Using SNMPv3 with ServerView Suite products - Overview

Overview - English FUJITSU Software ServerView Suite Using SNMPv3 with ServerView Suite Products (Windows and Linux) Edition January 2017


Page 1: Using SNMPv3 with ServerView Suite products - Overview

Overview - English

FUJITSU Software ServerView Suite

Using SNMPv3 with ServerView Suite Products (Windows and Linux)

Edition January 2017

Comments… Suggestions… Corrections…

The User Documentation Department would like to know your opinion of this manual. Your feedback helps us optimize our documentation to suit your individual needs.

Feel free to send us your comments by e-mail [email protected].

Certified documentation according to DIN EN ISO 9001:2008

To ensure a consistently high quality standard and user-friendliness, this documentation was created to meet the regulations of a quality management system which complies with the requirements of the standard DIN EN ISO 9001:2008.

cognitas. Gesellschaft für Technik-Dokumentation mbH

www.cognitas.de

Copyright and trademarks

Copyright 1998 - 2017 FUJITSU LIMITED

All rights reserved.

Delivery subject to availability; right of technical modifications reserved.

All hardware and software names used are trademarks of their respective manufacturers.

Contents

1 Using SNMPv3 with ServerView Suite Products
1.1 What’s new
1.2 Target groups and objectives
1.3 Documentation for the ServerView Suite
1.4 Notational conventions

2 SNMPv3: New features
2.1 Origins
2.2 SNMPv3: New features
2.3 SNMP architecture
2.3.1 SNMP manager and SNMP agent
2.4 Security issues
2.4.1 SNMPv3: Threats
2.4.2 SNMPv3: Security model and access control
2.4.3 User-based Security Model (USM)
2.4.4 View-based Access Control Model (VACM)
2.5 User management

3 Using SNMPv3 with ServerView Agents
3.1 Architecture and requirements
3.1.1 Agent architecture
3.1.2 Technical requirements of ServerView Agents
3.2 Windows-based server: Overview of procedures
3.2.1 Switch to SNMPv3
3.2.2 Initial installation of a managed server
3.2.3 Updates
3.3 Linux-based server: Overview of procedures
3.3.1 Switch to SNMPv3
3.3.2 Initial installation of a managed server
3.3.3 Updates
3.4 Procedures
3.4.1 Installing and/or activating the Microsoft Windows SNMP service (Windows)
3.4.2 Installing the ServerView Agents (Windows/Linux)
3.4.3 Deactivating the Windows SNMP service and Installing Net-SNMP (Windows)
3.4.3.1 Net-SNMP Installer for Windows
3.4.3.2 Step by Step
3.4.4 Configuring Net-SNMP (Windows/Linux)
3.4.4.1 Configuring snmpd.conf
3.4.5 Updating ServerView Agents with Net-SNMP master agent (Windows/Linux)
3.4.5.1 Linux
3.4.5.2 Windows

4 Using SNMPv3 with ServerView Operations Manager
4.1 Architecture and requirements
4.1.1 SNMPv3 communication between ServerView Operations Manager and ServerView Agents
4.1.1.1 A common user for SNMPv3 communication
4.1.1.2 Windows: Coexistence of two SNMP services: Reconfiguring UDP ports
4.1.2 Technical requirements of ServerView Operations Manager
4.1.2.1 Managed Server: ServerView Agents
4.1.2.2 Central Management Station: ServerView Operations Manager
4.2 Settings on the central management station (CMS)
4.2.1 Windows-based system: Overview of procedures
4.2.1.1 Switch to SNMPv3
4.2.1.2 Initial installation
4.2.2 Linux-based system: Overview of procedures
4.2.2.1 Switch to SNMPv3
4.2.2.2 Initial installation
4.2.3 Installing ServerView Operations Manager (Windows/Linux)
4.2.4 Installing and/or activating the Microsoft Windows SNMP service (Windows)
4.2.5 Deactivating the Windows SNMP service (Windows)
4.2.6 Installing Net-SNMP (Windows)
4.2.6.1 Source of Net-SNMP
4.2.6.2 Installing
4.2.7 Windows on CMS: Reconfiguring UDP ports, registering and configuring snmptrapd.conf
4.2.7.1 Reconfiguring UDP ports
4.2.7.2 Register the Net-SNMP service as a Windows service
4.2.7.3 Configuring snmptrapd.conf
4.2.7.4 Example of an snmptrapd.conf file:
4.2.8 Linux on CMS: Configuring snmptrapd.conf
4.2.8.1 Configuring snmptrapd.conf
4.2.8.2 Example of an snmptrapd.conf file:
4.2.9 Enabling SNMPv3 in SVOM
4.2.9.1 Enabling SNMPv3 in SVOM via the 'V3 Setting' configuration window
4.2.9.2 Enabling SNMPv3 in SVOM via snmp.conf
4.3 Settings on the managed server
4.3.1 Windows-based server: Overview of procedures
4.3.1.1 Switch to SNMPv3
4.3.1.2 Initial installation of a managed server
4.3.1.3 Updates
4.3.2 Linux-based server: Overview of procedures
4.3.2.1 Switch to SNMPv3
4.3.2.2 Initial installation of a managed server
4.3.2.3 Updates
4.3.3 Windows on a managed server: Reconfiguring UDP ports, registering and configuring snmpd.conf
4.3.3.1 Reconfiguring UDP ports
4.3.3.2 Register the Net-SNMP service as a Windows service
4.3.3.3 Configuring snmpd.conf
4.3.3.4 Example of an snmpd.conf file:
4.3.4 Linux on a managed server: Configuring snmpd.conf
4.3.4.1 Example of an snmpd.conf file:
4.4 Operating items
4.4.1 Unsuccessful browsing for servers with SNMPv3 enabled
4.4.2 CMS visibility in SVOM

5 Using SNMPv3 with iRMC
5.1 Architecture and requirements
5.1.1 iRMC architecture
5.1.1.1 Remote Management Controller - iRMC S4
5.1.1.2 ServerView integration
5.1.1.3 Agentless mode with ServerView Agentless Service
5.1.1.4 SNMP service on iRMC S4
5.1.1.5 User permissions on iRMC S4
5.1.2 Technical requirements
5.2 SNMPv3 in the iRMC S4 User Information page
5.3 Overview of procedures
5.3.1 Setting the SNMP version
5.3.2 Configuring user-specific settings for SNMPv3
5.3.2.1 Supported authentication/privacy configurations:

1 Using SNMPv3 with ServerView Suite Products

FUJITSU Software ServerView® Suite provides all the necessary elements for professionally managing server systems during their lifecycle.

The basic protocol of the ServerView Suite is SNMP. SNMPv1 security is based on community strings, which have to be set on both the agent site and the management station site. Version 3 of SNMP implements a security model that defines new concepts to replace the old community-based pseudo-authentication and provide communication privacy by means of encryption. For further information see "SNMPv3: New features" on page 10.

The following ServerView products support SNMPv3:

ServerView Agents

To manage a system with ServerView, the SNMP Service and the ServerView Agents must be installed on this system. The ServerView Agents get the management data from the system and transport it via SNMP to the requester of this information, for example to ServerView Operations Manager.

To use SNMPv3 in ServerView communication, the Net-SNMP master agent is recommended.

For further information see "Using SNMPv3 with ServerView Agents" on page 16.

ServerView Operations Manager

ServerView Operations Manager, ServerView Suite’s central management component, monitors and analyzes physical and virtual servers and the associated infrastructure components, such as storage extension units, in the network.

The detection of servers in the network is SNMP- and IPMI-based, and including them in the server list is simple. As of version 7.10, ServerView also supports SNMPv3.

To use SNMPv3 in ServerView communication, the Net-SNMP master agent is recommended.

For further information see "Using SNMPv3 with ServerView Operations Manager" on page 33.

iRMC

The ServerView integrated Remote Management Controller iRMC S4 enables extensive monitoring and management of Fujitsu servers regardless of their system status – even in out-of-band operation. Implemented in a chip on the motherboard, it integrates essential system management functions with extensive remote management functionality.

The iRMC S4 provides an SNMP service which supports GET requests on a set of SNMP MIBs.

For further information see "Using SNMPv3 with iRMC" on page 61.

ServerView RAID Manager

ServerView RAID Manager provides uniform administration and monitoring of host-based hardware and software RAID solutions that are provided by different vendors for Fujitsu PRIMERGY platforms.

ServerView RAID supports the Net-SNMP stack, which is recommended for using SNMPv3 in ServerView communication.

For further information see the manual "ServerView RAID Manager" - "Documentation for the ServerView Suite" on page 7.

1.1 What’s new

This edition of the manual replaces the online manual "FUJITSU Software ServerView Suite, Using SNMPv3 with ServerView Suite products (Windows and Linux)", May 2016 edition.

The manual features the following changes and enhancements:

• Net-SNMP Installer for Windows, see "Net-SNMP Installer for Windows" on page 24.

  The Net-SNMP Installer for Windows package offers support for SNMPv1, SNMPv2 and SNMPv3 for Windows operating systems (64-bit systems only).

1.2 Target groups and objectives

This manual is intended for system administrators, network administrators and service technicians with a profound knowledge of hardware and software.

The manual explains how to enable the ServerView Agents, ServerView Operations Manager and ServerView integrated Remote Management Controller iRMC S4 to use SNMPv3.

1.3 Documentation for the ServerView Suite

The documentation can be downloaded free of charge from the Internet. You will find the online documentation at http://manuals.ts.fujitsu.com under x86 Servers.

For an overview of the documentation to be found under ServerView Suite as well as the filing structure, see the ServerView Suite sitemap (ServerView Suite – Site Overview).

1.4 Notational conventions

The following notational conventions are used in this manual:

Notational conventions     Indicates
                           Indicates various types of risks, namely health risks, risk of data loss and risk of damage to devices.
                           Indicates additional relevant information and tips.
Bold                       Indicates references to names of interface elements.
monospace                  Indicates system output and system elements, for example file names and paths.
monospace semibold         Indicates statements that are to be entered using the keyboard.
blue continuous text       Indicates a link to a related topic.
purple continuous text     Indicates a link to a location you have already visited.
<abc>                      Indicates variables which must be replaced with real values.
[abc]                      Indicates options that can be specified (syntax).
[key]                      Indicates a key on your keyboard. If you need to explicitly enter text in uppercase, the Shift key is specified, for example [SHIFT] + [A] for A. If you need to press two keys at the same time, this is indicated by a plus sign between the two key symbols.

Screenshots

The screenshots are to some degree system-dependent and consequently will not necessarily match the output on your system in all the details. The menus and their commands can also contain system-dependent differences.

2 SNMPv3: New features

For further information - beyond this section - see the RFCs on SNMPv3 of the IETF (www.ietf.org - in particular RFC 3411, RFC 3414, RFC 3415).

2.1 Origins

SNMP (Simple Network Management Protocol) was adopted at the beginning of the 1990s and quickly achieved widespread use because it is simple and extremely robust.

However, SNMP, later referred to as SNMPv1, transfers data with no protection and does not offer a real framework. For these reasons later versions were expanded.

2.2 SNMPv3: New features

SNMPv3 (1998-2002) introduces a new framework with a new format of SNMP messages, security issues, access control, and remote configuration of SNMP parameters.

This new framework complies with the following security requirements:

• Authentication - Are sender and addressee really the requested entities?
• Privacy - Can an unauthorized third party read the message?
• Integrity - Has the message passed through the communication without changes?

SNMPv3 is not a stand-alone replacement for SNMPv1 and/or SNMPv2c. It defines a security capability to be used in conjunction with SNMPv2c (or SNMPv1 - with certain limitations).

2.3 SNMP architecture

The SNMP architecture defines the following instances for generating and receiving SNMP protocol data units (PDUs):

• Command generator
• Command responder
• Notification originator
• Notification receiver
• Proxy forwarder.

The architecture also defines an SNMP engine, which provides:

• Services for sending and receiving messages
• Services for authenticating and encrypting messages
• Services for controlling access to managed objects.

The SNMP engine can contain the following components:

• Dispatcher
• Message Processing Subsystem
• Security Subsystem
• Access Control Subsystem.

An implementation of the SNMP architecture is called an SNMP entity. An SNMP entity consists of an SNMP engine and one or more associated applications.

2.3.1 SNMP manager and SNMP agent

SNMP manager

An SNMP entity containing one or more command generator and/or notification receiver applications is called an SNMP manager.

In a traditional SNMP manager, the SNMP engine contains:

• A Dispatcher

  The Dispatcher is a traffic manager.

• A Message Processing Subsystem

  The Message Processing Subsystem receives outgoing PDUs from the Dispatcher. It wraps them with a message header and returns them to the Dispatcher.

• A Security Subsystem

  The Security Subsystem executes authentication and encryption functions.

SNMP agent

An SNMP entity containing one or more command responder and/or notification originator applications is called an SNMP agent.

The SNMP engine for a traditional agent contains all the components of an SNMP engine for a traditional manager, plus an Access Control Subsystem.

• Access Control Subsystem

  An Access Control Subsystem executes authorization services to control access to MIBs for the reading and setting of management objects.

2.4 Security issues

2.4.1 SNMPv3: Threats

SNMPv3 is designed to safeguard against the following principal threats:

• Modification of information

  An entity could alter an in-transit SNMP message generated by an authorized entity in such a way as to effect unauthorized management operations.

• Masquerade

  Management operations that are not authorized for a particular entity may be attempted by that entity by assuming the identity of an authorized entity.

• Message stream modification

  SNMP is designed to operate over a connection-less transport protocol. Because of this, SNMP messages could be reordered, delayed or replayed (duplicated) to trigger unauthorized management operations.

• Disclosure

  An entity could observe exchanges between a manager and an agent. In doing so, it could learn the values of managed objects and find out about notifiable events.

2.4.2 SNMPv3: Security model and access control

SNMPv3 defines two security-related capabilities: the Security Subsystem with one or more distinct supported security models (for authentication purposes) and the Access Control Subsystem with one or more distinct supported access control models (for authorization purposes). So far, the only defined models are the User-based Security Model (USM) and the View-based Access Control Model (VACM):

• User-based Security Model (USM)

  • Provides authentication and privacy (encryption) functions
  • Operates at the message level.

• View-based Access Control Model (VACM)

  • Determines whether a given principal is allowed access to particular MIB objects to perform particular functions (authorization)
  • Operates at the PDU level.

2.4.3 User-based Security Model (USM)

The security models in the Security Subsystem should protect against these threats.

So far, the User-based Security Model (USM) is the only defined security model for SNMPv3. USM provides authentication and privacy (encryption) functions.

This model provides the following communication mechanisms:

• Communication without authentication and privacy (NoAuthNoPriv).
• Communication with authentication but without privacy (AuthNoPriv).
• Communication with authentication and privacy (AuthPriv).

The USM is designed to:

• Verify that incoming SNMP messages have not been modified during network processing.
• Verify the identity of the sender.
• Filter for older incoming messages that ask for or contain management information.
• Make sure that incoming messages are protected from disclosure.

2.4.4 View-based Access Control Model (VACM)

The View-based Access Control Model (VACM) defines a set of services that an application (e.g. a Command Responder or Notification Originator application) can use for checking access rights.

The VACM is designed to:

• Use a MIB to define access control regulations for an agent.
• Check whether a remote entity should be allowed access to a managed object of a local MIB.
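The access check described above, as an added example (not code from the manual or from Net-SNMP): a simplified model of the VACM decision in RFC 3415. The user, group and view names are hypothetical, and contexts and subtree masks are left out.

```python
from dataclasses import dataclass

LEVELS = {"noAuthNoPriv": 0, "authNoPriv": 1, "authPriv": 2}
USM = 3  # securityModel number of the User-based Security Model


def parse_oid(text):
    """'1.3.6.1.2.1' -> (1, 3, 6, 1, 2, 1)"""
    return tuple(int(part) for part in text.strip(".").split("."))


@dataclass(frozen=True)
class AccessEntry:
    group: str
    min_level: str   # lowest securityLevel this entry accepts
    read_view: str   # "" means no view configured for reads
    write_view: str  # "" means no view configured for writes


@dataclass(frozen=True)
class ViewSubtree:
    view: str
    subtree: tuple
    included: bool


class Vacm:
    def __init__(self, groups, access, views):
        self.groups = groups  # {(security_model, security_name): group}
        self.access = access  # list of AccessEntry
        self.views = views    # list of ViewSubtree

    def in_view(self, view, oid):
        """The longest matching subtree decides; no match means not in view."""
        best = None
        for fam in self.views:
            if fam.view != view or oid[:len(fam.subtree)] != fam.subtree:
                continue
            if best is None or len(fam.subtree) > len(best.subtree):
                best = fam
        return best is not None and best.included

    def is_access_allowed(self, model, name, level, operation, oid_text):
        """Return the RFC 3415 status name for one request."""
        group = self.groups.get((model, name))
        if group is None:
            return "noGroupName"
        usable = [a for a in self.access
                  if a.group == group and LEVELS[level] >= LEVELS[a.min_level]]
        if not usable:
            return "noAccessEntry"
        # Of several usable entries, prefer the one with the highest level.
        entry = max(usable, key=lambda a: LEVELS[a.min_level])
        view = entry.read_view if operation == "read" else entry.write_view
        if not view:
            return "noSuchView"
        if self.in_view(view, parse_oid(oid_text)):
            return "accessAllowed"
        return "notInView"


# Constructed sample policy: one monitoring user, read-only, authPriv only.
# The view covers 1.3.6.1 but hides the USM user table (1.3.6.1.6.3.15)
# and the VACM tables themselves (1.3.6.1.6.3.16).
SAMPLE = Vacm(
    groups={(USM, "svmonitor"): "monitoring"},
    access=[AccessEntry("monitoring", "authPriv", "restricted", "")],
    views=[
        ViewSubtree("restricted", parse_oid("1.3.6.1"), True),
        ViewSubtree("restricted", parse_oid("1.3.6.1.6.3.15"), False),
        ViewSubtree("restricted", parse_oid("1.3.6.1.6.3.16"), False),
    ],
)

if __name__ == "__main__":
    for level, op, oid in [
        ("authPriv", "read", "1.3.6.1.2.1.1.1.0"),     # sysDescr.0
        ("authPriv", "read", "1.3.6.1.6.3.15.1.2.2"),  # usmUserTable
        ("authPriv", "write", "1.3.6.1.2.1.1.4.0"),    # sysContact.0
        ("authNoPriv", "read", "1.3.6.1.2.1.1.1.0"),
    ]:
        print(level, op, oid,
              SAMPLE.is_access_allowed(USM, "svmonitor", level, op, oid))
```
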

2.5 User management

To use the authentication and authorization mechanisms of SNMPv3, the following fields must be set for each user:

• securityName

  User name

• authProtocol

  Authentication protocol. Two protocols may be used: MD5 or SHA.

• privProtocol

  Privacy protocol. Two protocols may be used: AES or DES.

• authKey

  Authentication key generated from the passphrase, which must have at least 8 characters.

• privKey

  Privacy key generated from the passphrase, which must have at least 8 characters.

• securityLevel

  May take the following values:

  • NoAuthNoPriv

    Messages are sent unauthenticated and unencrypted.

  • AuthNoPriv

    Messages are sent authenticated but unencrypted.

  • AuthPriv

    Messages are sent authenticated and encrypted.

For further information - beyond this section - see the RFCs on SNMPv3 of the IETF (www.ietf.org - in particular RFC 3411, RFC 3414, RFC 3415).
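How authKey is generated from the passphrase, and how USM then uses it to check integrity, sender identity and message age, as an added example (not code from the manual or from Net-SNMP) that follows RFC 3414. The passphrase and engine ID are the RFC's published test values; the message bytes are constructed and not BER-encoded.

```python
import hashlib
import hmac

HASHES = {"MD5": "md5", "SHA": "sha1"}  # the two authProtocol values
STREAM_LEN = 1048576    # the passphrase is repeated to 1 MiB, then hashed
TAG_LEN = 12            # the HMAC output is truncated to 96 bits
TIME_WINDOW = 150       # seconds a message may deviate from the engine time
MAX_BOOTS = 2147483647  # engine boots counter at its latched maximum

ENGINE_ID = bytes.fromhex("000000000000000000000002")  # RFC 3414 test value


def password_to_key(passphrase, auth_protocol):
    """Passphrase -> user key Ku (not yet bound to any SNMP engine)."""
    pw = passphrase.encode("utf-8")
    if len(pw) < 8:
        raise ValueError("passphrase must have at least 8 characters")
    reps, rest = divmod(STREAM_LEN, len(pw))
    return hashlib.new(HASHES[auth_protocol], pw * reps + pw[:rest]).digest()


def localize_key(ku, engine_id, auth_protocol):
    """Ku -> localized key Kul, valid only for the engine with engine_id."""
    return hashlib.new(HASHES[auth_protocol], ku + engine_id + ku).digest()


def auth_tag(kul, msg_zeroed, auth_protocol):
    """HMAC over the message whose authentication field holds zero octets."""
    return hmac.new(kul, msg_zeroed, HASHES[auth_protocol]).digest()[:TAG_LEN]


def sign(kul, head, body, auth_protocol):
    """Sender: fill the 12-octet authentication field between head and body."""
    tag = auth_tag(kul, head + bytes(TAG_LEN) + body, auth_protocol)
    return head + tag + body


def verify(kul, message, tag_offset, auth_protocol):
    """Receiver: zero the field, recompute the tag, compare in constant time."""
    end = tag_offset + TAG_LEN
    received = message[tag_offset:end]
    zeroed = message[:tag_offset] + bytes(TAG_LEN) + message[end:]
    return hmac.compare_digest(received, auth_tag(kul, zeroed, auth_protocol))


def is_timely(local_boots, local_time, msg_boots, msg_time):
    """Authoritative-engine check that rejects old or replayed messages."""
    if local_boots == MAX_BOOTS or msg_boots != local_boots:
        return False
    return abs(local_time - msg_time) <= TIME_WINDOW


def demo():
    """Derive the SHA key, sign a constructed message, then tamper with it."""
    kul = localize_key(password_to_key("maplesyrup", "SHA"), ENGINE_ID, "SHA")
    head, body = b"constructed-header|", b"|get sysDescr.0"
    message = sign(kul, head, body, "SHA")
    tampered = message[:-1] + b"1"  # change the last octet of the body
    return (kul.hex(),
            verify(kul, message, len(head), "SHA"),
            verify(kul, tampered, len(head), "SHA"))


if __name__ == "__main__":
    print(demo())
    print(is_timely(7, 1000, 7, 900), is_timely(7, 1000, 7, 849))
```

Because the key is localized with the engine ID, the same passphrase yields a different authKey on every agent, so a key taken from one managed server does not authenticate against another.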

3 Using SNMPv3 with ServerView Agents

SNMPv3 must be implemented as part of your own comprehensive security concept and security management plan.

The steps and mechanisms described in this manual are not sufficient to provide comprehensive protection alone, and must be aligned and integrated with your overall security concept.

3.1 Architecture and requirements

3.1.1 Agent architecture

The ServerView SNMP agents are implemented as subagents. Each specializes in specific tasks. In line with lean programming concepts, it is appropriate to have a central component above all subagents that executes central services such as messaging and access control.

To use SNMPv3 in ServerView Agent communication, the Net-SNMP master agent is recommended.

Architecture of a Net-SNMP master agent / ServerView SNMP subagent scenario

In this architecture the subagents have no information on SNMP. The message processing (which protocol in which version) and the security and access control are handled by the master agent.

Windows

For versions 1 and 2c of SNMP, Microsoft integrated a so-called Microsoft Windows SNMP service into Microsoft Windows. The ServerView SNMP agents are implemented as subagents and their DLL information is uploaded by this service.

Unfortunately, the Microsoft Windows SNMP service does not support version 3 of SNMP.

To use SNMPv3 to manage a Windows-based server, the Net-SNMP master agent must be added.

Although the Microsoft Windows SNMP service does not support SNMPv3, it must be installed in order to provide the necessary Windows SNMP service extension DLLs and the Windows SNMP API from snmpapi.dll.

As the required add-on for the Microsoft Windows SNMP service, the Net-SNMP master agent is recommended (see "Deactivating the Windows SNMP service (Windows)" on page 26).

Linux

The Net-SNMP master agent comes with most Linux distributions.

3.1.2 Technical requirements of ServerView Agents

ServerView Agents are available for:

Windows

• Windows Server 2008 / 2008 x64 / 2008 R2
• Windows Server 2012 Datacenter / Standard / Foundation
• Windows Server 2012 R2 Datacenter / R2 Standard / R2 Foundation
• Windows Storage Server 2012 Standard

Linux

• SUSE (SLES 11): SP3 and SP4
• SUSE (SLES 12): GA and SP1
• Red Hat Enterprise Linux 5.10/5.11
• Red Hat Enterprise Linux 6.6/6.7
• Red Hat Enterprise Linux 7.1/7.2

Windows-based server: Scenarios

The procedure differs according to the given situation and purpose.

For further information on the individual steps, see "Windows-based server: Overview of procedures" on page 50.

• Switch to SNMPv3

  Situation: A Windows-based server is monitored via the ServerView Agents.

  Purpose: To use SNMPv3.

• Initial installation of a managed server

  Situation: A Windows-based server is not monitored via the ServerView Agents.

  Purpose: To monitor the server via the ServerView Agents using SNMPv3.

• Updates

  Situation: A Windows-based server is monitored via the ServerView Agents using SNMPv3.

  Purpose: To update the ServerView Agents.

Linux-based server: Scenarios

The procedure differs according to the given situation and purpose.

For further information on the individual steps, see "Linux-based server: Overview of procedures" on page 52.

• Switch to SNMPv3

  Situation: A Linux-based server is monitored via the ServerView Agents.

  Purpose: To use SNMPv3.

• Initial installation of a managed server

  Situation: A Linux-based server is not monitored via the ServerView Agents.

  Purpose: To monitor the server via the ServerView Agents using SNMPv3.

• Updates

  Situation: A Linux-based server is monitored via the ServerView Agents using SNMPv3.

  Purpose: To update the ServerView Agents.

3.2 Windows-based server: Overview of procedures

The procedure differs according to the given situation and purpose:

3.2.1 Switch to SNMPv3

Situation: A Windows-based server is monitored via the ServerView Agents.

Purpose: To use SNMPv3.

Procedure:

1. Updating the ServerView Agents to V7.01

   This update, carried out before Net-SNMP is installed, can be performed as usual (see ServerView documentation on update management).

2. Deactivating the Microsoft Windows SNMP service

   The Microsoft Windows SNMP service does not support version 3 of SNMP. To use SNMPv3 to manage a Windows-based server, the Microsoft Windows SNMP service must be deactivated and then the SNMP master agent must be replaced by another SNMPv3-capable stack.

   For further information see "Agent architecture" on page 16.

   For instructions see "Deactivating the Windows SNMP service and Installing Net-SNMP (Windows)" on page 23.

3. Installing Net-SNMP

   For instructions see "Deactivating the Windows SNMP service and Installing Net-SNMP (Windows)" on page 23.

4. Settings for the new SNMP master agent - using the example of Net-SNMP

   At the minimum you must create a USM user, define access control and configure traps.

   For further information see "SNMPv3: New features" on page 10.

   For instructions see "Configuring Net-SNMP (Windows/Linux)" on page 28.

3.2.2 Initial installation of a managed server

Situation: A Windows-based server is not monitored via the ServerView Agents.

Purpose: To monitor the server via the ServerView Agents using SNMPv3.

Procedure:

1. Installing and/or activating the Microsoft Windows SNMP service

   For instructions see "Installing and/or activating the Microsoft Windows SNMP service (Windows)" on page 23.

2. Installing the ServerView Agents V7.01 or higher

   For instructions see "Installing the ServerView Agents (Windows/Linux)" on page 23.

3. Deactivating the Microsoft Windows SNMP service

   The Microsoft Windows SNMP service does not support version 3 of SNMP. To use SNMPv3 to manage a Windows-based server, the Microsoft Windows SNMP service must be deactivated and then the SNMP master agent must be replaced by another SNMPv3-capable stack.

   For further information see "Agent architecture" on page 16.

   For instructions see "Deactivating the Windows SNMP service and Installing Net-SNMP (Windows)" on page 23.

4. Installing Net-SNMP

   For instructions see "Deactivating the Windows SNMP service and Installing Net-SNMP (Windows)" on page 23.

5. Settings for the new SNMP master agent - using the example of Net-SNMP

   At the minimum you must create a USM user, define access control and configure traps.

   For further information see "SNMPv3: New features" on page 10.

   For instructions see "Configuring Net-SNMP (Windows/Linux)" on page 28.

3.2.3 Updates

Situation: A Windows-based server is monitored via the ServerView Agents using SNMPv3.

Purpose: To update the ServerView Agents.

Procedure: For instructions see "Updating ServerView Agents with Net-SNMP master agent (Windows/Linux)" on page 31.

3.3 Linux-based server: Overview of procedures

The procedure differs according to the given situation and purpose:

3.3.1 Switch to SNMPv3

Situation: A Linux-based server is monitored via the ServerView Agents.

Purpose: To use SNMPv3.

Procedure:

1. Updating the ServerView Agents to V7.01

   This update can be performed before installing Net-SNMP (see ServerView documentation on update management).

2. Settings for the SNMP master agent

   At the minimum you must create a USM user, define access control and configure traps.

   For further information see "SNMPv3: New features" on page 10.

   For instructions see "Configuring Net-SNMP (Windows/Linux)" on page 28.

3.3.2 Initial installation of a managed server

Situation: A Linux-based server is not monitored via the ServerView Agents.

Purpose: To monitor the server via the ServerView Agents using SNMPv3.

Procedure:

1. Installing the ServerView Agents V7.01 or higher

   For instructions see "Installing the ServerView Agents (Windows/Linux)" on page 23.

2. Settings for the SNMP master agent

   At the minimum you must create a USM user, define access control and configure traps.

   For further information see "SNMPv3: New features" on page 10.

   For instructions see "Configuring Net-SNMP (Windows/Linux)" on page 28.

3.3.3 Updates

Situation: A Linux-based server is monitored via the ServerView Agents using SNMPv3.

Purpose: To update the ServerView Agents.

Procedure: For instructions see "Updating ServerView Agents with Net-SNMP master agent (Windows/Linux)" on page 31.

3.4 Procedures

SNMPv3 must be implemented as part of your own comprehensive security concept and security management plan.

The steps and mechanisms described in this manual are not sufficient to provide comprehensive protection alone, and must be aligned and integrated with your overall security concept.

The procedure differs according to the operating system, given situation and purpose.

For further information on individual scenarios see "Windows-based server: Overview of procedures" on page 50 or "Linux-based server: Overview of procedures" on page 52.

3.4.1 Installing and/or activating the Microsoft Windows SNMP service (Windows)

Although the Microsoft Windows SNMP service does not support SNMPv3, it must be installed in order to provide the necessary Windows SNMP service extension DLLs and the Windows SNMP API from snmpapi.dll.

For installing the ServerView Agents, the Microsoft Windows SNMP service must be activated to ensure a correct installation process.

While a Windows-based server is being monitored via the Net-SNMP master agent, the Microsoft Windows SNMP service must be disabled to ensure SNMPv3 communication, see "Deactivating the Windows SNMP service (Windows)" on page 26.

1. Install and/or activate the Microsoft Windows SNMP service.

   For detailed information on installing and activating this service, see the ServerView Agents for Windows manual or the appropriate documentation by Microsoft.

3.4.2 Installing the ServerView Agents (Windows/Linux)

1. Install the ServerView Agents.

   For detailed information on installing the ServerView Agents, see the manual ServerView Agents for Windows or ServerView Agents for Linux.

3.4.3 Deactivating the Windows SNMP service and Installing Net-SNMP (Windows)

The Microsoft Windows SNMP service does not support version 3 of SNMP. To use SNMPv3 to manage a Windows-based server, the Microsoft Windows SNMP service must be deactivated and then the SNMP master agent must be replaced by another SNMPv3-capable stack. In order to use SNMPv3 to manage a Windows-based server, the Net-SNMP master agent has to be added.

There are two options to deactivate the Windows SNMP service and to install Net-SNMP:

• You can use the FUJITSU Net-SNMP Installer for Windows.
• You can manually deactivate the Microsoft Windows SNMP service and install Net-SNMP - step-by-step.

FUJITSU Net-SNMP Installer for Windows

You can use the FUJITSU Net-SNMP Installer for Windows. This is the most convenient way to deactivate the Microsoft Windows SNMP service and to install Net-SNMP.

For further information and instructions see "Net-SNMP Installer for Windows" on page 24.

Manually - Step-by-Step

You can manually deactivate the Microsoft Windows SNMP service and install Net-SNMP - step-by-step.

• Deactivating the Microsoft Windows SNMP service

  For instructions see "Deactivating the Windows SNMP service (Windows)" on page 26.

• Installing Net-SNMP

  For instructions see "Installing Net-SNMP (Windows)" on page 26.

3.4.3.1 Net-SNMP Installer for Windows

The Net-SNMP Installer for Windows package offers support for SNMPv1, SNMPv2 andSNMPv3 for Windows operating systems (64-bit systems only).

The package is based on the Net-SNMP Windows binaries and is modified to provide allnecessary items for Net-SNMP agent and Net-SNMP trap handler as well as some clienttools for SNMP protocol.

The Net-SNMP service can replace the Windows SNMP service or it can run in parallel (ondifferent network ports).

Some parts of OpenSSL are also included in this package, so there's no need to installOpenSSL separately to use encryption.

Provisioning

You can obtain the Net-SNMP Installer for Windows in the following ways:

• Download from the FUJITSU Support website (http://support.ts.fujitsu.com/):

1. In the field Search enter Net-SNMP.

2. In the Search result list select the item Tools and Utilities.

In the Tools and Utilities list you find the item Net-SNMP Installer for Windows.

• Download from the ServerView Suite DVD.

Requirements

Supported operating systems: x64 Windows systems

Installing

The installer stops the native SNMP services and disables them. It registers the Net-SNMP agent and the Net-SNMP trap handler as services on the Windows system and starts them.

The installer does not configure the Net-SNMP services! You have to configure the services manually (see "Configuring Net-SNMP (Windows/Linux)" on page 28).

Files of the package:

• 0x0409.ini

• Data1.cab

• Net-SNMP_x64.msi

• Setup.exe

• Setup.ini

• THIRDPARTYLICENSEREADME.txt

The Net-SNMP Installer for Windows does not require any input for installing purposes. But the Net-SNMP Installer for Windows is protected by copyright law and international treaties, therefore you have to accept their terms.

1. Double click on the file Setup.exe.

The Net-SNMP Installer for Windows starts. A welcome page is displayed.

2. Click Next.

The license agreement is displayed.

3. Select I accept the terms in the license agreement and click Next.

The third party license agreement is displayed.

4. Select I accept the terms in the license agreement and click Next.

The page Ready to Install the Program is displayed.

5. Click Install.

A progress bar is displayed.

The Setup Wizard Completed page is displayed when the installation has finished.

6. Click Finish.

The Net-SNMP package is installed in the directory C:\usr.

The installer does not configure the Net-SNMP services! You have to configure the services manually (see "Configuring Net-SNMP (Windows/Linux)" on page 28).

3.4.3.2 Step by Step

Deactivating the Windows SNMP service (Windows)

1. If the Microsoft Windows SNMP service is running, stop it.

2. Disable the Windows SNMP service or set its startup type to Manual.

Otherwise the Windows SNMP service will be restarted next time the system starts.

For further information on the coexistence of the two master agents, see the Net-SNMP documentation.

For detailed information on handling the Microsoft Windows SNMP service, see the ServerView Agents for Windows manual or the appropriate documentation by Microsoft.

Installing Net-SNMP (Windows)

To use SNMPv3 in ServerView Agent communication, the Net-SNMP master agent is recommended.

Linux: The Net-SNMP master agent comes with most Linux distributions.

Source of Net-SNMP:

Net-SNMP provides tools and libraries relating to the Simple Network Management Protocol, including: an extensible agent, an SNMP library, tools to request or set information from SNMP agents, tools to generate and handle SNMP traps, etc.

You will find Net-SNMP at http://www.net-snmp.org/download.html.

Net-SNMP is an open-source framework; therefore unexpected changes are possible.

Make sure the releases of your Windows platform and Net-SNMP for Windows are compatible.

If your Windows is based on a Win64 platform and you install Net-SNMP for Win32 platforms, the Windows service extension DLLs will be incompatible. In this case the Net-SNMP master agent cannot communicate with the ServerView Agents.

Installing:

Net-SNMP documentation:

Net-SNMP refers to the INSTALL file distributed with the installation package.

For further documentation visit http://www.net-snmp.org/docs/.

1. Install the Net-SNMP package according to the Net-SNMP documentation.

Bear in mind the following:

As of v5.4, the Net-SNMP agent can load the Windows SNMP service extension DLLs by using the Net-SNMP winExtDLL extension.

To be able to use encryption you must install OpenSSL (https://www.openssl.org).

Net-SNMP versions 5.7.3 (LTS), 5.6.2.1, 5.5.2.1, and 5.4.4 (LTS):

The Net-SNMP Windows binaries have been built with OpenSSL version 0.9.8r. Since the OpenSSL 0.9 and 1.0 DLLs are incompatible, any attempt to install Net-SNMP on a system where OpenSSL 1.0 has been installed will fail.

a. In the Choose Components window of the Net-SNMP installation wizard:

For the component Net-SNMP Agent Service, enable the setting With Windows Extension DLL support.

b. To be able to use encryption:

In the Choose Components window of the Net-SNMP installation wizard, enable the component Encryption support (openSSL).

2. Register Net-SNMP Agent Service as a Windows service.

Recommended: Use the batch file registeragent.bat provided in the Net-SNMP installation directory.

3.4.4 Configuring Net-SNMP (Windows/Linux)

SNMPv3 must be implemented as part of your own comprehensive security concept and security management plan.

The steps and mechanisms described in this manual are not sufficient to provide comprehensive protection alone, and must be aligned and integrated with your overall security concept.

Net-SNMP is an open-source framework; therefore unexpected changes are possible.

For further documentation visit http://www.net-snmp.org/docs/.

In this architecture (see "Agent architecture" on page 16) the subagents have no information on SNMP. The message processing (which protocol in which version) and the security and access control are handled by the master agent.

So it is a generic task of the Net-SNMP master agent configuration to support SNMPv3 security, which is in no way related to the subagents.

There are several ways to configure Net-SNMP. In the following, Net-SNMP is configured via the configuration file snmpd.conf.

For further information visit http://www.net-snmp.org.

Windows: Find the snmpd.conf file on Windows

1. The snmpd.conf file can be found in the directory <net-snmp installdir>\etc\snmp.

Linux: Find the snmpd.conf file on Linux

There are several ways to find the snmpd.conf file. One way is to inspect the debug output of the Net-SNMP master agent:

1. Call the snmpd daemon with the following parameters:

snmpd -f -Lo -Dread_config -H 2>&1 | grep "config path" | head -1

This outputs something like:

config path used for snmpd:/etc/snmp:/usr/share/snmp:/usr/lib64/snmp:/root/.snmp:(persistent path:/var/lib/net-snmp)

2. Therefore the snmpd.conf file can be found in the directory /etc/snmp.

3.4.4.1 Configuring snmpd.conf

1. Open the snmpd.conf configuration file.

The contents of the persistent snmpd.conf file will be overwritten every time the Net-SNMP master agent is stopped. It is recommended not to edit the persistent snmpd.conf file when the Net-SNMP master agent is running.

2. Create a user.

Add a createUser statement to the snmpd.conf file:

createUser [-e ENGINEID] <username> [(MD5|SHA) <authpassphrase> [DES|AES] [<privpassphrase>]]

Examples:

• createUser adminA MD5 adminAadminA

Defines a user called adminA, which can be used for requests with authentication, but without privacy. The password is adminAadminA and the hash algorithm to be used is MD5.

• createUser adminP MD5 adminAadminA DES adminPadminP

Defines a user called adminP, which can be used for requests with privacy (and therefore with authentication too, see "SNMPv3: New features" on page 10). The password for the authentication process is adminAadminA and the hash algorithm to be used is MD5. The password for the encryption procedure is adminPadminP and the encryption algorithm is DES.

If you want to use the same password for authentication and privacy, skip the statement after the encryption algorithm.

USM (see "SNMPv3: New features" on page 10) does not define privacy without authentication.

SNMPv3 passphrases must be at least 8 characters long.

3. Define access control.

Add an rouser for read-only access or an rwuser for read-write access to the snmpd.conf file:

rouser <username> secLevel:{noauth|auth|priv} [restriction_mibtree]

rwuser <username> secLevel:{noauth|auth|priv} [restriction_mibtree]

Examples:

• rouser adminA auth

Grants read-only access to the full MIB tree for the SNMPv3 user adminA defined above.

• rwuser adminA auth .1.3.6.1.4.1.231.2

Grants selective read-write access to the individual subtree 1.3.6.1.4.1.231.2 for adminA.

4. Restart the Net-SNMP service.

Restarting the daemon will produce a usmUser entry in the persistent snmpd.conf file.

Example:

usmUser 1 3 0x80001f88800706b92268f4934900000000 0x61646d696e4100 0x61646d696e4100 NULL .1.3.6.1.6.3.10.1.1.2 0x60c245359704f595b1af164a411d299d .1.3.6.1.6.3.10.1.2.1 "" ""

Basically, the usmUser statement contains the same information as the createUser entry. The main difference is that the readable passwords are replaced by localized keys (see Net-SNMP documentation).

From now on the snmpd daemon uses the usmUser information.

5. Delete the original createUser entry in the snmpd.conf file for security reasons.

6. Option: More complex access control - VACM

View-based access control (VACM) is part of the SNMPv3 standard and an implementation aspect of the framework. The key point of VACM is to assign a security name (user name in SNMPv3) to access rights for a dedicated MIB tree.

For further information see the Net-SNMP documentation.

7. Configure traps.

To specify the target of a trap/inform notification, add a line to snmpd.conf:

trapsess [-e ENGINEID] -v 3 -l (noAuthNoPriv|authNoPriv|authPriv) -u <username> <target>

Example:

trapsess -v 3 -l authNoPriv -u adminA 10.172.103.139:162

This sends an authenticated but not encrypted trap to the IP address 10.172.103.139 port 162.

8. Restart the Net-SNMP service.
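
Step 4 states that the readable passwords are replaced by localized keys. The following Python code is an added illustration, not part of this manual or of Net-SNMP: it applies the password-to-key and key-localization algorithm of RFC 3414 (appendix A.2), on the assumption that this is the derivation behind the stored keys, and shows why a key is valid for one engine ID only and why a reused passphrase yields identical authentication and privacy keys.

```python
import hashlib

HASHES = {"MD5": "md5", "SHA": "sha1"}   # createUser keyword -> hashlib algorithm name
STREAM_LEN = 1048576                     # RFC 3414 A.2 hashes exactly 2**20 bytes
# Engine ID copied from the usmUser example above; passphrases are the manual's samples.
PAGE_ENGINE_ID = "0x80001f88800706b92268f4934900000000"


def password_to_key(passphrase, hash_name):
    """Derive the engine-independent key Ku from a passphrase (RFC 3414 A.2)."""
    secret = passphrase.encode("utf-8")
    if len(secret) < 8:
        raise ValueError("SNMPv3 passphrases must be at least 8 characters long")
    # Repeat the passphrase until 2**20 bytes are available, then hash that stream.
    stream = (secret * (STREAM_LEN // len(secret) + 1))[:STREAM_LEN]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku, engine_id, hash_name):
    """Bind Ku to one SNMP engine: Kul = H(Ku || engineID || Ku)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_keys(engine_id_hex, auth_proto, auth_pass, priv_proto=None, priv_pass=None):
    """Return the localized keys for one createUser line as 0x-prefixed hex strings."""
    hash_name = HASHES[auth_proto.upper()]
    if engine_id_hex.lower().startswith("0x"):
        engine_id_hex = engine_id_hex[2:]
    engine_id = bytes.fromhex(engine_id_hex)
    auth_key = localize_key(password_to_key(auth_pass, hash_name), engine_id, hash_name)
    priv_key = None
    if priv_proto:
        # An omitted privacy passphrase means the authentication passphrase is reused.
        secret = auth_pass if priv_pass is None else priv_pass
        # DES (RFC 3414) and AES-128 (RFC 3826) use the first 16 bytes of the localized key.
        priv_key = localize_key(password_to_key(secret, hash_name), engine_id, hash_name)[:16]
    return {
        "auth_key": "0x" + auth_key.hex(),
        "priv_key": None if priv_key is None else "0x" + priv_key.hex(),
    }


if __name__ == "__main__":
    # createUser adminA MD5 adminAadminA
    print("adminA:", usm_keys(PAGE_ENGINE_ID, "MD5", "adminAadminA"))
    # createUser adminP MD5 adminAadminA DES adminPadminP
    print("adminP:", usm_keys(PAGE_ENGINE_ID, "MD5", "adminAadminA", "DES", "adminPadminP"))
    # createUser adminP MD5 adminAadminA DES  (privacy passphrase omitted)
    print("reused:", usm_keys(PAGE_ENGINE_ID, "MD5", "adminAadminA", "DES"))
```

Because the engine ID is part of the hash input, a localized key copied from one agent's persistent file does not authenticate against an agent with a different engine ID, whereas the readable passphrase in a leftover createUser line works everywhere that user is configured.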

3.4.5 Updating ServerView Agents with Net-SNMP master agent (Windows/Linux)

3.4.5.1 Linux

With an SNMPv3 configuration of the ServerView Agent communication, all update procedures are possible as usual.

3.4.5.2 Windows

In summary, the relationship between Net-SNMP and the Microsoft Windows SNMP service requires the following:

• Although the Microsoft Windows SNMP service does not support SNMPv3, it must be installed in order to support other features of server monitoring.

Furthermore, the following is relevant if you update from a ServerView Agents version <7.20 to a version ≤7.20:

• For installing the ServerView Agents, the Microsoft Windows SNMP service must be activated to ensure a correct installation process.

• While a Windows-based server is being monitored via the Net-SNMP master agent, the Microsoft Windows SNMP service must be disabled or its startup type must be set to Manual to ensure SNMPv3 communication. Otherwise the Windows SNMP service will be restarted next time the system starts.

For further information on the coexistence of the two master agents, see the Net-SNMP documentation.

Therefore, the updating process differs according to the version of ServerView Agents:

Update from a ServerView Agents version <7.20 to a version ≤7.20:

To update the ServerView Agents, proceed as follows:

1. Enable the Microsoft Windows SNMP service if it is disabled (not necessary if its startup type has been set to Manual).

For detailed information on handling the Microsoft Windows SNMP service, see the ServerView Agents for Windows manual or the appropriate documentation by Microsoft.

2. Activate the Microsoft Windows SNMP service.

3. Update the ServerView Agents as usual (see ServerView documentation on update management).

4. Stop the Microsoft Windows SNMP service.

For detailed information on handling the Microsoft Windows SNMP service, see the ServerView Agents for Windows manual or the appropriate documentation by Microsoft.

5. Disable the Windows SNMP service or set its startup type to Manual.

6. Restart the Net-SNMP service.

Update from a ServerView Agents version ≥7.20 to a version >7.20:

To update the ServerView Agents, proceed as follows:

1. Update the ServerView Agents as usual (see ServerView documentation on update management).

4 Using SNMPv3 with ServerView Operations Manager

SNMPv3 must be implemented as part of your own comprehensive security concept and security management plan.

The steps and mechanisms described in this manual are not sufficient to provide comprehensive protection alone, and must be aligned and integrated with your overall security concept.

ServerView Operations Manager up to and including version 7.0x does not support SNMPv3.

4.1 Architecture and requirements

4.1.1 SNMPv3 communication between ServerView Operations Manager and ServerView Agents

ServerView Operations Manager up to and including version 7.0x does not support SNMPv3.

4.1.1.1 A common user for SNMPv3 communication

For communication between the central management station of ServerView Operations Manager and the ServerView Agents on the managed nodes via version 3 of SNMP, a common user must be configured on the communication end points.

4.1.1.2 Windows: Coexistence of two SNMP services: Reconfiguring UDP ports

For versions 1 and 2c of SNMP, Microsoft integrated a so-called Microsoft Windows SNMP service into Microsoft Windows. Unfortunately, the Microsoft Windows SNMP service does not support version 3 of SNMP.

To use SNMPv3 to manage a Windows-based server, the Net-SNMP service must be added.

As the required add-on for the Microsoft Windows SNMP service, the Net-SNMP service is recommended.

Although the Microsoft Windows SNMP service does not support SNMPv3, it must be installed in order to provide the necessary Windows SNMP service extension DLLs and the Windows SNMP API from snmpapi.dll.

For further information on the coexistence of the two SNMP services, see the Net-SNMP documentation.

To pass the traffic on to the Windows SNMP service, you must reconfigure the UDP ports of the Windows SNMP service (see figure).

Ports in SNMP agent / central management station of SVOM communication

4.1.2 Technical requirements of ServerView Operations Manager

4.1.2.1 Managed Server: ServerView Agents

For the technical requirements of ServerView Agents, see "Technical requirements of ServerView Agents" on page 18.

4.1.2.2 Central Management Station: ServerView Operations Manager

ServerView Operations Manager is available for:

Windows

• Microsoft Windows® Server 2012 all editions

(but not Server Core installation)

• Microsoft Windows® Server 2012 R2 all editions

(but not Server Core installation)

• Microsoft Windows® Server 2008 all editions

(but not Server Core installation)

• Microsoft Windows® Server 2008 R2 all editions

(but not Server Core installation)

For information on the technical requirements of ServerView Operations Manager, see the manual "ServerView Operations Manager Vx.x. Installing ServerView Operations Manager Software under Windows (Operations Manager, Update Manager, Event Manager)".

Linux

• SUSE (SLES 11): SP2 and SP3

• Red Hat Enterprise Linux 5.9/5.10

• Red Hat Enterprise Linux 6.4/6.5

• Red Hat Enterprise Linux 7.0

For information on the technical requirements of ServerView Operations Manager, see the manual "ServerView Operations Manager Vx.x. Installing ServerView Operations Manager Software under Linux (Operations Manager, Update Manager, Event Manager)".

4.2 Settings on the central management station (CMS)

4.2.1 Windows-based system: Overview of procedures

ServerView Operations Manager up to and including version 7.0x does not support SNMPv3.

The procedure differs according to the given situation and purpose:

4.2.1.1 Switch to SNMPv3

Situation: SVOM is installed on a Windows-based system and this monitoring solution uses SNMPv1.

Purpose: To use SNMPv3.

Procedure:

1. Updating ServerView Operations Manager to V7.1x or later

This update before installing Net-SNMP can be performed as usual (see ServerView documentation on update management).

2. Deactivating the Microsoft Windows SNMP service

The Microsoft Windows SNMP service does not support version 3 of SNMP. To use SNMPv3 to manage a Windows-based system, the Microsoft Windows SNMP service must be deactivated and then the SNMP master agent must be replaced by another SNMPv3-capable stack.

For further information see "SNMPv3 communication between ServerView Operations Manager and ServerView Agents" on page 33.

For instructions see "Deactivating the Windows SNMP service (Windows)" on page 40.

3. Installing Net-SNMP

For instructions see "Installing Net-SNMP (Windows)" on page 40.

4. Settings for the new SNMP daemon - using the example of Net-SNMP

At the minimum you must create a USM user, define access control and configure traps and trap forwarding to the Windows SNMP service.

For further information see "SNMPv3: New features" on page 10 and "SNMPv3 communication between ServerView Operations Manager and ServerView Agents" on page 33.

For instructions see "Windows on CMS: Reconfiguring UDP ports, registering and configuring snmptrapd.conf" on page 41.

5. Enabling SNMPv3 in ServerView Operations Manager - snmp.conf

For instructions see "Enabling SNMPv3 in SVOM" on page 46.

4.2.1.2 Initial installation

Situation: SVOM is to be installed on a Windows-based system.

Purpose: To use SNMPv3 in this newly installed monitoring solution.

Procedure:

1. Installing and/or activating the Microsoft Windows SNMP service

For instructions see "Installing and/or activating the Microsoft Windows SNMP service (Windows)" on page 39.

2. Installing ServerView Operations Manager V7.1x or later

For instructions see "Installing ServerView Operations Manager (Windows/Linux)" on page 39.

3. Deactivating the Microsoft Windows SNMP service

The Microsoft Windows SNMP service does not support version 3 of SNMP. To use SNMPv3 to manage a Windows-based server, the Microsoft Windows SNMP service must be deactivated and then the SNMP master agent must be replaced by another SNMPv3-capable stack.

For further information see "SNMPv3 communication between ServerView Operations Manager and ServerView Agents" on page 33.

For instructions see "Deactivating the Windows SNMP service (Windows)" on page 40.

4. Installing Net-SNMP

For instructions see "Installing Net-SNMP (Windows)" on page 40.

5. Settings for the new SNMP daemon - using the example of Net-SNMP

At the minimum you must create a USM user, define access control and configure traps and trap forwarding to the Windows SNMP service.

For further information see "SNMPv3: New features" on page 10 and "SNMPv3 communication between ServerView Operations Manager and ServerView Agents" on page 33.

For instructions see "Windows on CMS: Reconfiguring UDP ports, registering and configuring snmptrapd.conf" on page 41.

6. Enabling SNMPv3 in ServerView Operations Manager - snmp.conf

For instructions see "Enabling SNMPv3 in SVOM" on page 46.

4.2.2 Linux-based system: Overview of procedures

ServerView Operations Manager up to and including version 7.0x does not support SNMPv3.

The procedure differs according to the given situation and purpose:

4.2.2.1 Switch to SNMPv3

Situation: SVOM is installed on a Linux-based system and this monitoring solution uses SNMPv1.

Purpose: To use SNMPv3.

Procedure:

1. Updating ServerView Operations Manager to V7.1x or later

This update before installing Net-SNMP can be performed as usual (see ServerView documentation on update management).

2. Settings for the new SNMP daemon - using the example of Net-SNMP

At the minimum you must create a USM user, define access control and configure traps.

For further information see "SNMPv3: New features" on page 10.

For instructions see "Windows on CMS: Reconfiguring UDP ports, registering and configuring snmptrapd.conf" on page 41.

3. Enabling SNMPv3 in ServerView Operations Manager - snmp.conf

For instructions see "Enabling SNMPv3 in SVOM" on page 46.

4.2.2.2 Initial installation

Situation: SVOM is to be installed on a Linux-based system.

Purpose: To use SNMPv3 in this newly installed monitoring solution.

Procedure:

1. Installing ServerView Operations Manager V7.1x or later

For instructions see "Installing ServerView Operations Manager (Windows/Linux)" on page 39.

2. Settings for the new SNMP daemon - using the example of Net-SNMP

At the minimum you must create a USM user, define access control and configure traps.

For further information see "SNMPv3: New features" on page 10.

For instructions see "Linux on CMS: Configuring snmptrapd.conf" on page 44.

3. Enabling SNMPv3 in ServerView Operations Manager - snmp.conf

For instructions see "Enabling SNMPv3 in SVOM" on page 46.

4.2.3 Installing ServerView Operations Manager (Windows/Linux)

ServerView Operations Manager up to and including version 7.0x does not support SNMPv3.

1. Install ServerView Operations Manager version 7.1x or later.

For detailed information on installing ServerView Operations Manager, see the manual ServerView Operations Manager - Installation Guide.

4.2.4 Installing and/or activating the Microsoft Windows SNMP service (Windows)

Although the Microsoft Windows SNMP service does not support SNMPv3, it must be installed in order to provide the necessary Windows SNMP service extension DLLs and the Windows SNMP API from snmpapi.dll.

For installing ServerView Operations Manager the Microsoft Windows SNMP service must be activated to ensure a correct installation process.

1. Install and/or activate the Microsoft Windows SNMP service.

For detailed information on installing and activating this service, see the appropriate documentation by Microsoft.

4.2.5 Deactivating the Windows SNMP service (Windows)

1. If the Microsoft Windows SNMP service is running, stop it.

2. Disable the Windows SNMP service or set its startup type to Manual.

Otherwise the Windows SNMP service will be restarted next time the system starts.

For further information on the coexistence of the two daemons, see the Net-SNMP documentation.

For detailed information on handling the Microsoft Windows SNMP service, see the appropriate documentation by Microsoft.

4.2.6 Installing Net-SNMP (Windows)

To use SNMPv3 in ServerView communication, the Net-SNMP service is recommended.

Linux: The Net-SNMP service comes with most Linux distributions.

4.2.6.1 Source of Net-SNMP

Net-SNMP provides tools and libraries relating to the Simple Network Management Protocol, including: an extensible agent, an SNMP library, tools to request or set information from SNMP agents, tools to generate and handle SNMP traps, etc.

You will find Net-SNMP at http://www.net-snmp.org/download.html.

Net-SNMP is an open-source framework; therefore unexpected changes are possible.

Make sure the releases of your Windows platform and Net-SNMP for Windows are compatible.

If your Windows is based on a Win64 platform and you install Net-SNMP for Win32 platforms, the Windows service extension DLLs will be incompatible. In this case the Net-SNMP master agent cannot communicate with the ServerView Agents.

4.2.6.2 Installing

Net-SNMP documentation:

Net-SNMP refers to the INSTALL file distributed with the installation package.

For further documentation visit http://www.net-snmp.org/docs/.

1. Install the Net-SNMP package according to the Net-SNMP documentation.

Bear in mind the following:

To be able to use encryption you must install OpenSSL (https://www.openssl.org).

Net-SNMP versions 5.7.3 (LTS), 5.6.2.1, 5.5.2.1, and 5.4.4 (LTS):

The Net-SNMP Windows binaries have been built with OpenSSL version 0.9.8r. Since the OpenSSL 0.9 and 1.0 DLLs are incompatible, any attempt to install Net-SNMP on a system where OpenSSL 1.0 has been installed will fail.

a. In the Choose Components window of the Net-SNMP installation wizard:

For the component Net-SNMP Agent Service, enable the setting With Windows Extension DLL support.

b. To be able to use encryption:

In the Choose Components window of the Net-SNMP installation wizard, enable the component Encryption support (openSSL).

2. Register Net-SNMP Agent Service as a Windows service.

Recommended: Use the batch file registeragent.bat provided in the Net-SNMP installation directory.

4.2.7 Windows on CMS: Reconfiguring UDP ports, registering and configuring snmptrapd.conf

Requirement: SVOM must be installed, see "Installing ServerView Operations Manager (Windows/Linux)" on page 39.

4.2.7.1 Reconfiguring UDP ports

To use SNMPv3 to manage a Windows-based server, the Net-SNMP service must be added.

Although the Microsoft Windows SNMP service does not support SNMPv3, it must be installed in order to provide the necessary Windows SNMP service extension DLLs and the Windows SNMP API from snmpapi.dll.

To pass the traffic on to the Windows SNMP service, you must reconfigure the UDP ports of the Windows SNMP service (see "SNMPv3 communication between ServerView Operations Manager and ServerView Agents" on page 33).

1. Open the file C:\Windows\<Systems32>\drivers\etc\services.

2. Find the lines beginning with snmpd.

3. Change the value 162/udp (e.g. to 1162/udp).

4. Save the changes.

5. Restart the Windows SNMP service.

For further information on the coexistence of the two SNMP services, see the Net-SNMP documentation.

To forward the traffic to the Windows SNMP service, you must set a forward command in the snmptrapd.conf file (see below).

4.2.7.2 Register the Net-SNMP service as a Windows service

1. Locate the snmpd.exe file in the Net-SNMP installation.

2. Open a command line.

3. Run the command:

snmpd -register -Lf "C:\usr\LOG_AGENT" -I-udp,udpTable,tcp,tcpTable,icmp,ip,interfaces,system_mib,sysORTable

4.2.7.3 Configuring snmptrapd.conf

1. Find the snmptrapd.conf file on Windows:

The snmptrapd.conf file can be found in the directory <net-snmp installdir>\etc\snmp.

2. Open the snmptrapd.conf configuration file.

3. Configure the settings for traffic forwarding and the common user:

• Create a user.

For communication between the central management station of ServerView Operations Manager and the ServerView Agents on the managed nodes via version 3 of SNMP, a common user must be configured on the communication end points.

Add a createUser statement to the snmptrapd.conf file:

createUser [-e ENGINEID] <username> [(MD5|SHA) <authpassphrase> [DES|AES] [<privpassphrase>]]

Examples:

• createUser adminA MD5 adminAadminA

Defines a user called adminA, which can be used for authenticated SNMPv3 messages without encryption. The password is adminAadminA and the hash algorithm to be used is MD5.

• createUser adminP MD5 adminAadminA DES adminPadminP

Defines a user called adminP, which can be used for authenticated and encrypted SNMPv3 messages, see "SNMPv3: New features" on page 10. The password for the authentication process is adminAadminA and the hash algorithm to be used is MD5. The password for the encryption procedure is adminPadminP and the encryption algorithm is DES.

If you want to use the same password for authentication and privacy, skip the statement after the encryption algorithm.

USM (see "SNMPv3: New features" on page 10) does not define privacy without authentication.

SNMPv3 passphrases must be at least 8 characters long.

• Define the program to be executed in response to a trap.

Add a traphandle statement to the snmptrapd.conf file:

traphandle default "<file path>"

Defines the program to be executed in response to a certain trap OID. default covers all trap OIDs not previously defined.

• Set forwarding of traps to the Windows SNMP service.

Add a forward statement to the snmptrapd.conf file:

forward default localhost:1162

Forwards a trap with a certain OID to a destination IP address. default covers all trap OIDs not previously defined.

4. Restart the Net-SNMP service.

4.2.7.4 Example of an snmptrapd.conf file:

authCommunity net public

authUser log,execute testuser

createUser testuser MD5 testuser AES testuser

traphandle default "C:\Program Files (x86)\Fujitsu\ServerView Suite\ServerView\ServerViewServices\scripts\ServerView\SnmpTrap\SnmpTrapListen3"

forward default localhost:1162

Explanations:

• authCommunity/authUser

Defines the credentials owned by a certain user or community string.

• net

Forwarding communication.

• log

Logging traps.

• execute

Running executables in response to a trap.

4.2.8 Linux on CMS: Configuring snmptrapd.conf

Requirement: SVOM must be installed, see "Installing ServerView Operations Manager (Windows/Linux)" on page 39.

4.2.8.1 Configuring snmptrapd.conf

1. Find the snmptrapd.conf file on Linux:

There are several ways to find the snmptrapd.conf file. One way is to inspect the debug output of the Net-SNMP master agent:

• Call the snmpd daemon with the following parameters:

snmpd -f -Lo -Dread_config -H 2>&1 | grep "config path" | head -1

This outputs something like:

config path used for snmptrapd:/etc/snmp:/usr/share/snmp:/usr/lib64/snmp:/root/.snmp: (persistent path:/var/lib/net-snmp)

• Therefore the snmptrapd.conf file can be found in the directory /etc/snmp.

2. Open the snmptrapd.conf configuration file.

3. Configure the settings for traffic forwarding and the common user:

• Create a user.

For communication between the central management station of ServerView Operations Manager and the ServerView Agents on the managed nodes via version 3 of SNMP, a common user must be configured on the communication end points.

Add a createUser statement to the snmptrapd.conf file:

createUser [-e ENGINEID] <username> [(MD5|SHA) <authpassphrase> [DES|AES] [<privpassphrase>]]

Examples:

• createUser adminA MD5 adminAadminA

Defines a user called adminA, which can be used for requests with authentication, but without privacy. The password is adminAadminA and the hash algorithm to be used is MD5.

• createUser adminP MD5 adminAadminA DES adminPadminP

Defines a user called adminP, which can be used for requests with privacy (and therefore with authentication too, see "SNMPv3: New features" on page 10). The password for the authentication process is adminAadminA and the hash algorithm to be used is MD5. The password for the encryption procedure is adminPadminP and the encryption algorithm is DES.

If you want to use the same password for authentication and encryption, skip the statement after the encryption algorithm.

USM (see "SNMPv3: New features" on page 10) does not define encryption without authentication.

SNMPv3 passphrases must be at least 8 characters long.


* Define the program to be executed in response to a trap.

Add a traphandle statement to the snmptrapd.conf file:

traphandle default "<file path>"

Defines the program to be executed in response to a certain trap OID. default covers all trap OIDs not previously defined.

4. Restart the Net-SNMP service.

4.2.8.2 Example of an snmptrapd.conf file:

authCommunity net public

authUser log,execute testuser

createUser testuser MD5 testuser AES testuser

traphandle default "C:\Program Files (x86)\Fujitsu\ServerView Suite\ServerView\ServerViewServices\scripts\ServerView\SnmpTrap\SnmpTrapListen3"

Explanations:

* authCommunity/authUser

Defines the credentials owned by a certain user or community string.

* net

Forwarding communication.

* log

Logging traps.

* execute

Running executables in response to a trap.

4.2.9 Enabling SNMPv3 in SVOM

If you have prepared the managed node (see "Settings on the managed server" on page 50) and the central management station (see "Settings on the central management station (CMS)" on page 36), you can enable SNMPv3 in ServerView Operations Manager.

You have two options for enabling SNMPv3 in SVOM:

* Via a V3 Setting configuration window

See "Enabling SNMPv3 in SVOM via the 'V3 Setting' configuration window" on page 47

or

* Via the configuration file snmp.conf

See "Enabling SNMPv3 in SVOM via snmp.conf" on page 48

4.2.9.1 Enabling SNMPv3 in SVOM via the 'V3 Setting' configuration window

With ServerView Operations Manager V7.10 or higher you can enable SNMPv3 in SVOM via the V3 Setting configuration window.

Opening the 'V3 Setting' configuration window

You can open the V3 Setting configuration window of ServerView Operations Manager directly via the Web address of the central management station.

1. Enter the following Web address:

https://<server_name>.<domain_name>:3170/SNMPv3Settings/Settings

The V3 Setting configuration window opens.

Settings

Explanations:

For communication between the central management station of ServerView Operations Manager and the ServerView Agents on the managed nodes via version 3 of SNMP, a common user must be configured on the communication end points.


* Enable V3

Sets protocol version 3 of SNMP.

* Security Name

The user name defined for ServerView Operations Manager - see "Windows on CMS: Reconfiguring UDP ports, registering and configuring snmptrapd.conf" on page 41 or "Linux on CMS: Configuring snmptrapd.conf" on page 44.

* Authentication Password

The password for authentication.

* Privacy Password

The password for encryption.

* Security level

The security level.

Possible values: None, authNoPriv, authPriv - for further information see "SNMPv3: New features" on page 10.

* Authentication algorithm

The authentication algorithm used by the user.

Possible values: MD5, SHA - for further information see "SNMPv3: New features" on page 10.

* Privacy algorithm

The encryption algorithm used by the user.

Possible values: DES, AES - for further information see "SNMPv3: New features" on page 10.

Saving the settings

1. Click the Save button in the V3 Setting configuration window.

4.2.9.2 Enabling SNMPv3 in SVOM via snmp.conf

Location of snmp.conf

SNMPv3 is enabled in ServerView Operations Manager by creating an additional configuration file snmp.conf, which must be located in the following directories:

Windows:

C:\usr\etc\snmp\snmp.conf


Linux:

/etc/snmp/snmp.conf

Contents of snmp.conf

snmp.conf must contain:

defVersion 3

defSecurityName testuser

defSecurityLevel authNoPriv

defPassphrase testuser

defAuthType MD5

defPrivType AES

Explanations:

For communication between the central management station of ServerView Operations Manager and the ServerView Agents on the managed nodes via version 3 of SNMP, a common user must be configured on the communication end points.

* defSecurityName

The user name defined for ServerView Operations Manager - see "Windows on CMS: Reconfiguring UDP ports, registering and configuring snmptrapd.conf" on page 41 or "Linux on CMS: Configuring snmptrapd.conf" on page 44.

* defPassphrase

The password for both authentication and encryption.

If the passwords differ, use the following settings: defAuthPassphrase, defPrivPassphrase.

* defSecurityLevel

The security level.

Possible values: noAuthNoPriv, authNoPriv, authPriv - for further information see "SNMPv3: New features" on page 10.

* defAuthType

The authentication algorithm used by the user.

Possible values: MD5, SHA - for further information see "SNMPv3: New features" on page 10.


* defPrivType

The encryption algorithm used by the user.

Possible values: DES, AES - for further information see "SNMPv3: New features" on page 10.

4.3 Settings on the managed server

4.3.1 Windows-based server: Overview of procedures

The procedure differs according to the given situation and purpose:

4.3.1.1 Switch to SNMPv3

Situation: A Windows-based server is monitored via the ServerView Agents.

Purpose: To use SNMPv3.

Procedure:

1. Updating the ServerView Agents to V7.01

This update before installing Net-SNMP can be performed as usual (see ServerView documentation on update management).

2. Deactivating the Microsoft Windows SNMP service

The Microsoft Windows SNMP service does not support version 3 of SNMP. To use SNMPv3 to manage a Windows-based server, the Microsoft Windows SNMP service must be deactivated and then the SNMP master agent must be replaced by another SNMPv3-capable stack.

For further information see "Agent architecture" on page 16.

For instructions see "Deactivating the Windows SNMP service and Installing Net-SNMP (Windows)" on page 23.

3. Installing Net-SNMP

For instructions see "Deactivating the Windows SNMP service and Installing Net-SNMP (Windows)" on page 23.

4. Settings for the new SNMP master agent - using the example of Net-SNMP

At the minimum you must create a USM user, define access control and configure traps.

For further information see "SNMPv3: New features" on page 10.

For instructions see "Configuring Net-SNMP (Windows/Linux)" on page 28.


4.3.1.2 Initial installation of a managed server

Situation: A Windows-based server is not monitored via the ServerView Agents.

Purpose: To monitor the server via the ServerView Agents using SNMPv3.

Procedure:

1. Installing and/or activating the Microsoft Windows SNMP service

For instructions see "Installing and/or activating the Microsoft Windows SNMP service (Windows)" on page 23.

2. Installing the ServerView Agents V7.01 or higher

For instructions see "Installing the ServerView Agents (Windows/Linux)" on page 23.

3. Deactivating the Microsoft Windows SNMP service

The Microsoft Windows SNMP service does not support version 3 of SNMP. To use SNMPv3 to manage a Windows-based server, the Microsoft Windows SNMP service must be deactivated and then the SNMP master agent must be replaced by another SNMPv3-capable stack.

For further information see "Agent architecture" on page 16.

For instructions see "Deactivating the Windows SNMP service and Installing Net-SNMP (Windows)" on page 23.

4. Installing Net-SNMP

For instructions see "Deactivating the Windows SNMP service and Installing Net-SNMP (Windows)" on page 23.

5. Settings for the new SNMP master agent - using the example of Net-SNMP

At the minimum you must create a USM user, define access control and configure traps.

For further information see "SNMPv3: New features" on page 10.

For instructions see "Configuring Net-SNMP (Windows/Linux)" on page 28.

4.3.1.3 Updates

Situation: A Windows-based server is monitored via the ServerView Agents using SNMPv3.

Purpose: To update the ServerView Agents.

Procedure: For instructions see "Updating ServerView Agents with Net-SNMP master agent (Windows/Linux)" on page 31.


4.3.2 Linux-based server: Overview of procedures

The procedure differs according to the given situation and purpose:

4.3.2.1 Switch to SNMPv3

Situation: A Linux-based server is monitored via the ServerView Agents.

Purpose: To use SNMPv3.

Procedure:

1. Updating the ServerView Agents to V7.01

This update can be performed before installing Net-SNMP (see ServerView documentation on update management).

2. Settings for the SNMP master agent

At the minimum you must create a USM user, define access control and configure traps.

For further information see "SNMPv3: New features" on page 10.

For instructions see "Configuring Net-SNMP (Windows/Linux)" on page 28.

4.3.2.2 Initial installation of a managed server

Situation: A Linux-based server is not monitored via the ServerView Agents.

Purpose: To monitor the server via the ServerView Agents using SNMPv3.

Procedure:

1. Installing the ServerView Agents V7.01 or higher

For instructions see "Installing the ServerView Agents (Windows/Linux)" on page 23.

2. Settings for the SNMP master agent

At the minimum you must create a USM user, define access control and configure traps.

For further information see "SNMPv3: New features" on page 10.

For instructions see "Configuring Net-SNMP (Windows/Linux)" on page 28.

4.3.2.3 Updates

Situation: A Linux-based server is monitored via the ServerView Agents using SNMPv3.

Purpose: To update the ServerView Agents.

Procedure: For instructions see "Updating ServerView Agents with Net-SNMP master agent (Windows/Linux)" on page 31.

4.3.3 Windows on a managed server: Reconfiguring UDP ports, registering and configuring snmpd.conf

Requirement:

The managed server must be prepared to use SNMPv3, for information see "Using SNMPv3 with ServerView Agents" on page 16.

The following are additional settings to enable communication between the central management station of ServerView Operations Manager and the ServerView Agents on the managed nodes via SNMPv3.

4.3.3.1 Reconfiguring UDP ports

To use SNMPv3 to manage a Windows-based server, the Net-SNMP service must be added.

Although the Microsoft Windows SNMP service does not support SNMPv3, it must be installed in order to provide the necessary Windows SNMP service extension DLLs and the Windows SNMP API from snmpapi.dll.

To pass the traffic on to the Windows SNMP service, you must reconfigure the UDP ports of the Windows SNMP service (see "SNMPv3 communication between ServerView Operations Manager and ServerView Agents" on page 33).

1. Open the file C:\Windows\<Systems32>\drivers\etc\services.

2. Find the lines beginning with snmpd.

3. Change the value 161/udp (e.g. to 1161/udp).

4. Save the changes.

5. Restart the Windows SNMP service.

For further information on the coexistence of the two SNMP services, see the Net-SNMP documentation.

To forward the traffic to the Windows SNMP service, you must set a proxy command in the snmpd.conf file (see below).


4.3.3.2 Register the Net-SNMP service as a Windows service

1. Locate the snmpd.exe file in the Net-SNMP installation.

2. Open a command line.

3. Run the command:

snmpd -register -Lf "C:\usr\LOG_AGENT" -I -udp,udpTable,tcp,tcpTable,icmp,ip,interfaces,system_mib,sysORTable

4.3.3.3 Configuring snmpd.conf

1. Find the snmpd.conf file on Windows:

The snmpd.conf file can be found in the directory <net-snmp installdir>\etc\snmp.

2. Open the snmpd.conf configuration file.

The contents of the persistent snmpd.conf file will be overwritten every time the Net-SNMP master agent is stopped. It is recommended not to edit the persistent snmpd.conf file when the Net-SNMP master agent is running.

3. Configure the settings for traffic forwarding and the common user:

* Define access control.

Add an rouser for read-only access or an rwuser for read-write access to the snmpd.conf file:

rouser <username> secLevel:{noauth|auth|priv} [restriction_mibtree]

rwuser <username> secLevel:{noauth|auth|priv} [restriction_mibtree]

Examples:

* rouser adminA auth

Grants read-only access to the full MIB tree for the SNMPv3 user adminA defined above.

* rwuser adminA auth .1.3.6.1.4.1.231.2

Grants selective read-write access to the individual subtree 1.3.6.1.4.1.231.2 for adminA.


* Create a user.

For communication between the central management station of ServerView Operations Manager and the ServerView Agents on the managed nodes via version 3 of SNMP, a common user must be configured on the communication end points.

Add a createUser statement to the snmpd.conf file:

createUser [-e ENGINEID] <username> [(MD5|SHA) <authpassphrase> [DES|AES] [<privpassphrase>]]

Examples:

* createUser adminA MD5 adminAadminA

Defines a user called adminA, which can be used for authenticated SNMPv3 messages without encryption. The password is adminAadminA and the hash algorithm to be used is MD5.

* createUser adminP MD5 adminAadminA DES adminPadminP

Defines a user called adminP, which can be used for authenticated and encrypted SNMPv3 messages, see "SNMPv3: New features" on page 10. The password for the authentication process is adminAadminA and the hash algorithm to be used is MD5. The password for the encryption procedure is adminPadminP and the encryption algorithm is DES.

If you want to use the same password for authentication and privacy, skip the statement after the encryption algorithm.

USM (see "SNMPv3: New features" on page 10) does not define privacy without authentication.

SNMPv3 passphrases must be at least 8 characters long.

* Set forwarding of SNMPv1 communication to the Windows SNMP service.

Add a proxy statement to the snmpd.conf file:

proxy -v 1 -c public localhost:1161 .1.3

4. Restart the Net-SNMP service.

Restarting the daemon will produce a usmUser entry in the persistent snmpd.conf file.

Example:

usmUser 1 3 0x80001f88800706b92268f4934900000000 0x61646d696e4100 0x61646d696e4100 NULL .1.3.6.1.6.3.10.1.1.2 0x60c245359704f595b1af164a411d299d .1.3.6.1.6.3.10.1.2.1 "" ""


Basically, the usmUser statement contains the same information as the createUser entry. The main difference is that the readable passwords are replaced by localized keys (see Net-SNMP documentation).

From now on the snmpd daemon uses the usmUser information.

4.3.3.4 Example of an snmpd.conf file:

agentaddress udp:161

agentaddress udp6:161

com2sec public default public

com2sec6 public default public

group MyGroup v1 public

group MyGroup v2c public

view all included .1

access MyGroup "" any noauth exact all all all

rwuser testuser auth .1

createUser testuser MD5 testuser AES testuser

proxy -v 1 -c public localhost:1161 1.3

proc mountd

proc ntalkd 4

proc sendmail 10 1


4.3.4 Linux on a managed server: Configuring snmpd.conf

Requirement:

The managed server must be prepared to use SNMPv3, for information see "Using SNMPv3 with ServerView Agents" on page 16.

The following are additional settings to enable communication between the central management station of ServerView Operations Manager and the ServerView Agents on the managed nodes via SNMPv3.

1. Find the snmpd.conf file on Linux:

There are several ways to find the snmpd.conf file. One way is to debug the output of the Net-SNMP master agent:

* Call the snmpd daemon with the following parameters:

snmpd -f -Lo -Dread_config -H 2>&1 | grep "config path" | head -1

This outputs something like:

config path used for snmpd:/etc/snmp:/usr/share/snmp:/usr/lib64/snmp:/root/.snmp: (persistent path:/var/lib/net-snmp)

* Therefore the snmpd.conf file can be found in the directory /etc/snmp.

2. Open the snmpd.conf configuration file.

The contents of the persistent snmpd.conf file will be overwritten every time the Net-SNMP master agent is stopped. It is recommended not to edit the persistent snmpd.conf file when the Net-SNMP master agent is running.

3. Configure the settings for the common user:

* Define access control.

Add an rouser for read-only access or an rwuser for read-write access to the snmpd.conf file:

rouser <username> secLevel:{noauth|auth|priv} [restriction_mibtree]

rwuser <username> secLevel:{noauth|auth|priv} [restriction_mibtree]

Examples:

* rouser adminA auth

Grants read-only access to the full MIB tree for the SNMPv3 user adminA defined above.

* rwuser adminA auth .1.3.6.1.4.1.231.2

Grants selective read-write access to the individual subtree 1.3.6.1.4.1.231.2 for adminA.

* Create a user.

For communication between the central management station of ServerView Operations Manager and the ServerView Agents on the managed nodes via version 3 of SNMP, a common user must be configured on the communication end points.

Add a createUser statement to the snmpd.conf file:

createUser [-e ENGINEID] <username> [(MD5|SHA) <authpassphrase> [DES|AES] [<privpassphrase>]]

Examples:

* createUser adminA MD5 adminAadminA

Defines a user called adminA, which can be used for authenticated SNMPv3 messages without encryption. The password is adminAadminA and the hash algorithm to be used is MD5.

* createUser adminP MD5 adminAadminA DES adminPadminP

Defines a user called adminP, which can be used for authenticated and encrypted SNMPv3 messages, see "SNMPv3: New features" on page 10. The password for the authentication process is adminAadminA and the hash algorithm to be used is MD5. The password for the encryption procedure is adminPadminP and the encryption algorithm is DES.

If you want to use the same password for authentication and privacy, skip the statement after the encryption algorithm.

USM (see "SNMPv3: New features" on page 10) does not define privacy without authentication.

SNMPv3 passphrases must be at least 8 characters long.

4. Restart the Net-SNMP service.

Restarting the daemon will produce a usmUser entry in the persistent snmpd.conf file.


Example:

usmUser 1 3 0x80001f88800706b92268f4934900000000 0x61646d696e4100 0x61646d696e4100 NULL .1.3.6.1.6.3.10.1.1.2 0x60c245359704f595b1af164a411d299d .1.3.6.1.6.3.10.1.2.1 "" ""

Basically, the usmUser statement contains the same information as the createUser entry. The main difference is that the readable passwords are replaced by localized keys (see Net-SNMP documentation).

From now on the snmpd daemon uses the usmUser information.
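How a createUser passphrase becomes the localized key stored in a persistent usmUser entry (Windows and Linux sections above), shown as an added example that is not part of the manual or of Net-SNMP: it implements the RFC 3414 password-to-key and key-localization steps and checks a usmUser line against a passphrase. The sample line is constructed from the RFC 3414 test vector; the function names and the field positions (read off the usmUser example above) are assumptions of this example.

```python
import hashlib
import hmac

# USM authentication protocol OIDs (RFC 3414) mapped to hashlib names.
AUTH_PROTOCOLS = {
    ".1.3.6.1.6.3.10.1.1.1": None,    # usmNoAuthProtocol
    ".1.3.6.1.6.3.10.1.1.2": "md5",   # usmHMACMD5AuthProtocol
    ".1.3.6.1.6.3.10.1.1.3": "sha1",  # usmHMACSHAAuthProtocol
}

# Constructed sample line in the field layout of the usmUser example above,
# built from the RFC 3414 A.3.1 test vector (passphrase "maplesyrup",
# engine ID 00..02); the user name "maple" is made up.
SAMPLE_USM_USER = (
    "usmUser 1 3 0x000000000000000000000002 0x6d61706c6500 0x6d61706c6500 "
    "NULL .1.3.6.1.6.3.10.1.1.2 0x526f5eed9fcce26f8964c2930787d82b "
    '.1.3.6.1.6.3.10.1.2.1 "" ""'
)


def password_to_key(passphrase: bytes, hash_name: str) -> bytes:
    """RFC 3414 A.2: hash 1,048,576 bytes of the passphrase repeated end to end."""
    if len(passphrase) < 8:
        raise ValueError("SNMPv3 passphrases must be at least 8 characters long")
    repeats, remainder = divmod(1048576, len(passphrase))
    stream = passphrase * repeats + passphrase[:remainder]
    return hashlib.new(hash_name, stream).digest()


def localize_key(user_key: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Bind the user key to one SNMP engine: H(Ku || engineID || Ku)."""
    return hashlib.new(hash_name, user_key + engine_id + user_key).digest()


def _unhex(field: str) -> bytes:
    """Decode a 0x-prefixed hex field; anything else (e.g. "") counts as empty."""
    return bytes.fromhex(field[2:]) if field.startswith("0x") else b""


def parse_usm_user(line: str) -> dict:
    """Split a persistent usmUser line into the fields this example needs."""
    fields = line.split()
    if len(fields) < 11 or fields[0] != "usmUser":
        raise ValueError("not a usmUser line")
    return {
        "engine_id": _unhex(fields[3]),
        "user": _unhex(fields[4]).rstrip(b"\x00").decode("ascii"),
        "auth_protocol": fields[7],
        "auth_key": _unhex(fields[8]),
        "priv_protocol": fields[9],
    }


def passphrase_matches(line: str, passphrase: str) -> bool:
    """True if the entry's authentication key was derived from this passphrase."""
    entry = parse_usm_user(line)
    hash_name = AUTH_PROTOCOLS.get(entry["auth_protocol"])
    if hash_name is None:
        return False
    user_key = password_to_key(passphrase.encode(), hash_name)
    expected = localize_key(user_key, entry["engine_id"], hash_name)
    return hmac.compare_digest(expected, entry["auth_key"])


if __name__ == "__main__":
    entry = parse_usm_user(SAMPLE_USM_USER)
    print(entry["user"], entry["engine_id"].hex(), entry["auth_key"].hex())
    print("matches 'maplesyrup':", passphrase_matches(SAMPLE_USM_USER, "maplesyrup"))
```

Because the engine ID enters the hash, the same passphrase produces a different usmUser key on every managed node.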

4.3.4.1 Example of an snmpd.conf file:

agentaddress udp:161

agentaddress udp6:161

com2sec public default public

com2sec6 public default public

group MyGroup v1 public

group MyGroup v2c public

view all included .1

access MyGroup "" any noauth exact all all all

rwuser testuser auth .1

createUser testuser MD5 testuser AES testuser

proc mountd

proc ntalkd 4

proc sendmail 10 1
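A configuration check for the createUser, rouser/rwuser, community and access lines used in the snmptrapd.conf and snmpd.conf examples of this chapter, added here as an example and not part of the manual or of Net-SNMP. The finding codes, the helper names and the choice to report MD5 and DES as legacy algorithms are assumptions of this example; the sample input is constructed.

```python
import shlex

MIN_PASSPHRASE_LEN = 8              # minimum passphrase length stated in the manual
LEGACY_ALGORITHMS = {"MD5", "DES"}  # assumption of this example: report as legacy

# Constructed sample: the first six lines follow the example snmpd.conf above,
# the two adminP lines are made up for contrast.
SAMPLE_SNMPD_CONF = """\
com2sec public default public
group MyGroup v1 public
view all included .1
access MyGroup "" any noauth exact all all all
rwuser testuser auth .1
createUser testuser MD5 testuser AES testuser
createUser adminP SHA "a-long-auth-phrase" AES "a-long-priv-phrase"
rouser adminP priv .1.3.6.1.4.1.231.2
"""


def directives(text):
    """Yield (line_number, tokens) for each non-empty, non-comment line."""
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            yield number, shlex.split(line)


def check_create_user(args):
    """createUser [-e ENGINEID] <username> [(MD5|SHA) <authpass> [DES|AES] [<privpass>]]"""
    if args[:1] == ["-e"]:
        args = args[2:]
    user, rest = args[0], args[1:]
    if len(rest) < 2:
        return [("no-auth-key", f"{user}: defined without authentication")]
    auth_proto, auth_pass = rest[0].upper(), rest[1]
    priv_proto = rest[2].upper() if len(rest) > 2 else None
    secrets, found = {"authentication": auth_pass}, []
    if priv_proto:  # without its own passphrase, privacy reuses the authentication one
        secrets["privacy"] = rest[3] if len(rest) > 3 else auth_pass
    else:
        found.append(("no-privacy-key", f"{user}: no privacy protocol, authPriv impossible"))
    for algorithm in (auth_proto, priv_proto):
        if algorithm in LEGACY_ALGORITHMS:
            found.append(("legacy-algorithm", f"{user}: uses {algorithm}"))
    for purpose, secret in secrets.items():
        if len(secret) < MIN_PASSPHRASE_LEN:
            found.append(("short-passphrase", f"{user}: {purpose} passphrase too short"))
        if secret.lower() == user.lower():
            found.append(("passphrase-is-username", f"{user}: {purpose} passphrase equals user name"))
    return found


def check_user_access(keyword, args):
    """rouser|rwuser <username> [noauth|auth|priv [restriction_mibtree]]"""
    user = args[0]
    level = args[1] if len(args) > 1 else "auth"  # Net-SNMP default when omitted
    subtree = args[2] if len(args) > 2 else ".1"  # no restriction: full MIB tree
    found = []
    if level != "priv":
        found.append(("no-privacy-required", f"{user}: level '{level}' accepts unencrypted requests"))
    if keyword == "rwuser" and subtree.lstrip(".") == "1":
        found.append(("write-whole-tree", f"{user}: read-write access to the full MIB tree"))
    return found


def check_community(keyword, args):
    """com2sec[6] <secname> <source> <community> or r[ow]community[6] <community> ..."""
    community = args[-1] if keyword.startswith("com2sec") else args[0]
    found = [("v1v2c-community", f"community '{community}' admits SNMPv1/v2c requests")]
    if keyword.startswith("rwcommunity"):
        found.append(("community-write", f"community '{community}' has write access"))
    return found


def audit(text):
    """Return (line_number, code, message) findings for snmpd.conf/snmptrapd.conf text."""
    findings = []
    for number, (keyword, *args) in directives(text):
        try:
            if keyword == "createUser":
                found = check_create_user(args)
            elif keyword in ("rouser", "rwuser"):
                found = check_user_access(keyword, args)
            elif keyword.startswith(("com2sec", "rocommunity", "rwcommunity")):
                found = check_community(keyword, args)
            elif keyword == "access" and args[3] == "noauth" and args[6] != "none":
                # access <group> <context> <model> <level> <prefix> <read> <write> <notify>
                found = [("noauth-write", f"group {args[0]}: write view '{args[6]}' without authentication")]
            else:
                found = []
        except IndexError:
            found = [("malformed", f"{keyword}: too few arguments")]
        findings.extend((number, code, message) for code, message in found)
    return findings


if __name__ == "__main__":
    for number, code, message in audit(SAMPLE_SNMPD_CONF):
        print(f"line {number}: [{code}] {message}")
```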


4.4 Operating items

4.4.1 Unsuccessful browsing for servers with SNMPv3 enabled

When trying to browse for servers with SNMPv3 enabled on CMS, with only a few (SNMPv3-enabled) servers in the subnet, browsing may time out. It is recommended to add SNMPv3 hosts to the server list individually.

If automated browsing in this host configuration is required, the following steps should be performed:

* Disable SNMPv3 on CMS

* Make sure SNMPv3 hosts also communicate in SNMPv1

* Browse the subnet

* Add all required servers to server list

* Enable SNMPv3 on CMS

* Disable SNMPv1 on servers if required.

4.4.2 CMS visibility in SVOM

To allow the CMS to be visible by itself in the SVOM, you need to correctly configure the SNMP service on the CMS.

Windows:

1. Go to Services.

2. In the properties of the SNMP service go to the Security tab.

3. Under Accepted community names click the Add button to insert Public.

Linux:

1. In the snmpd.conf file add the following line: rwcommunity public default.

2. Immediately after these changes, restart the SNMP service.


5 Using SNMPv3 with iRMC

SNMPv3 must be implemented as part of your own comprehensive security concept and security management plan.

The steps and mechanisms described in this manual are not sufficient to provide comprehensive protection alone, and must be aligned and integrated with your overall security concept.

The iRMC S4 offers SNMPv3 service with firmware V7.8 or higher (only SNMPv3 service, no SNMPv3 traps).

5.1 Architecture and requirements

5.1.1 iRMC architecture

5.1.1.1 Remote Management Controller - iRMC S4

The integrated Remote Management Controller iRMC S4 represents a BMC with integrated LAN connection and extended functionality. In this way, the iRMC S4 offers comprehensive control over PRIMERGY servers, irrespective of the system status. In particular, the iRMC S4 allows for out-of-band management (Lights Out Management, LOM) of PRIMERGY servers. Out-of-band management uses a dedicated management channel that enables a system administrator to monitor and manage servers via remote control, regardless of whether the server is powered on.


5.1.1.2 ServerView integration

The ServerView Agents detect the iRMC S4 and automatically assign it to the relevant server. This means it is possible to start the iRMC S4 Web interface and text console redirection using the ServerView Remote Management Frontend directly from ServerView Operations Manager.

ServerView Operations Manager monitors all key internal subsystems using the SNMP stack of the iRMC S4.

5.1.1.3 Agentless mode with ServerView Agentless Service

In agentless mode with ServerView Agentless Service, the server is managed exclusively via the iRMC S4 of the managed server. Communication between the ServerView Agentless Service and the iRMC S4 occurs via HTI (High-speed Transfer Interface). SNMP runs on the iRMC S4, not on the managed server itself.

The consumers, such as ServerView Operations Manager, communicate with the iRMC S4 via the dedicated management LAN port only.

As well as the information about several system components, such as the motherboard, memory modules, power supplies, RAID controller and others, ServerView agentless management in agentless mode with Agentless Service provides operating system-based information, e.g. PrimeCollect data including the OS event log.

5.1.1.4 SNMP service on iRMC S4

By default, the SNMP service on the iRMC S4 is disabled.

The SNMP service on the iRMC S4 supports GET requests on the following SNMP MIBs:

* SNMP STATUS.MIB

* SNMP OS.MIB

* SNMP SC2.MIB

* SNMP MIB-2.MIB

When the SNMP service is enabled, information provided by these MIBs can be used by any system running an SNMP manager.

5.1.1.5 User permissions on iRMC S4

The iRMC S4 distinguishes between two mutually complementary types of user permissions:

* Channel-specific privileges

* Permissions to use special iRMC S4 functions


Since iRMC S4 assigns permissions on a channel-specific basis, users can have different permissions, depending on whether they access the iRMC S4 over LAN interface or the serial interface.

LAN channels or serial/modem channels are session-based channels. The session concept is a concept for user authentication.

5.1.2 Technical requirements

On the remote workstation:

* Browser:

| Browser | Version | Engine | Restrictions |
|---|---|---|---|
| Firefox | 4x.x | Gecko / Mozilla | |
| Internet Explorer | 11 | Trident | |
| MS Edge | 1.0 | EdgeHTML | No Browser Helper Objects (1) |
| Chrome | 4x.x | Blink | |

* For console redirection:

Sun Java Virtual Machine V1.6 or higher.

In your network:

* You must have a DHCP server in your network.

* If you want to log in to the iRMC Web interface with a symbolic name rather than an IP address, the DHCP server in your network must be configured for dynamic DNS.

* DNS must be configured. Otherwise you must ask for the IP address.

5.2 SNMPv3 in the iRMC S4 User Information page

The iRMC S4 User Information page contains a table showing all the configured users. Each line contains the data for one configured user. The user names are implemented in the form of links. Clicking on a user name opens the User “<name>” Configuration window (see "Configuring user-specific settings for SNMPv3" on page 67), in which you can view or modify the settings for this user.

To open the iRMC S4 User Information page:

1. In the navigation tree of the iRMC S4 Web interface select Network Settings - SNMP.

The iRMC S4 User Information page is displayed:


This page contains a column called SNMPv3 Enabled. This column is displayed even if SNMP is globally disabled (see "Setting the SNMP version" on page 65).

5.3 Overview of procedures

The iRMC S4 offers SNMPv3 service with firmware V7.8 or higher (only SNMPv3 service, no SNMPv3 traps).

By default, the SNMP service on the iRMC S4 is disabled.

Enabling the SNMP service is a two-step procedure:

1. Setting the SNMP version in the Network Settings.

2. Configuring user-specific settings for SNMPv3 in the iRMC S4 User configuration page.

5.3.1 Setting the SNMP version

By default, the SNMP service on the iRMC S4 is disabled.

The SNMP service on the iRMC S4 supports GET requests on the following SNMP MIBs:

* SNMP STATUS.MIB

* SNMP OS.MIB

* SNMP SC2.MIB

* SNMP MIB-2.MIB

When the SNMP service is enabled, information provided by these MIBs can be used by any system running an SNMP manager.

Procedure:

1. In the navigation tree of the iRMC S4 Web interface select Network Settings - SNMP.

The SNMP Generic Configuration page is displayed.

2. On this page set the desired parameters.

SNMPv3 defines a security capability that SNMPv1 and SNMPv2c do not offer. A setting All (SNMPv1/v2c/v3) makes your overall system only as secure as the weakest protocol version.

SNMPv3 must be implemented as part of your own comprehensive security concept and security management plan.

The steps and mechanisms described in this manual are not sufficient to provide comprehensive protection alone, and must be aligned and integrated with your overall security concept.

* SNMP Enabled

Enables SNMP service on the iRMC S4 (default: disabled).

* SNMP Port

Port on which the SNMP service is listening (normally UDP 161).

* SNMP Protocol

SNMP protocol version to be used.

* All (SNMPv1/v2c/v3)

The SNMP service is available for all SNMP protocol versions (SNMP v1/v2c/v3).

* SNMPv3 only

Only SNMPv3 is available.

* SNMPv1/v2c Community and SNMPv1/v2c Permission

These two options are only displayed if All (SNMPv1/v2c/v3) has been selected under SNMP Protocol (for further information see the manual Remote Management. iRMC S4 - integrated Remote Management Controller).

3. Click Apply to store the configured settings.

According to the user management concept of the iRMC S4 (see "iRMC architecture" on page 61), you configure the user-specific settings for SNMPv3 in the iRMC S4 User configuration page - see "Configuring user-specific settings for SNMPv3" on page 67.

5.3.2 Configuring user-specific settings for SNMPv3

Since iRMC S4 assigns permissions on a channel-specific basis, users can have different permissions.

SNMP user configuration is implemented in addition to the IPMI user configuration. Therefore, a user may have different configurations: IPMI-enabled and SNMP-enabled, one of them enabled and one not, or both disabled.

The user name and password defined under iRMC S4 User Information apply to both IPMI and SNMP.

Procedure:

1. In the navigation tree of the iRMC S4 Web interface select User Management - iRMC S4 User.

The User 'xx' Configuration page is displayed.

For configuring SNMP, two groups are important: iRMC S4 User Information and SNMPv3 configuration.

2. iRMC S4 User Information

SNMPv3 needs passwords for authentication and privacy purposes. You can set the passwords here and under iRMC S4 User Information.

Enabling SNMPv3 for the user requires a password with at least 8 characters.

3. SNMPv3 configuration

The parameters of the SNMPv3 configuration group are disabled (grayed out) if the SNMP Enabled option in the SNMP Generic Configuration page is disabled (see "Setting the SNMP version" on page 65).

* SNMP Enabled

Enables SNMPv3 support for the user (default: disabled).

* Access privilege

Access privilege of the user. Currently, readonly is preset (default: readonly and grayed out).

* Authentication

For further information on supported authentication/privacy configurations see "Supported authentication/privacy configurations:" on page 69.

Select the authentication protocol that SNMPv3 uses for authentication (default: SHA).

* SHA

Secure hash algorithm (SHA) is used for authentication.

* MD5

Message-Digest Algorithm 5 (MD5) is used for authentication.

* Privacy

Select the privacy protocol that SNMPv3 uses for encrypting the SNMPv3 traffic (default: AES).

* DES

Digital Encryption Standard is used for encrypting the SNMPv3 traffic.

* AES

Advanced Encryption Standard (AES) 128-bit encryption is used for encrypting the SNMPv3 traffic.

* Click Apply to store the configured settings.

5.3.2.1 Supported authentication/privacy configurations:

| Authentication protocol | Privacy protocol | Support |
|---|---|---|
| none | none | supported in future |
| none | AES | not supported |
| none | DES | not supported |
| MD5 | none | supported in future |
| MD5 | AES | supported |
| MD5 | DES | supported |
| SHA | none | supported in future |
| SHA | AES | supported |
| SHA | DES | supported |
