SNMP version 3 (SNMPv3) provides a secured environment for managing systems and networks. Simulating an SNMPv3 agent using Agent Simulator is simple: specify the version as V3 while starting the agent and a v3 agent gets initialized. This section covers the security levels supported by the v3 agent, the steps involved in simulating and testing the v3 agent, and adding new users to the USM and VACM tables.
The SNMPv3 Agent supports the following set of security levels as defined in the USM MIB (RFC 2574):
noAuthnoPriv - Communication without authentication and privacy.
authNoPriv - Communication with authentication and without privacy. The protocols used for authentication are MD5 and SHA (Secure Hash Algorithm).
authPriv - Communication with authentication and privacy. The protocols used for authentication are MD5 and SHA; for privacy, the DES (Data Encryption Standard) protocol is used. For privacy support, you have to install a third-party privacy package. Installation details are dealt with in the topic "Privacy Support".
The SNMPv3 agent also supports the VACM MIB as a default Access Control Model. It consists of four tables. The context name, group name and read/write access for a user are configured in these tables.
By default, the SNMPv3 Agent provides support for three levels of users, namely:
noAuthUser - Users with security level noAuthnoPriv and context name as noAuth.
authUser - Users with security level authNoPriv and context name as auth.
privUser - Users with security level authPriv and context name as priv.
The details about the users get stored in the XML files under the <Simulator_Home>/conf directory.
The steps involved in simulating a v3 agent using Agent Simulator are given below:
Start the SNMP Agent Simulator.
Load the MIBs for which the agent should be simulated. For example, load AGENT-SAMPLE-MIB.
Click on the Settings -> Agent Settings option in the menu bar.
In the dialog that is displayed, change the version of the agent to V3 and click on the 'OK' button.
Click on the menu item Operations -> Start Agent to start the agent.
The SNMPv3 agent gets started with the default user configurations present in the XML files under the <Simulator_Home>/conf directory.
Testing the SNMPv3 Agent with noAuth and Auth Users
Assuming that the simulated SNMPv3 agent is started, let us see how it can be tested using the default entries available in the USM and VACM Tables.
User Name "noAuthUser", Security level "noAuthnoPriv"
The default entry for noAuthUser in the USM Table will be as follows. The default Context Name of this user as defined in the VACM Context Table is noAuth. The subtree OID for which read/write access is provided for this user in the VACM View Table is .1.3.6.
| User Name | Security Level | Auth Protocol | Priv Protocol | Auth Password | Priv Password |
|---|---|---|---|---|---|
| noAuthUser | noAuth,noPriv | - | - | - | - |
To test the agent,
Make sure the SNMPv3 Agent is started
Start the MibBrowser application from <Simulator_Home>/bin directory.
Load the MIB which is implemented in the Agent. For example, load AGENT-SAMPLE-MIB.
Click the MIB Browser Settings icon in the toolbar. The MibBrowser Settings dialog opens.
Choose the SNMP version as v3 in the "General" tab.
Select "v3Settings" tab to add the noAuthUser entry in the table. The following details need to be filled :
Target Host : localhost (by default)
Target Port : 8001.
User Name : noAuthUser
Security Level : noAuth,noPriv
Click Add Entry. The entry gets listed in the v3 Settings table.
Select the entry and click OK to close the MIB Browser Settings wizard.
Move on to the MIB Browser Main UI.
Give noAuth in the Context Name field of MibBrowser.
Select ".iso.org.internet.private.enterprise.zohocorp" of agent-sample-mib.txt and do a get next.
You find the agent responding to the request.
User Name "authUser", Security level "AuthnoPriv" with MD5 Auth protocol
The default entry for authUser in USM Table will be as follows. The default Context Name of this user as defined in the VACM Context Table is auth. The sub-tree OID for which read/write access is provided for this user in the VACM View Table is .1.3.6 included and 1.3.6.1.4.1.2162.4.1.1 excluded.
| User Name | Security Level | Auth Protocol | Priv Protocol | Auth Password | Priv Password |
|---|---|---|---|---|---|
| authUser | Auth,noPriv | MD5 | - | authUser | - |
To test the agent,
Make sure the SNMPv3 Agent is started.
Start the MibBrowser application from <Simulator_Home>/bin directory.
Load the MIB which is implemented in the Agent. For example, load AGENT-SAMPLE-MIB.
Click the MIB Browser Settings icon in the toolbar. The MibBrowser Settings dialog opens.
Choose the SNMP version as v3 in the "General" tab. Select the "v3Settings" tab to add the authUser entry in the table. The following details need to be filled:
Target Host : agent host name
Target Port : 8001.
User Name : authUser
Security Level : Auth,noPriv
Auth Protocol : MD5
Auth Password : authUser
Click Add Entry. The entry gets listed in the v3 Settings table.
Select the entry and click OK to close the MIB Browser Settings wizard.
Move on to the MIB Browser Main UI.
Give auth in the Context Name field of MibBrowser. Select ".iso.org.internet.private.enterprise.zohocorp" of agent-sample-mib.txt and do a get next. You find the agent responding to the request.
Privacy Settings for Priv User
For privacy support, any one of the following encryption packages can be used:
JCE
Cryptix
Note: JDK 1.5 bundles the JCE privacy packages by default. The Simulation toolkit package bundles JRE 1.5. Hence, if JDK 1.5 is used, the JCE privacy jars are not required to be in the classpath. If you are using a lower JDK version, you have to include the corresponding privacy packages in the classpath.
To make use of JCE classes
Download JCE classes 1.2 or 1.2.1 from the following URL: http://java.sun.com/products/jce/
In case JCE 1.2 classes are downloaded, you get the following jar : jce12-rc1-dom.jar
In case JCE 1.2.1 classes are downloaded, you get the following four jars : jce1_2_1.jar; local_policy.jar; sunjce_provider.jar, and US_export_policy.jar
Make sure the jars are placed under <Simulator_Home> directory.
Also make sure the jars are included in the CLASSPATH of the setenv.bat/sh file (available in the <Simulator_Home>/bin directory). Please note that the jars are required to be in the CLASSPATH settings of the run.bat/sh file that is used for running the simulated agent.
Edit the java.security file present in the jre/lib/security folder under the JDK installed on your machine and add the following lines:
security.provider.1=sun.security.provider.Sun
security.provider.2=com.sun.crypto.provider.SunJCE
Save the java.security file.
The USMUtils.class required for encrypting v3 requests and responses is available in AdventNetSnmp.jar in <Simulator Home>/jars directory.
Now, the v3 Agent is ready for supporting Privacy.
If you run MibBrowser from the batch/script file, you have to add the JCE jar to the classpath. Similarly, if you start MibBrowser from the Launcher, you have to set the JCE jar in the classpath variable of MibBrowser. For this, select the MibBrowser icon in the launcher, right-click, select Settings, and add the JCE jar file to the classpath.
To make use of Cryptix classes
Changes to be made in the Agent side :
Download Cryptix classes 3.1 or 3.2 from the following URL: http://www.cryptix.org/
Make sure the jars are included at the beginning of the CLASSPATH in the setenv.bat file (available in the <Simulator_Home>/bin directory). This is applicable to all JDK versions. Please note that the jars are required to be in the CLASSPATH settings of the run.bat/sh file that is used for running the simulated agent.
The USMUtils.class required for encrypting v3 requests and responses is available in AdventNetSnmp.jar (<Simulator_Home>/jars directory).
Edit the java.security file present in the jre/lib/security folder under the JDK installed on your machine and add the following lines:
security.provider.1=sun.security.provider.Sun
security.provider.3=cryptix.provider.Cryptix
Now, the v3 Agent is ready for supporting Privacy.
Changes to be made in the Manager Side :
If you run MibBrowser from the batch/script file, you have to add the Cryptix zip file to the classpath. Similarly, if you start MibBrowser from the Launcher, you have to set the Cryptix zip in the classpath variable of MibBrowser. For this, select the MibBrowser icon in the launcher, right-click, select Settings, and add the Cryptix zip file to the classpath.
Export Restrictions
Encryption packages are bound by Export restrictions.
If JCE 1.2 or its implementations are used in developing applications and applets, they cannot be used outside the US and Canada.
JCE 1.2.1 does not have any export restrictions and can be used in applications that are distributed throughout the world.
The latest JDK version (JDK 1.5) comes integrated with JCE 1.2.1.
Cryptix package does not have any such export restrictions.
Testing the v3 Agent with Priv Users
Assuming that the privacy settings are made and the simulated SNMPv3 agent is started, let us see how it can be tested using the default entries available in the USM and VACM Tables.
User Name "privUser", Security Level "AuthPriv" with MD5 Priv Protocol
Note: For "privUserMD5" and "privUserSHA" you need either the Cryptix package for jdk1.x or JCE for jdk1.2.x to run the MibBrowser. Please refer to the topic "Privacy Settings for Priv User" for more information.
The default entry for privUser in the USM Table will be as follows. The default Context Name of this user as defined in the VACM Context Table is priv. The sub-tree OID for which read/write access is provided for this user in the VACM View Table is .1.3.6 included and 1.3.6.1.4.1.2162.4.1.6 excluded.
| User Name | Security Level | Auth Protocol | Priv Protocol | Auth Password | Priv Password |
|---|---|---|---|---|---|
| privUser | Auth,Priv | MD5 | CBC-DES | authUser | privUser |
To test the agent, do the following :
Make sure the SNMPv3 Agent is started
Start the MibBrowser application from <Simulator_Home>/bin directory.
Load the MIB which is implemented in the Agent. For example, load AGENT-SAMPLE-MIB.
Click MIB Browser Settings icon in the toolbar. The MibBrowser Settings dialog opens .
Choose the SNMP version as v3 in the "General" tab.
Select "v3Settings" tab to add the privUser entry in the table. The following details need to be filled :
Target Host : agent host name
Target Port : 8001 (agent port number)
User Name : privUser
Security Level : Auth,Priv
Auth Protocol : MD5
Priv Protocol : CBC-DES
Auth Password : authUser
Priv Password : privUser
Click Add Entry. The entry gets listed in v3 Settings table.
Select the entry and click OK to close the MIB Browser Settings wizard.
Move on to the MIB Browser Main UI.
Give priv in the Context Name field of MibBrowser. Select ".iso.org.internet.private.enterprise.zohocorp" of agent-sample-mib.txt and do a get next. You find the agent responding to the request.
Adding New User to the USM Table
To add new users to the usmUserTable of the SNMP-USER-BASED-SM-MIB, WebNMS provides a tool called v3Config Tool. To invoke the tool, run the SNMPv3config.bat/sh file from the <Simulator_Home>/bin directory. By default, the USMUser tab is selected and the default entries are displayed as shown in the screenshot below:
New user entries must be added to the USM and VACM tables before starting and accessing the v3 agent with the required new user names.
Note: To access the v3 agent, the new users must also be configured in the VACM Tables. Please refer to the section "Adding new users to the VACM Table" for more details.
To add a new user to the USM Table,
Choose the USMUser tab and click Add in the menu bar. The Properties dialog pops up. It contains the following fields.
Fill in the "UserName" (it can be any name) and "Security Level", choosing from the options in the combo box as shown in the image.
If the "Security Level" given is AuthnoPriv, the Auth Password has to be entered. If it is AuthPriv, both the Auth Password and the Priv Password have to be entered. Here again, the password can be of the user's choice.
Auth Protocol can be MD5 or SHA though by default it is MD5.
Priv Protocol can be CBC-DES or CFB_AES_128 though by default it is CBC-DES.
Sample entry would be :
UserName : NewUser
Security Level : AuthnoPriv
AuthProtocol : MD5
AuthPassword : newuser
On filling the entries, click on OK button. This adds the new user entry.
Adding New User to the VACM Tables
To provide view-based access control, the new user entry has to be added to the VACM Tables of the SNMP-VIEW-BASED-ACM-MIB. The V3Config Tool can be used to configure the VACM entries. The steps involved in adding a new user to the VACM Tables using the Table view are given below:
Adding New User to the Vacm Context Table
The VACM Context table lists the context names defined for the users. To view the default context names select the VacmContext tab. The default context names will be listed as shown in the image below:
To add a new context name to the VACM context table, select the Add button.
Enter the context name in the space provided. It can be of any name. The context name is used as a reference when accessing the v3 agent.
Click OK to add the new context name to the table.
The next step is to configure the VACM Group Table.
Adding New User to the Vacm Group Table
The VACM Group Table holds a set of security-name-to-group mappings. If the received context name is valid, the group name is obtained from this table using the user (security) name and security model as input. Currently the application supports only the USM model, and it is specified by default.
Model will always have to be USM.
Security Name can be either 'authUser' or 'noAuthUser' or 'privUser'.
Group Name can be of any user defined name.
To view the default group names or add new groups in the table,
Select the VacmGroup Tab. The default groups provided for the default users configured in the USM table are listed as shown in the image below :
To add a new group to this table, click Add and enter the following details in the space provided :
Security Model : The Security Model supported by the snmpv3 agent. Currently, only USM is supported.
Security Name : The name of the new user as configured in the USM Table.
Vacm Group Name : The group name to which the user belongs. You can specify any name as group name.
Click OK to add the entry to the table.
The next step is to configure the VACM Access Table.
Adding New User to the Vacm Access Table
The VACM Access table lists the access rights and restrictions of the various groups. Given the group name, context name, security model and security level of the v3 user, this table supplies the read, write or notify view name according to the received request type. It is configurable through SNMP.
The group's access rights are given for,
read - for retrieval operations - get, getnext and getbulk.
write - for write operations - set
notify - for notification operations - trap
To view the default views or add new views in the table,
Select the VacmAccess Tab. The default views provided for the default users configured in the USM table will be listed.
To add a new entry to this table, click Add and enter the following information in the space provided:
Vacm Group Name : The group to which the user belongs as defined in the VACM group table.
Context Prefix: The context name of the user as defined in the VACM context table.
Security Model: The Security Model supported by the SNMPv3 agent - USM
Security Level: The Security Level of the user
Context Match: "Exact"
Read View Name: The read view name provided for the v3 user.
Write View Name: The write view name provided for the v3 user.
Notify View Name: The notify view name provided for the v3 user.
Click OK, to add the entry to the table.
The next step is to configure the VACM View Tree Family Table.
Adding New User to the Vacm View Tree Family Table
This table assigns the sub-tree OID that can be accessed by a particular view. To view the default views or add new views in the table,
Select the VacmViewTree tab displayed on the left side of the tool. The default views and sub-tree OIDs provided for the default users configured in the USM table are listed as shown in the image below:
To add a new entry to this table, enter the following information in the space provided.
Type: Select the type as either "included" or "excluded". The type "excluded" denotes that the specified sub-tree cannot be accessed by the user.
View Name: The view name can be any name. Separate view names can be defined for read, write and notify access.
SubTree: The subtree is the subtree oid in the MIB for which read,write,notify access is allowed for the user.
Mask : The "mask" field controls which elements of the sub-tree OID are considered relevant when determining the view an OID belongs to. Normally the OID is matched in whole, so you need a mask with as many bits set as there are elements in the sub-tree OID. The default value is "ff". The mask semantics are described under "Mask" below.
Click on OK to add the entry to the table.
Mask
The "mask" field controls which elements of the OID sub-tree are considered relevant when determining the view an OID belongs to. Normally the OID is matched in whole, so you need a mask with as many bits set as there are elements in the sub-tree OID.
Thus ".1" (the whole iso tree) has one element, so the mask has one bit set, i.e. '80' (in hex). ".iso.org.dod.internet.mgmt.mib-2" has six elements, so six bits are set ('fc'). If there are more than eight elements, you specify the longer mask as single octet values separated by dots (e.g. 'ff.c0' for 10 bits).
The mask value defines how an incoming OID is matched against the SubTree value. For example, take the sub-tree value .1.3.6, the incoming OID .1.3.6.1.2.1.1.0 and the mask ff (hex), i.e. 1111 1111. The incoming OID must then match .1.3.6 exactly, because the first three mask bits are 1 (a 1 bit demands an exact match of that element). If the mask is 1011 1111 instead, it is enough for the first and third elements of the sub-tree (1 and 6) to match the incoming OID, because a 0 bit does not require a match for its element.
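To show how the group, access and view-tree tables described above fit together, and how the mask is applied, here is an added example written for this page (not code from the simulator or the v3Config Tool). It implements the VACM lookup from RFC 3415 in Python: security name and model give the group, group plus context and security level give the read/write/notify view names, and the view-tree families decide whether an OID is included or excluded, with the mask and the longest-match rule applied. The tables are constructed sample data mirroring the page's default users (noAuthUser and authUser, the authUser view with .1.3.6 included and .1.3.6.1.4.1.2162.4.1.1 excluded); the group and view names are assumptions, and the lookup uses the tool's "Exact" context match only.

```python
from typing import Dict, List, Optional, Tuple

OID = Tuple[int, ...]
Family = Tuple[str, str, str]  # (subtree, mask in hex, "included" | "excluded")

# Constructed sample tables (example data, not the simulator's XML).
GROUP_TABLE: Dict[Tuple[str, str], str] = {  # (securityModel, securityName) -> group
    ("USM", "noAuthUser"): "noAuthGroup",
    ("USM", "authUser"): "authGroup",
}
# (group, contextPrefix, securityModel, securityLevel) -> (read, write, notify) views;
# "Exact" context match only, as the page's tool configures it.
ACCESS_TABLE: Dict[Tuple[str, str, str, str], Tuple[str, str, str]] = {
    ("noAuthGroup", "noAuth", "USM", "noAuthnoPriv"): ("noAuthView",) * 3,
    ("authGroup", "auth", "USM", "authNoPriv"): ("authView",) * 3,
}
VIEW_TABLE: Dict[str, List[Family]] = {
    "noAuthView": [(".1.3.6", "ff", "included")],
    "authView": [(".1.3.6", "ff", "included"),
                 (".1.3.6.1.4.1.2162.4.1.1", "ff", "excluded")],
}


def parse_oid(text: str) -> OID:
    return tuple(int(part) for part in text.strip(".").split("."))


def parse_mask(mask: str) -> List[int]:
    """'80', 'fc', 'ff', 'ff.c0' -> list of bits, most significant bit first."""
    bits: List[int] = []
    for octet in mask.split("."):
        value = int(octet, 16)
        bits.extend((value >> (7 - i)) & 1 for i in range(8))
    return bits


def family_matches(oid: OID, subtree: OID, mask: str) -> bool:
    """An element must match only where its mask bit is 1; bits past the mask count as 1."""
    if len(oid) < len(subtree):
        return False
    bits = parse_mask(mask)
    for i, element in enumerate(subtree):
        relevant = bits[i] if i < len(bits) else 1
        if relevant and oid[i] != element:
            return False
    return True


def view_allows(families: List[Family], oid_text: str) -> bool:
    """RFC 3415 rule: of all matching families take the one with the longest subtree
    (ties: lexicographically greatest); the OID is in the view iff it is 'included'."""
    oid = parse_oid(oid_text)
    best: Optional[Tuple[OID, str]] = None
    for subtree_text, mask, family_type in families:
        subtree = parse_oid(subtree_text)
        if not family_matches(oid, subtree, mask):
            continue
        if best is None or (len(subtree), subtree) > (len(best[0]), best[0]):
            best = (subtree, family_type)
    return best is not None and best[1] == "included"


def is_access_allowed(request: str, security_name: str, context: str,
                      level: str, oid_text: str, model: str = "USM") -> bool:
    """Full VACM decision: group table -> access table -> view tree family table."""
    group = GROUP_TABLE.get((model, security_name))
    if group is None:
        return False  # unknown security name / model: noSuchGroup
    views = ACCESS_TABLE.get((group, context, model, level))
    if views is None:
        return False  # no access entry for this context / level: noAccessEntry
    view_name = views[{"read": 0, "write": 1, "notify": 2}[request]]
    return view_allows(VIEW_TABLE.get(view_name, []), oid_text)


if __name__ == "__main__":
    for oid in (".1.3.6.1.2.1.1.1.0", ".1.3.6.1.4.1.2162.4.1.1.0"):
        print(oid, "authUser read:", is_access_allowed("read", "authUser", "auth", "authNoPriv", oid))
```

The excluded family wins for .1.3.6.1.4.1.2162.4.1.1.0 even though .1.3.6 also matches, because the longer sub-tree is preferred; that is the mechanism behind the "excluded" rows in the default views above. The same code can be used to check a mask such as 'bf' from the description: with sub-tree .1.3.6 the second element is ignored, so .1.5.6.1 is treated as inside the view.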
After adding the new user entry to the USM and VACM Tables, click on Save to update the changes in the SNMPv3 xml configuration files. The v3 agent can now be accessed by the new user.
To test the v3 agent with the new user, follow the steps specified in "Testing the SNMPv3 Agent with default users", specifying the new user name, security level, password and context name.