Configuring SNMPv3 Agents

 

Overview

 

The version 3 of Simple Network Management Protocol addresses some of the long pending issues related to the large scale deployment of SNMP. Due to lack of security in using SNMP, system and network administrators were using other means, such as telnet, ASCII, etc. for configuration, accounting, and fault management. The primary goal of SNMP version 3 (SNMPv3) is to define a secure version of the SNMP. SNMPv3 also facilitates remote configuration of the SNMP entities, which make remote administration of SNMP entities a much simpler task. WebNMS has implemented SNMPv3 as defined from RFC3411 to RFC3415 (Obsoletes RFC2570 to RFC2575), RFC 3584 (Obsoletes RFC 2576) and RFC 3826 (AES cipher algorithm in the SNMP USM MIB)

 

Security Levels in SNMPv3

 

As explained earlier, SNMP version 3 (SNMPv3) is used to provide a secured environment in managing the systems and networks. The SNMPv3 Agent supports the following set of security levels as defined in the USM MIB (RFC 3414):

A framework for definition of different authentication and privacy protocols is available in V3. Currently, the MD5 and SHA authentication protocols and the CBC-DES, CFB-AES-128 (as per RFC 3826) privacy protocols are supported in USM.

 

Supported Privacy Packages

 

While creating an SNMPv3 agent with Privacy support, the agent needs additional privacy packages for both CBC-DES, CFB-AES-128 privacy protocols. These packages are required for encryption of SNMPv3 messages and are not bundled along with the Agent Toolkit C Edition product package.

These privacy package can be obtained by sending an email to the product support team cagent-support@webnms.com, along with the following information

 

Note: Start the Mib Browser with JDK / JRE 1.5.x and above for testing the SNMPv3 Agents with privacy support

 

 

Default Users of SNMPv3 Agents

 

By default, the SNMPv3 Agent provides support for three levels of users, namely

The details about the users get stored in snmpumusertable.txt file in <WebNMS>/C-Agent/projects/<Project-Name>/agent/conf/snmp/snmpv3/security directory provided the AGENT_FILE_TO_VECTOR MACRO is defined in the config.h file.

 

Developing a Sample V3 Agent

 

Please follow the steps given below to develop a Sample v3 Agent.

Testing the SNMPv3 Agent with Default Users

 

Now that a Sample Agent is created, it has to be tested with the Default Users.

 

Testing the V3 Agent for noAuth Users

 

Default entry of noAuthUser in USM Table :

 

Context Name Security Level User Name Auth Protocol Priv Protocol Auth Password Priv Password

noAuth

noAuthNoPriv

noAuthUser

-

-

-

-

 

To test the Agent for noAuthUser,

  1. Start the MIB Browser application from <WebNMS/C-Agent>/bin directory.

  2. Load Agent-Sample-MIB.

  3. Click MIB Browser Settings in the toolbar icon.

  4. A wizard opens up wherein you have to choose the version of the Manager. Choose v3.

  5. Click Add in this wizard.

  6. An SNMP Parameter Panel appears wherein the following details need to be filled :

  7. Click OK.

  8. The entry gets listed in v3 Settings.

  9. Select the entry and click OK to close the MIB Browser Settings wizard.

  10. Move on to the MIB Browser Main UI.

  11. Make sure the Agent is started from <WebNMS/C-Agent>/projects/snmpproject01/agent/bin directory using snmpagent.exe file.

  12. Now, test the SNMPv3 Agent by sending a query to the scalar variable agentDescr in the agentSystem group under the demo group. You will receive the response as

Sent get request to localhost : 8001

agentDescr.0 --> agentDescr not initialized

 

Testing the V3 Agent for authUsers

 

Default entry of authUser in USM Table :

 

Context Name Security Level User Name Auth Protocol Priv Protocol Auth Password Priv Password

auth

authNoPriv

authUserMD5

MD5

-

authUserMD5

-

 

To test the Agent for authUser,

  1. Follow the steps given above (in Testing the Agent for noAuthUser) until setting the Target Port as 8001.

  2. Later, specify the User Name as authUserMD5 for this case.

  3. Select the Security Level as Auth,noPriv from the combo box.

  4. Specify the Authentication password as authUserMD5.

  5. You can see the entry added in the Table. Select the entry and click OK to close the MIB Browser Settings wizard.

  6. Move on to the MIB Browser main UI.

  7. Make sure the Agent is started from <WebNMS/C-Agent>/projects/snmpproject01/agent/bin directory using snmpagent.exe file.

  8. Now, test the SNMPv3 Agent by sending a query to the agentDisk group under the demo group. You will receive the relevant value configured for response. If you try accessing the agentDescr of agentSystem group, you will receive the value for the agentDescr scalar variable. If you do not want to provide the access to the agentDescr scalar variable to the authUser group, then you should not provide the access for the authUsers in View Access to that particular scalar variable. To know more on View-based Access, please refer to "Enabling Authorization using VACM" topic in this section.

Testing the Agent for Privacy Users

 

Default entry of privUser in USM Table if DES is chosen as Priv Protocol

 

Context Name Security Level User Name Auth Protocol Priv Protocol Auth Password Priv Password

priv

Auth, Priv

privUserMD5

MD5

CBC-DES

privUserMD5

privUserMD5

 

To test the Agent for privUser,

  1. Privacy packages obtained from the product support team has been installed.

  2. Mib Browser has to started with JDK / JRE 1.5.x and above.

  3. Then, follow the steps given in Testing the v3Agent for noAuthUsers until setting the Target Port as 8001.

  4. Later, specify the User Name as privUserMD5

  5. Select the Security Level as Auth, Priv from the combo box.

  6. Specify the Authentication password as privUserMD5 and Privacy password as privUserMD5.

  7. Select the Priv Protocol as CBC-DES from the combo box. If the agent is generated for AES encryption, then choose CFB-AES-128 from the list.

  8. Specify the Context Name as priv

  9. Click OK.

  10. You can see the entry added in the Table. Select the entry and click OK to close the MIB Browser Settings wizard.

  11. Make sure the Agent is started from <WebNMS/C-Agent>/projects/snmpproject01/agent/bin directory using snmpagent.exe file.

  12. Move on to the MIB Browser Main UI.

  13. Now, test the SNMPv3 Agent by sending a query to the agentDisk group under the demo group. You will receive the response without any problem.

Adding More Users for v3 Agents (USM)

 

User-based Security Model (USM) is a default security model defined by SNMPv3. It provides different types of security levels using various authentication and privacy protocols as explained earlier in this section. To add more users for accessing v3 Agents, WebNMS provides a table called the USMTable. User entries can be added to the Table either : (1) Before Agent Startup or (2) During Run Time.

 

Please note that though user entries are added, these users will not be able to access the Agent unless View Access is given to them. Please refer to Enabling Authorization in V3 using VACM topic in this section for more details.

 

Before Agent Start-Up

 

Entries can be added to the USM User Table before Agent start-up using function Calls. To specify the entries before Agent start-up,

 

Using Function Calls

 

An entry can be added to the USMUserTable by calling the function AddUSMUserEntry()

 

This function is defined in <WebNMS>/C-Agent/projects/<ProjectName>/agent/source/protocols/snmp/src/ snmpv3/security/snmpusmtable.c and is called from WebNMS>/C-Agent/projects/<ProjectName>/agent/stubs/submain.c file. By calling the following function with specified parameters, a new entry will be added to the USM table. You can call this function either before Agent startup or during run time.

Example:

During Run Time: From the Manager

 

New SNMPv3 users can be added to the SNMPv3 Agent dynamically during runtime. It can be done using MIB Browser or through SNMPv3 Administration Tool or through using Command line (Java) applications.

 

Using WebNMS MIB Browser

 

To add the entry from the WebNMS MIB Browser or from any GUI based SNMP Manager, follow the steps given below

A new According to RFC 3414, to add an user in USM user table, the spinlock value needs to be set along with the Multi-varbind

 

Using WebNMS SNMPv3 Administration Tool

 

SNMPv3 Admin tool is an easy to use GUI tool to configure security and administration details of USM and VACM tables.

For more information on How to add new SNMPv3 users to the USM table using this tool, refer to the following help section
Help -> Tools -> SNMPv3 Administration Tool

 

Using Command line tool

If the user is added to the USMTable successfully "User S u c c e s s f u l l y cloned !!!" can be seen in the command prompt. Else, "Failure in USM Remote configuration" will be displayed.

 

Changing the Password of an Existing User

 

The Manager can also change the password of an existing user, using the utility called "snmpUSMKeyChange.java" available in WebNMS/C-Agent/examples/snmp/cmd_line_apps/udpapps directory.

 

The usage of this utility is as follows:

 

Usage:snmpUSMKeyChange [-d] [-p port] [-r retries] [-t time-out] [-a auth_protocol] [-w auth_password] [-s priv_password] [-n contextName] [-i contextID] [-y new_auth_password] [-z new_priv_password] [-ou user_name] [-ow old_auth_password] [ -oz old_priv_password] userName  host

 

The password can be changed in the following ways:

The following is an example for Own AuthKey change. Assuming that View access is given for the user, options are explained.

 

run snmpUSMKeyChange -d -p 8001 -a MD5 -w authUser -n auth -y authUserNew authUser localhost

 

Here,

The above inputs will modify the authentication password of the user "authUser" from"authUser" to"authUserNew".

The user's authentication protocol is "MD5".

 

Persistence Storage

 

Once a new user is added or the authKey, privKey, etc. are modified, then the corresponding entries will be added or modified in the USM user table. Those changes will be used by the agent until it reboots. If the agent is rebooted, then all newly added users and changes will not be in the USM user table. So, for persistence storage AGENT_FILE_TO_VECTOR is supported. This means, once a new user is added or old user's information is modified then those changes will be immediately written into a file called "<WebNMS>/C-Agent/projects/<Project-Name>/agent/conf/snmp/snmpv3/security/snmpusmusertable.txt". The file format is

 

User Name Clone From OID Auth Protocol (String Format) AuthKey Len AuthKey Priv Protocol (String Format) PrivKeyLen PrivKey Row Status

privUserSHA

.0.0

SHA

20

Encrypted localized key

DES

16

Encrypted localized key

ACTIVE

 

Since the authKey and privKey are stored in the encrypted format it is not possible to add a new user or modify the existing user's authKey/privKey by editing this file. Any invalid change in this file will affect the functionality of the SNMPv3. So, adding a new user or modifying user information through the agent or manager is advisable.

 

How to Generate Own EngineID value?

 

Each  SNMPv3 agent has an engine ID that uniquely identifies the agent in the device and also for the unique identification of the MIB objects within a domain. Clock synchronization in the USM security model depends on the concept of an authoritative engine which is identified by the engine ID.

 

In SNMPv3 communication, EngineID is used as an identifier for an agent among different agents. By default the agent API generates an EngineID by combining AGENT_ADDRESS + "#" + AGENT_PORT_NUM macros which are defined in

<WebNMS>/C-Agent/projects/<Project Name>/agent/source/system/include/config.h header file. The default value for AGENT_ADDRESS is "127.0.0.1" and the value for AGENT_PORT_NUM is 161 or 8001. So the resultant EngineID value is either "127.0.0.1#161" or 127.0.0.1#8001.

 

If the user wants to generate his own EngineID value, then he has to edit the method called GenEngineId() which is available in <WebNMS>/C-Agent/projects/<ProjectName>/agent/stubs/submain.c file. The agent API will call this method first before generating the default EngineID value. Before assigning the new EngineID value to the variable "engineId", the user has to allocate enough memory. After assigning a new EngineID value, the user has to update the variable "len" with length of the new EngineID value.

 

For example,

 

 

Enabling Authorization in V3 Using VACM

 

View-based Access Control Model (VACM) is a default access control model defined by SNMPV3 frame work (RFC 3415 (obsoletes RFC 2575)). It is possible to restrict a particular group in accessing an OID in the MIB using VACM. SNMPv3 Agent, has implemented the VACM MIB as a default access control model.

 

Details for VACM

 

The details for View-based Access are to be specified in the four tables of VACM MIB namely

Adding Entries to VACM Tables

 

A User can be given view access to a MIB by specifying the views in the VACM Tables. Entries can be added to the VACM Tables either : (1) Before Agent Startup or (2) During Run Time. Please note that only when all the VACM tables are configured for a user will the user entry have view access. Let us have a look at the default entries in VACM Tables and move on to the steps involved in adding view access to users.

 

Default VACM Entries

 

VACMContextTable 

 

Context Name

noAuth

auth

priv

 

VACM Group Table

 

Model Security Name Group Name

3

authUser

authGroup

3

noAuthUser

noAuthGroup

3

privUser

privGroup

 

VACM Group Access Table

 

Group Name Prefix Model Level Match

Read

Notify

 Write

noAuthGroup

noAuth

USM

noAuth.noPriv

Exact

noAuthView

noAuthView

noAuthView

privGroup

priv

USM

Auth.Priv

Exact

privView

privView

privView

authGroup

auth

USM

Auth.noPriv

Exact

authView

authView

authView

 

VACM View Table

 

View Name Sub-Tree Mask Type

noAuthView

.1.3.6

ff

included

authMD5View

.1.3.6

ff

included

authSHAView

.1.3.6

ff

included

privView

.1.3.6

ff

included

privateView

.1.3.6

ff

included

 

Adding Entries Before Agent Start-Up

 

Entries can be added to the VACM Tables before Agent start-up either using Agent Compiler UI or Text File or Function Calls. To specify the entries before Agent start-up,

 

1. Using Agent Compiler UI

    1. Create a Project and load a MIB. 

    2. Choose Settings -> Project Settings from the menu bar of Agent Compiler UI. 

    3. Select Protocols -> SNMP ->SNMPv3 -> VACM in the Settings tree.

    4. Select the required VACM Table and click Add.

    5. A wizard pops up wherein you can specify the user entries.

    6. Click OK.
       

    Suppose if you want to leave a field empty in the text box, provide the value as empty string "". For example, if you want to leave the vacmAccessWriteViewName column of Vacm Access Table as empty as per RFC 2575, then you can provide empty string ("") in this column. Kindly refer FAQ -> SNMP -> SNMPv3 for more details

2. Text File

 

The entries configured through Agent Compiler UI get stored in the configuration file under <WebNMS>/C-Agent/projects/<ProjectName>/agent/conf/snmp/acl directory, provided the storage type MACRO is defined in the config.h file as given below :

The text files generated are:

This text file has to be edited for adding new entries. Please note that the Agent has to be restarted for the changes to take effect.

 

3. Using Function Calls

 

An entry can be added to the VACM Tables by calling the function CreateAndAddNewSnmp<TableName>Entry(). This function is defined in the following files under <WebNMS>/C-Agent/projects/<ProjectName>/agent/source/protocols/snmp/src /acl directory and is called from <WebNMS>/C-Agent/projects/<ProjectName>/agent/stubs/submain.c file.

By calling the following functions with specified parameters, a new entry will be added to the respective VACM tables. You can call this function either before Agent startup or during run time

 

VacmContextTable

where,

 

VacmContextName: Refers to the context names supported by the snmpv3 agent.

VacmContextNameLen: Refers to the length of the context name.

 

Example :

VacmSecurityToGroupTable

where,

 

vacmSecuirtyModel: Refers to the Security Model supported by the snmpv3 agent.

vacmSecurityName: Refers to the name of the user

vacmSecurityNameLen: Refers to the length of the security name

vacmGroupName: Refers to the group name to which the user belongs

vacmGroupNameLen: Refers to the length of the group name

VacmSecurityToGroupStorageType: Denotes the storage type "NON_VOLATILE"

vacmSecurityToGroupStatus: Denotes the Row Status "Active"

 

Example

VacmAccessTable

where,

 

vacmGroupName: Refers to the group to which the user belongs

vacmGroupNameLen: Refers to the length of the group name

snmpVacmAccessContextPrefix: Refers to the context name of the user

snmpVacmAccessContextPrefixLen: Refers to the length of the context name

snmpVacmAccessSecurityModel: Refers to the Security Model supported by the snmpv3 agent - USM

snmpVacmAccessSecurityLevel Refers to the Security level of the user

snmpVacmAccessContextMatch Refers to the Context Match "Exact"

snmpVacmAccessReadViewName: Refers to the read view name provided for the v3 user

snmpVacmAccessReadViewNameLen: Refers to the read view name length

snmpVacmAccessWriteViewName: Refers to the write view name provided for the v3 user

snmpVacmAccessWriteViewNameLen: Refers to the write view name length

snmpVacmAccessNotifyViewName: Refers to the notify view name provided for the v3 user

snmpVacmAccessNotifyViewNameLen: Refers to the notify view name length

snmpVacmAccessStorageType Denotes the storage type "NON_VOLATILE"

snmpVacmAccessStatus Denotes the Row Status "Active"

 

Example:

VACMViewTreeFamilyTable

where,

 

VacmViewTreeFamilyViewName: The Read/Write/Notify view name provided for the v3 user

VacmViewTreeFamilyViewNameLen: The length of the view name

VacmViewTreeFamilySubtree: The Sub Tree OID for which read/write/notify access is provided

VacmViewTreeFamilyMask: The mask for the OID

VacmViewTreeFamilyMaskLen: The length of the mask/p>

VacmViewTreeFamilyType: "INCLUDED"

VacmViewTreeFamilyStorageType: Denotes the storage type "NON_VOLATILE"

VacmViewTreeFamilyStatus: Denotes the Row Status "Active"

 

Example:

During Run Time: From the Manager

 

To configure an entry from the Manager,

  1. Start the MIB Browser application.

  2. Load SNMP-VIEW-BASED-VACM MIB from <WebNMS/C-Agent>/mibs directory.

  3. This MIB contains the four tables in which the View-based Authorization has to be configured.

  4. Selecting the respective table and clicking SNMP Table icon in MIB Browser opens up a wizard wherein entries can be added to the required Tables by sending SET requests.

  5. Please note that vacm context table is not configurable from the Manager (remotely).

The User-based Security Model (USM) and View-based Access Control (VACM) Tables are implemented by default when the Agent is started in SNMP Version 3.

 

Using USM without VACM

 

To use USM without VACM, just comment or remove the MACRO defined for VACM in the config.h file. Recompile the code to see the changes.

 

Authenticating Requests from v1/v2c Managers (Co-existence Support)

 

In a typical deployment scenario, the management applications and applets will be required to communicate with SNMP Agents of different versions. They will also be required to communicate with multi-lingual agents, i.e. SNMP Agents that support all the three SNMP versions (v1, v2c, and v3 ).

 

The multi-lingual SNMP Agents support multiple SNMP message versions and co-exist with entities which support only a single SNMP message version. So, management applications with SNMPv1 or v2c support alone can communicate with SNMPv3 agents.

 

This is called co-existence in v3 as defined in RFC 3584. SNMPv3 Agent entities with co-existence support implement the SNMP-COMMUNITY-MIB. This MIB contains objects for mapping between community strings and version-independent SNMP message parameters. Apart from this, a complete implementation of Co-existence Support require the implementation of SNMP-TARGET-MIB. The implementation of this MIB facilitates the source address validation on the incoming requests.

 

In case the Agent is strictly v3, it will drop the requests sent from v1/v2c Managers. To know how to make an Agent strictly v3, please refer to the next section "Making the Agent strictly SNMPv3".

 

Enabling Co-existence Support

 

You can enable the Co-existence Support from the Agent Compiler UI.

 

Using Agent Compiler UI

 

The MACRO gets defined even if the Agent Compiler UI options are enabled. To enable the same,

    1. Create a Project and Load a MIB.

    2. Select Settings -> Project Settings menu from the Agent Compiler UI.

    3. From the Protocols -> SNMP -> SNMPv3 -> General Panel, check Co-Existence Support option.

    4. This will enable Co-existence Support in the agent.

Details for Co-existence Support

Default Users of Co-existence Support

 

The Tables of Community MIB and Target MIB used for co-existence support include SnmpCommunityTable, SnmpTargetAddrTable, and SnmpTargetAddrExtTable. The configurations present by default in these Community tables are as follows:

 

SnmpCommunityTable

 

Snmp Community Index Snmp Community Name Snmp Community Security Name Snmp Community Context Engine Snmp Community Context Name Snmp Community Transport Tag Snmp Community Storage Type Snmp Community Status

community 1

public

noAuthUser

127.0.0.1#8001

noAuth

group 1

other(1)

active(1)

community 2

private

noAuthUser

127.0.0.1#8001

noAuth

group 2

other(1)

active(1)

 

SnmpTargetAddrTable

Snmp Target Addr Name Snmp Target Addr TDomain Snmp Target Addr TAddress Snmp Target Addr TimeOut Snmp Target Addr Retry Count Snmp Target Addr TaqList Snmp Target Addr Params Snmp Target Addr Storage Type Snmp Target Addr Row Status

addr1

.1.3.6.1.6.1.1

127.0.0.1#8003

1500

3

group 1 group 2 group 3

snmpTarget

ParamsName

nonVolatile (3)

Active (1)

 

Note:

  1. Delimiters allowed for Snmp Target Addr TagList are space, carriage return, line feed, and tab space.

  2. Delimiters cannot be given as a value for the tag value.

  3. The tag value in the tag list should not be a zero length string.

 

SnmpTargetAddrExtTable

 

SnmpTargetAddrName

 SnmpTargetAddrTMask SnmpTargetAddrMMS

localhost

ff

484

 

Adding Managers for Supporting Co-existence

 

Manager entries can be added to the Community Tables either : (1) Before Agent Startup or (2) During Run time.

 

Before Agent Startup

 

Entries can be added to the Community Tables before Agent startup either using Agent Compiler UI or Text File or Function Calls. To specify the entries before Agent startup,

 

1. Using Agent Compiler UI

        1. Create a Project and load a MIB.

        2. Choose Settings -> Project Settings menu from the menu bar of Agent Compiler UI.

        3. Protocols -> SNMP -> SNMPv3 -> Community Panel

        4. Select the required table and click Add, to add entries to the table.

        5. A wizard pops up wherein you can specify the communities for Manager entries and click OK

2. Text File

 

The entries configured through Agent Compiler UI get stored in the configuration text file, under <WebNMS>/C-Agent/projects/<ProjectName>/agent/conf/snmp/snmpv3/co-existence directory, provided the storage type MACRO is defined in the config.h file as given below :

The text files generated are

Please note that the Agent has to be restarted for the changes to take effect.

 

3. Using Function Calls

 

An entry can be added to the co-existence tables by calling the function CreateAndAddNew<TableName>Entry(). This function is defined in the following files in <WebNMS>/C-Agent/projects/<ProjectName>/agent/source/protocols/snmp/src/snmpv3/co-existence folder and is called from <WebNMS>/C-Agent/projects/<ProjectName>/agent/stubs/submain.c

By calling the following functions with specified parameters, a new entry will be added to the Community tables. You can call this function during Agent startup or during run time

 

SnmpCommunityTable

SnmpTargetAddressTable

SnmpTargetAddressExtTable

During Run Time: From the Manager

 

To add an entry to the aclTable from the Manager,

    1. Start the MIB Browser application.

    2. Load SNMP-COMMUNITY-MIB from <WebNMS/C-Agent>/mibs directory.

    3. This MIB contains the SnmpCommunityTable, SnmpTargetAddrTable, and SnmpTargetAddrExtTable in which the Community Authentication has to be configured.

    4. Selecting the respective table and clicking SNMP Table icon in MIB Browser will open up a wizard wherein entries can be added to the required Tables by sending SET requests.

Note: Similar to the steps mentioned in adding entries, the entries can be deleted/removed from the table.

 

Testing the Agent for Co-existence Support

    1. Start the MIB Browser application.

    2. In the MibBrowser Settings General panel, specify the SNMP version as v1 or v2c.

    3. Load the MIB with which v3 Agent is developed.

    4. Start the v3 Agent.

    5. Send a v1/v2c request to a variable in the MIB.

    6. The v3 agent will respond for a v1/v2c request from the Manager.

Making the Agent Strictly SNMPv3

 

Normally a V3 Agent accepts requests from V1 and V2c Managers. But if you do not want to provide SNMPv1 or SNMPv2c access to the v3 Agent, please follow the steps given below and this would restrict the access making the SNMPv3 Agent strictly V3 :

Sending Notifications

 

SNMPv3 Notification PDU though similar to SNMPv2 Notification PDU, differs in the message format. It contains SNMPv3 message headers, such as message ID, version, security level, maximum supported size, security model, etc. and security parameters depending upon the security model and scoped PDU parameters, such as context name, context engine ID, varbinds, etc. Notifications can be sent to both v3 Managers (using the Manager information in v3Trap ForwardingTable) and v1/v2c Managers (using Notification Filtering Mechanism). Please go through the following topics for more details.

 

In SNMPv3, sending a Notification from an entity is not a simple process. The Agent should find out the targets, pass the filtering mechanism and access its validation. To put it in steps,

SNMPv3 by itself is not clear as to how filtering has to be done before sending Notifications. This may again depend on the individual instrumentation of the agent. Hence we provide an interface function called DoFilteringForSnmpTraps present in <WebNMS/C-Agent>/projects/<ProjectName>/agent/stubs/inform.c. This function will provide informations about the Manager (Target), Notification details, such as Trap OID, and Variable Bindings. Thus, the user can decide whether the notification needs to be sent to the specified target or not.

 

The IsAccessAllowed() method is called according to the VACM MIB, for each variable binding OID and Trap OID. Any failure in step 2 or step3 will stop the Agent in sending the notification to the specified target.

 

Notifications to v3 Managers

 

SNMPv3 frame work recommends SNMP-TARGET-MIB to identify the targets for sending Notifications, which is implementation specific. WebNMS Toolkit has a proprietary table called the V3 Trap Forwarding Table that contains all the information of the target. For more information about this table, please refer to "Sending Traps, Notifications and Informs " section. This section explains how Traps can be sent from v3 Agents to v3 Managers using v3 Trap Forwarding Table.

 

Notifications to v1/v2c Managers

 

Notifications can also be sent to v1/v2c Managers from a v3 Agent. To support this feature, Agent Toolkit has implemented the Notification Filtering Mechanism as per RFC 3413 (obsoletes RFC 2573).

 

Enabling Notification Filtering Support

 

Notification Filtering support can be enabled using Agent Compiler UI

 

Using Agent Compiler UI

      1. Create a Project and Load a MIB.

      2. Select Settings -> Project Settings menu from the menu bar of Agent Compiler UI.

      3. From the General Panel of Protocols -> SNMP -> SNMPv3, check Notification Support option.

      4. This will enable the Notification Filtering Support.

Default Users for Notification Filtering Support

 

The Tables of Notification MIB and Target MIB used for Filtering Mechanism support include SnmpTargetParamsTable, SnmpNotifyTable, SnmpNotifyFilterProfileTable, and SnmpNotifyFilterTable. The default configurations present in these Notification Filtering Tables are as follows:

 

SnmpTargetParamsTable

 

Snmp Target Params Name Snmp Target ParamsMP Model Snmp Target ParamsSecurity Model Snmp Target ParamsSecurity Name Snmp Target Params Security Level Snmp Target Params Storage Type Snmp Target Params Row Status

advent

3

3

authUser

0

non-volatile (3)

Active

WebNMS

3

3

authUser

0

non-violate (3)

Active

 

SnmpNotifyTable

 

Snmp Notify Name Snmp Notify Tag Snmp Notify Type Snmp Notify Storage Type Snmp Notify RowStatus

localhost

public

1(trap)

nonVolatile(3)

Active

localhost1

private

1(trap)

nonVolatile(3)

Active

 

SnmpNotify FilterProfileTable

 

SnmpTarget ParamsName Snmp NotifyFilter ProfileName Snmp NotifyFilter ProfileStorage Type Snmp Notify FilterProfile RowStatus

advent

test

Permanent

Active

WebNMS

test1

Permanent

Active

 

SnmpNotify FilterTable

 

SnmpNotify FilterProfile Name SnmpNotify Filter SubTree Snmp NotifyFilter Mask Snmp Notify Filter Type SnmpNotify Filter Storage Type Snmp Notify Filter Row Status

test

.1.3.6

0

Included

Nonviolate

NotInservice

test1

.1.3.6.1

0

Included

Nonviolate

NotInService

 

Adding Managers to the Notification Tables

 

After enabling Notification Filtering Support, it is required to specify the v1/v2c Managers to whom these Notifications should be sent. Manager Entries can be added to the Notification tables either : (1) Before Agent Startup or (2) During Run Time.

 

Before Agent Startup

 

Entries can be added to the Notification Tables before Agent startup either using Agent Compiler UI or Text File or Functional Calls. To specify the entries before Agent start-up,

 

1. Using Agent Compiler UI

      1. Create a Project and load a MIB>

      2. Choose Settings -> Project Settings menu from the menu bar of Agent Compiler UI>

      3. Select Target and Notification Tables under Protocols -> SNMP -> SNMPv3.

      4. Now, Click Add.

      5. A wizard pops up wherein you can specify the communities for Manager entries and click OK.

2. Text File

 

The entries configured through Agent Compiler UI get stored in the configuration text file under <WebNMS>/C-Agent/projects/<ProjectName>/agent/conf/snmp directory, provided the storage type MACRO is defined in the config.h file as given below :

Please note that the Agent has to be restarted for the changes to take effect.

 

3. Using Function Calls

 

The functions defined in <WebNMS>/C-Agent/projects/<ProjectName>/agent/source/protocols/snmp/ src/snmpv3/co-existence folder is called from <WebNMS>/C-Agent/projects/<ProjectName>/agent/ stubs/submain.c file. By calling the following functions with specified parameters, a new entry will be added to the Notification tables. You can call this function either before Agent startup or during run time.

 

SnmpTargetAddrTable

SnmpTargetParamsTable

SnmpNotifyTable

SnmpNotifyFilterTable

SnmpNotifyFilterProfileTable

During Run Time: From the Manager

 

To configure an entry from the Manager,

    1. Start the MIB Browser Application.

    2. Load SNMP-TARGET-MIB and SNMP-NOTIFICATION-MIB from WebNMS/C-Agent/mibs directory.

    3. SnmpTargetAddrTable, SnmpTargetParamsTable     SnmpNotifyTable, SnmpNotifyFilterTable, and SnmpNotifyFilterProfileTable in which Notification Filtering Support is to be configured.

    4. When you select the respective table and click SNMP Table icon (View SNMP Table Data icon), MIB browser opens up a wizard wherein entries can be added to the required Tables.

    5. Click OK and you can see the entries added to the Table.

    6. Check for the same by sending a GET request to the Table.

Note: Similar to the steps mentioned in adding entries, the entries can be deleted/removed from the table.

 

Testing Notification Filtering Support

 

Now that you have enabled this feature and added entries to the Notification Table, the next step is checking whether the Agent works with this support. To ensure the same, follow these steps:


Copyright © 2009, ZOHO Corp. All Rights Reserved.