Configure SNMPv3

From Zenoss Wiki

Why SNMPv3

Where available, version 3 of the SNMP standard should be used: it authenticates every request with a per-user key (the User-based Security Model, USM) and protects message integrity, instead of relying on a community name that passes over the network in the clear and is the only credential an attacker needs. It can also encrypt the SNMP payload if desired. Although slightly harder to set up than SNMPv1 and SNMPv2c, it is not too onerous.

Configuring net-snmp agents for SNMP V3

On the agent that runs on the remote server to be monitored, a user must be created with parameters for authentication (proof of identity and message integrity) and privacy (encryption): the hash algorithm and passphrase used for authentication, and the cipher and passphrase used for encryption. What that user may then read or write is granted separately through the agent's access-control directives (group/access, or the rwuser/rouser shortcuts). See the manual (man) entry for snmpd.conf for more information.

For the net-snmp agent shipped with most Linux distributions, create /etc/snmp/snmpd.conf with entries like:

# For SNMP V3
# All five directives below must be active (not commented out)
# com2sec maps a v1/v2c community ("dummycontext") arriving from a source host
# to a security name; it plays no part in SNMPv3 (USM) authentication.
com2sec snmpv3test localhost    dummycontext
com2sec snmpv3test zen42        dummycontext
# group maps a security name under a security model to a group; with the usm
# model the security name is the SNMPv3 user name, so this covers a user
# called "snmpv3test", not "jane".
group snmpv3group       usm     snmpv3test
# access: members of snmpv3group must use at least authPriv ("priv") and get
# the "all" view for read, write and notify.
access snmpv3group        ""      usm       priv    exact  all     all   all
# rwuser is the shortcut that actually grants the SNMPv3 user jane read-write
# access (minimum security level auth). Monitoring only needs to read, so
# "rouser jane" is the least-privilege choice.
rwuser jane

Create SNMPv3 User

Now, use the net-snmp-config utility to create the SNMP v3 user (jane in this case).

You need to specify a passphrase for authentication (-A) and a passphrase for encryption (-X), along with the algorithms to be used for authentication (-a) and encryption (-x). The example below uses MD5 and DES; prefer SHA and AES, which both net-snmp and the Zenoss zSnmpAuthType/zSnmpPrivType properties accept, and use passphrases of at least eight characters, since USM rejects shorter ones.

Note: On CentOS/RHEL, net-snmp-devel must be installed to provide net-snmp-config. Newer net-snmp releases also ship the net-snmp-create-v3-user script, which takes the same options.

To do this, first stop snmpd (on systemd-based hosts: systemctl stop snmpd):

# /etc/init.d/snmpd stop

Then run the following command (both passphrases go on the command line, so they land in the shell history and are briefly visible to other local users through ps):

# net-snmp-config --create-snmpv3-user -A fraclmyea -X fraclmyex -x DES -a MD5 jane

The utility appends a createUser line for jane, with both passphrases in clear text, to /var/lib/net-snmp/snmpd.conf (the agent's persistent store) and adds rwuser jane to /etc/snmp/snmpd.conf. Now start snmpd again: on start-up it reads the createUser entry, replaces it with a usmUser entry holding keys localized to the agent's engineID, and removes the clear-text passphrases. Keep the persistent store readable by root only, and check it after the restart to confirm the createUser line is gone.

Testing

Test your SNMPv3 configuration as follows (the first walk authenticates only, the second also encrypts):

$ snmpwalk -v 3 -a MD5 -A fraclmyea -l authNoPriv -u jane lotschy system
$ snmpwalk -v 3 -a MD5 -A fraclmyea -X fraclmyex -l authPriv -u jane lotschy system

The tests shown above are to a target called lotschy for the MIB-2 system tree. A wrong passphrase or algorithm is reported as "snmpwalk: Authentication failure (incorrect password, community or key)", and a user that was never created on the agent as "snmpwalk: Unknown user name"; verify that a deliberately wrong -A passphrase produces the first error before trusting the configuration.

Note: Different implementations of net-snmp on different operating systems may work slightly differently. For example, openSUSE does not need the net-snmp-devel package, and the rwuser is created in a separate snmpd.conf under /usr/share/snmp (which is created automatically if it doesn't exist).

Configuring Cisco IOS for SNMPv3

Note: Cisco SNMPv3 AuthPriv requires the IOS crypto (k9) feature set, which carries export restrictions. Please follow them.

! this block is taken from Cisco's DocWiki
! Group security level is one of noauth, auth or priv (priv = AuthPriv and
! needs a user created with a priv passphrase). The write view V3Write is
! referenced but never defined; for monitoring, drop "write V3Write" entirely.
snmp-server group V3Group v3 auth read V3Read write V3Write
! Authentication algorithm is sha or md5 (prefer sha). For AuthPriv append
! "priv aes 128 <priv-password>" to this line.
snmp-server user V3User V3Group v3 auth sha <auth-password>
snmp-server view V3Read iso included
snmp-server host <IP_address> version 3 auth V3User
snmp-server enable traps

Configuring Zenoss for SNMPv3

Zenoss also needs to be configured to match these parameters for the agent: set the zSnmpVer, zSnmpSecurityName, zSnmpAuthType, zSnmpAuthPassword, zSnmpPrivType and zSnmpPrivPassword Configuration Properties on the device (or on its device class) to the values used in the agent's createUser entry.

(Screenshot: Zen42 conf props snmpv3.jpg, the SNMPv3 Configuration Properties in Zenoss)

Note that the default snmpwalk command available from the Command menu does not work with SNMP V3, but it is not hard to construct a new menu option.

(Screenshot: Command snmpwalk v3.jpg, the User Command definition in Zenoss)

snmpwalk flag   Zenoss Configuration Property   createUser field in snmpd.conf
-v              zSnmpVer                        n/a
-u              zSnmpSecurityName               [user]
-a              zSnmpAuthType                   authentication protocol (MD5 or SHA)
-A              zSnmpAuthPassword               authentication PASSPHRASE
-x              zSnmpPrivType                   privacy protocol (AES or DES)
-X              zSnmpPrivPassword               privacy PASSPHRASE

Use this in the command window when creating the User Command in Zenoss (see also image). It maps the properties above one-to-one onto snmpwalk flags; change -l authNoPriv to authPriv if you want the walk encrypted with zSnmpPrivType/zSnmpPrivPassword rather than merely authenticated. Be aware that Zenoss expands both passphrases into the command line, so they are visible to anyone who can list processes on the Zenoss host while the walk runs:

snmpwalk -${device/zSnmpVer} -l authNoPriv -a ${device/zSnmpAuthType} -x ${device/zSnmpPrivType} -A ${device/zSnmpAuthPassword} -X ${device/zSnmpPrivPassword} -u ${device/zSnmpSecurityName} ${device/snmpwalkPrefix}${here/manageIp}:${here/zSnmpPort} system

Important note for those who are cloning VM images

All of your SNMPv3 hosts must have a unique engineID. The USM keys in the agent's persistent store are localized to it, and managers cache engineBoots/engineTime per engineID for replay protection, so two agents presenting the same engineID can cause authentication and time-window errors on the manager and hold identical localized keys for the same passphrase. net-snmp records its generated engineID in /var/lib/net-snmp/snmpd.conf (as oldEngineID), so if you clone VMs that include that file, every clone inherits it. To avoid this, set "engineIDType 1" in snmpd.conf on the base VM that you are going to clone. The engineID is then derived from the host's IPv4 address, which prevents duplicates unless multiple hosts share an IP address. Because the localized keys change with the engineID, recreate the SNMPv3 user on each clone after it has its own address.