SPECTRUM SNMPv3 User Guide (5124) - CA Support...

SPECTRUM SNMPv3 User Guide Document 5124


Notice

Copyright Notice Copyright © 2002 by Aprisma Management Technologies, Inc. All rights reserved worldwide. Use, duplication, or disclosure by the United States government is subject to the restrictions set forth in DFARS 252.227-7013(c)(1)(ii) and FAR 52.227-19.

Liability Disclaimer Aprisma Management Technologies, Inc. (“Aprisma”) reserves the right to make changes in specifications and other information contained in this document without prior notice. In all cases, the reader should contact Aprisma to inquire if any changes have been made.

The hardware, firmware, or software described in this manual is subject to change without notice.

IN NO EVENT SHALL APRISMA, ITS EMPLOYEES, OFFICERS, DIRECTORS, AGENTS, OR AFFILIATES BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED TO LOST PROFITS) ARISING OUT OF OR RELATED TO THIS MANUAL OR THE INFORMATION CONTAINED IN IT, EVEN IF APRISMA HAS BEEN ADVISED OF, HAS KNOWN, OR SHOULD HAVE KNOWN, THE POSSIBILITY OF SUCH DAMAGES.

Trademark, Service Mark, and Logo Information SPECTRUM, IMT, and the SPECTRUM IMT/VNM logo are registered trademarks of Aprisma Management Technologies, Inc., or its affiliates. APRISMA, APRISMA MANAGEMENT TECHNOLOGIES, the APRISMA MANAGEMENT TECHNOLOGIES logo, MANAGE WHAT MATTERS, DCM, VNM, SpectroGRAPH, SpectroSERVER, Inductive Modeling Technology, Device Communications Manager, SPECTRUM Security Manager, and Virtual Network Machine are unregistered trademarks of Aprisma Management Technologies, Inc., or its affiliates. For a complete list of Aprisma trademarks, service marks, and trade names, go to:

http://www.aprisma.com/manuals/trademark-list.htm

All referenced trademarks, service marks, and trade names identified in this document, whether registered or unregistered, are the intellectual property of their respective owners. No rights are granted by Aprisma Management Technologies, Inc., to use such marks, whether by implication, estoppel, or otherwise. If you have comments or concerns about trademark or copyright references, please send an e-mail to [email protected]; we will do our best to help.

Restricted Rights Notice (Applicable to licenses to the United States government only.) This software and/or user documentation is/are provided with RESTRICTED AND LIMITED RIGHTS. Use, duplication, or disclosure by the government is subject to restrictions as set forth in FAR 52.227-14 (June 1987) Alternate III(g)(3) (June 1987), FAR 52.227-19 (June 1987), or DFARS 52.227-7013(c)(1)(ii) (June 1988), and/or in similar or successor clauses in the FAR or DFARS, or in the DOD or NASA FAR Supplement, as applicable. Contractor/manufacturer is Aprisma Management Technologies, Inc. In the event the government seeks to obtain the software pursuant to standard commercial practice, this software agreement, instead of the noted regulatory clauses, shall control the terms of the government's license.

Virus Disclaimer Aprisma makes no representations or warranties to the effect that the licensed software is virus-free. Aprisma has tested its software with current virus-checking technologies. However, because no antivirus system is 100-percent effective, we strongly recommend that you write protect the licensed software and verify (with an antivirus system with which you have confidence) that the licensed software, prior to installation, is virus-free.

Contact Information Aprisma Management Technologies, Inc., 273 Corporate Drive, Portsmouth, NH 03801 USA

Phone: 603.334.2100

U.S. toll-free: 877.468.1448

Web site: http://www.aprisma.com


Contents

Notice
Preface
    Intended Audience
    Text Conventions
    Document Feedback
    Online Documents
SNMPv3 and Spectrum
    Overview
    Benefits of SPECTRUM’s SNMPv3 Support
        Security
            Authentication
            Privacy
        64-Bit Counters
        Traps and Informs
    Limitations of SPECTRUM’s SNMPv3 Support
        get-bulk Command
        AutoDiscovery
        JMib Tools
    View Based Access Control Model (VACM)
    Performance and Capacity
Modeling an SNMPv3 Device
    Manually Modeling an SNMPv3 Device
    Using AutoDiscovery to Model the Rest of the Network
    Modeling an SNMPv3 Device with one of SPECTRUM’s Toolkits
    Changing or Adding Security Information to a Device Model
    Adding contextName Information
TroubleShooting
Index


Preface

In This Section

Intended Audience [page 4]

Text Conventions [page 4]

Document Feedback [page 5]

Online Documents [page 5]

Intended Audience

This guide is intended for SPECTRUM administrators who would like to use SPECTRUM for fault management of SNMPv3 devices.

Text Conventions

The following text conventions are used in this document:

Element: Variables (the user supplies a value for the variable)
Convention used: Courier and Italic in angle brackets (<>)
Example: Type the following: DISPLAY=<workstation name>:0.0 export display

Element: The directory where you installed SPECTRUM (the user supplies a value for the variable)
Convention used: <$SPECROOT>
Example: Navigate to: <$SPECROOT>/app-defaults

Element: Solaris and Windows directory paths
Convention used: Unless otherwise noted, directory paths are common to both operating systems, with the exception that slashes (/) should be used in Solaris paths, and backslashes (\) should be used in Windows paths.
Example: <$SPECROOT>/app-defaults on Solaris is equivalent to <$SPECROOT>\app-defaults on Windows.

Element: On-screen text
Convention used: Courier
Example: The following line displays: path="/audit"

Element: User-typed text
Convention used: Courier
Example: Type the following path name: C:\ABC\lib\db

Element: Cross-references
Convention used: Underlined and hypertext-blue
Example: See Document Feedback [page 5].

Element: References to SPECTRUM documents (title and number)
Convention used: Italic
Example: SPECTRUM Installation Guide (0675)

Document Feedback

Please send feedback regarding SPECTRUM documents to the following e-mail address:

[email protected]

Thank you for helping us improve our documentation.

Online Documents

SPECTRUM documents are available online at:

http://www.aprisma.com/manuals

Check this site for the latest updates and additions.


SNMPv3 and Spectrum

This section gives an overview of SNMPv3 and outlines the architecture and benefits of SPECTRUM’s SNMPv3 support.

In this section:

Overview [page 6]

Benefits of SPECTRUM’s SNMPv3 Support [page 8]

Limitations of SPECTRUM’s SNMPv3 Support [page 10]

View Based Access Control Model (VACM) [page 10]

Performance and Capacity [page 10]

Overview

SNMPv3 adds several enhancements to the original SNMP architecture. SPECTRUM’s SNMPv3 support takes advantage of a number of these enhancements including authentication, encryption, 64-bit counter support, and the receipt and processing of SNMPv3 format traps and informs.

SPECTRUM uses a proxy to communicate with devices that support SNMPv3. The proxy resides on the same machine as the SpectroSERVER and is automatically started by processd on system startup.

SPECTRUM models and concurrently manages devices that support SNMPv1 and devices that support SNMPv3. Devices that support SNMPv3 must be modeled manually using the Model by IP option in SpectroGRAPH. Special fields have been added to the Model by IP screen for the additional security parameters supported by SNMPv3.

Figure 1 [page 7] illustrates the flow of data from SPECTRUM, through the proxy, to and from the SNMPv3 device.


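Figure 1: Flow of SNMP Data

[Diagram not reproduced. It shows the SpectroSERVER host machine, containing the SpectroSERVER (with an SNMPv3 model and an SNMPv1 model) and the proxy, together with an SNMPv3 device and an SNMPv1/v2 device. The labeled flows are: modified SNMPv1; SNMPv1 requests and responses; SNMPv3 requests, responses, traps and informs.]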

SNMPv3 Data

The proxy translates modified SNMPv1 packets coming from SPECTRUM into SNMPv3 format to send out to an SNMPv3 device. The security data provided when the device was modeled is added to the packet.

SNMPv3 packets coming from a device are authenticated and decrypted by the proxy and then translated into SNMPv1 format and sent to SPECTRUM.


SNMPv1/v2 Traps and SNMPv2 Informs

By default, the proxy will receive SNMPv1/v2 traps and SNMPv2 informs. These will be passed through the proxy and sent to the SpectroSERVER. Responses to SNMPv2 informs are sent out through the proxy.

Note that SNMPv1 requests and responses are sent directly to the SpectroSERVER, not through the proxy.

It is possible to modify the configuration of the SpectroSERVER and the proxy so that SNMPv1/v2 traps and SNMPv2 informs are sent directly to the SpectroSERVER; see TroubleShooting [page 17] for instructions.


Benefits of SPECTRUM’s SNMPv3 Support

SPECTRUM’s support of SNMPv3 offers benefits in the following areas:

• Security

• 64-Bit Counters

• Traps and Informs

Security

SNMPv3 offers three levels of security and SPECTRUM supports each of these.

• Non Authenticated

• Authenticated

• Authenticated with Privacy

Authentication

SNMPv3’s authentication is a security feature that determines if a given message is from a valid source. SPECTRUM supports the SNMPv3 standard for the authentication of messages. The appropriate authentication password is specified for a device model when it is created (see Manually Modeling an SNMPv3 Device [page 12]). When the SNMP packet is converted to SNMPv3 by the proxy, the security parameters are added to the SNMPv3 packet that is sent to the device. The SNMPv3 entity on the device verifies the authenticity of the message to ensure that the packet came from an authorized source.

SNMPv3 data sent from the device to SPECTRUM also uses similar security parameters. The proxy receives the packet and verifies the authenticity before passing the data to SPECTRUM.

Note: The proxy supports both MD5 (Message Digest Algorithm) and SHA (Secure Hash Algorithm) for authentication. The proxy chooses the appropriate algorithm based on the configuration of the SNMPv3 user on the device. This configuration is administered via IOS commands, such as 'snmp-server', which allow you to specify options such as MD5 or SHA, the DES version, and so on. No changes to the proxy’s configuration files are necessary for this configuration.


Privacy

SNMPv3’s privacy feature uses an encryption algorithm (DES) to encode the contents of an SNMPv3 packet in order to ensure that it cannot be viewed by unauthorized entities while traveling over the network. SPECTRUM supports the SNMPv3 standard for the encryption of messages. The privacy password is specified for a device model when it is created (see Manually Modeling an SNMPv3 Device [page 12]). The SNMP message is sent from SPECTRUM to the proxy and the proxy uses the password to encrypt the message before it goes out onto the network. The encrypted data travels over the network to the device and the device decrypts the data for use.

SNMPv3 data sent from the device to SPECTRUM also travels over the network in an encrypted packet. The proxy decrypts the packet and passes the information to SPECTRUM.

Note that any data sent between the SpectroSERVER and the proxy is not encrypted. Only the communication between the proxy and the actual device is carried out in a secure, encrypted format. However, since the proxy resides on the machine that runs the SpectroSERVER, only encrypted data actually travels over the network. The host system’s security should be configured to provide adequate security for both the SpectroSERVER and the proxy.

64-Bit Counters

The SNMPv3 standard provides support for 64-bit counters. SPECTRUM can access 64-bit counter MIB variables for all SNMPv3 devices that comply with this standard.

Traps and Informs

SPECTRUM supports the ability to receive SNMPv3 traps and informs that are sent from a device or management system. The proxy receives traps and informs on port 162, and then forwards them to SPECTRUM. SPECTRUM receives traps and informs on the port number configured using the brass_trap_port variable in the .vnmrc file. By default the brass_trap_port is set to 4748. When SPECTRUM receives an inform, it sends a response to the inform as outlined in the SNMPv3 standard.

By default, SNMPv1/v2 traps and SNMPv2 informs are also sent through the proxy to the SpectroSERVER.

See TroubleShooting [page 17] for more information on:


• Reconfiguring the SpectroSERVER and the proxy so that SNMPv1/v2 traps and SNMPv2 informs are sent directly to the SpectroSERVER.

• The brass_trap_port variable.

• How to configure the proxy to replicate traps on other ports.

• How to change the port on which the proxy receives traps and informs.

Limitations of SPECTRUM’s SNMPv3 Support

get-bulk Command

SPECTRUM’s support of SNMPv3 does not include the get-bulk command.

AutoDiscovery

SPECTRUM does not support the AutoDiscovery of SNMPv3 devices. All SNMPv3 devices must be modeled manually. See Modeling an SNMPv3 Device [page 12] for further information.

JMib Tools

SPECTRUM’s JMib tools cannot be used to contact or examine MIBs on SNMPv3 devices.

View Based Access Control Model (VACM)

Although it is possible to support the VACM features of SNMPv3 with SPECTRUM, it is not recommended that you do so. SPECTRUM has its own mechanism to ensure secure access to devices. Therefore, it is important to give SPECTRUM full view access to all device MIBs in order to ensure that SPECTRUM can monitor and manage those devices effectively.

Performance and Capacity

Keep in mind that it takes more processing resources for SPECTRUM to work with SNMPv3 devices. More overhead is consumed using the authentication and privacy features due to the time it takes to decrypt and authenticate each message. This affects the number of models that a SpectroSERVER can manage effectively. Therefore, it is recommended that only devices that will benefit from SNMPv3 support in the areas outlined above be modeled as SNMPv3 devices. Other devices should be modeled using SNMPv1.


Modeling an SNMPv3 Device

This section describes how to create and maintain a network model that includes SNMPv3 devices.

In this section:

Manually Modeling an SNMPv3 Device [page 12]

Using AutoDiscovery to Model the Rest of the Network [page 14]

Modeling an SNMPv3 Device with one of SPECTRUM’s Toolkits [page 14]

Changing or Adding Security Information to a Device Model [page 16]

Adding contextName Information [page 16]

Manually Modeling an SNMPv3 Device

In order to model an SNMPv3 device, use SPECTRUM’s manual modeling New Model by IP option. SNMPv3 devices cannot be modeled using either SPECTRUM’s Model by Name or SPECTRUM’s AutoDiscovery functionality.

To model an SNMPv3 device, do the following:

1. In the topology view where the model is to be created, select File > Edit.

2. Choose New Model by IP from the Edit menu. The following dialog box appears.


3. Fill in the Network Address, Timeout, and Retry Count fields as when modeling any device using this option. Choose to Discover Connections if appropriate, and select IP Route Table to discover the connections using the IP Route Table. See How to Manage Your Network with SPECTRUM (1909) for further instructions on these options.

4. Check off the SNMP V3 Parameters selection to model an SNMPv3 device. The Community Name field at the top becomes disabled and the SNMPv3 security options in the lower part of the screen are enabled.


5. Choose one of the three standard SNMPv3 security options: Non Authenticated, Authenticated, or Authenticated with Privacy (see Security [page 8]).

6. If Non Authenticated is selected, the data that is sent from the SPECTRUM host machine to the SNMPv3 device is not encrypted or authenticated. The Authentication and Privacy Password fields are disabled. Fill in the User ID field with the same data that has been configured for full MIB access on the device.

7. If Authenticated is selected, the data that is sent from the SPECTRUM host machine to the SNMPv3 device is authenticated; however, it is not encrypted. The Privacy Password field is disabled and the User ID field and the Authentication Password field must be filled in with the same data that has been configured for full MIB access on the device.

8. If Authenticated with Privacy is selected, the data that is sent from the SPECTRUM host machine to the SNMPv3 device is both encrypted and authenticated. Fill in the User ID field, the Authentication Password field, and the Privacy Password field with the same data that has been configured for full MIB access on the device.

9. When the appropriate selections have been completed, click the OK button. The model of the device appears in the Topology view within a short period of time.

Using AutoDiscovery to Model the Rest of the Network

Once the SNMPv3 devices have been modeled, model the rest of the network using AutoDiscovery. AutoDiscovery does not overwrite any of the models that have already been created.

Modeling an SNMPv3 Device with one of SPECTRUM’s Toolkits

To use one of SPECTRUM’s Toolkits, e.g. Modeling Gateway, to create a model that supports SNMPv3, use the following syntax when specifying the community name for the model:


• For a community name that uses both privacy and authentication, use the following syntax:

#v3/P:<authPW>:<privPW>[/KEEP]/<user>

Where:

<authPW> is the authentication password configured on the device.

<privPW> is the privacy password configured on the device.

/KEEP indicates the information is stored for use by the proxy.

<user> is the user id configured on the device.

For example:

#v3/P:myAuthPW:myPrivPW/KEEP/myUserID

• For a community name that uses authentication only, use the following syntax:

#v3/A:<authPW>[/KEEP]/<user>

Where:

<authPW> is the authentication password configured on the device.

/KEEP indicates the information is stored for use by the proxy.

<user> is the user id configured on the device.

For example:

#v3/A:myAuthPW/KEEP/myUserID

• For a community name that does not use authentication or privacy, use the following syntax:

#v3/N[/KEEP]/<user>

Where:

/KEEP indicates the information is stored for use by the proxy.

<user> is the user id configured on the device.

For example:

#v3/N/KEEP/myUserID


Changing or Adding Security Information to a Device Model

To change the security information for an existing SNMPv3 device model or convert an SNMPv1 device model to an SNMPv3 device model, the appropriate security information must be added to the model. There are three ways to do this:

• Change the Community Name assigned to the model. To do this, select the Model Information view and edit the Community Name field in the Communication Information section. Use the syntax outlined in Modeling an SNMPv3 Device with one of SPECTRUM’s Toolkits [page 14] to create the appropriate string. Enter this data into the field and save the changes.

• Use CLI to modify the Community_Name attribute using the update command. To create the appropriate value for Community_Name, use the syntax outlined in Modeling an SNMPv3 Device with one of SPECTRUM’s Toolkits [page 14]. See the Command Line Interface Guide (0664) for information on using CLI commands.

• Destroy the model and rebuild it using the instructions in Manually Modeling an SNMPv3 Device [page 12]. When rebuilding the model use the new security values used on the device.

Adding contextName Information

You can add an SNMPv3 contextName value to be sent with SNMPv3 messages for a particular device. To do this:

1. Bring up the Model Information view for that device model by selecting Model Information from the device model’s Icon Subviews menu.

2. Enter Edit mode by choosing Edit from the File menu.

3. Insert the contextName value in the Community Name field.

For example, if the current community string was:

#v3/P:authPass:privPass/KEEP/myuserid

To insert a contextName value of “quark”, you would add “-quark” to the community string as shown below:

#v3/P:authPass:privPass/KEEP/-quark/myuserid

4. Once you have added the appropriate contextName value, choose Save All Changes from the File menu.
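The community-string syntax from the Toolkits section, including the contextName segment shown above, can be checked mechanically. The following parser is an added example, not part of the original guide or of SPECTRUM: it maps the N/A/P modes to the standard SNMPv3 security level names and masks the passwords so that a Community_Name value can appear in logs or tickets. It assumes that '/' and ':' never occur inside a password, user ID or contextName, since the guide defines no escaping; V3Community, parse_v3_community and audit are hypothetical names, and the model names in the sample are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Mode letter used in the guide -> standard SNMPv3 security level name.
LEVELS = {"N": "noAuthNoPriv", "A": "authNoPriv", "P": "authPriv"}
SECRETS_PER_MODE = {"N": 0, "A": 1, "P": 2}


@dataclass
class V3Community:  # hypothetical container, not a SPECTRUM type
    mode: str
    user: str
    auth_pw: Optional[str] = None
    priv_pw: Optional[str] = None
    keep: bool = False
    context: Optional[str] = None

    @property
    def level(self) -> str:
        return LEVELS[self.mode]

    def redacted(self) -> str:
        """Rebuild the string with every password replaced by '***'."""
        parts = ["#v3", self.mode + ":***" * SECRETS_PER_MODE[self.mode]]
        if self.keep:
            parts.append("KEEP")
        if self.context is not None:
            parts.append("-" + self.context)
        parts.append(self.user)
        return "/".join(parts)


def parse_v3_community(value: str) -> V3Community:
    """Parse the three documented forms; raise ValueError on anything else.

    Assumption: '/' and ':' are pure separators (no escaping is documented),
    so a password containing either character is rejected rather than guessed.
    """
    segs = value.split("/")
    if len(segs) < 3 or segs[0] != "#v3":
        raise ValueError("not a #v3 community string")
    mode, *secrets = segs[1].split(":")
    if mode not in SECRETS_PER_MODE:
        raise ValueError(f"unknown security mode {mode!r}")
    if len(secrets) != SECRETS_PER_MODE[mode] or "" in secrets:
        raise ValueError(
            f"mode {mode} takes {SECRETS_PER_MODE[mode]} non-empty password(s)")
    rest = segs[2:]
    # /KEEP is optional and, when present, comes directly after the mode segment.
    keep = len(rest) > 1 and rest[0] == "KEEP"
    if keep:
        rest = rest[1:]
    # An optional contextName is written as '-<name>' just before the user ID.
    context = None
    if len(rest) == 2 and len(rest[0]) > 1 and rest[0].startswith("-"):
        context, rest = rest[0][1:], rest[1:]
    if len(rest) != 1 or not rest[0]:
        raise ValueError("expected a single user ID as the last segment")
    auth_pw, priv_pw = (secrets + [None, None])[:2]
    return V3Community(mode, rest[0], auth_pw, priv_pw, keep, context)


def audit(models: dict) -> list:
    """Return (model, security level, log-safe value) for each model, sorted by name."""
    report = []
    for name, value in sorted(models.items()):
        if not value.startswith("#v3/"):
            # Anything else is a plain community name, which is itself a secret.
            report.append((name, "SNMPv1 community", "***"))
            continue
        try:
            c = parse_v3_community(value)
            report.append((name, c.level, c.redacted()))
        except ValueError as exc:
            report.append((name, "invalid: " + str(exc), "***"))
    return report


# Constructed sample: model names are invented; the first three values are the
# guide's own example strings, the last two are constructed.
SAMPLE_MODELS = {
    "core-rtr-1": "#v3/P:authPass:privPass/KEEP/-quark/myuserid",
    "edge-sw-2": "#v3/A:myAuthPW/KEEP/myUserID",
    "lab-ap-3": "#v3/N/KEEP/myUserID",
    "old-hub-4": "public",
    "bad-fw-5": "#v3/P:onlyAuthPW/KEEP/myUserID",  # P mode with one password
}

if __name__ == "__main__":
    for row in audit(SAMPLE_MODELS):
        print(*row, sep="  ")
```
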


TroubleShooting

If SPECTRUM is unable to communicate with the SNMPv3 agent running on a device, an error message or alarm will appear indicating that SPECTRUM can contact the device via ICMP, but not via SNMP. In this situation, verify the following points:

Is the SNMPv3 Proxy Installed Properly?

To verify that the proxy has been installed, make sure that the executable is located at:

In the Solaris Environment:

<$SPECROOT>/SV3P/sv3p

In the Windows Environment:

<$SPECROOT>\SV3P\sv3p.exe

Is the SNMPv3 Proxy Running?

To determine if the proxy is running in the Windows environment, check the Windows Task Manager. If the proxy is running, the executable sv3p.exe is shown.

To determine if the proxy is running in the Solaris environment, use one of the following commands:

1. pgrep sv3p

2. /usr/proc/bin/ptree `pgrep processd`

This second option shows all processes that have been started by SPECTRUM’s Process Daemon (processd). For more information on the process daemon, refer to the SPECTRUM Concepts Guide (0647).

Are the port numbers configured correctly in SPECTRUM’s .vnmrc file?

The .vnmrc file is a text file located in the <$SPECROOT>/SS directory. This file has two parameters that SPECTRUM uses to communicate with the SNMPv3 proxy.

The brass_comm_port parameter defines the port number that SPECTRUM uses to send requests to the proxy. This parameter has a default value of 4747.


The brass_trap_port parameter defines the port number that SPECTRUM is listening on for incoming trap/inform data from the proxy. This parameter has a default value of 4748.

Are the ports configured correctly in the system’s services file?

The services file contains port numbers for services that interact with the system. The proxy uses two values in this file in order to communicate properly with SPECTRUM. These values define the port number on which the proxy is listening for requests from SPECTRUM and the port number from which the proxy sends data to SPECTRUM. These values should match the values defined in SPECTRUM’s .vnmrc file.

This file is located at /etc/services in the Solaris environment and at Winnt\System32\drivers\etc\services in the Windows environment.

The entry should have the following syntax:

# SPECTRUM/SNMPv3 Support

sr-unm 4747/udp

sr-unmtrap 4748/udp

Are the port numbers in use by another application?

If the port numbers chosen in the .vnmrc file and in the services file are already in use by another application, the proxy will not be able to run. In this situation, an error message is written to the <$SPECROOT>/SV3P/SV3P.OUT file. Errors such as “Cannot bind to socket”, “There may be another BRASS server running”, or other similar messages generally indicate that one or more of the ports is already occupied by another process or application.

To remedy this situation, change either the settings for the other application, or change the settings for SPECTRUM and the proxy by changing both the .vnmrc file and the services file.

Is the device model’s security information correct?

If you have changed the security information for a particular device model (see Changing or Adding Security Information to a Device Model [page 16]) and the new information provided does not match the security information on the device, SPECTRUM generates an alarm indicating that it can contact the device via ICMP, but not via SNMP.

To remedy this situation, update the security information for the device model so that it matches the information on the device.


How can I change the port that the proxy listens on for traps and informs?

To change this port, you must make changes to the file that allows processd to start the proxy. This file is called SV3P.idb and is located at:

<$SPECROOT>/lib/SDPM/partslist/

SV3P.idb is a text file and can be opened with a text editor. Open the file and find the line that reads:

ARGV;$WORKPATH/sv3p<CSEXE> -d -unm -nosubagent; //

Insert the following line just above this line:

ENV;SR_TRAP_TEST_PORT = <portnumber>

Where <portnumber> is the number of the port where you would like the proxy to receive traps and informs.

The following example shows the SV3P.idb configured so that the proxy will listen for traps and informs on port 5555.

# Processd Install Ticket for SNMPv3 proxy

PARTNAME;SNMPV3;

APPNAME;SNMPv3 Proxy Agent;

WORKPATH;$SPECROOT/SV3P;

LOGNAMEPATH;$WORKPATH/SV3P.OUT;

ADMINPRIVS;y;

AUTORESTART;y;

AUTOBOOTSTART;y;

#STATEBASED;N;

NUMPROCS;1; // one per host

RETRYTIMEOUT;600; // 10 minutes

TICKETUSER;btykodi;

RETRYMAX;5; // 5 retries

ENV;SR_MGR_CONF_DIR=$WORKPATH/srconf/mgr;

ENV;SR_AGT_CONF_DIR=$WORKPATH/srconf/agt;

ENV;SR_TRAP_TEST_PORT = 5555

ARGV;$WORKPATH/sv3p<CSEXE> -d -unm -nosubagent; //

Once you have inserted the appropriate line in the SV3P.idb file, you must use the restart command to restart processd so that it uses this new setting.


To use the restart option on the Solaris platform, do the following:

1. Become root.

2. Navigate to <$SPECROOT>/lib/SDPM directory.

3. Enter the following command:

processd.pl restart

To use the restart option on the Windows 2000/NT platform, do the following:

1. Make sure you are logged on as a member of the Spectrum Users group.

2. Select Start > Programs > Command Prompt.

3. In the Command Prompt window, navigate to the <$SPECROOT>/lib/SDPM directory.

4. Enter the following command:

perl processd.pl restart

For more information on processd and .idb files, see the Distributed SpectroSERVER Guide (2770).

How do I configure the proxy to replicate traps on other ports?

To allow the proxy to send traps to SPECTRUM and to other trap receivers, you must make changes to the SV3P.idb file, which allows processd to start the proxy. This file is located at:

<$SPECROOT>/lib/SDPM/partslist/

Open SV3P.idb with a text editor and find the line that reads:

ARGV;$WORKPATH/sv3p<CSEXE> -d -unm -nosubagent; //

Change this to:

ARGV;$WORKPATH/sv3p<CSEXE> -d -unm -trapport <xxxx> -trapport <yyyy> -nosubagent;//

Where:

<xxxx> is the secondary port trap destination.

<yyyy> is the port on which SPECTRUM will receive traps from the proxy as specified by the brass_trap_port parameter defined in the .vnmrc file (see Are the port numbers configured correctly in SPECTRUM’s .vnmrc file? [page 17] for more information).

The following example shows the SV3P.idb configured so that the proxy will send traps to SPECTRUM and to another trap receiver. SPECTRUM will receive the traps on port 4748 and the other trap receiver will receive the traps on port 5556.

# Processd Install Ticket for SNMPv3 proxy
PARTNAME;SNMPV3;
APPNAME;SNMPv3 Proxy Agent;
WORKPATH;$SPECROOT/SV3P;
LOGNAMEPATH;$WORKPATH/SV3P.OUT;
ADMINPRIVS;y;
AUTORESTART;y;
AUTOBOOTSTART;y;
#STATEBASED;N;
NUMPROCS;1; // one per host
RETRYTIMEOUT;600; // 10 minutes
TICKETUSER;btykodi;
RETRYMAX;5; // 5 retries
ENV;SR_MGR_CONF_DIR=$WORKPATH/srconf/mgr;
ENV;SR_AGT_CONF_DIR=$WORKPATH/srconf/agt;
ARGV;$WORKPATH/sv3p<CSEXE> -d -unm -trapport 5556 -trapport 4748 -nosubagent;//

Once you have inserted the appropriate line in the SV3P.idb file, you must use the restart command to restart processd so that this new setting is used. Follow the instructions for doing this as outlined in How do I configure the proxy to replicate traps on other ports? [page 20].

For more information on processd and .idb files, see the Distributed SpectroSERVER Guide (2770).

How do I reconfigure the SpectroSERVER and the proxy so that SNMPv1/v2 traps and SNMPv2 informs are sent directly to the SpectroSERVER?

To allow SNMPv1/v2 traps and SNMPv2 informs to bypass the proxy, you must configure the SpectroSERVER to receive traps and informs on port 162 and change the port on which the proxy receives SNMPv3 data. The following instructions outline how to make these changes:

1. The brass_trap_port parameter defines the port number that SPECTRUM is listening on for incoming trap/inform data from the proxy. This parameter must be set to a value of 162.

a. Using a text editor, open SPECTRUM’s .vnmrc file located at <$SPECROOT>/SS/.

b. Find the line that defines the brass_trap_port parameter and reset it to:

brass_trap_port = 162;

2. One of the SPECTRUM/SNMPv3 Support settings in the services file must also be changed.

a. Using a text editor, open the services file located at /etc (Solaris) or C:\WINNT\system32\drivers\etc (Windows).

b. Find the line that defines the sr-unmtrap parameter and reset it to:

sr-unmtrap 162/udp;

3. To change the port on which the proxy receives SNMPv3 data, you must make changes to the file that allows processd to start the proxy.

a. Using a text editor, open the SV3P.idb located at <$SPECROOT>/lib/SDPM/partslist/.

b. Find the line that reads:

ARGV;$WORKPATH/sv3p<CSEXE> -d -unm -nosubagent; //

c. Insert the following line just above this line:

ENV;SR_TRAP_TEST_PORT = <portnumber>

Where <portnumber> is the number of the port where you would like the proxy to receive traps and informs.

For example:

ENV;SR_TRAP_TEST_PORT=2000;

4. Reconfigure the SNMPv3 devices so that the SNMP agent sends traps to the port defined in step 3.

5. Stop and restart the SpectroSERVER for changes made to the .vnmrc file to take effect.

6. Use the restart command to restart processd for changes made to SV3P.idb to take effect. Follow the instructions for doing this as outlined in How do I configure the proxy to replicate traps on other ports? [page 20].
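A consistency check for the port edits described in the three procedures above, written as an added example (it is not part of the original guide or of SPECTRUM). The function names are hypothetical, the ticket syntax is inferred from the listings in this guide, the sample files are constructed from the guide's example port numbers, and the port-collision check assumes the proxy and the SpectroSERVER run on the same host.

```python
import re

# Constructed sample inputs, built from the example values in this guide.
SAMPLE_IDB = """\
# Processd Install Ticket for SNMPv3 proxy
PARTNAME;SNMPV3;
ENV;SR_AGT_CONF_DIR=$WORKPATH/srconf/agt;
ENV;SR_TRAP_TEST_PORT = 5555
ARGV;$WORKPATH/sv3p<CSEXE> -d -unm -trapport 5556 -trapport 4748 -nosubagent;//
"""
SAMPLE_VNMRC = "brass_trap_port = 4748;\n"

def parse_idb(text):
    """Return (listen_port, trapports, env_line_no, argv_line_no) as found in the ticket."""
    listen = env_at = argv_at = None
    trapports = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("//")[0].strip()          # drop trailing // comments
        key, _, rest = line.partition(";")         # '#' lines never match a key below
        if key == "ENV":
            name, _, value = rest.partition("=")
            if name.strip() == "SR_TRAP_TEST_PORT":
                listen, env_at = value.strip(" ;"), n
        elif key == "ARGV":
            argv_at = n
            trapports = re.findall(r"-trapport\s+(\S+)", rest.rstrip(";"))
    return listen, trapports, env_at, argv_at

def valid_port(value):
    return bool(re.fullmatch(r"[0-9]{1,5}", value or "")) and 1 <= int(value) <= 65535

def audit(idb_text, vnmrc_text):
    """Return a list of findings; an empty list means the two files agree."""
    listen, trapports, env_at, argv_at = parse_idb(idb_text)
    m = re.search(r"^\s*brass_trap_port\s*=\s*(\d+)", vnmrc_text, re.M)
    brass = m.group(1) if m else None
    findings = []
    if argv_at is None:
        findings.append("no ARGV line in ticket")
    if listen is not None and not valid_port(listen):
        findings.append(f"SR_TRAP_TEST_PORT is not a valid port: {listen!r}")
    if env_at and argv_at and env_at > argv_at:
        findings.append("SR_TRAP_TEST_PORT must be set above the ARGV line")
    findings += [f"-trapport is not a valid port: {p!r}"
                 for p in trapports if not valid_port(p)]
    if trapports and brass not in trapports:       # <yyyy> must equal brass_trap_port
        findings.append(f"no -trapport matches brass_trap_port ({brass})")
    if listen is not None and listen == brass:     # same-host assumption
        findings.append(f"proxy and SpectroSERVER both listen on port {listen}")
    return findings
```

Running audit() on the contents of SV3P.idb and .vnmrc before restarting processd catches a leftover <portnumber> placeholder or a replicated trap port that SPECTRUM is not listening on.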

Index

Numerics
64-bit counter [6], [9]

A
Authenticated [14]
Authenticated with Privacy [14]
authentication [6], [8]
authentication algorithm [8]
AutoDiscovery [10], [14]

C
changing the security information [16]
contextName [16]
converting an SNMPv1 model to an SNMPv3 model [16]

E
encryption [6], [9]

G
get-bulk [10]

I
informs [6]

J
JMib tools [10]

M
manual modeling [12]
MD5 [8]

Message Digest Algorithm [8]

N
Non Authenticated [14]

P
processd [19], [22]
proxy [6]

R
replicate traps [20]

S
Secure Hash Algorithm [8]
SHA [8]
SNMPv1/v2 traps [7], [10], [22]
SNMPv2 informs [7], [10], [22]
SV3P.idb [19], [20], [22]

T
Toolkits [14]
Traps [9]
traps [6]

V
VACM [10]
View Based Access Control Model [10]