SPECTRUM SNMPv3 User Guide Document 5124

Upload: phamphuc

Post on 15-Mar-2018


Page 1: SPECTRUM SNMPv3 User Guide (5124) - CA Support Homeehealth-spectrum.ca.com/support/secure/products/... · in no event will ca be liable to the end user or any third party for any

SPECTRUM SNMPv3

User Guide

Document 5124


Notice

This documentation (the "Documentation") and related computer software program (the "Software") (hereinafter collectively referred to as the "Product") is for the end user's informational purposes only and is subject to change or withdrawal by CA at any time.

This Product may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA. This Product is confidential and proprietary information of CA and protected by the copyright laws of the United States and international treaties.

Notwithstanding the foregoing, licensed users may print a reasonable number of copies of the Documentation for their own internal use, and may make one copy of the Software as reasonably required for back-up and disaster recovery purposes, provided that all CA copyright notices and legends are affixed to each reproduced copy. Only authorized employees, consultants, or agents of the user who are bound by the provisions of the license for the Software are permitted to have access to such copies.

The right to print copies of the Documentation and to make a copy of the Software is limited to the period during which the license for the Product remains in full force and effect. Should the license terminate for any reason, it shall be the user's responsibility to certify in writing to CA that all copies and partial copies of the Product have been returned to CA or destroyed.

EXCEPT AS OTHERWISE STATED IN THE APPLICABLE LICENSE AGREEMENT, TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS PRODUCT "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO THE END USER OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS PRODUCT, INCLUDING WITHOUT LIMITATION, LOST PROFITS, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED OF SUCH LOSS OR DAMAGE.

The use of this Product and any product referenced in the Documentation is governed by the end user's applicable license agreement.

The manufacturer of this Product is CA.

This Product is provided with "Restricted Rights." Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7013(c)(1)(ii), as applicable, or their successors.

All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.

Copyright © 2006 CA. All rights reserved.


Contents

Preface

Chapter 1: SPECTRUM SNMPv3 Support
    Overview
    Features of SPECTRUM SNMPv3 Support
        Authentication
        Privacy
        64-Bit Counters
        Traps and Informs
    SPECTRUM SNMPv3 Support Issues
        AutoDiscovery
        JMib Tools
        get-bulk Command
        View Access Control Model (VACM)
        Performance and Capacity

Chapter 2: Modeling and Managing SNMPv3 Devices
    Manually Modeling an SNMPv3 Device
    Modeling an SNMPv3 Device Using a SPECTRUM Toolkit
    Modeling the SNMPv2c Device Using a SPECTRUM Toolkit
    Changing or Adding Security Information to a Device Model
        Change the Community Name Assigned to the Model
        Use the Update Command to Modify the Community_Name Attribute
        Destroy the Model and Rebuild
    Adding Context Name Information
    Specifying an Authentication Encryption Algorithm
        Changing the Default Authentication Encryption Algorithm
    Specifying a Privacy Encryption Algorithm
        Changing the Default Privacy Encryption Algorithm
    Configuring the SNMPv3 Communication Port

Chapter 3: Troubleshooting
    SPECTRUM SNMPv3 Proxy Communication Issues
        Is the SNMPv3 proxy installed properly?
        Is the SNMPv3 proxy running properly?
        Are the port numbers configured correctly in SPECTRUM’s .vnmrc file?
        Are the ports configured correctly in the SDM.idb file?
        Are the port numbers in use by another application?
        Is the device model’s security information correct?
    Frequently Asked Questions
        How can I change the port that the SNMPv3 proxy listens on for traps and informs?
        How do I configure the SNMPv3 proxy to replicate traps on other ports?
        How do I reconfigure the SpectroSERVER and the SNMPv3 proxy for SNMPv1/v2 traps and SNMPv2 informs to be sent directly to the SpectroSERVER?
        SPECTRUM loses SNMPv3 contact with my Cisco routers after I reboot them. How do I optimize performance?

Index


Preface

This guide is intended for SPECTRUM administrators who use SPECTRUM for fault management of SNMPv3 devices.

What is in this book

This guide is organized as follows:

• Chapter 1: “SPECTRUM SNMPv3 Support” - provides an overview of SNMPv3 support.

• Chapter 2: “Modeling and Managing SNMPv3 Devices” - explains how to create and maintain an SNMPv3 device model.

• Chapter 3: “Troubleshooting” - addresses device connectivity issues with the SNMPv3 proxy.

Text Conventions

The following text conventions are used in this document:

Element: Variables (The user supplies a value for the variable.)
Convention Used: Courier and Italic in angle brackets (<>)
Example: Enter the following:
DISPLAY=<workstation name>:0.0 export display

Element: The directory where you installed SPECTRUM (The user supplies a value for the variable.)
Convention Used: <$SPECROOT>
Example: Go to:
<$SPECROOT>/app-defaults

Element: Solaris and Windows directory paths
Convention Used: Unless otherwise noted, directory paths are common to both operating systems, with the exception that slashes (/) should be used in Solaris paths, and backslashes (\) should be used in Windows paths.
Example: <$SPECROOT>/app-defaults on Solaris is equivalent to <$SPECROOT>\app-defaults on Windows.

Element: On-screen text
Convention Used: Courier
Example: The following line displays:
path="/audit"

Element: User-typed text
Convention Used: Courier
Example: Enter the following path name:
C:\ABC\lib\db

Element: Cross-references
Convention Used: Underlined and hypertext-blue
Example: See “Document Feedback” on page 6.

Element: References to SPECTRUM documents (title and number)
Convention Used: Italic
Example: SPECTRUM Installation Guide (0675)

Document Feedback

Please send feedback regarding SPECTRUM documents to the following e-mail address:

[email protected]

Thank you for helping us improve our documentation.

Online Documents

SPECTRUM documents are available online at:

http://support.concord.com/support/secure/products/Spectrum_Doc/

Check this site for the latest updates and additions.


Chapter 1: SPECTRUM SNMPv3 Support

This chapter provides an overview of SPECTRUM SNMPv3 support. SPECTRUM SNMPv3 support provides a translation engine for SNMPv1 and SNMPv3 requests and responses.

In this chapter

• “Overview” on page 8

• “Features of SPECTRUM SNMPv3 Support” on page 10

• “SPECTRUM SNMPv3 Support Issues” on page 12


Overview

SPECTRUM SNMPv3 support includes:

• Authentication

• Encryption

• 64-bit counter support

• Receipt and processing of SNMPv3 format traps and informs

SPECTRUM uses the SNMPv3 proxy to communicate with devices that support SNMPv3. This proxy resides on the same system as the SpectroSERVER. It is started by the processd file during system startup.

SPECTRUM models and concurrently manages devices that support SNMPv1, SNMPv2c, and SNMPv3.

You need to manually model devices that support SNMPv3 as explained in “Manually Modeling an SNMPv3 Device” on page 14.

Figure 1-1 on page 9 illustrates the flow of data from SPECTRUM to and from the SNMPv3 device (through the SNMPv3 proxy).

Figure 1-1: SPECTRUM Flow of Data

[Diagram labels: SpectroSERVER Host System; SpectroSERVER (SNMPv3 Model, SNMPv1 Model); SNMPv3 Proxy; SNMPv3 Device; SNMPv1/v2 Device; Modified SNMPv1; SNMPv3 requests, responses, traps, and informs; SNMPv1/v2; SNMPv1/v2 traps; SNMPv2 informs.]

The figure carries the following notes:

• The SNMPv3 proxy translates modified SNMPv1 packets from SPECTRUM into SNMPv3 format to send out to an SNMPv3 device. Security data is added to the packet when you model the device.

• SNMPv3 packets from a device are authenticated and decrypted by the SNMPv3 proxy. The packets are then translated into SNMPv1 format and sent to SPECTRUM.

• By default, the SNMPv3 proxy receives SNMPv1/v2 traps and SNMPv2 informs. They are passed through the proxy and sent to SpectroSERVER. Responses to SNMPv2 informs are sent out through the SNMPv3 proxy.

• SNMPv1 requests and responses are sent directly to the SpectroSERVER (not through the SNMPv3 proxy).

• You can configure SpectroSERVER and the SNMPv3 proxy for SNMPv1/v2 traps and SNMPv2 informs to be sent directly to the SpectroSERVER. See “Troubleshooting” on page 25 for instructions.


Features of SPECTRUM SNMPv3 Support

SPECTRUM SNMPv3 support includes the following:

• “Authentication”

• “Privacy”

• “64-Bit Counters”

• “Traps and Informs”

SNMPv3 provides these levels of security: non-authenticated, authenticated, and authenticated with privacy.

Authentication

Authentication in SNMPv3 uses an encryption algorithm to determine if a message is from a valid source. SPECTRUM supports the SNMPv3 standard for the authentication of messages. You specify an authentication password for a device model when you create it (see “Manually Modeling an SNMPv3 Device” on page 14).

When an SNMP packet is converted to SNMPv3 by the proxy, security parameters are added to the SNMPv3 packet that is sent to the device. The SNMPv3 agent on the device verifies the authenticity of the message to ensure that the packet came from an authorized source.

SNMPv3 data sent from the device to SPECTRUM also uses similar security parameters. The SNMPv3 proxy receives the packet and verifies the authenticity before passing the data to SPECTRUM.

The SNMPv3 proxy supports the following encryption algorithms for authentication:

• MD5 (Message Digest Algorithm) — produces a 128-bit (16 byte) message digest. This is the default. You can model a device configured to use MD5, using “Authenticated” or “Authenticated with Privacy.”

• SHA (Secure Hash Algorithm) — produces a 160-bit (20 byte) message digest.

The SNMPv3 proxy uses MD5 by default. You can specify a different authentication encryption algorithm by prepending it to the password in the community string. See “Specifying an Authentication Encryption Algorithm” on page 21 for more information.

Privacy

Privacy in SNMPv3 uses an encryption algorithm to encode the contents of an SNMPv3 packet to ensure that it cannot be viewed by unauthorized entities when routed over the network. SPECTRUM supports the SNMPv3 standard for the encryption of messages. You specify a privacy password for a device model when you create it (see “Manually Modeling an SNMPv3 Device” on page 14).

The SNMP message is sent from SPECTRUM to the SNMPv3 proxy. The proxy uses the password to encrypt the message before it goes out onto the network. The destination device decrypts the data when it receives it.


SNMPv3 data sent from the device to SPECTRUM is also encrypted. The proxy decrypts the packet and passes the information to SPECTRUM.

Any data sent between the SpectroSERVER and the SNMPv3 proxy is not encrypted. Only the communication between the proxy and the actual device is carried out in a secure, encrypted format. However, since the SNMPv3 proxy resides on the system that runs the SpectroSERVER, only encrypted data actually travels over the network. You should configure the host system’s security to provide adequate security for both the SpectroSERVER and the proxy.

The SNMPv3 proxy supports the following encryption algorithms for privacy:

• DES — Data Encryption Standard (DES) is a 64-bit standard that encrypts and decrypts data.

• 3DES — Data Encryption Standard (DES) is a 64-bit standard that encrypts and decrypts data three times.

• AES — Advanced Encryption Standard (AES) is a 128-bit standard, cryptographic algorithm that encrypts and decrypts data.

The SNMPv3 proxy uses DES by default. You can specify a different privacy encryption algorithm by prefixing it to the password in the community string. See “Specifying a Privacy Encryption Algorithm” on page 22 for more information.

64-Bit Counters

The SNMPv3 standard provides support for 64-bit counters. SPECTRUM can access 64-bit counter MIB variables for all SNMPv3 devices that comply with this standard.

Traps and Informs

SPECTRUM supports the ability to receive SNMPv3 traps and informs that are sent from a device or management system. The proxy receives traps and informs on port 162, and then forwards them to SPECTRUM.

SPECTRUM receives traps and informs on the port number configured using the brass_trap_port variable in the .vnmrc file. By default the brass_trap_port is set to 4748. When SPECTRUM receives an inform, it sends a response to the inform as outlined in the SNMPv3 standard.

By default, SNMPv1/SNMPv2 traps and SNMPv2 informs are also sent through the proxy to the SpectroSERVER.

See “Troubleshooting” on page 25 for more information on the following:

• Reconfiguring the SpectroSERVER and the proxy so that SNMPv1/v2 traps and SNMPv2 informs are sent directly to the SpectroSERVER

• brass_trap_port variable

• Configuring the proxy to replicate traps on other ports

• Changing the port on which the proxy receives traps and informs


SPECTRUM SNMPv3 Support Issues

AutoDiscovery

SPECTRUM does not support the AutoDiscovery of SNMPv3 devices. You must manually model SNMPv3 devices. See “Modeling and Managing SNMPv3 Devices” on page 13 for further information.

JMib Tools

You cannot use SPECTRUM JMib tools to contact or examine MIBs on SNMPv3 devices.

get-bulk Command

SPECTRUM’s support of SNMPv3 does not include the get-bulk command.

View Access Control Model (VACM)

SPECTRUM supports the VACM features of SNMPv3; however, VACM is not recommended. SPECTRUM has features to ensure secure access to devices. If you give SPECTRUM full view access to all device MIBs, you receive effective monitoring and management performance.

Performance and Capacity

High processing resources are required for SPECTRUM to effectively manage SNMPv3 devices. More overhead is consumed using the Authentication and Privacy features due to the time it takes to decrypt and authenticate each message.

This affects the number of device models that a SpectroSERVER can manage. Therefore, it is recommended that you only model devices that benefit from SNMPv3 support. You can model other devices using SNMPv1.


Chapter 2: Modeling and Managing SNMPv3 Devices

This chapter explains how to model and maintain an SNMPv3 device.

In this chapter:

• “Manually Modeling an SNMPv3 Device” on page 14

• “Modeling an SNMPv3 Device Using a SPECTRUM Toolkit” on page 18

• “Modeling the SNMPv2c Device Using a SPECTRUM Toolkit” on page 19

• “Changing or Adding Security Information to a Device Model” on page 19

• “Adding Context Name Information” on page 20

• “Specifying an Authentication Encryption Algorithm” on page 21

• “Specifying a Privacy Encryption Algorithm” on page 22

• “Configuring the SNMPv3 Communication Port” on page 23


Manually Modeling an SNMPv3 Device

This section explains how to model an SNMPv3 device.

Note: You cannot model SNMPv3 devices using the Model by Name or AutoDiscovery features in SPECTRUM.

Procedure

On Solaris:

1. In SpectroGRAPH, select Edit from the File menu.

2. Select the New model by IP from the Edit Menu.

The Create Model by IP Address dialog box appears.

Figure 2-1: Create Model By IP Address Dialog Box


On the OneClick Console:

1. Click the Topology tab.

2. Click the Create a new model by IP icon in the toolbar.

The Create Model by IP Address dialog box appears.

Figure 2-2: Create Model By IP Address Dialog Box

3. Enter the IP address for the device you want to model in the Network Address field.

4. Enter an SNMP community string for the device in the Community Name field.

5. Enter the timeout between retry attempts (in milliseconds) in the DCM (Device Communications Manager) Timeout (ms) box. The default is 3000 milliseconds (3 seconds).

6. Enter the number of times that the DCM attempts to send a request to a device that is not responding in the DCM Retry Count box.

7. Choose to Discover Connections if appropriate. See How to Manage Your Network with SPECTRUM (1909) for further instructions on these options.


8. Check the Use SNMPv3 option to model an SNMPv3 device. The Community Name box becomes disabled. The SNMPv3 security options in the lower part of the screen are enabled.

9. Choose one of the following SNMPv3 standard security options:

• Non Authenticated — data sent from the SPECTRUM host system to the SNMPv3 device is not encrypted or authenticated (proceed to step 13).

• Authenticated — data sent from the SPECTRUM host system to the SNMPv3 device is authenticated; however it is not encrypted.

• Authenticated with Privacy — data sent from the SPECTRUM host system to the SNMPv3 device is both encrypted and authenticated.

If you select Authenticated:

On Solaris:

Enter a password in the Authentication box.

On the OneClick Console:

Click the (Set password) link. The Authentication Password dialog box appears.

Figure 2-3: Authentication Password Dialog Box

10. Enter the same data that has been configured for full MIB access on the device in the Authentication Password box. Confirm the password and click OK.

11. If you selected Authenticated with Privacy:

On Solaris:

Enter a password in the Authentication and Privacy boxes.

On the OneClick Console:

Click the (Set password) link. The Authentication and Privacy Password dialog box appears.


Figure 2-4: Authentication and Privacy Password Dialog Box

12. Fill in the Authentication Password and Privacy Password fields with the same data that has been configured for full MIB access on the device, and click OK.

13. Fill in the User ID box with the same data that has been configured for full MIB access on the device.

14. Click the OK button in the Create Model By IP Address dialog box to accept your selections. The model of the device appears in the Topology view.

Important: Modifying the User ID box after your model has connected results in loss of contact with the SNMPv3 device. You can modify the Authentication Password or Privacy Password boxes without a loss of contact.

Note: After you have modeled SNMPv3 devices, you can model the rest of the network using AutoDiscovery. AutoDiscovery does not overwrite any of the devices that you have already created.


Modeling an SNMPv3 Device Using a SPECTRUM Toolkit

You can use one of SPECTRUM’s Toolkits (for example, Modeling Gateway) to create a device model that supports SNMPv3. Use the following syntaxes when specifying the community name for the model:

• For a community name that uses both privacy and authentication, use the following syntax:

#v3/P:<authPW>:<privPW>/<user>

where:

<authPW> is the authentication password configured on the device.

<privPW> is the privacy password configured on the device.

<user> is the user id configured on the device.

For example:

#v3/P:myAuthPW:myPrivPW/myUserID

• For a community name that uses authentication only, use the following syntax:

#v3/A:<authPW>/<user>

where:

<authPW> is the authentication password configured on the device.

<user> is the user id configured on the device.

For example:

#v3/A:myAuthPW/myUserID

• For a community name that does not use authentication or privacy, use the following syntax:

#v3/N/<user>

where:

<user> is the user id configured on the device.

For example:

#v3/N/myUserID

• For a community name that uses authentication (SHA), use the following syntax:

#v3/SHA^<authPW>/<user>

• For a community name that uses both privacy (3DES) and authentication, use the following syntax:

#v3/<authPW>:3DES^<privPW>/<user>


Modeling the SNMPv2c Device Using a SPECTRUM Toolkit

To use one of SPECTRUM’s Toolkits (for example, Modeling Gateway) to create a device model that supports SNMPv2c, use the following syntax when specifying the community name for the model:

#v3/<community name>

where:

<community name> is the community name of the device.

For example:

#v3/mycommunityname

Changing or Adding Security Information to a Device Model

You can change security information for an existing SNMPv3 device model or add an SNMPv1 device model to an SNMPv3 device model. You need to add the appropriate security information to the device model.

Change the Community Name Assigned to the Model

Procedure

1. Right click on the device model and select Model Information.

The Model Information window appears.

2. Edit the Community Name box in the Communication Information section. Use a syntax listed in “Modeling an SNMPv3 Device Using a SPECTRUM Toolkit” on page 18 to create the appropriate string.

3. Enter this data into the box and save your changes.

Use the Update Command to Modify the Community_Name Attribute

Use the syntax outlined in “Modeling an SNMPv3 Device Using a SPECTRUM Toolkit” on page 18. See the Command Line Interface Guide (0664) for information on using CLI commands.

Destroy the Model and Rebuild

See “Manually Modeling an SNMPv3 Device” on page 14.


Adding Context Name Information

You can add the SNMPv3 context name value to be sent with SNMPv3 messages for a particular device.

Procedure

1. Right click on the device model to display a pop-up menu.

2. Select Model Information.

The Model Information window appears.

Figure 2-5: Model Information View

3. Enter Edit mode by choosing Edit from the File menu.

4. Insert the context name value in the Community Name field. For example, if the current community string is:

#v3/P:authPass:privPass/myuserid

To insert a contextName value of “quark”, add “-quark” to the community string as follows:

#v3/P:authPass:privPass/-quark/myuserid

5. Once you have added the appropriate context name value, choose to Save All Changes in the File menu.


Specifying an Authentication Encryption Algorithm

The SNMPv3 proxy supports both MD5 and SHA authentication encryption. It uses MD5 by default. You can specify an alternate encryption algorithm by prepending it to the password in the community string. Prefixing the encryption algorithm on the community name for a particular device model overrides the default algorithm for that device model only.

For example:

For a community name that uses authentication only, use the following syntax:

#v3/SHA^<authPW>/<user>

For a community name that uses both privacy and authentication, use the following syntax:

#v3/SHA^<authPW>:<privPW>/<user>

where:

<authPW> is the authentication password configured on the device.

<privPW> is the privacy password configured on the device.

<user> is the user id configured on the device.

Changing the Default Authentication Encryption Algorithm

To change the default authentication encryption algorithm for all device models, you must modify the SDM.idb file.

Procedure

1. Go to the following directory:

<$SPECROOT>/lib/SDPM/partslist/

2. Open SDM.idb with a text editor and locate the following line:

ARG;$WORKPATH/SDManager<CSEXE> -c64 -d -secpack -listen 4747 -trapport 4748 -du -notrap_throttle -wbufnum 16384;

3. Add -sha to the end of this line.


Specifying a Privacy Encryption Algorithm

The SNMPv3 proxy supports DES, 3DES, and AES privacy encryption. It uses DES by default. You can specify an alternate encryption algorithm by prefixing it to the password in the community string. Prefixing the encryption algorithm on the community name for a particular device model overrides the default algorithm for that device model only.

For example:

For a community name that uses both privacy and authentication, use the following syntax:

#v3/<authPW>:3DES^<privPW>/<user>

where:

<authPW> is the authentication password configured on the device.

<privPW> is the privacy password configured on the device.

<user> is the user id configured on the device.
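The following added example (not part of the original guide or the product) resolves which authentication and privacy algorithms a community name selects, covering the two forms shown in this section and the documented MD5/DES defaults. The function names, the sample entries, the `MD5`, `DES` and `AES` prefix spellings, and the rule that passwords contain no `/`, `:` or `^` are assumptions.

```python
import re

# SHA and 3DES appear as prefixes in the guide's syntax; MD5, DES and AES are
# assumed to be spelled like the algorithm names used in the text.
AUTH_ALGS = ("MD5", "SHA")
PRIV_ALGS = ("DES", "3DES", "AES")
WEAKEST = {"MD5", "DES"}  # weakest of the options the proxy supports

def split_prefix(field, allowed, default):
    """Split an optional 'ALG^' prefix off one password field."""
    alg, sep, password = field.partition("^")
    if not sep:
        return default, field, False
    if alg.upper() not in allowed:
        raise ValueError(f"unsupported algorithm prefix {alg!r}")
    return alg.upper(), password, True

def effective_security(name, default_auth="MD5", default_priv="DES"):
    """Resolve the algorithms a '#v3/...' community name selects.

    Passwords are validated but never returned, so results are safe to log.
    """
    m = re.fullmatch(r"#v3/([^/]+)/([^/]+)", name)
    if m is None:
        raise ValueError("expected #v3/<authPW>[:<privPW>]/<user>")
    secrets, user = m.groups()
    auth_field, has_priv, priv_field = secrets.partition(":")
    auth_alg, auth_pw, auth_explicit = split_prefix(auth_field, AUTH_ALGS, default_auth)
    priv_alg, priv_pw, priv_explicit = None, None, False
    if has_priv:
        priv_alg, priv_pw, priv_explicit = split_prefix(priv_field, PRIV_ALGS, default_priv)
    if not auth_pw or (has_priv and not priv_pw):
        raise ValueError("empty password field")
    notes = []
    for kind, alg, explicit in (("auth", auth_alg, auth_explicit),
                                ("priv", priv_alg, priv_explicit)):
        if alg in WEAKEST:
            source = "explicit prefix" if explicit else "proxy default"
            notes.append(f"{kind}={alg} ({source})")
    return {"user": user, "auth": auth_alg, "priv": priv_alg, "weak": notes}

# Constructed sample entries (not real credentials).
SAMPLES = ["#v3/SHA^Auth-pass-01/netops",
           "#v3/Auth-pass-01:3DES^Priv-pass-01/netops",
           "#v3/SHA^Auth-pass-01:Priv-pass-01/netops"]
```

Pass `default_auth` and `default_priv` to match an installation whose SDM.idb line carries `-sha`, `-3des` or `-aes`.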

Changing the Default Privacy Encryption Algorithm

To change the default privacy encryption algorithm for all device models, you must modify the SDM.idb file.

Procedure

1. Go to the following directory:

<$SPECROOT>/lib/SDPM/partslist/

2. Open SDM.idb with a text editor and locate the following line:

ARG;$WORKPATH/SDManager<CSEXE> -c64 -d -secpack -listen 4747 -trapport 4748 -du -notrap_throttle -wbufnum 16384;

3. Add one of the following algorithms to the end of this line:

-3des (makes the default privacy 3DES, instead of DES)

-aes (makes the default privacy AES128, instead of DES)

where,

AES — Advanced Encryption Standard (AES) is a 128-bit standard, cryptographic algorithm that encrypts and decrypts data.

3DES — Data Encryption Standard (DES) is a 64-bit standard that encrypts and decrypts data three times.

Configuring the SNMPv3 Communication Port

You can configure the port on which SPECTRUM sends SNMPv3 communication. You can also specify a particular port for SNMPv3 communication if you are working in an environment with a firewall.

Procedure

1. Go to the following directory:

<$SPECROOT>/lib/SDPM/partslist/

2. Open SDM.idb with a text editor and locate the following line:

ARG;$WORKPATH/SDManager<CSEXE> -c64 -d -secpack -listen 4747 -trapport 4748 -du -notrap_throttle -wbufnum 16384;

3. Modify this line to include the following command:

-snmp_send_port <port>

where:

<port> is the port number for SNMPv3 communication.

For example:

ARG;$WORKPATH/SDManager<CSEXE> -c64 -d -secpack -listen 4747 -trapport 4748 -snmp_send_port 25556 -du -notrap_throttle -wbufnum 16384;

4. Stop and restart processd.

For information on processd, see the Distributed SpectroSERVER (2770) guide.

Chapter 3: Troubleshooting

This chapter addresses device connectivity issues with the SNMPv3 proxy.

SPECTRUM SNMPv3 Proxy Communication Issues

An error message or alarm is displayed in the event that SPECTRUM cannot communicate with an SNMPv3 proxy running on a device. This message indicates that SPECTRUM can contact the device using ICMP; however, it cannot contact the device using SNMP.

The following questions and answers help you troubleshoot SNMPv3 proxy issues:

Is the SNMPv3 proxy installed properly?

To verify that the SNMPv3 proxy is installed, ensure that the SDManager executable is installed:

On Solaris:

<$SPECROOT>/SDM/SDManager

On Windows:

<$SPECROOT>\SDM\SDManager.exe

Is the SNMPv3 proxy running properly?

To determine if the SNMPv3 proxy is running properly:

On Windows:

Open Task Manager and click the Processes tab. The executable SDManager.exe should appear in the list.

On Solaris/Linux:

Enter the following command:

pgrep SDManager

Are the port numbers configured correctly in SPECTRUM’s .vnmrc file?

The .vnmrc file is a text file located in the <$SPECROOT>/SS directory (on Windows, Solaris, and Linux). This file includes the following two parameters that SPECTRUM uses to communicate with the SNMPv3 proxy:

• brass_comm_port - defines the port number that SPECTRUM uses to send requests to the SNMPv3 proxy. The default value for this parameter is 4747.

• brass_trap_port - defines the port number that SPECTRUM is listening on for incoming trap/inform data from the SNMPv3 proxy. The default value for this parameter is 4748.

Are the ports configured correctly in the SDM.idb file?

The SDM.idb file lists port numbers for services that interact with the system. The SNMPv3 proxy uses the two values in this file to communicate properly with SPECTRUM. These values define the following:

• Port number on which the SNMPv3 proxy is listening for requests from SPECTRUM

• Port number on which SPECTRUM receives traps from the SNMPv3 proxy

Procedure

1. Go to the following directory:

<$SPECROOT>/lib/SDPM/partslist/

2. Open the SDM.idb file using a text editor and ensure these entries appear:

-listen 4747 -trapport 4748
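The two port checks above can be run as one consistency test. This is an added example, not a tool shipped with SPECTRUM: it parses the SDManager ARG line from SDM.idb, reads the brass_* parameters from .vnmrc, and reports mismatches. The function names and sample file contents are constructed, and the `brass_comm_port = <n>;` line format is assumed to match the `brass_trap_port = 162;` form shown elsewhere in this guide.

```python
import re

# Constructed sample file contents (not taken from a real installation).
SAMPLE_IDB = ("ARG;$WORKPATH/SDManager<CSEXE> -c64 -d -secpack -listen 4747 "
              "-trapport 4748 -trapport 5162 -snmp_send_port 25556 -du "
              "-notrap_throttle -wbufnum 16384 -sha -aes;\n")
SAMPLE_VNMRC = "brass_comm_port = 4747;\nbrass_trap_port = 162;\n"

VALUE_OPTS = {"-listen": "listen", "-snmp_send_port": "send_port"}
ALG_FLAGS = {"-sha": ("auth", "SHA"), "-3des": ("priv", "3DES"),
             "-aes": ("priv", "AES")}

def parse_sdm_idb(text):
    """Extract the SDManager options this guide discusses from SDM.idb text."""
    arg = next((ln for ln in text.splitlines()
                if ln.startswith("ARG;") and "SDManager" in ln), None)
    if arg is None:
        raise ValueError("no SDManager ARG line found")
    cfg = {"listen": None, "trapports": [], "send_port": None,
           "auth": "MD5", "priv": "DES"}          # documented defaults
    tokens = iter(arg.replace(";", " ").split()[2:])
    for tok in tokens:
        if tok == "-trapport":                     # may repeat (trap replication)
            cfg["trapports"].append(int(next(tokens)))
        elif tok in VALUE_OPTS:
            cfg[VALUE_OPTS[tok]] = int(next(tokens))
        elif tok in ALG_FLAGS:
            key, alg = ALG_FLAGS[tok]
            cfg[key] = alg
    return cfg

def parse_vnmrc(text):
    """Read brass_comm_port / brass_trap_port, falling back to the defaults."""
    ports = {"brass_comm_port": 4747, "brass_trap_port": 4748}
    for key, val in re.findall(r"^\s*(brass_(?:comm|trap)_port)\s*=\s*(\d+)",
                               text, re.M):
        ports[key] = int(val)
    return ports

def check_ports(idb_text, vnmrc_text):
    """Return a list of mismatches between SDM.idb and .vnmrc."""
    idb, rc = parse_sdm_idb(idb_text), parse_vnmrc(vnmrc_text)
    problems = []
    if idb["listen"] != rc["brass_comm_port"]:
        problems.append(f"-listen {idb['listen']} != brass_comm_port")
    if rc["brass_trap_port"] not in idb["trapports"]:
        problems.append(f"brass_trap_port {rc['brass_trap_port']} not in -trapport list")
    return problems
```

An empty list from `check_ports` means the two files agree; a placeholder such as `<xxxx>` left in the ARG line raises `ValueError` instead of passing silently.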

Are the port numbers in use by another application?

The SNMPv3 proxy cannot run if the port numbers listed in the .vnmrc file and in the SDM.idb file are used by another application. In this case, an error message is written to the <$SPECROOT>/SDM/SDManager.OUT file.

The following error messages are displayed when port numbers are being used by another application:

“Cannot bind to socket”

“There may be another BRASS server running”

These messages indicate that one or more of the ports are occupied by another process or application. Perform one of the following steps to troubleshoot this problem:

• Change the port settings of the other application

• Change the port settings for SPECTRUM and the SNMPv3 proxy by modifying the .vnmrc file and the SDM.idb file

Is the device model’s security information correct?

If you changed security information for a particular device model (see “Changing or Adding Security Information to a Device Model” on page 19), and the new information provided does not match the security information on the device, SPECTRUM generates an alarm indicating that it can contact the device using ICMP; however, it cannot contact the device using SNMP.

To troubleshoot this problem, update the security information for the device model to match the information on the device.

Frequently Asked Questions

How can I change the port that the SNMPv3 proxy listens on for traps and informs?

To change the port that the SNMPv3 proxy listens on for traps and informs, you need to modify the SDM.idb file, which allows processd to start the SNMPv3 proxy.

Procedure

1. Go to the following directory:

<$SPECROOT>/lib/SDPM/partslist/

2. Open SDM.idb with a text editor and locate the following line:

ARG;$WORKPATH/SDManager<CSEXE> -c64 -d -secpack -listen 4747 -trapport 4748 -du -notrap_throttle -wbufnum 16384;

3. Insert the following line above this line:

ENV;SR_TRAP_TEST_PORT = <portnumber>

where,

<portnumber> is the number of the port where you want the proxy to receive traps and informs.

4. Restart processd so that it uses this new setting.

On Solaris:

a. Log in as root.

b. Go to the <$SPECROOT>/lib/SDPM directory.

c. Enter the following command:

processd.pl restart

Output appears onscreen, for example: starting “SPECTRUM Process Daemon” daemon: pid 170

On Windows:

a. Ensure you are logged on as a member of the Spectrum Users group.

b. Open a DOS command prompt.

c. Go to the following directory:

<$SPECROOT>/lib/SDPM

d. Enter the following command:

perl processd.pl restart

Output appears onscreen, for example:

Requesting start of service “SPECTRUM Process Daemon”

Requesting start of service “osagent”

Requesting start of service “mysql”

Requesting start of service “icmpd”

For more information on processd and .idb files, see the Distributed SpectroSERVER Guide (2770).

How do I configure the SNMPv3 proxy to replicate traps on other ports?

To allow the SNMPv3 proxy to send traps to SPECTRUM and to other trap receivers, you need to modify the SDM.idb file, which allows processd to start the SNMPv3 proxy.

Procedure

1. Go to the following directory:

<$SPECROOT>/lib/SDPM/partslist/

2. Open SDM.idb with a text editor and locate the following line:

ARG;$WORKPATH/SDManager<CSEXE> -c64 -d -secpack -listen 4747 -trapport 4748 -du -notrap_throttle -wbufnum 16384;

3. Add -trapport <xxxx> to the line. For example:

ARG;$WORKPATH/SDManager<CSEXE> -c64 -d -secpack -listen 4747 -trapport 4748 -trapport <xxxx> -du -notrap_throttle -wbufnum 16384;

where:

• <xxxx> is the secondary port trap destination.

• <4748> is the port on which SPECTRUM receives traps from the SNMPv3 proxy as specified by the brass_trap_port parameter defined in the .vnmrc file. See “Are the port numbers configured correctly in SPECTRUM’s .vnmrc file?” on page 26 for details.

After you insert the appropriate line in the SDM.idb file, use the restart command to restart processd (for it to use this new setting) as explained in “How can I change the port that the SNMPv3 proxy listens on for traps and informs?” on page 27.

For more information on processd and .idb files, see the Distributed SpectroSERVER Guide (2770).

How do I reconfigure the SpectroSERVER and the SNMPv3 proxy for SNMPv1/v2 traps and SNMPv2 informs to be sent directly to the SpectroSERVER?

To allow SNMPv1/v2 traps and SNMPv2 informs to bypass the SNMPv3 proxy, you need to configure the SpectroSERVER to receive traps and informs on port 162 and change the port on which the SNMPv3 proxy receives data.

Procedure

1. Go to the following directory:

<$SPECROOT>/SS/

2. Using a text editor, open the .vnmrc file.

3. Locate the brass_trap_port parameter. This parameter defines the port number that SPECTRUM is listening on for incoming trap/inform data from the proxy. Reset it to:

brass_trap_port = 162;

4. Go to the following directory:

On Solaris:

/etc

On Windows:

C:\WINNT\system32\drivers\etc

5. Using a text editor, open the services file.

6. Reset the sr-unmtrap line to:

sr-unmtrap 162/udp;

7. Change the port on which the SNMPv3 proxy receives data by modifying the processd file (which starts the SNMPv3 proxy).

8. Go to the following directory:

<$SPECROOT>/lib/SDPM/partslist/

9. Using a text editor, open the SDM.idb file.

10. Locate the following line:

ARG;$WORKPATH/SDManager<CSEXE> -c64 -d -secpack -listen 4747 -trapport 4748 -du -notrap_throttle -wbufnum 16384;

11. Insert the following line above this line.

ENV;SR_TRAP_TEST_PORT = <portnumber>

where,

<portnumber> is the number of the port where the SNMPv3 proxy receives traps and informs.

For example:

ENV;SR_TRAP_TEST_PORT=2000;

12. Reconfigure the SNMPv3 device so that the SNMP agent sends traps to the port you defined.

13. Stop and restart the SpectroSERVER for changes made to the .vnmrc file to take effect.

14. Go to the <$SPECROOT>/lib/SDPM directory and enter the following command:

processd.pl restart

15. Ensure you follow the steps in “How do I configure the SNMPv3 proxy to replicate traps on other ports?” on page 28.

SPECTRUM loses SNMPv3 contact with my Cisco routers after I reboot them. How do I optimize performance?

SPECTRUM can lose communication via the SNMPv3 agent with Cisco devices, such as Cisco router models 2621 v12.2 (IOS), 2517 v12.0 (IOS), or 2514 v12.2 (IOS).

SPECTRUM’s SNMPv3 support includes a security feature called “replay protection,” which guards against SNMPv3 packet deciphering activities over the network. Replay protection checks the following two values on a device whenever an SNMP query is initiated:

• snmpEngineBoots - the number of times the device has rebooted.

• snmpEngineTime - the number of seconds since the snmpEngineBoots counter was last incremented.

SDManager (Security Domain Manager/SNMPv3 proxy) monitors these values for every device. When SNMP communication is properly occurring, SDManager and a device are in sync with one another. If a device goes down, SDManager receives the snmpEngineTime with the value of 0. SDManager compares the snmpEngineBoots value and if it has incremented then communication resumes. If the snmpEngineBoots value has not incremented, then SDManager does not resume communication.

This problem is due to a Cisco IOS firmware bug in which the boot count is not incremented after a reboot, causing SDManager to stop communication.

To avoid this performance problem, upgrade these routers with the latest Cisco IOS firmware (see http://www.cisco.com for details).

For more information on replay protection, see RFC 3414, section 2.2, “Replay Protection.”
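The behaviour described in this answer follows from the timeliness checks that RFC 3414 specifies for a manager tracking a device's engine. The sketch below is an added example, not SDManager's code: it applies those checks to a device that reboots with and without incrementing snmpEngineBoots. The class and function names and the sample boot and time values are constructed.

```python
TIME_WINDOW = 150        # seconds of tolerated time difference (RFC 3414)
MAX_BOOTS = 2147483647   # latched snmpEngineBoots value; nothing is accepted

class EngineView:
    """A manager's local notion of one device's authoritative SNMP engine."""

    def __init__(self, boots, time, latest_received):
        self.boots = boots                      # last known snmpEngineBoots
        self.time = time                        # estimate of snmpEngineTime
        self.latest_received = latest_received  # highest time seen this boot

    def accept(self, msg_boots, msg_time):
        """Run the timeliness checks on an authenticated message."""
        # Resynchronise only when the device proves it is "newer": a higher
        # boot count, or the same boot count with a later engine time.
        if msg_boots > self.boots or (
                msg_boots == self.boots and msg_time > self.latest_received):
            self.boots = msg_boots
            self.time = self.latest_received = msg_time
        # Reject anything from an older boot cycle or more than 150 s stale.
        stale = msg_boots == self.boots and msg_time < self.time - TIME_WINDOW
        return not (self.boots == MAX_BOOTS or msg_boots < self.boots or stale)

def after_reboot(boots_incremented):
    """Device reboots after a day in sync; its engine time restarts near 0."""
    view = EngineView(boots=5, time=86400, latest_received=86400)
    msg_boots = 6 if boots_incremented else 5   # the firmware bug keeps 5
    accepted = view.accept(msg_boots, msg_time=3)
    return accepted, view.boots, view.time

if __name__ == "__main__":
    print("boots incremented:", after_reboot(True))
    print("boots unchanged:  ", after_reboot(False))
```

With the boot count unchanged, the restarted engine time looks like a replay of a day-old message, so the manager keeps its old values and rejects every reply until the time catches up or the boot count rises.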
