Difference between revisions of "TUT:Using TLS"
Revision as of 23:45, 30 June 2010
Note: Features discussed on this page require Net-SNMP version 5.6 or higher.
"SNMP over DTLS over UDP" and "SNMP over TLS over TCP" are supported in Net-SNMP 5.6 and beyond. This page describes how an end user makes use of DTLS or TLS. For information on administering and configuring the agent with DTLS/TLS support, see Using_DTLS.
TLS and DTLS use the Transport Security Model (TSM), defined in RFC 5591, which was created as an alternative to the User-based Security Model (USM) discussed in the SNMPv3 Options tutorial.
DTLS vs TLS
TLS and DTLS are both protocols that protect packets in transit. The first runs over TCP and the second over UDP; each has its own advantages (a discussion of those advantages is beyond the scope of this tutorial).
Below you'll find examples that use both the dtlsudp: prefix and the tlstcp: prefix. Our test.net-snmp.org server responds on both transports, so you can try them both out.
Required Build Options
For the following tutorial to work, these options must have been given when configure was run:
--with-security-modules=tsm --with-transports="DTLSUDP TLSTCP"
Zero-config Example
This section assumes you already have the certificate(s) in place and know the fingerprints for your identity and that of the remote server. More information on obtaining and setting up that information is discussed below.
1. net-snmp-cert -t tutorial-joecool import \
   http://www.net-snmp.org/tutorial/tutorial-5/certificates/tutorial-joecool.crt \
   http://www.net-snmp.org/tutorial/tutorial-5/certificates/tutorial-joecool.key
2. net-snmp-cert -t tutorial-CA import \
   http://www.net-snmp.org/tutorial/tutorial-5/certificates/tutorial-CA.crt
3. snmpget -t 10 -T our_identity=tutorial-joecool \
   -T trust_cert=tutorial-CA \
   tls:test.net-snmp.org sysUpTime.0
4. echo trustCert tutorial-CA >> $HOME/.snmp/snmp.conf
5. echo clientCert tutorial-joecool >> $HOME/.snmp/snmp.conf
6. snmpget -t 10 tls:test.net-snmp.org sysUpTime.0
In this example, test.net-snmp.org is the host name of the agent to query. The request uses version 3 of the SNMP protocol with the Transport Security Model: an authPriv message carried over a DTLS/TLS connection that is authenticated with the certificates identified by the given certificate names or fingerprints. The OID being requested is sysUpTime.0 from the MIB module SNMPv2-MIB.
Obtaining and using test.net-snmp.org certificates
You will need the certificates for the Net-SNMP test server and test user for this tutorial. A compressed tarball is available here, along with its gpg signature. Or you can download the individual files as well:
The net-snmp-cert command is able to pull these certificates directly from a URL, as shown in the previous example.
Extracting the tarball
If you retrieved the entire certificate tarball (tutorial-.snmp), uncompress it in your home directory:
$ tar xvfz tutorial-.snmp.tar.gz
.snmp/
.snmp/snmp.conf.tutorial
.snmp/tls/
.snmp/tls/newcerts/
.snmp/tls/private/
.snmp/tls/private/tutorial-joecool.key
.snmp/tls/ca-certs/
.snmp/tls/ca-certs/tutorial-CA.crt
.snmp/tls/certs/
.snmp/tls/certs/tutorial-joecool.crt
.snmp/tls/certs/tutorial-agent.crt
You can use net-snmp-cert to show you the certificates (and their fingerprints):
$ net-snmp-cert showcert
/home/dummy/.snmp/tls:
certs/tutorial-agent.crt:
subject= /C=US/ST=California/O=Net-SNMP Developers/OU=SNMP-TLS/CN=tutorial-agent/emailAddress=tutorial-agent@test.net-snmp.org
certs/tutorial-joecool.crt:
subject= /C=US/ST=California/O=Net-SNMP Developers/OU=SNMP-TLS/CN=Joe Cool/emailAddress=joe.cool@test.net-snmp.org

$ net-snmp-cert showcert --fingerprint
/home/dummy/.snmp/tls:
certs/tutorial-agent.crt:
SHA1 Fingerprint=CA:B8:0A:B3:6B:4C:21:2A:F2:92:CD:0B:6B:DF:6A:9F:23:D6:30:4B
certs/tutorial-joecool.crt:
SHA1 Fingerprint=CD:74:45:C9:A3:A3:55:0A:6C:37:03:B2:49:38:B1:01:99:95:8E:43
Querying the demo agent
Now that you have the certificates, you can query the test agent using the file names:
snmpget -T our_identity=tutorial-joecool \
        -T their_identity=tutorial-agent \
        tlstcp:test.net-snmp.org:10161 sysContact.0
or the fingerprints (or a mix):
snmpget -T our_identity=CD:74:45:C9:A3:A3:55:0A:6C:37:03:B2:49:38:B1:01:99:95:8E:43 \
        -T their_identity=CA:B8:0A:B3:6B:4C:21:2A:F2:92:CD:0B:6B:DF:6A:9F:23:D6:30:4B \
        tls:test.net-snmp.org:10161 sysContact.0
That's a long, ugly command line, so you might want to add some defaults to your configuration file, snmp.conf. The tarball includes a ready-made snmp.conf.tutorial; to make sure no existing snmp.conf is overwritten, append it to your current configuration file rather than copying it into place:
$ cat $HOME/.snmp/snmp.conf.tutorial >> $HOME/.snmp/snmp.conf
Now try this much simpler query:
$ snmpget tls:test.net-snmp.org:10161 sysContact.0
SNMPv2-MIB::sysContact.0 = STRING: Net-SNMP Coders <net-snmp-coders@lists.sourceforge.net>
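The fingerprints shown by net-snmp-cert are what -T their_identity= and -T our_identity= pin a session to, so a certificate fetched over plain HTTP is worth checking against the fingerprint published out of band before it is trusted. The following is an added example, not code from the Net-SNMP tutorial or its tools: it recomputes the SHA-1 fingerprint in the format net-snmp-cert prints (SHA-1 over the DER encoding, colon-separated uppercase hex), compares it in constant time, and only then builds the pinned snmpget command line for the tlstcp: transport on port 10161 as used above. The helper names, the SAMPLE_PEM stand-in and the assumption that a fingerprint may be supplied with or without colons are all constructed here.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for a downloaded agent certificate: the base64 body decodes to
# the bytes b"abc" (a published SHA-1 test vector), not to a real X.509 certificate, so
# the fingerprint it yields is known in advance.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""


def pem_to_der(pem: str) -> bytes:
    """Extract the first CERTIFICATE block of a PEM file and decode it to DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def sha1_fingerprint(pem: str) -> str:
    """SHA-1 over the DER encoding, formatted like 'net-snmp-cert showcert --fingerprint'."""
    digest = hashlib.sha1(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp: str) -> str:
    """Accept a fingerprint typed with or without colons, in either case (assumption)."""
    hexonly = re.sub(r"[^0-9A-Fa-f]", "", fp).upper()
    if len(hexonly) != 40:
        raise ValueError("a SHA-1 fingerprint is 20 bytes (40 hex digits)")
    return ":".join(hexonly[i:i + 2] for i in range(0, 40, 2))


def fingerprint_matches(pem: str, expected: str) -> bool:
    """Constant-time comparison; a mismatch means this is not the certificate you were told about."""
    return hmac.compare_digest(sha1_fingerprint(pem), normalize_fingerprint(expected))


def pinned_snmpget(pem: str, expected_fp: str, our_identity: str, host: str, oid: str) -> list:
    """Return the snmpget argv pinned to the verified agent fingerprint, or refuse to build it."""
    if not fingerprint_matches(pem, expected_fp):
        raise ValueError(f"certificate fingerprint mismatch: got {sha1_fingerprint(pem)}")
    return ["snmpget", "-T", f"our_identity={our_identity}",
            "-T", f"their_identity={normalize_fingerprint(expected_fp)}",
            f"tlstcp:{host}:10161", oid]
```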