
net-snmp-Configuring snmptrapd to receive SNMPv3 notifications

2019-05-29 / General / 5891 characters

http://www.net-snmp.org/wiki/index.php/TUT:Configuring_snmptrapd_to_receive_SNMPv3_notifications

SNMPv3 background

Before you can begin to understand how to use snmptrapd with SNMPv3 protected notifications you need to understand some basic concepts. Specifically, please read:

  • SNMPv3 Options -- Documents how to use Net-SNMP with SNMPv3 in general
  • TUT:snmptrap -- Discussing SNMP notifications and sending them using snmptrap
  • TUT:snmptrap SNMPv3 -- Discussing SNMPv3 notifications and sending them using snmptrap

SNMP INFORMs vs SNMP TRAPs Notifications

SNMP supports two types of notifications: TRAPs and INFORMs. (In SNMPv1, there was only TRAPs; SNMPv2c and SNMPv3 support INFORMs too). There is one fundamental difference between SNMP INFORMs and TRAPs:

TRAPs
Sent by an application or daemon but no response is sent or expected by the notification receiver.
INFORMs
INFORMs are nothing more than an acknowledged TRAP, i.e., when the notification receiver receives an INFORM it sends a response back that indicates "INFORM received". The SNMP engine will also queue up and re-send unacknowledged INFORMs up to a configured number of times over a specified period. (An application may be configured to specify the wait time, the retransmit interval and the number of INFORMs to keep in the queue.)

SNMPv3 INFORMs vs SNMP TRAPs

SNMPv3 with the User-Based Security Model (USM) makes use of an EngineID identifier for the SNMPv3 application that is authoritative (meaning the one that controls the flow of information).

  • With SNMPv3 TRAPs, the authoritative engine is the engine that sends the trap.
  • With SNMPv3 INFORMs, the authoritative engine is the engine that receives the inform.

SNMPv3 USM users are uniquely defined by a combination of the authoritative EngineID and the user name.

Configuring snmptrapd for receiving SNMPv3 INFORMs

Once you have picked whether you want to use TRAPs or INFORMs, follow the directions in the next two sections. Make sure you also read the section below about configuring snmptrapd to allow the configured users to actually log, execute or forward a notification. Without both these instructions and the "authUser" instruction, snmptrapd will display nothing.

Configuring an SNMPv3 TRAP User

Since the application sending the TRAP is authoritative, the user created within snmptrapd must be tied to the EngineID of the sender. You do this by creating a line like the following in your /var/net-snmp/snmptrapd.conf file:

 createUser -e ENGINEID myuser SHA "my authentication pass" AES "my encryption pass"

In the above line, the following things need to be set:

ENGINEID
the EngineID of the application that is going to be sending the trap. (see below)
myuser
the USM username that is going to be sending the trap.
SHA
the authentication type (SHA or MD5, with SHA being better)
"my authentication pass"
The authentication pass-phrase to use to generate the secret authentication key. Enclose it in quotation marks if it contains spaces.
AES
the encryption type to use (AES or DES, with AES being better)
"my encryption pass"
The encryption pass-phrase to use to generate the secret encryption key. Enclose it in quotation marks if it contains spaces. If you leave it off, it will be set to the same pass-phrase as the authentication pass-phrase.

Configuring an SNMPv3 INFORM User

Since the application receiving the INFORM is authoritative, it is the snmptrapd application's own EngineID that is used to uniquely identify the user. You create a new SNMPv3 user tied to your snmptrapd engine simply by adding a line like the following to your /var/net-snmp/snmptrapd.conf file:

 createUser  myuser SHA "my authentication pass" AES "my encryption pass"

In the above line, the following things need to be set:

myuser
the USM username that is going to be sending the inform.
SHA
the authentication type (SHA or MD5, with SHA being better)
"my authentication pass"
The authentication pass-phrase to use to generate the secret authentication key. Enclose it in quotation marks if it contains spaces.
AES
the encryption type to use (AES or DES, with AES being better)
"my encryption pass"
The encryption pass-phrase to use to generate the secret encryption key. Enclose it in quotation marks if it contains spaces. If you leave it off, it will be set to the same pass-phrase as the authentication pass-phrase.

Authorizing your user to do things with the received notifications

Now that your user has been properly created, you still need to allow snmptrapd to do things with the traps and INFORMs that get sent. That is, even once a request has been received and cryptographically verified as authentic, snmptrapd still won't do anything with the notification unless it is allowed to.

In your /usr/local/share/snmp/snmptrapd.conf file put:

 authUser log,execute,net myuser

This line lets snmptrapd log, execute commands on, and forward (net) notifications authenticated with the myuser credentials. (By default, snmptrapd only logs received notifications, but it can be set up to execute commands and to forward notifications elsewhere.) The snmptrapd.conf manual page describes this configuration directive in greater detail; please refer to it for details.

If you want to receive v3 traps (or informs) sent with noAuthNoPriv, you'll need to add noauth to the authUser line:

 authUser log,execute,net myuser noauth
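
The three directives above (createUser for a TRAP user, createUser for an INFORM user, and authUser) are easiest to get right when checked together. The following is an added example written for this page; it is not part of the Net-SNMP wiki or the Net-SNMP distribution. It parses the forms of those two directives shown in this tutorial from an snmptrapd.conf and reports the conditions the text warns about: a created user that is not named in any authUser line (snmptrapd will do nothing with its notifications), an authUser line naming a user that was never created, an encryption pass-phrase left off (and therefore equal to the authentication pass-phrase), MD5 or DES where the text recommends SHA and AES, and noauth authorizations. The EngineID length check (5 to 32 octets) comes from RFC 3411, not from this page, and treating a createUser line with only a user name as a noAuthNoPriv user is an assumption of this example. Both configurations fed to it are constructed, the first from the page's own real-world TRAP example.

```python
import re
import shlex

# Assumption (RFC 3411, not stated on the page): an SnmpEngineID is 5..32 octets.
ENGINE_ID_RE = re.compile(r"^0x(?:[0-9a-fA-F]{2}){5,32}$")
AUTH_PROTOS = {"MD5", "SHA"}          # the choices the tutorial names
PRIV_PROTOS = {"DES", "AES"}
ACTIONS = {"log", "execute", "net"}   # authUser TYPES listed on the page


def parse_create_user(args):
    """args: the words after 'createUser', split with shell quoting rules.
    Form handled: createUser [-e ENGINEID] USER [AUTHPROTO AUTHPASS [PRIVPROTO [PRIVPASS]]]"""
    entry = {"engine_id": None, "user": None, "auth": None, "auth_pass": None,
             "priv": None, "priv_pass": None}
    if args[:1] == ["-e"]:
        if len(args) < 2:
            raise ValueError("createUser: -e needs an EngineID")
        entry["engine_id"], args = args[1], args[2:]
    if not args:
        raise ValueError("createUser: missing user name")
    entry["user"], rest = args[0], args[1:]
    if rest:  # authentication settings (assumption: none given means noAuthNoPriv)
        if rest[0].upper() not in AUTH_PROTOS or len(rest) < 2:
            raise ValueError("createUser: expected MD5|SHA followed by a pass-phrase")
        entry["auth"], entry["auth_pass"], rest = rest[0].upper(), rest[1], rest[2:]
    if rest:  # privacy (encryption) settings
        if rest[0].upper() not in PRIV_PROTOS:
            raise ValueError("createUser: expected DES|AES")
        entry["priv"] = rest[0].upper()
        # Page rule: a missing encryption pass-phrase is set to the authentication pass-phrase.
        entry["priv_pass"] = rest[1] if len(rest) > 1 else entry["auth_pass"]
    return entry


def parse_auth_user(args):
    """authUser TYPES USER [noauth|auth|priv], the form used on this page."""
    if len(args) < 2:
        raise ValueError("authUser: expected TYPES USER [LEVEL]")
    actions = set(args[0].lower().split(","))
    unknown = actions - ACTIONS
    if unknown:
        raise ValueError(f"authUser: unknown type(s) {sorted(unknown)}")
    level = args[2].lower() if len(args) > 2 else None
    if level not in (None, "noauth", "auth", "priv"):
        raise ValueError(f"authUser: unknown level {level!r}")
    return {"actions": actions, "user": args[1], "level": level}


def audit_snmptrapd_conf(text):
    """Parse createUser/authUser lines and return users, authorizations and findings."""
    users, auths, findings = {}, [], []
    for n, raw in enumerate(text.splitlines(), 1):
        words = shlex.split(raw, comments=True)
        if not words:
            continue
        directive, args = words[0].lower(), words[1:]  # 'authuser' on the page == 'authUser'
        if directive == "createuser":
            u = parse_create_user(args)
            users[u["user"]] = u
            eid = u["engine_id"]
            if eid is not None and not ENGINE_ID_RE.match(eid):
                findings.append(f"line {n}: EngineID {eid!r} is not 0x-prefixed hex of 5..32 octets")
            if u["auth"] is None:
                findings.append(f"line {n}: user {u['user']} has no authentication (noAuthNoPriv)")
            elif u["priv"] is None:
                findings.append(f"line {n}: user {u['user']} has no encryption (authNoPriv)")
            if u["auth"] == "MD5":
                findings.append(f"line {n}: user {u['user']} uses MD5; the page recommends SHA")
            if u["priv"] == "DES":
                findings.append(f"line {n}: user {u['user']} uses DES; the page recommends AES")
            if u["priv"] and u["priv_pass"] == u["auth_pass"]:
                findings.append(f"line {n}: user {u['user']} reuses its authentication pass-phrase for encryption")
        elif directive == "authuser":
            a = parse_auth_user(args)
            a["line"] = n
            auths.append(a)
    for a in auths:
        if a["user"] not in users:
            findings.append(f"line {a['line']}: authUser names unknown user {a['user']}")
        if a["level"] == "noauth":
            findings.append(f"line {a['line']}: user {a['user']} is authorized for noAuthNoPriv notifications")
    authorized = {a["user"] for a in auths}
    for name in users:
        if name not in authorized:
            findings.append(f"user {name}: created but not named in any authUser line, "
                            "so snmptrapd will do nothing with its notifications")
    return {"users": users, "auths": auths, "findings": findings}


# Constructed input 1: the page's real-world TRAP configuration.
PAGE_TRAP_CONF = """\
createUser -e 0x8000000001020304 traptest SHA mypassword AES
authuser log traptest
"""

# Constructed input 2: a deliberately sloppy file to exercise every check.
WEAK_CONF = """\
createUser -e 0x80 weak MD5 "pass one" DES "pass two"
createUser orphan SHA "my authentication pass" AES "my encryption pass"
authUser log,execute,net weak noauth
authUser log ghost
"""

if __name__ == "__main__":
    for label, conf in (("page example", PAGE_TRAP_CONF), ("weak example", WEAK_CONF)):
        print(f"== {label}")
        for finding in audit_snmptrapd_conf(conf)["findings"]:
            print(" -", finding)
```

On the page's own TRAP example the only finding is that traptest's encryption key is derived from the same pass-phrase as its authentication key, which is exactly what the text says happens when the last argument is omitted. Malformed lines raise ValueError rather than being skipped, so a typo in a directive is caught before snmptrapd is started.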

Real World Examples

An SNMPv3 TRAP

(for this, I'm making up an engineID to use: 0x8000000001020304)

In a /tmp/snmptrapd.conf file put:

 createUser -e 0x8000000001020304 traptest SHA mypassword AES
 authuser log traptest

Then start snmptrapd pointing to that file (runs in the foreground, uses only that config file and logs to stderr):

 snmptrapd -f -C -c /tmp/snmptrapd.conf -Le

Then run snmptrap (in another window) to send a linkup trap:

 snmptrap -v 3 -n "" -a SHA -A mypassword -x AES -X mypassword -l authPriv -u traptest -e 0x8000000001020304 localhost 0 linkUp.0

You should see this in the output of the window running snmptrapd:

 2007-10-10 10:19:11 localhost [UDP: [127.0.0.1]:46380]: DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (0) 0:00:00.00 SNMPv2-MIB::snmpTrapOID.0 = OID: IF-MIB::linkUp.0

Success!

An SNMPv3 INFORM

In a /tmp/snmptrapd.conf file put:

 createUser informtest SHA mypassword AES
 authuser log informtest

Then start snmptrapd pointing to that file (runs in the foreground, uses only that config file and logs to stderr):

 snmptrapd -f -C -c /tmp/snmptrapd.conf -Le

Then run snmptrap (in another window) to send a linkup inform (the -Ci switch makes snmptrap send an inform):

 snmptrap -Ci -v 3 -a SHA -A mypassword -x AES -X mypassword -l authPriv -u informtest localhost 0 linkUp.0

You should see this in the output of the window running snmptrapd:

 2007-10-10 10:26:39 localhost [UDP: [127.0.0.1]:46380]: DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (0) 0:00:00.00 SNMPv2-MIB::snmpTrapOID.0 = OID: IF-MIB::linkUp.0

Success!
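
To check a test run like the two above without reading the terminal by eye, here is an added example (not from the Net-SNMP wiki or the Net-SNMP distribution). It does two things: it derives the snmptrap command line from a createUser entry, applying the rule from the background section that a TRAP sender is authoritative and must therefore present the EngineID the receiver bound the user to (-e), while an INFORM sender (-Ci) must not; and it parses the notification lines snmptrapd -Le prints into fields so the expected trap OID can be asserted. It goes slightly beyond the page in deriving the -l level (noAuthNoPriv, authNoPriv or authPriv) from which protocols the user has. The user entries and log lines are constructed from the page's examples; the noise line is made up.

```python
import re

# Log format snmptrapd -Le produced in the tutorial's two runs:
# "<date> <time> <host> [<transport>]: <name> = <value> <name> = <value> ..."
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"\[(?P<transport>.+?)\]: (?P<varbinds>.*)$"
)
# Varbinds are separated by whitespace followed by the next "MIB::object = " pair.
VARBIND_SPLIT = re.compile(r"\s+(?=\S+::\S+ = )")


def parse_trapd_line(line):
    """Return a dict for one snmptrapd notification record, or None for any other line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    varbinds = [tuple(chunk.split(" = ", 1)) for chunk in VARBIND_SPLIT.split(m["varbinds"])]
    rec = {"ts": m["ts"], "host": m["host"], "transport": m["transport"],
           "varbinds": varbinds, "trap_oid": None}
    for name, value in varbinds:
        if name == "SNMPv2-MIB::snmpTrapOID.0":
            rec["trap_oid"] = value[len("OID: "):] if value.startswith("OID: ") else value
    return rec


def find_notifications(lines, trap_oid):
    """All parsed records whose snmpTrapOID.0 matches trap_oid."""
    recs = (parse_trapd_line(l) for l in lines)
    return [r for r in recs if r and r["trap_oid"] == trap_oid]


def security_level(entry):
    if entry["auth"] is None:
        return "noAuthNoPriv"
    return "authPriv" if entry["priv"] else "authNoPriv"


def snmptrap_argv(entry, target="localhost", trap_oid="linkUp.0", inform=False):
    """Build the snmptrap argument list matching a createUser entry.
    TRAP: -e carries the EngineID the receiver tied the user to (sender is authoritative).
    INFORM: -Ci and no -e (receiver is authoritative)."""
    argv = ["snmptrap"]
    if inform:
        argv.append("-Ci")
    argv += ["-v", "3"]
    if not inform:
        if not entry["engine_id"]:
            raise ValueError("a TRAP user must be bound to the sender's EngineID")
        argv += ["-n", ""]
    if entry["auth"]:
        argv += ["-a", entry["auth"], "-A", entry["auth_pass"]]
    if entry["priv"]:
        argv += ["-x", entry["priv"], "-X", entry["priv_pass"]]
    argv += ["-l", security_level(entry), "-u", entry["user"]]
    if not inform:
        argv += ["-e", entry["engine_id"]]
    argv += [target, "0", trap_oid]
    return argv


# Constructed from the page's two createUser lines (no priv pass-phrase -> same as auth).
TRAP_USER = {"engine_id": "0x8000000001020304", "user": "traptest", "auth": "SHA",
             "auth_pass": "mypassword", "priv": "AES", "priv_pass": "mypassword"}
INFORM_USER = {"engine_id": None, "user": "informtest", "auth": "SHA",
               "auth_pass": "mypassword", "priv": "AES", "priv_pass": "mypassword"}

# Constructed log: the page's two output lines plus one made-up non-record line.
SAMPLE_LOG = [
    "2007-10-10 10:19:11 localhost [UDP: [127.0.0.1]:46380]: DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (0) 0:00:00.00 SNMPv2-MIB::snmpTrapOID.0 = OID: IF-MIB::linkUp.0",
    "constructed noise line that is not a notification record",
    "2007-10-10 10:26:39 localhost [UDP: [127.0.0.1]:46380]: DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (0) 0:00:00.00 SNMPv2-MIB::snmpTrapOID.0 = OID: IF-MIB::linkUp.0",
]

if __name__ == "__main__":
    print(" ".join(repr(a) if a == "" else a for a in snmptrap_argv(TRAP_USER)))
    print(" ".join(snmptrap_argv(INFORM_USER, inform=True)))
    for rec in find_notifications(SAMPLE_LOG, "IF-MIB::linkUp.0"):
        print(rec["ts"], rec["transport"], rec["trap_oid"])
```

The argument lists reproduce the two snmptrap commands from the examples token for token, so the functions can be handed to subprocess.run without shell quoting, and the empty context name (-n "") survives as an empty argument rather than disappearing. Requesting a TRAP command line for the INFORM user raises ValueError, which is the mistake the background section warns about: a user not bound to a sender EngineID cannot be used for traps.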
