关闭

SNMPv3 protocol configuration

1316人阅读 评论(0) 收藏 举报

 

From OpenNMS

Contents

[hide]

Introduction

Although OpenNMS can function as a service, availability, event, and notification management platform independent of SNMP, SNMP adds additional functionality to the platform as well as enhancing these other services by way of device configuration information and SNMP traps/notifications.

Traditionally, OpenNMS centralizes SNMP configuration into an XML file, snmp-config.xml, in the OpenNMS etc/ directory. However, SNMP configuration has also been allowed to leak into other sub-system configuration files: capsd, poller, and collectd. The purposes of these “leaks” were to override or enhance the central configuration’s settings to assist the functionality of the particular sub-system. With the release of 1.3 and the improvements to SNMP within OpenNMS, the configuration for SNMP information is moving back into the central configuration where possible.

Enabling SNMPv3

One of the big additions to the 1.3 release of OpenNMS is support for alternate SNMP libraries. Calls to Joesnmp which have been a part of OpenNMS since the beginning, have been abstracted to provide a API for adding alternate SNMP implementations. This change was made to allows as to integrate SNMP4J, a pure java library that has support for SNMPv3. Though Joesnmp and SNMP versions v1 and v2c are still the default implementation, SNMP4J which supports SNMP v1, v2c and v3 support can be enabled by setting the system property 'org.opennms.snmp.strategyClass' to 'org.opennms.netmgt.snmp.snmp4j.Snmp4JStrategy'.

As of 1.3.2 SNMP4J is the default value for this and so SNMPv3 should be enabled already.


On earlier 1.3.x versions the easiest way to do this is by adding the following line to '$OPENNMS_HOME/etc/opennms.conf'

ADDITIONAL_MANAGER_OPTIONS="-Dorg.opennms.snmp.strategyClass=org.opennms.netmgt.snmp.snmp4j.Snmp4JStrategy"

Configuring SNMP

The main configuration file that determines SNMP’s behavior for your instance of OpenNMS is snmp-config.xml. The schema for this file has been modified to add support for configuring SNMPv3. The snmp-config element in this file contains attributes and sub-elements called definitions. The attributes of the snmp-config element define system wide defaults. The definition elements are sub-elements to the snmp-config and have the ability to override the system wide default settings. Let’s break that down with a sample configuration:

Sample configuration

<snmp-config port="161" retry="3" timeout="800" read-community="public" version="v1">

        <definition version="v2c">
                <specific>192.168.0.50</specific>
        </definition>
        <definition version="v3" security-name="opennmsUser">
                <specific>192.168.0.102</specific>
        </definition>
        <definition retry="1" timeout="1000">
                <range begin="192.168.100.1" end="192.168.100.254"/>
                <ip-match>77.5-12,15.1-255.255</ip-match>
        </definition>
</snmp-config>

In this sample configuration, the first definition element overrides the default version defined in the top-level snmp-config element with SNMP version 2c. The same override is specified in the second definition element except, that when specifying version 3, a minimum of one more attribute is required: “security-name”. (note: a system wide default security-name can be defined in the top-level snmp-config element) In the final definition of this sample configuration, a range element and the new “ip-match” elements are used. The range element has 2 attributes and each must be valid IP addresses. The ip-match element is a much more flexible way of configuration SNMP attributes for a specific set of devices than the previous range elements.

The ip-match element example above can be broke down to be understood like this:

	If the first octet equals 77
		Then if the 2nd octet is in the range of 5-12 or equals 15
			Then if the 3rd octet is in the range of 1-255
				Then if the 4th octet equals 255
					Use this definition’s attributes

	Else
		If attribute defined in snmp-config element
			Use snmp-config attribute
Else
	Use default attribute


Sample v3 configuration

<snmp-config
	auth-passprhase="0p3nNMSv3"
	auth-protocol="MD5"
	privacy-passphrase="0p3nNMSv3"
	privacy-protocol="DES"
	security-name="opennmsUser"
	version="v3" >

SNMPv3-specific attributes

This SNMPv3 sample configuration shows the v3 specific attributes. These attributes are supported within the definition element as well. The following table denotes these new attributes with their constraints and their default values:

Attribute Constraints Default Value
auth-passphrase string 0p3nNMSv3
auth-protocol MD5/SHA MD5
privacy-passphrase string 0p3nNmsv3
privacy-protocol DES/AES/AES192/AES256 DES
security-name String opennmsUser
version v1/v2c/v3 v1

Enabling SNMPv3 for net-snmp

Since Net-SNMP is a commonly available SNMP agent that supports SNMPv3, here are the basic steps to enable SNMPv3 support for that agent.

First, edit the snmpd.conf file, usually found at /etc/snmp/snmpd.conf. Find this section:

###############################################################################
# Further Information
#
#  See the snmpd.conf manual page, and the output of "snmpd -H".
# VACM configuration entries
rwuser initial
# lets add the new user we'll create too:
rwuser opennmsUser
# USM configuration entries
createUser initial MD5 setup_passphrase DES

The "initial" user is the default, and the line "rwuser opennmsUser" adds the OpenNMS user to the agent. Then from the command line run:

snmpusm -v3 -u initial -n "" -l authNoPriv -a MD5 -A setup_passphrase localhost create opennmsUser initial

This will clone the "initial" user to the "opennmsUser"

Next, you can change the passphrase:

snmpusm -v 3 -u opennmsUser -n "" -l authNoPriv -a MD5 -A setup_passphrase -Ca localhost passwd setup_passphrase 0p3nNMSv3

Which will set the authentication passphrase to "0p3nNMSv3".

Finally, restart the snmpd process and you should be able to walk:

snmpwalk -v 3 -u opennmsUser -n "" -l authNoPriv -a MD5 -A 0p3nNMSv3 localhost ifTable
 
0
0

查看评论
* 以上用户言论只代表其个人观点,不代表CSDN网站的观点或立场
    个人资料
    • 访问:687442次
    • 积分:9019
    • 等级:
    • 排名:第2161名
    • 原创:146篇
    • 转载:316篇
    • 译文:13篇
    • 评论:81条
    最新评论