TUT:Configuring snmptrapd to receive SNMPv3 notifications
Revision as of 21:59, 15 May 2008
SNMPv3 background
Before you can begin to understand how to use snmptrapd with SNMPv3 protected notifications you need to understand some basic concepts. Specifically, please read:
- SNMPv3 Options -- Documents how to use Net-SNMP with SNMPv3 in general
- TUT:snmptrap -- Discussing SNMP notifications and sending them using snmptrap
- TUT:snmptrap SNMPv3 -- Discussing SNMPv3 notifications and sending them using snmptrap
SNMP INFORMs vs SNMP TRAPs Notifications
SNMP supports two types of notifications: TRAPs and INFORMs. (SNMPv1 had only TRAPs; SNMPv2c and SNMPv3 support INFORMs too.) There is one fundamental difference between SNMP INFORMs and TRAPs:
- TRAPs: sent by an application or daemon; no response is sent or expected from the notification receiver.
- INFORMs: an INFORM is nothing more than an acknowledged TRAP, i.e., when the notification receiver receives an INFORM it sends a response back that says "I got it". (An application may be configured to send an INFORM more than once if it fails to receive the acknowledgment.)
SNMPv3 INFORMs vs SNMP TRAPs
SNMPv3 with the User-Based Security Model (USM) uses an EngineID to identify the SNMPv3 application that is authoritative (meaning the one that controls the flow of information).
- With SNMPv3 TRAPs, the authoritative engine is the engine that sends the trap.
- With SNMPv3 INFORMs, the authoritative engine is the engine that receives the INFORM.
SNMPv3 USM users are uniquely defined by a combination of the authoritative EngineID and the user name.
Configuring snmptrapd for receiving SNMPv3 INFORMs
Once you have decided whether to use TRAPs or INFORMs, follow the directions in the appropriate one of the next two sections. Also make sure you read the section below on authorizing users, which is what allows the configured users to actually log, execute or forward a notification. Without both a createUser line and the authUser line, snmptrapd will display nothing.
Configuring an SNMPv3 TRAP User
Since the application sending the TRAP is authoritative, the user created within snmptrapd must be tied to the EngineID of the sender. You do this by creating a line like the following in your /var/net-snmp/snmptrapd.conf file:
createUser -e ENGINEID myuser SHA "my authentication pass" AES "my encryption pass"
In the above line, the following things need to be set:
- ENGINEID: the EngineID of the application that is going to be sending the trap (see below).
- myuser: the USM username that is going to be sending the trap.
- SHA: the authentication type (SHA or MD5, with SHA being better).
- "my authentication pass": the authentication pass-phrase used to generate the secret authentication key. Enclose it in quotation marks if it contains spaces.
- AES: the encryption type to use (AES or DES, with AES being better).
- "my encryption pass": the encryption pass-phrase used to generate the secret encryption key. Enclose it in quotation marks if it contains spaces. If you leave it off, it will be set to the same pass-phrase as the authentication pass-phrase.
Configuring an SNMPv3 INFORM User
Since the application receiving the INFORM is authoritative, it is the snmptrapd application's own EngineID that helps uniquely identify the user. You can create a new SNMPv3 user in your snmptrapd application, tied to the snmptrapd engine, simply by creating a line like the following in your /var/net-snmp/snmptrapd.conf file:
createUser myuser SHA "my authentication pass" AES "my encryption pass"
In the above line, the following things need to be set:
- myuser: the USM username that is going to be sending the INFORM.
- SHA: the authentication type (SHA or MD5, with SHA being better).
- "my authentication pass": the authentication pass-phrase used to generate the secret authentication key. Enclose it in quotation marks if it contains spaces.
- AES: the encryption type to use (AES or DES, with AES being better).
- "my encryption pass": the encryption pass-phrase used to generate the secret encryption key. Enclose it in quotation marks if it contains spaces. If you leave it off, it will be set to the same pass-phrase as the authentication pass-phrase.
Authorizing your user to do things with the received notifications
Now that your user has been properly created, you still need to allow snmptrapd to do things with the traps and INFORMs that get sent. That is, even though the request has been received and (cryptographically) verified as authentic, snmptrapd still won't do anything with the notification unless it has been allowed to.
In your /usr/local/share/snmp/snmptrapd.conf file put:
authUser log,execute,net myuser
This line lets snmptrapd log, execute commands for, and forward notifications that were authenticated with myuser's pass-phrases. (By default, snmptrapd only logs received notifications, but it can be set up to execute commands and to forward notifications somewhere else.) The snmptrapd.conf manual page describes this configuration directive, and the other options that are available, in greater detail; please refer to it.
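As an added check, not part of this tutorial or of Net-SNMP itself, the Python script below parses the createUser and authUser lines of a snmptrapd.conf and reports the pitfalls the sections above describe: a user with no authUser line (its notifications are silently dropped), a user created without -e (which can only receive INFORMs), MD5 or DES where SHA and AES are preferred, authUser grants beyond the default of log, and pass-phrases shorter than the eight characters USM requires. The sample configuration is constructed for the example.

```python
import shlex

MIN_PASSPHRASE = 8        # USM pass-phrases must be at least 8 characters long
WEAK = {"MD5", "DES"}     # the tutorial prefers SHA and AES over these

def parse_conf(text):  # collect createUser and authUser directives
    users, authusers = {}, {}
    for raw in text.splitlines():
        tok = shlex.split(raw.split("#", 1)[0])   # drop comments, honour quotes
        if not tok:
            continue
        directive, args = tok[0].lower(), tok[1:]
        if directive == "createuser":
            # createUser [-e ENGINEID] USER AUTH AUTHPASS [PRIV [PRIVPASS]]
            engineid = args[1] if args[:1] == ["-e"] else None
            args = args[2:] if engineid else args
            name, auth, authpass, priv, privpass = (args + [None] * 5)[:5]
            users[name] = {"engineid": engineid, "auth": auth, "authpass": authpass,
                           "priv": priv, "privpass": privpass or (authpass if priv else None)}
        elif directive == "authuser":
            # authUser TYPES [-s MODEL] USER [LEVEL ...]
            rest = args[3:] if args[1:2] == ["-s"] else args[1:]
            authusers.setdefault(rest[0], set()).update(args[0].lower().split(","))
    return users, authusers

def lint(text):  # one finding per pitfall the tutorial warns about
    users, authusers = parse_conf(text)
    findings = []
    for name, u in users.items():
        if name not in authusers:
            findings.append(f"{name}: no authUser line, snmptrapd will drop its notifications")
        elif authusers[name] - {"log"}:
            findings.append(f"{name}: authUser also grants {','.join(sorted(authusers[name] - {'log'}))}")
        if u["engineid"] is None:
            findings.append(f"{name}: no -e ENGINEID, only INFORMs can be received for this user")
        for kind in ("auth", "priv"):
            if u[kind] and u[kind].upper() in WEAK:
                findings.append(f"{name}: {u[kind]} is the weaker {kind} choice")
            pw = u[kind + "pass"]
            if pw is not None and len(pw) < MIN_PASSPHRASE:
                findings.append(f"{name}: {kind}pass shorter than {MIN_PASSPHRASE} characters")
    return findings

SAMPLE_CONF = """# constructed sample: the tutorial's two users plus a badly configured one
createUser -e 0x8000000001020304 traptest SHA mypassword AES
authUser log traptest
createUser informtest SHA mypassword AES
authUser log,execute,net informtest
createUser legacy MD5 short DES
"""
```

Running lint(SAMPLE_CONF) reports nothing for traptest, two informational findings for informtest, and six for legacy.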
Real World Examples
An SNMPv3 TRAP
(for this, I'm making up an engineID to use: 0x8000000001020304)
In a /tmp/snmptrapd.conf file put:
createUser -e 0x8000000001020304 traptest SHA mypassword AES
authuser log traptest
Then start snmptrapd pointing to that file (runs in the foreground, uses only that config file and logs to stderr):
snmptrapd -f -C -c /tmp/snmptrapd.conf -Le
Then run snmptrap (in another window) to send a linkup trap:
snmptrap -v 3 -a SHA -A mypassword -x AES -X mypassword -l authPriv -u traptest -e 0x8000000001020304 localhost 0 linkUp.0
You should see this in the output of the window running snmptrapd:
2007-10-10 10:19:11 localhost [UDP: [127.0.0.1]:46380]: DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (0) 0:00:00.00 SNMPv2-MIB::snmpTrapOID.0 = OID: IF-MIB::linkUp.0
Success!
An SNMPv3 INFORM
In a /tmp/snmptrapd.conf file put:
createUser informtest SHA mypassword AES
authuser log informtest
Then start snmptrapd pointing to that file (runs in the foreground, uses only that config file and logs to stderr):
snmptrapd -f -C -c /tmp/snmptrapd.conf -Le
Then run snmptrap (in another window) to send a linkup inform (the -Ci switch makes snmptrap send an inform):
snmptrap -Ci -v 3 -a SHA -A mypassword -x AES -X mypassword -l authPriv -u informtest localhost 0 linkUp.0
You should see this in the output of the window running snmptrapd:
2007-10-10 10:26:39 localhost [UDP: [127.0.0.1]:46380]: DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (0) 0:00:00.00 SNMPv2-MIB::snmpTrapOID.0 = OID: IF-MIB::linkUp.0
Success!
Left To The Reader
- Turn on the -d switch for both snmptrap and snmptrapd to watch how packets traverse the applications. Note that INFORMs require more packets, since the snmptrap application first has to probe the snmptrapd daemon for its EngineID, then send the INFORM and receive the response that is sent back. However, INFORMs are more robust because of this acknowledgment.