Difference between revisions of "Using DTLS"

From Net-SNMP Wiki
Jump to: navigation, search
(Configuring snmpd and snmptrapd to Accept DTLS Connections)
Line 3: Line 3:
 
== Generating X.509 Certificates ==
 
== Generating X.509 Certificates ==
  
== Configuring snmpd and snmptrapd to Accept DTLS Connections ==
+
== Configuring Servers ==
  
 
=== Configuring Certificates ===
 
=== Configuring Certificates ===
Line 22: Line 22:
 
   defX509ClientCerts /path/to/for-users.cert
 
   defX509ClientCerts /path/to/for-users.cert
  
=== Opening and Listening on a port ===
+
=== Opening and Listening on a Port for DTLS traffic ===
  
 
[[snmpd]] and [[snmptrapd]] can both be configured to accept and process connections sent over DTLS.  This is done on the command line using the ''dtls:'' addressing specifier.  E.G. this:
 
[[snmpd]] and [[snmptrapd]] can both be configured to accept and process connections sent over DTLS.  This is done on the command line using the ''dtls:'' addressing specifier.  E.G. this:

Revision as of 19:04, 29 April 2009

SNMP over DTLS over UDP is supported in Net-SNMP 5.5 and beyond. This page describes what is necessary to configure the software to use it.

Generating X.509 Certificates

Configuring Servers

Configuring Certificates

The tokens for specifying which X.509 certificates are configured in the snmp.conf file. Note: NOT the snmpd.conf file. The tokens are specific to all applications and thus belong in the snmp.conf file (without the "d"). If you wish to put them in the snmpd.conf file you can do so by prefixing the lines with [snmp], as described in the snmp_config manual page.

Setting the Server's Certificate

The server needs to be configured with both it's private and public keys. To do this, use the following two snmp.conf tokens to configure the server:

 defX509ServerPub  /path/to/servercert.cert
 defX509ServerPriv /path/to/servercert.priv

Recognizing Client Certificates

Additionally, the client's incoming certificates need to be cryptographically checked and verified. To define the root CA certificates, or self-signed certificates, they all need to be put together in a single file containing a concatenated set of acceptable certificates:

 defX509ClientCerts /path/to/for-users.cert

Opening and Listening on a Port for DTLS traffic

snmpd and snmptrapd can both be configured to accept and process connections sent over DTLS. This is done on the command line using the dtls: addressing specifier. E.G. this:

 snmpd dtls:9161

tells snmpd to open port 9161 and listen for incoming SNMP over DTLS connections on it.

Configuring the Applications

Tools like snmpget, snmpwalk or anything that uses the core session structures within the main Net-Snmp library like the perl and python modules can make use of DTLS using the procedures described below.

Setting the Clients's Certificate

The client needs to be configured with both it's private and public keys. To do this, use the following two snmp.conf tokens to configure the client:

 defX509ClientPub  /path/to/user-cert.cert
 defX509ClientPriv /path/to/user-cert.priv

Recognizing Client Certificates

Additionally, the certificates for the servers that the client should connect to need to be cryptographically checked and verified. To define the server's root CA certificates, or self-signed certificates, they all need to be put together in a single file containing a concatenated set of acceptable certificates:

 defX509ServerCerts /path/to/servers.cert