Difference between revisions of "TUT:Configuring snmptrapd to receive SNMPv3 notifications"

From Net-SNMP Wiki
Revision as of 17:02, 10 October 2007

SNMPv3 background

Before you can begin to understand how to use snmptrapd with SNMPv3 protected notifications you need to understand some basic concepts. Specifically, please read:

  • SNMPv3 Options -- Documents how to use Net-SNMP with SNMPv3 in general
  • TUT:snmptrap -- Discussing SNMP notifications and sending them using snmptrap
  • TUT:snmptrap SNMPv3 -- Discussing SNMPv3 notifications and sending them using snmptrap

SNMP INFORMs vs SNMP TRAPs Notifications

SNMP supports two types of notifications: TRAPs and INFORMs. (In SNMPv1 there were only TRAPs; SNMPv2c and SNMPv3 support INFORMs too.) There is one fundamental difference between SNMP INFORMs and TRAPs:

TRAPs
Sent by an application or daemon; no response is sent by, or expected from, the notification receiver.
INFORMs
INFORMs are nothing more than an acknowledged TRAP, i.e. when the notification receiver receives an INFORM it sends a response back that indicates "I got it". (An application may be configured to resend the INFORM if it does not receive an acknowledgment.)

SNMPv3 INFORMs vs SNMP TRAPs

SNMPv3 with the User-Based Security Model (USM) makes use of an EngineID identifier for the SNMPv3 application that is authoritative (meaning the one who controls the flow of information).

  • With SNMPv3 TRAPs, the authoritative engine is the engine that sends the trap.
  • With SNMPv3 INFORMs, the authoritative engine is the engine that receives the trap.

SNMPv3 USM users are uniquely defined by a combination of the authoritative EngineID and the user name.

Configuring snmptrapd for receiving SNMPv3 TRAPs

Since the application sending the TRAP is authoritative, the user created within snmptrapd must be tied to the EngineID of the sender of the trap. You do this by creating a line like the following in your /var/net-snmp/snmptrapd.conf file:

 createUser -e ENGINEID myuser SHA "my authentication pass" AES "my encryption pass"

In the above line, the following things need to be set:

ENGINEID: the EngineID of the application that is going to be sending the trap. (see below)
myuser: the USM username that is going to be sending the trap.
SHA: the authentication type (SHA or MD5, with SHA being better).
"my authentication pass": the authentication pass-phrase used to generate the secret authentication key. Enclose it in quotation marks if it contains spaces.
AES: the encryption type to use (AES or DES, with AES being better).
"my encryption pass": the encryption pass-phrase used to generate the secret encryption key. Enclose it in quotation marks if it contains spaces. If you leave it off, it is set to the same pass-phrase as the authentication pass-phrase.
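The reason the createUser line has to carry the sender's EngineID becomes concrete once you look at how USM turns a pass-phrase into a key. The following Python is an added example, not code from the Net-SNMP wiki or the Net-SNMP project: it parses a createUser line, derives the master key Ku and the EngineID-localized key Kul exactly as RFC 3414 Appendix A.2 specifies (Kul = H(Ku || engineID || Ku)), flags the weaker choice of each pair the page names, and shows that a trap sender with a different EngineID ends up with a different key, so authentication of its traps would fail. The createUser line and the "other sender" EngineID are constructed sample values; the pass-phrase "maplesyrup" and EngineID 000000000000000000000002 are the published RFC 3414 A.3 test vector so the derived keys can be checked.

```python
# Added example (not from the Net-SNMP wiki): derive the USM keys that a
# "createUser -e ENGINEID ..." line yields, per RFC 3414 Appendix A.2, to
# show why the EngineID must be the trap sender's. The createUser line and
# the second EngineID below are constructed sample values; pass-phrase
# "maplesyrup" with EngineID 000000000000000000000002 is the RFC 3414 A.3
# test vector.
import hashlib
import shlex

# Authentication protocols named on the page, mapped to hashlib names.
HASH_FOR_AUTH = {"MD5": "md5", "SHA": "sha1"}
MEGABYTE = 1048576  # RFC 3414 A.2 hashes 1,048,576 octets of repeated password


def password_to_ku(password: str, auth_proto: str) -> bytes:
    """Master key Ku from a pass-phrase (RFC 3414 A.2.1 / A.2.2)."""
    if len(password) < 8:
        # USM pass-phrases must be at least 8 characters (RFC 3414)
        raise ValueError("USM pass-phrases must be at least 8 characters")
    raw = password.encode()
    # repeat the pass-phrase until 1 MiB is reached, truncating the last copy
    stream = (raw * (MEGABYTE // len(raw) + 1))[:MEGABYTE]
    return hashlib.new(HASH_FOR_AUTH[auth_proto], stream).digest()


def localize_key(ku: bytes, engine_id: bytes, auth_proto: str) -> bytes:
    """Localized key Kul = H(Ku || engineID || Ku); this is what ties a USM
    user to exactly one authoritative EngineID."""
    return hashlib.new(HASH_FOR_AUTH[auth_proto], ku + engine_id + ku).digest()


def parse_create_user(line: str) -> dict:
    """Split an snmptrapd.conf line of the form
    createUser -e ENGINEID user AUTH "pass" [PRIV ["pass"]]
    into its fields, applying the page's default for a missing priv pass."""
    tok = shlex.split(line)
    if len(tok) < 6 or tok[0] != "createUser" or tok[1] != "-e":
        raise ValueError('expected: createUser -e ENGINEID user AUTH "pass" [PRIV ["pass"]]')
    engine_hex = tok[2][2:] if tok[2].lower().startswith("0x") else tok[2]
    cfg = {
        "engine_id": bytes.fromhex(engine_hex),
        "user": tok[3],
        "auth_proto": tok[4].upper(),
        "auth_pass": tok[5],
        "priv_proto": tok[6].upper() if len(tok) > 6 else None,
        # page: an omitted encryption pass-phrase equals the authentication one
        "priv_pass": tok[7] if len(tok) > 7 else tok[5],
    }
    if cfg["auth_proto"] not in HASH_FOR_AUTH:
        raise ValueError("unknown authentication protocol " + cfg["auth_proto"])
    return cfg


def weak_settings(cfg: dict) -> list:
    """Flag the weaker option of each pair the page names."""
    warnings = []
    if cfg["auth_proto"] == "MD5":
        warnings.append("MD5 authentication: SHA is the better choice")
    if cfg["priv_proto"] == "DES":
        warnings.append("DES encryption: AES is the better choice")
    return warnings


def localized_auth_key(cfg: dict) -> bytes:
    """The authentication key snmptrapd will derive from this createUser line."""
    ku = password_to_ku(cfg["auth_pass"], cfg["auth_proto"])
    return localize_key(ku, cfg["engine_id"], cfg["auth_proto"])


def key_matches_sender(cfg: dict, sender_engine_id: bytes) -> bool:
    """True only if the key snmptrapd derives equals the one a sender with
    sender_engine_id derives from the same pass-phrase; a wrong -e EngineID
    makes every authenticated trap from that sender fail verification."""
    ku = password_to_ku(cfg["auth_pass"], cfg["auth_proto"])
    return localize_key(ku, sender_engine_id, cfg["auth_proto"]) == localized_auth_key(cfg)


if __name__ == "__main__":
    # Constructed snmptrapd.conf line using the RFC 3414 A.3 test EngineID.
    line = 'createUser -e 0x000000000000000000000002 myuser SHA "maplesyrup" AES "my encryption pass"'
    cfg = parse_create_user(line)
    print("localized auth key:", localized_auth_key(cfg).hex())
    print("warnings:", weak_settings(cfg))
    # Constructed: a sender whose EngineID differs in the last byte.
    other_sender = bytes.fromhex("000000000000000000000003")
    print("key matches that sender:", key_matches_sender(cfg, other_sender))
```

Running it prints the RFC 3414 SHA localized key for the test vector and reports that the sender with the mismatched EngineID does not share the key, which is the failure you see in practice when the -e value in snmptrapd.conf does not match the trap sender.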
