SNMPv3 protocol configuration
Although OpenNMS can function as a service, availability, event, and notification management platform independent of SNMP, SNMP adds additional functionality to the platform as well as enhancing these other services by way of device configuration information and SNMP traps/notifications.
Traditionally, OpenNMS centralizes SNMP configuration into an XML file, snmp-config.xml, in the OpenNMS etc/ directory. However, SNMP configuration has also been allowed to leak into other sub-system configuration files: capsd, poller, and collectd. The purposes of these “leaks” were to override or enhance the central configuration’s settings to assist the functionality of the particular sub-system. With the release of 1.3 and the improvements to SNMP within OpenNMS, the configuration for SNMP information is moving back into the central configuration where possible.
One of the big additions to the 1.3 release of OpenNMS is support for alternate SNMP libraries. Calls to Joesnmp, which has been a part of OpenNMS since the beginning, have been abstracted to provide an API for adding alternate SNMP implementations. This change was made to allow us to integrate SNMP4J, a pure Java library that supports SNMPv3. Although Joesnmp, with SNMP v1 and v2c, is still the default implementation, SNMP4J, which supports SNMP v1, v2c and v3, can be enabled by setting the system property 'org.opennms.snmp.strategyClass' to 'org.opennms.netmgt.snmp.snmp4j.Snmp4JStrategy'.
As of 1.3.2 SNMP4J is the default value for this and so SNMPv3 should be enabled already.
On earlier 1.3.x versions the easiest way to do this is by adding the following line to '$OPENNMS_HOME/etc/opennms.conf'
The main configuration file that determines SNMP’s behavior for your instance of OpenNMS is snmp-config.xml. The schema for this file has been modified to add support for configuring SNMPv3. The snmp-config element in this file contains attributes and sub-elements called definitions. The attributes of the snmp-config element define system-wide defaults. The definition elements are sub-elements of snmp-config and can override the system-wide default settings. Let’s break that down with a sample configuration:
<snmp-config port="161" retry="3" timeout="800" read-community="public" version="v1">
  <definition version="v2c">
    <specific>192.168.0.50</specific>
  </definition>
  <definition version="v3" security-name="opennmsUser">
    <specific>192.168.0.102</specific>
  </definition>
  <definition retry="1" timeout="1000">
    <range begin="192.168.100.1" end="192.168.100.254"/>
    <ip-match>77.5-12,15.1-255.255</ip-match>
  </definition>
</snmp-config>
In this sample configuration, the first definition element overrides the default version defined in the top-level snmp-config element with SNMP version 2c. The second definition element makes the same kind of override, except that when specifying version 3 at least one more attribute is required: “security-name”. (Note: a system-wide default security-name can be defined in the top-level snmp-config element.) The final definition in this sample configuration uses a range element and the new “ip-match” element. The range element has two attributes, begin and end, and each must be a valid IP address. The ip-match element is a much more flexible way of configuring SNMP attributes for a specific set of devices than the range element.
The ip-match element example above can be broken down and understood like this:
If the first octet equals 77
  Then if the 2nd octet is in the range 5-12 or equals 15
    Then if the 3rd octet is in the range 1-255
      Then if the 4th octet equals 255
        Use this definition’s attributes
Else
  If the attribute is defined in the snmp-config element
    Use the snmp-config attribute
  Else
    Use the default attribute
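The following is an added example, not OpenNMS’s own resolution code: it parses the sample snmp-config.xml above and resolves the effective SNMP settings for an address, generalising the ip-match rule to any pattern of per-octet values, ranges and comma-separated alternatives. It assumes that the first matching definition in file order wins and uses hypothetical built-in defaults for attributes nobody sets.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the snmp-config.xml shown above.
SAMPLE_CONFIG = """<snmp-config port="161" retry="3" timeout="800" read-community="public" version="v1">
  <definition version="v2c"><specific>192.168.0.50</specific></definition>
  <definition version="v3" security-name="opennmsUser"><specific>192.168.0.102</specific></definition>
  <definition retry="1" timeout="1000">
    <range begin="192.168.100.1" end="192.168.100.254"/>
    <ip-match>77.5-12,15.1-255.255</ip-match>
  </definition>
</snmp-config>"""

# Hypothetical built-in defaults (assumed, not OpenNMS's real values) for unset attributes.
BUILTIN_DEFAULTS = {"port": "161", "retry": "1", "timeout": "3000", "version": "v1"}

def octets(ip):
    return tuple(int(o) for o in ip.strip().split("."))

def octet_matches(pattern, octet):
    """One ip-match octet pattern: comma-separated alternatives, each 'n' or 'low-high'."""
    for alt in pattern.split(","):
        low, _, high = alt.partition("-")
        if (int(low) <= octet <= int(high)) if high else octet == int(low):
            return True
    return False

def ip_match(pattern, ip):
    parts = pattern.split(".")
    return len(parts) == 4 and all(octet_matches(p, o) for p, o in zip(parts, octets(ip)))

def definition_applies(defn, ip):
    """A definition applies if any specific, range or ip-match child covers ip."""
    o = octets(ip)
    return (any(octets(s.text) == o for s in defn.findall("specific"))
            or any(octets(r.get("begin")) <= o <= octets(r.get("end")) for r in defn.findall("range"))
            or any(ip_match(m.text.strip(), ip) for m in defn.findall("ip-match")))

def effective_agent_config(config_xml, ip):
    """Attributes for ip: matching definition, else snmp-config, else built-in default (first match wins)."""
    root = ET.fromstring(config_xml)
    resolved = dict(BUILTIN_DEFAULTS)
    resolved.update(root.attrib)            # system-wide settings override built-ins
    for defn in root.findall("definition"):
        if definition_applies(defn, ip):
            resolved.update(defn.attrib)    # per-device settings override system-wide
            break
    if resolved["version"] == "v3" and "security-name" not in resolved:
        raise ValueError(f"{ip}: version v3 requires a security-name")
    return resolved
```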
Sample v3 configuration
<snmp-config auth-passphrase="0p3nNMSv3" auth-protocol="MD5"
             privacy-passphrase="0p3nNMSv3" privacy-protocol="DES"
             security-name="opennmsUser" version="v3">
</snmp-config>
This SNMPv3 sample configuration shows the v3-specific attributes. These attributes are also supported within the definition element. The following table lists these new attributes with their constraints and their default values:
Enabling SNMPv3 for net-snmp
Since Net-SNMP is a commonly available SNMP agent that supports SNMPv3, here are the basic steps to enable SNMPv3 support for that agent.
First, edit the snmpd.conf file, usually found at /etc/snmp/snmpd.conf. Find this section:
###############################################################################
# Further Information
#
#  See the snmpd.conf manual page, and the output of "snmpd -H".

# VACM configuration entries
rwuser initial
# lets add the new user we'll create too:
rwuser opennmsUser

# USM configuration entries
createUser initial MD5 setup_passphrase DES
The "initial" user is the default, and the line "rwuser opennmsUser" adds the OpenNMS user to the agent. Then from the command line run:
snmpusm -v3 -u initial -n "" -l authNoPriv -a MD5 -A setup_passphrase localhost create opennmsUser initial
This will clone the "initial" user to "opennmsUser".
Next, you can change the passphrase:
snmpusm -v 3 -u opennmsUser -n "" -l authNoPriv -a MD5 -A setup_passphrase -Ca localhost passwd setup_passphrase 0p3nNMSv3
Which will set the authentication passphrase to "0p3nNMSv3".
Finally, restart the snmpd process and you should be able to walk the agent as the new user:
snmpwalk -v 3 -u opennmsUser -n "" -l authNoPriv -a MD5 -A 0p3nNMSv3 localhost ifTable