configuration

<snmp-config port="161" retry="3" timeout="800" read-community="public" version="v1">

        <definition version="v2c">
                <specific>192.168.0.50</specific>
        </definition>
        <definition version="v3" security-name="opennmsUser">
                <specific>192.168.0.102</specific>
        </definition>
        <definition retry="1" timeout="1000">
                <range begin="192.168.100.1" end="192.168.100.254"/>
                <ip-match>77.5-12,15.1-255.255</ip-match>
        </definition>
</snmp-config>

In this sample configuration, the first definition element overrides the default version defined in the top-level snmp-config element with SNMP version 2c. The second definition element specifies the same kind of override, except that when specifying version 3, a minimum of one more attribute is required: “security-name”. (Note: a system-wide default security-name can be defined in the top-level snmp-config element.) In the final definition of this sample configuration, a range element and the new “ip-match” element are used. The range element has two attributes, and each must be a valid IP address. The ip-match element is a much more flexible way of configuring SNMP attributes for a specific set of devices than the previous range elements.

The ip-match element example above can be broken down like this:

	If the first octet equals 77
		Then if the 2nd octet is in the range of 5-12 or equals 15
			Then if the 3rd octet is in the range of 1-255
				Then if the 4th octet equals 255
					Use this definition’s attributes
	Else
		If attribute defined in snmp-config element
			Use snmp-config attribute
		Else
			Use default attribute


Sample v3 configuration

<snmp-config
	auth-passphrase="0p3nNMSv3"
	auth-protocol="MD5"
	privacy-passphrase="0p3nNMSv3"
	privacy-protocol="DES"
	security-name="opennmsUser"
	version="v3"/>

SNMPv3-specific attributes

This SNMPv3 sample configuration shows the v3 specific attributes. These attributes are supported within the definition element as well. The following table denotes these new attributes with their constraints and their default values:

Attribute            Constraints              Default Value
auth-passphrase      string                   0p3nNMSv3
auth-protocol        MD5/SHA                  MD5
privacy-passphrase   string                   0p3nNmsv3
privacy-protocol     DES/AES/AES192/AES256    DES
security-name        String                   opennmsUser
version              v1/v2c/v3                v1

Enabling SNMPv3 for net-snmp

Since Net-SNMP is a commonly available SNMP agent that supports SNMPv3, here are the basic steps to enable SNMPv3 support for that agent.

First, edit the snmpd.conf file, usually found at /etc/snmp/snmpd.conf. Find this section:

###############################################################################
# Further Information
#
#  See the snmpd.conf manual page, and the output of "snmpd -H".
# VACM configuration entries
rwuser initial
# let's add the new user we'll create too:
rwuser opennmsUser
# USM configuration entries
createUser initial MD5 setup_passphrase DES

The "initial" user is the default, and the line "rwuser opennmsUser" adds the OpenNMS user to the agent. Then from the command line run:

snmpusm -v3 -u initial -n "" -l authNoPriv -a MD5 -A setup_passphrase localhost create opennmsUser initial

This will clone the "initial" user to "opennmsUser".

Next, you can change the passphrase:

snmpusm -v 3 -u opennmsUser -n "" -l authNoPriv -a MD5 -A setup_passphrase -Ca localhost passwd setup_passphrase 0p3nNMSv3

This sets the authentication passphrase to "0p3nNMSv3".

Finally, restart the snmpd process and you should be able to walk:

snmpwalk -v 3 -u opennmsUser -n "" -l authNoPriv -a MD5 -A 0p3nNMSv3 localhost ifTable
 
