Configure SNMPv3
Why SNMPv3
Where available, version 3 of the SNMP standard should be used: it authenticates every request with a per-user key (the User-based Security Model, USM) instead of a community name that crosses the network in the clear, and it can encrypt the payload as well. It is somewhat harder to set up than SNMPv1 and SNMPv2c, but not onerous.
Configuring net-snmp agents for SNMP V3
On the agent that runs on the remote server to be monitored, a user must be created with an authentication protocol and passphrase (used to sign requests) and a privacy protocol and passphrase (used to encrypt them). See the manual (man) entry for snmpd.conf for more information.
For the net-snmp agent shipped with most versions of Linux, create /etc/snmp/snmpd.conf with entries like:
# For SNMP V3
# Uncomment next 5 lines
com2sec snmpv3test localhost dummycontext
com2sec snmpv3test zen42 dummycontext
group snmpv3group usm snmpv3test
access snmpv3group "" usm priv exact all all all
rwuser jane

Of these, the line that matters for the user created below is rwuser jane: it grants jane read-write access and, with no level suffix, accepts authNoPriv or better. Write rwuser jane priv (or rouser jane priv for a read-only monitoring user) to insist on authPriv. The com2sec, group and access lines only take effect for a security name called snmpv3test, which this page never creates as a USM user, so they can be omitted.
Create SNMPv3 User
Now, use the net-snmp-config utility to create the SNMP v3 user (jane in this case).
You need to specify a password for authentication (-A) and a password for encryption (-X), along with the algorithms to be used for authentication and encryption.
Note: On CentOS/RHEL, net-snmp-devel must be installed to provide net-snmp-config. Newer net-snmp releases also ship net-snmp-create-v3-user in the base package, which takes the same options.
To do this, first stop snmpd (it rewrites /var/lib/net-snmp/snmpd.conf when it exits and would otherwise overwrite the user you are about to add):
# /etc/init.d/snmpd stop
On systemd hosts the equivalent is systemctl stop snmpd.
Then run the following command. It keeps the page's MD5/DES choice; on any agent that supports them, prefer -a SHA -x AES, since MD5 and DES are deprecated for USM. Passphrases must be at least 8 characters or net-snmp refuses them.
# net-snmp-config --create-snmpv3-user -A fraclmyea -X fraclmyex -x DES -a MD5 jane
This appends a line of the form createUser jane MD5 "fraclmyea" DES "fraclmyex" to /var/lib/net-snmp/snmpd.conf and rwuser jane to /etc/snmp/snmpd.conf (with the configuration above that line is already present; the duplicate is harmless). When snmpd next starts it reads the createUser line, derives keys localized to its engineID, and rewrites the persistent file with a usmUser entry in place of the createUser line, so the cleartext passphrases do not remain on disk.
Testing
Test your SNMPv3 configuration as follows:
$ snmpwalk -v 3 -a MD5 -A fraclmyea -l authNoPriv -u jane lotschy system
$ snmpwalk -v 3 -a MD5 -A fraclmyea -X fraclmyex -l authPriv -u jane lotschy system
The tests shown above are to a target called lotschy for the MIB-2 system tree. The second command omits -x because DES is snmpwalk's default privacy protocol; pass -x AES if the user was created with AES. Because rwuser jane carries no level suffix, the agent answers the first, unencrypted walk as well; it stops doing so once you change the line to rwuser jane priv.
Note: net-snmp packages on different operating systems differ slightly. For example, openSUSE does not need the net-snmp-devel package, and the rwuser line is written to a separate snmpd.conf under /usr/share/snmp (created automatically if it does not exist).
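The steps above, as an added example that is not part of the original page and not net-snmp's own tooling: a shell script that does what net-snmp-config --create-snmpv3-user does (writes the createUser line to the persistent file and a rouser/rwuser line to /etc/snmp/snmpd.conf), but goes further than the page in three ways: it uses SHA/AES and refuses MD5/DES, it checks the 8-character USM passphrase minimum and writes idempotently so a rerun does not duplicate the user, and its verification step checks both that the authPriv walk works and that an unauthenticated request for the same user is refused. The paths are the stock net-snmp ones; the host lotschy, the user jane and the passphrases are placeholders from this page; the SNMPV3_APPLY guard keeps the script from touching the live system unless asked.

```shell
#!/bin/sh
# Added example (not from the original page): provision an SNMPv3 user for a
# net-snmp agent with SHA/AES and check the result. Paths are the stock
# net-snmp ones; "lotschy", "jane" and the passphrases are placeholders.

# USM passphrases must be at least 8 characters; net-snmp rejects shorter ones.
snmpv3_check_passphrase() {
    [ "${#1}" -ge 8 ]
}

# Accept only SHA-family authentication and AES privacy. net-snmp still accepts
# MD5 and DES, but they are deprecated for USM, so this refuses them.
# SHA-256/SHA-512 need net-snmp 5.8 or later.
snmpv3_check_protocols() {
    case "$1" in SHA|SHA-256|SHA-512) ;; *) return 1 ;; esac
    case "$2" in AES) ;; *) return 1 ;; esac
}

# The line snmpd consumes from its persistent file on the next start; snmpd
# replaces it there with a usmUser entry whose keys are localized to the engineID.
snmpv3_createuser_line() {
    printf 'createUser %s %s "%s" %s "%s"\n' "$1" "$2" "$3" "$4" "$5"
}

# Access line for /etc/snmp/snmpd.conf: read-only unless "rw" is requested, and
# the trailing "priv" raises the minimum security level from authNoPriv to authPriv.
snmpv3_access_line() {
    case "${2:-ro}" in
        ro) printf 'rouser %s priv\n' "$1" ;;
        rw) printf 'rwuser %s priv\n' "$1" ;;
        *)  return 1 ;;
    esac
}

# Write both fragments under $root (default: the real filesystem). Rerunning does
# not duplicate them. snmpd must be stopped first or it overwrites the persistent
# file on exit. Arguments: user auth authpass priv privpass [root] [ro|rw]
snmpv3_install_user() {
    user=$1 auth=$2 authpass=$3 priv=$4 privpass=$5 root=${6:-}
    snmpv3_check_passphrase "$authpass" && snmpv3_check_passphrase "$privpass" || {
        echo "passphrase shorter than 8 characters" >&2; return 1; }
    snmpv3_check_protocols "$auth" "$priv" || {
        echo "unsupported or deprecated protocol: $auth/$priv" >&2; return 1; }
    persist="$root/var/lib/net-snmp/snmpd.conf"
    conf="$root/etc/snmp/snmpd.conf"
    mkdir -p "${persist%/*}" "${conf%/*}"
    grep -qE "^createUser $user |^usmUser .*\"$user\"" "$persist" 2>/dev/null ||
        snmpv3_createuser_line "$user" "$auth" "$authpass" "$priv" "$privpass" >> "$persist"
    grep -qE "^r[ow]user $user( |$)" "$conf" 2>/dev/null ||
        snmpv3_access_line "$user" "${7:-ro}" >> "$conf"
}

# Positive and negative check against a running agent: the authPriv walk must
# return sysDescr, and an unauthenticated request for the same user must not.
snmpv3_verify() {
    host=$1 user=$2 auth=$3 authpass=$4 priv=$5 privpass=$6
    snmpwalk -v3 -l authPriv -u "$user" -a "$auth" -A "$authpass" \
        -x "$priv" -X "$privpass" "$host" system | grep -q sysDescr || return 1
    if snmpwalk -v3 -l noAuthNoPriv -u "$user" "$host" system 2>/dev/null | grep -q sysDescr; then
        echo "agent answered an unauthenticated request for $user" >&2
        return 1
    fi
}

# Only touches the live system when explicitly asked: SNMPV3_APPLY=1 sh snmpv3-user.sh
if [ "${SNMPV3_APPLY:-0}" = 1 ]; then
    systemctl stop snmpd                      # /etc/init.d/snmpd stop on older systems
    snmpv3_install_user jane SHA fraclmyea AES fraclmyex "" rw
    systemctl start snmpd
    snmpv3_verify lotschy jane SHA fraclmyea AES fraclmyex && echo "SNMPv3 user jane verified"
fi
```

The negative check in snmpv3_verify is the part worth keeping around: a freshly cloned or re-imaged agent that silently reverts to rwuser jane with no level suffix still passes the authPriv walk, and only the refused noAuthNoPriv request shows that encryption is actually being enforced.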
Configuring Cisco IOS for SNMPv3
Note: Cisco SNMPv3 authPriv requires an IOS image with the cryptographic (k9) feature set, which carries export restrictions with scary warnings. Please follow them.
! this block is taken from Cisco's DocWiki
snmp-server group V3Group v3 [auth/noauth] read V3Read write V3Write
snmp-server user V3User V3Group v3 auth [sha/md5] [password]
snmp-server view V3Read iso included
snmp-server host <IP_address> version 3 auth V3User
snmp-server enable traps

Two things to check before pasting this. The group refers to a write view V3Write that the block never defines; either add a snmp-server view V3Write line or drop write V3Write for a read-only monitoring user. And auth only gives authNoPriv: for authPriv use priv in the group and host lines and add the privacy protocol to the user, e.g. snmp-server user V3User V3Group v3 auth sha <authpass> priv aes 128 <privpass>. Prefer sha over md5.
Configuring Zenoss for SNMPv3
Zenoss also needs to be configured to match these parameters for an agent. Match the Zenoss Configuration Properties to the agent's parameters.
Note that the default snmpwalk command from the Command icon does not work with SNMP V3 but it is not hard to construct a new menu option.
snmpwalk option | Zenoss configuration property | snmpd.conf (createUser) field |
---|---|---|
-v | zSnmpVer (v3) | n/a |
-u | zSnmpSecurityName | user name (createUser <user> ...) |
-x | zSnmpPrivType | privacy protocol (AES or DES) |
-X | zSnmpPrivPassword | privacy passphrase |
-a | zSnmpAuthType | authentication protocol (MD5 or SHA) |
-A | zSnmpAuthPassword | authentication passphrase |
Use this in the command window when creating the User Command in Zenoss (see also image). The -l authNoPriv matches the first test earlier on this page; for devices with zSnmpPrivPassword set, change it to authPriv so the walk is encrypted:
snmpwalk -${device/zSnmpVer} -l authNoPriv -a ${device/zSnmpAuthType} -x ${device/zSnmpPrivType} -A ${device/zSnmpAuthPassword} -X ${device/zSnmpPrivPassword} -u ${device/zSnmpSecurityName} ${device/snmpwalkPrefix}${here/manageIp}:${here/zSnmpPort} system
Important note for those who are cloning VM images
All of your SNMPv3 hosts must have a unique engineID: it is mixed into the key localization and into replay protection, so two agents sharing one engineID will produce errors. If you clone VMs that include a persistent /var/lib/net-snmp/snmpd.conf, the clones inherit the base image's engineID (and its usmUser keys, which are localized to that engineID and will not work once the engineID changes). To avoid this, set engineIDType 1 in /etc/snmp/snmpd.conf on the base VM before cloning; this derives the engineID from the host's IPv4 address (2 uses the IPv6 address, 3 the MAC address), which prevents duplicate engineIDs unless several hosts share an IP address. Remove the persistent file from the base image as well and re-create the SNMPv3 user on each clone.
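An added example, not part of the original page, for auditing an existing fleet for the problem described above: it collects SNMP-FRAMEWORK-MIB::snmpEngineID.0 from each agent (which needs a working SNMPv3 user; jane and her SHA passphrase are assumed here), normalizes the snmpget output to a bare hex string, and reports every engineID that more than one host answers with. The host names and engineID values in the sample inventory are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): find cloned hosts that share an
# SNMPv3 engineID. The sample inventory below is constructed; the credentials in
# engineid_inventory (user jane, SHA passphrase) are placeholders.

# Normalise one snmpget answer such as
#   SNMP-FRAMEWORK-MIB::snmpEngineID.0 = Hex-STRING: 80 00 1F 88 80 E9 BD 0E ...
# into lowercase hex with no spaces. Returns 1 when the answer holds no Hex-STRING
# (for example "No Such Object available on this agent at this OID").
engineid_from_snmpget() {
    id=$(printf '%s\n' "$1" | sed -n 's/.*Hex-STRING: *//p' | tr -d ' ' | tr 'A-F' 'a-f')
    [ -n "$id" ] && printf '%s\n' "$id"
}

# Query one agent; remaining arguments are the snmpget credential options.
engineid_fetch() {
    host=$1; shift
    engineid_from_snmpget "$(snmpget -v3 "$@" "$host" SNMP-FRAMEWORK-MIB::snmpEngineID.0 2>/dev/null)"
}

# Build "<host> <engineID>" lines for the hosts given as arguments (needs network
# access to the agents; unreachable hosts are recorded as such, not skipped).
engineid_inventory() {
    for host in "$@"; do
        id=$(engineid_fetch "$host" -l authNoPriv -u jane -a SHA -A fraclmyea) || id=unreachable
        printf '%s %s\n' "$host" "$id"
    done
}

# Constructed sample inventory: zen42 and zen43 were cloned from the same image.
engineid_sample_inventory() {
    cat <<'EOF'
lotschy 80001f8880e9bd0e1cd5ef5a5f00000000
zen42   80001f888070de1a2b3c4d5e5f00000000
zen43   80001f888070de1a2b3c4d5e5f00000000
EOF
}

# Read "<host> <engineID>" lines on stdin. Print each engineID used by more than
# one host followed by those hosts, and exit 1 if any duplicate was found.
engineid_duplicates() {
    awk '{
             hosts[$2] = hosts[$2] (hosts[$2] != "" ? " " : "") $1
             n[$2]++
         }
         END {
             dup = 0
             for (id in n)
                 if (n[id] > 1) { dup = 1; print id ": " hosts[id] }
             exit dup
         }'
}

# Run against real hosts only when asked: ENGINEID_CHECK=1 sh engineid-check.sh host1 host2 ...
if [ "${ENGINEID_CHECK:-0}" = 1 ]; then
    engineid_inventory "$@" | engineid_duplicates || echo "duplicate engineIDs found" >&2
fi
```

Hosts recorded as unreachable share the pseudo-value "unreachable" and so show up as a duplicate group of their own, which is a convenient reminder to fix their credentials before trusting the audit.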