Sometimes people still rely heavily on SNMP to get performance metrics and status information.
Security is often not considered. SNMP versions 1 and 2c transmit everything in plain text over the wire. There is also no user and password authentication, just a shared community string that gives access to the information. SNMP v3 was introduced to address these problems.
The Linux Net-SNMP agent supports SNMP v3, and OpenNMS supports it as well. There is not much, besides weird vendor implementations (cough, cough), preventing us from using encryption and user authentication.
Here is some guidance on how to configure Net-SNMP v3 together with OpenNMS Horizon and Meridian.
Make your Net-SNMP configuration modular
Today, people run configuration management tools to roll out configurations to a lot of systems. Net-SNMP lets you use an include drop-in folder to extend the default configuration, which is very handy for device-dependent configuration snippets.
All you have to do is to add the following line in your
All files in this directory that need to be included should be prefixed with
This makes it easy for configuration management tools to add device-dependent disk, process, or log monitoring directives without mangling one large snmpd.conf file with variables.
How to configure Net-SNMP with SNMP v3
The first step is to create a user with a password and tell the agent which methods to use for encryption and signature:
createUser monitor SHA 0p3nnm5423 AES opennmsopennms
rouser monitor priv .1.3.6.1.2.1
The command creates a user named monitor and uses SHA as the Message Authentication Code. For encryption you have the choice between DES and AES; I would recommend the newer AES encryption method. I can recommend using something like apg to create better passwords.
Once you have added the configuration, restart the Net-SNMP daemon and test it with the following command:
snmpget -v 3 -u monitor -l authPriv -a SHA -A 0p3nnm5423 -x AES -X opennmsopennms localhost .1.3.6.1.2.1.1.6.0
You should be able to get the system location. Next, you can configure OpenNMS to use SNMP v3 for your IP address or a whole range in the Web UI by going to “Admin -> Configure SNMP Community by IP”. Switch from version 2c to version 3 and set the v3-specific configurations in the Web UI.
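Before rolling the snippet out through configuration management, it helps to check that nothing in the agent configuration undercuts the v3 setup. The following Python function is an added example, not part of the original post or of Net-SNMP or OpenNMS: it flags leftover v1/v2c community directives, MD5 or DES users, short passphrases, and users not held to the priv level. The sample configuration is constructed, and the parser assumes whitespace-separated tokens.

```python
# Added example: audit Net-SNMP configuration text for weak access settings.
COMMUNITY = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6",
             "com2sec", "com2sec6"}
MIN_PASSPHRASE = 8  # Net-SNMP requires USM passphrases of at least 8 characters

def audit_snmpd_conf(text):
    """Return (line_no, finding) tuples; assumes whitespace-separated tokens."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        tok = raw.split()
        if not tok or tok[0].startswith("#"):
            continue
        name, args = tok[0].lower(), tok[1:]
        if name in COMMUNITY:
            findings.append((no, "v1/v2c community access, sent in plain text"))
        elif name == "createuser":
            if args[:1] == ["-e"]:          # optional engine ID
                args = args[2:]
            auth = args[1].upper() if len(args) > 1 else ""
            priv = args[3].upper() if len(args) > 3 else ""
            if auth == "MD5":
                findings.append((no, "MD5 used for authentication"))
            if not priv:
                findings.append((no, "no encryption configured for user"))
            elif priv == "DES":
                findings.append((no, "DES used for encryption"))
            if any(len(s) < MIN_PASSPHRASE for s in args[2:3] + args[4:5]):
                findings.append((no, "passphrase shorter than 8 characters"))
        elif name in ("rouser", "rwuser"):
            if args[:1] == ["-s"]:          # optional security model
                args = args[2:]
            level = args[1].lower() if len(args) > 1 else "auth"  # agent default
            if level != "priv":
                findings.append((no, f"access allowed at '{level}', not priv"))
    return findings

# Constructed sample: the post's two directives plus typical leftovers.
SAMPLE = """\
# constructed sample configuration
rocommunity public
createUser monitor SHA 0p3nnm5423 AES opennmsopennms
rouser monitor priv .1.3.6.1.2.1
createUser legacy MD5 short DES
rouser legacy auth
"""

if __name__ == "__main__":
    for no, finding in audit_snmpd_conf(SAMPLE):
        print(f"line {no}: {finding}")
```

Run it against the main snmpd.conf and every file in the drop-in folder, since a community directive in any included snippet re-enables plain text access.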
That’s it – happy monitoring.