
SNMPv3 protocol configuration


 

From OpenNMS


Introduction

Although OpenNMS can function as a service, availability, event, and notification management platform independent of SNMP, SNMP adds additional functionality to the platform as well as enhancing these other services by way of device configuration information and SNMP traps/notifications.

Traditionally, OpenNMS centralizes SNMP configuration into an XML file, snmp-config.xml, in the OpenNMS etc/ directory. However, SNMP configuration has also been allowed to leak into other sub-system configuration files: capsd, poller, and collectd. The purposes of these “leaks” were to override or enhance the central configuration’s settings to assist the functionality of the particular sub-system. With the release of 1.3 and the improvements to SNMP within OpenNMS, the configuration for SNMP information is moving back into the central configuration where possible.

Enabling SNMPv3

One of the big additions to the 1.3 release of OpenNMS is support for alternate SNMP libraries. Calls to Joesnmp, which has been a part of OpenNMS since the beginning, have been abstracted to provide an API for adding alternate SNMP implementations. This change was made to allow us to integrate SNMP4J, a pure Java library that has support for SNMPv3. Though Joesnmp, with SNMP versions v1 and v2c, is still the default implementation, SNMP4J, which supports SNMP v1, v2c and v3, can be enabled by setting the system property 'org.opennms.snmp.strategyClass' to 'org.opennms.netmgt.snmp.snmp4j.Snmp4JStrategy'.

As of 1.3.2 SNMP4J is the default value for this and so SNMPv3 should be enabled already.


On earlier 1.3.x versions, the easiest way to do this is to add the following line to '$OPENNMS_HOME/etc/opennms.conf':

ADDITIONAL_MANAGER_OPTIONS="-Dorg.opennms.snmp.strategyClass=org.opennms.netmgt.snmp.snmp4j.Snmp4JStrategy"

Configuring SNMP

The main configuration file that determines SNMP’s behavior for your instance of OpenNMS is snmp-config.xml. The schema for this file has been modified to add support for configuring SNMPv3. The snmp-config element in this file contains attributes and sub-elements called definitions. The attributes of the snmp-config element define system wide defaults. The definition elements are sub-elements to the snmp-config and have the ability to override the system wide default settings. Let’s break that down with a sample configuration:

Sample configuration

<snmp-config port="161" retry="3" timeout="800" read-community="public" version="v1">

        <definition version="v2c">
                <specific>192.168.0.50</specific>
        </definition>
        <definition version="v3" security-name="opennmsUser">
                <specific>192.168.0.102</specific>
        </definition>
        <definition retry="1" timeout="1000">
                <range begin="192.168.100.1" end="192.168.100.254"/>
                <ip-match>77.5-12,15.1-255.255</ip-match>
        </definition>
</snmp-config>

In this sample configuration, the first definition element overrides the default version defined in the top-level snmp-config element with SNMP version 2c. The second definition element specifies the same kind of override, except that version 3 requires a minimum of one more attribute: “security-name”. (Note: a system-wide default security-name can be defined in the top-level snmp-config element.) The final definition of this sample configuration uses a range element and the new “ip-match” element. The range element has two attributes, each of which must be a valid IP address. The ip-match element is a much more flexible way of configuring SNMP attributes for a specific set of devices than the previous range elements.

The ip-match element example above can be broken down and understood like this:

	If the first octet equals 77
		Then if the 2nd octet is in the range of 5-12 or equals 15
			Then if the 3rd octet is in the range of 1-255
				Then if the 4th octet equals 255
					Use this definition’s attributes
	Else
		If attribute defined in snmp-config element
			Use snmp-config attribute
		Else
			Use default attribute
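The lookup described above can be tried against the sample configuration with the following added example, which is not OpenNMS code. It handles only the ip-match forms shown on this page (single values, ranges, comma lists), assumes the first matching definition wins, and does not model the built-in defaults used when an attribute is absent everywhere.

```python
import ipaddress
import xml.etree.ElementTree as ET

# The sample snmp-config.xml from this page, embedded so the example runs offline.
SAMPLE = """<snmp-config port="161" retry="3" timeout="800" read-community="public" version="v1">
  <definition version="v2c"><specific>192.168.0.50</specific></definition>
  <definition version="v3" security-name="opennmsUser"><specific>192.168.0.102</specific></definition>
  <definition retry="1" timeout="1000">
    <range begin="192.168.100.1" end="192.168.100.254"/>
    <ip-match>77.5-12,15.1-255.255</ip-match>
  </definition>
</snmp-config>"""

def octet_matches(spec, value):
    """True if value satisfies one octet spec such as '5-12,15'."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= value <= int(hi or lo):   # a bare value is a one-element range
            return True
    return False

def ip_match(pattern, ip):
    """Match a dotted IPv4 address against a four-part ip-match pattern."""
    specs = pattern.strip().split(".")
    octets = [int(o) for o in ip.split(".")]
    return len(specs) == 4 and all(octet_matches(s, o) for s, o in zip(specs, octets))

def definition_covers(definition, ip):
    addr = ipaddress.IPv4Address(ip)            # rejects malformed addresses
    for child in definition:
        if child.tag == "specific" and ipaddress.IPv4Address(child.text.strip()) == addr:
            return True
        if child.tag == "range" and (ipaddress.IPv4Address(child.get("begin")) <= addr
                                     <= ipaddress.IPv4Address(child.get("end"))):
            return True
        if child.tag == "ip-match" and ip_match(child.text, ip):
            return True
    return False

def effective_settings(xml_text, ip):
    """Top-level snmp-config defaults overlaid with the first definition covering ip."""
    root = ET.fromstring(xml_text)
    settings = dict(root.attrib)
    for definition in root.findall("definition"):
        if definition_covers(definition, ip):   # assumption: first match wins
            settings.update(definition.attrib)
            break
    return settings
```

Running `effective_settings(SAMPLE, "77.13.3.255")` shows a near miss: 13 is outside `5-12,15`, so the address falls back to the top-level v1 settings with the "public" community.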


Sample v3 configuration

<snmp-config
	auth-passphrase="0p3nNMSv3"
	auth-protocol="MD5"
	privacy-passphrase="0p3nNMSv3"
	privacy-protocol="DES"
	security-name="opennmsUser"
	version="v3" />

SNMPv3-specific attributes

This SNMPv3 sample configuration shows the v3 specific attributes. These attributes are supported within the definition element as well. The following table denotes these new attributes with their constraints and their default values:

Attribute            Constraints              Default Value
auth-passphrase      string                   0p3nNMSv3
auth-protocol        MD5/SHA                  MD5
privacy-passphrase   string                   0p3nNmsv3
privacy-protocol     DES/AES/AES192/AES256    DES
security-name        string                   opennmsUser
version              v1/v2c/v3                v1
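The defaults in this table are the weakest options it lists (MD5, DES, a published passphrase), so a deployed snmp-config.xml is worth checking against them. The following added example, which is not part of OpenNMS, audits a constructed configuration; the finding texts and the `audit` function name are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed input: the v3 sample from this page plus one v2c definition.
CONFIG = """<snmp-config auth-passphrase="0p3nNMSv3" auth-protocol="MD5"
    privacy-passphrase="0p3nNMSv3" privacy-protocol="DES"
    security-name="opennmsUser" version="v3">
  <definition version="v2c" read-community="public">
    <specific>192.168.0.50</specific>
  </definition>
</snmp-config>"""

# Default passphrase values as printed in the attribute table on this page.
DOCUMENTED_DEFAULTS = {"0p3nNMSv3", "0p3nNmsv3"}

def audit(xml_text):
    """Return (scope, finding) pairs for the top-level element and each definition."""
    root = ET.fromstring(xml_text)
    findings = []
    for index, element in enumerate([root] + root.findall("definition")):
        scope = "snmp-config" if index == 0 else f"definition[{index}]"
        eff = {**root.attrib, **element.attrib}    # definition overrides defaults
        version = eff.get("version", "v1")         # table default: v1
        if version != "v3":
            findings.append((scope, f"{version} sends its community string in cleartext"))
            if eff.get("read-community") == "public":
                findings.append((scope, "read-community is the well-known 'public'"))
            continue
        # Absent attributes fall back to the table's default values.
        if eff.get("auth-protocol", "MD5") == "MD5":
            findings.append((scope, "auth-protocol MD5; the table also allows SHA"))
        if eff.get("privacy-protocol", "DES") == "DES":
            findings.append((scope, "privacy-protocol DES; the table also allows AES"))
        auth = eff.get("auth-passphrase", "0p3nNMSv3")
        priv = eff.get("privacy-passphrase", "0p3nNmsv3")
        if auth in DOCUMENTED_DEFAULTS or priv in DOCUMENTED_DEFAULTS:
            findings.append((scope, "passphrase equals a documented default"))
        if auth == priv:
            findings.append((scope, "auth and privacy passphrases are identical"))
    return findings
```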

Enabling SNMPv3 for net-snmp

Since Net-SNMP is a commonly available SNMP agent that supports SNMPv3, here are the basic steps to enable SNMPv3 support for that agent.

First, edit the snmpd.conf file, usually found at /etc/snmp/snmpd.conf. Find this section:

###############################################################################
# Further Information
#
#  See the snmpd.conf manual page, and the output of "snmpd -H".
# VACM configuration entries
rwuser initial
# lets add the new user we'll create too:
rwuser opennmsUser
# USM configuration entries
createUser initial MD5 setup_passphrase DES

The "initial" user is the default, and the line "rwuser opennmsUser" adds the OpenNMS user to the agent. Then from the command line run:

snmpusm -v3 -u initial -n "" -l authNoPriv -a MD5 -A setup_passphrase localhost create opennmsUser initial

This will clone the "initial" user to "opennmsUser".

Next, you can change the passphrase:

snmpusm -v 3 -u opennmsUser -n "" -l authNoPriv -a MD5 -A setup_passphrase -Ca localhost passwd setup_passphrase 0p3nNMSv3

This will set the authentication passphrase to "0p3nNMSv3".

Finally, restart the snmpd process and you should be able to walk:

snmpwalk -v 3 -u opennmsUser -n "" -l authNoPriv -a MD5 -A 0p3nNMSv3 localhost ifTable
 