How to configure the hp-ux Emanate SNMP Agent for v3 access

  • KM00668198
  • 03-Dec-2013
  • 10-Aug-2018

Summary

This document shows how to configure the native hp-ux Emanate SNMP Agent for SNMP v3 access and to send SNMP v3 traps.

Question

How can the hp-ux 11i native Emanate SNMP agent be configured to accept SNMP v3 queries and send SNMP v3 traps?

Answer

The hp-ux native Emanate SNMP agent is pre-installed on most hp-ux servers. By default, the Emanate SNMP agent is not configured to accept SNMP v3 requests; the system administrator needs to enable SNMP v3 in the Emanate Agent configuration. The procedure below can be used to set up a default v3 configuration.

Procedure to create a new SNMP v3 configuration from scratch

1. Check the Emanate SNMP agent version by running the system command 'what' on the Emanate Agent binary; the output needs to list SNMP Research Distribution version 16.1.4.3 or higher. Run the commands below as user 'root' to ensure proper access to the directories and files.

# what snmpdm
snmpdm:
        $Revision: 92453-07 linker linker crt0.o B.11.37 031205 $
        HP92453-02A.11.00 HP-UX SYMBOLIC DEBUGGER (END.O ILP32) $Revision: 75.04 $
        Copyright 1992-2005 SNMP Research, Incorporated
        SNMP Research Distribution version 16.1.4.3

Note: The hp-ux CPE team releases Emanate Agent patches on a regular basis. The recent patch IDs are:

IA-64: PHSS_43647
PA-RISC: PHSS_43646

2. Get the current Emanate Agent configuration by running an 'snmpwalk' on the system table; the information in this table is needed later to set up the basic SNMP v3 agent configuration.

# nnmsnmpwalk.ovpl <hp-ux hostname> system

sysDescr.0 : OCTET STRING- (ascii): HP-UX l3000 B.11.11 U 9000/800 1184494621
sysObjectID.0 : OBJECT IDENTIFIER: .1.3.6.1.4.1.11.2.3.2.5
sysUpTime.0 : Timeticks: (1987) 0:00:19.87
sysContact.0 : OCTET STRING- (ascii): hp-ux support team
sysName.0 : OCTET STRING- (ascii): l3000
sysLocation.0 : OCTET STRING- (ascii): HP Bern / BSC

...

3. Stop the running agent

To stop a running Emanate Agent, run kill -9 on the snmpdm pid:

# ps -ef | grep snmpdm
# kill -9 <pid of snmpdm>

4. It is assumed that SNMP v3 has not been configured before. To enable v3, the directory /etc/srconf/agt must be created manually. If the directory already exists and contains an snmpd.cnf file, skip to the procedure for adding or modifying an existing user at the end of this document.

# mkdir -p /etc/srconf/agt

5. Start the Emanate Agent to create the initial v3 setup and answer the questions. The answers entered after each prompt below are taken from the system table queried in step 2:

# /usr/sbin/snmpdm
HP OpenView EMANATE Agent Version 16.1.4.3
Copyright 1989-2005 Hewlett-Packard Development Company, LP.
Enter sysDescr: HP-UX l3000 B.11.11 U 9000/800 1184494621
Enter sysLocation:
HP Bern / BSC
Enter sysContact:
hp-ux support team
Enter sysName: l3000
The following security postures are available (see RFCs 3414 and 3415):
    1) Minimum-secure
    2) Semi-secure
    3) Very-secure
Select a security posture: 2
You must enter passwords for the initial user.
Enter Authentication Password: authpass
Enter Privacy Password       : privpass
Enter IP address for trap destination: <trap-dest-ip-address>

6. Since the command above started the Emanate SNMP Master agent, it needs to be stopped once more to make a final modification to the configuration file.

ps -ef | grep snmpdm
kill -9 <pid of snmpdm>

7. Edit /etc/srconf/agt/snmpd.cnf

- locate the sysObjectID entry and change it from 0.0 to nm.3.2.5 (the value from step 2; nm can be used as a shortcut for .1.3.6.1.4.1.11.2):

# Entry type: sysObjectID
# Entry format: OID
sysObjectID  nm.3.2.5

8. Save the snmpd.cnf file.

9. Start the Emanate SNMP agent and the subagents:

# /usr/sbin/snmpd      (note: do not run /usr/sbin/snmpdm as this would only start the Emanate Master agent)

10. Revisit the snmpd.cnf file and note the 'default' v3 user name 'initial'. This user now needs to be configured in NNMi as a v3 configuration item for this node:

User name: initial
Context: <empty>
Authentication pass phrase: authpass
Privacy pass phrase: privpass

Procedure to add a new v3 user to the existing SNMP v3 configuration (when configured using the above method)

1.  Edit the file /etc/srconf/agt/snmpd.cnf

- locate the "usmUserEntry" block and add a new user, for example "v3user" with authentication pass phrase "authpass" and privacy pass phrase "privpass":

usmUserEntry  localSnmpID v3user usmHMACMD5AuthProtocol usmDESPrivProtocol \
    nonVolatile - \
    "authpass" \
    "privpass"

- locate the "vacmSecurityToGroupEntry" block and add a new group entry for the user v3user, pointing to the previously created group "initial":

vacmSecurityToGroupEntry  usm v3user initial nonVolatile

2. Save the file

3. Kill and restart the Emanate SNMP agent

ps -ef | grep snmpdm
kill -9 <pid of snmpdm>
/usr/sbin/snmpd


Procedure to add a new user to existing SNMP v3 including new trap destinations

1.  Edit the file /etc/srconf/agt/snmpd.cnf

- scroll to the end of the file and add the lines below, which define a new user "root" with authentication pass phrase "authpass" and privacy pass phrase "privpass". This user has access to all MIBs and sends traps to the destinations 10.20.30.40 and 10.20.30.41:

# define the user "root" with authentication and privacy
usmUserEntry  localSnmpID root usmHMACMD5AuthProtocol usmDESPrivProtocol \
  nonVolatile anywhereTag \
  "authpass" \
  "privpass"

# assign the user "root" to the Administrator group
vacmSecurityToGroupEntry  usm root Administrator nonVolatile

# define the access of the group "Administrator" through the view "All"
vacmAccessEntry  Administrator - usm noAuthNoPriv exact All - All nonVolatile

# allow the group "All" to read the entire MIB (iso)
vacmViewTreeFamilyEntry  All iso - included nonVolatile

# add one line per trap destination; the name (second field) can be anything,
# it is referenced in the next block to match against a target address
snmpNotifyEntry node1 Traps trap nonVolatile
snmpNotifyEntry node2 Traps trap nonVolatile

# Note: snmpTargetAddrEntry serves two purposes:
# the first entry allows SNMP requests from any source,
# the next two entries define trap destinations
snmpTargetAddrEntry  anywhere snmpUDPDomain 0.0.0.0:0 0 0 anywhereTag none \
    nonVolatile 0.0.0.0:0 2048
snmpTargetAddrEntry node1 snmpUDPDomain 10.20.30.40:0 100 3 Traps v3Params \
    nonVolatile 255.255.255.255:0 2048
snmpTargetAddrEntry node2 snmpUDPDomain 10.20.30.41:0 100 3 Traps v3Params \
    nonVolatile 255.255.255.255:0 2048

# define the v3Params parameter set referenced by the trap destinations above (SNMP v3, user root)
snmpTargetParamsEntry v3Params 3 usm root noAuthNoPriv nonVolatile

2. Save the file

3. Kill and restart the Emanate SNMP agent

ps -ef | grep snmpdm
kill -9 <pid of snmpdm>
/usr/sbin/snmpd
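As an added check (not part of the HP document or of the Emanate software), the script below parses the snmpd.cnf entry formats used in the two procedures above, joins the backslash-continued lines, and flags settings worth reviewing before the file goes live: the MD5/DES protocols on usmUserEntry, noAuthNoPriv as the minimum level on a vacmAccessEntry or on the v3 trap parameters, and a target address of 0.0.0.0 with mask 0.0.0.0. The sample configuration embedded in it is constructed from the snippets on this page.

```python
import re

# Constructed sample built from the document's own snippets (not a real host's file).
SAMPLE_CNF = r'''
usmUserEntry  localSnmpID root usmHMACMD5AuthProtocol usmDESPrivProtocol \
  nonVolatile anywhereTag \
  "authpass" \
  "privpass"
vacmAccessEntry  Administrator - usm noAuthNoPriv exact All - All nonVolatile
snmpTargetAddrEntry  anywhere snmpUDPDomain 0.0.0.0:0 0 0 anywhereTag none \
    nonVolatile 0.0.0.0:0 2048
snmpTargetAddrEntry node1 snmpUDPDomain 10.20.30.40:0 100 3 Traps v3Params \
    nonVolatile 255.255.255.255:0 2048
snmpTargetParamsEntry v3Params 3 usm root noAuthNoPriv nonVolatile
'''
# MD5 and single-DES are the original RFC 3414 algorithms; treat them as legacy.
LEGACY_PROTOCOLS = {"usmHMACMD5AuthProtocol", "usmDESPrivProtocol"}

def parse_entries(text):
    """Join backslash-continued lines, drop comments, split each entry into tokens."""
    joined = re.sub(r"\\\s*\n\s*", " ", text)
    return [ln.split() for ln in joined.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

def audit(text):
    """Return (entry type, entry name, finding) tuples for settings worth reviewing."""
    findings = []
    for tok in parse_entries(text):
        kind = tok[0]
        if kind == "usmUserEntry" and len(tok) >= 5:
            # columns: localSnmpID user authProtocol privProtocol storage tag auth priv
            for proto in tok[3:5]:
                if proto in LEGACY_PROTOCOLS:
                    findings.append((kind, tok[2], "legacy protocol " + proto))
        elif kind == "vacmAccessEntry" and len(tok) >= 5 and tok[4] == "noAuthNoPriv":
            # securityLevel is the minimum the group accepts (RFC 3415): unauthenticated v3 requests match too
            findings.append((kind, tok[1], "minimum security level noAuthNoPriv"))
        elif kind == "snmpTargetParamsEntry" and len(tok) >= 6 \
                and tok[2] == "3" and tok[5] == "noAuthNoPriv":
            # mpModel 3 = SNMPv3; traps using these params are neither authenticated nor encrypted
            findings.append((kind, tok[1], "v3 traps sent noAuthNoPriv"))
        elif kind == "snmpTargetAddrEntry" and len(tok) >= 10 \
                and tok[3].startswith("0.0.0.0") and tok[9].startswith("0.0.0.0"):
            # address 0.0.0.0 with mask 0.0.0.0 matches requests from any source
            findings.append((kind, tok[1], "requests accepted from any source address"))
    return findings

if __name__ == "__main__":
    print("\n".join(f"{k} {n}: {f}" for k, n, f in audit(SAMPLE_CNF)))
```

To check a live configuration, call audit() on the contents of /etc/srconf/agt/snmpd.cnf instead of the embedded sample.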

Note: To restart from scratch:
- kill -9 <pid of snmpdm>
- mv /etc/srconf/agt/snmpd.* /tmp
- /usr/sbin/snmpdm  (and answer the questions)