How to use Net-SNMP v3 with encryption

Sometimes people still rely heavily on SNMP to get performance metrics and status information.

The main topic of security is often not considered. SNMP version 1 and 2c transmit everything in plain text over the wire. There is also no user, password authentication method, just a shared community string that gives access to the information. To address these problems SNMP v3 was introduced.

The Linux Net-SNMP agent supports SNMP v3 and OpenNMS supports it as well. There is not much, besides weird vendor implementations (cough cough), preventing us from using encryption and user authentication.

:biohazard: Net-SNMP earlier than 5.8 uses SHA-1, which is not secure enough these days. You need Net-SNMP 5.8+ to get strong security.

Here is some guidance on how to configure Net-SNMP v3 together with OpenNMS Horizon and Meridian.

Make your Net-SNMP configuration modular

Today, people running configuration management tools roll out configurations to a lot of systems. Net-SNMP lets you use an include drop-in folder to extend the default configuration, which is very handy for including device-dependent configuration snippets.

All you have to do is add the following line to your snmpd.conf:

includeDir /etc/snmp/conf.d

All files in this directory that should be included need the .conf extension.

This makes it easy for configuration management tools to add device-dependent disk, process, or log monitoring directives without mangling one large snmpd.conf file with variables.

How to configure Net-SNMP with SNMP v3

The first step is to create a user with a password and tell the agent which methods for encryption and message authentication should be used:

createUser monitor SHA 0p3nnm5423 AES opennmsopennms
rouser monitor priv .1.3.6.1.2.1

The createUser line creates a user named monitor and uses SHA as the message authentication code. For encryption you have the choice between DES and AES; I would recommend the newer AES encryption method. I can recommend using something like apg to create better passwords.

Once you have added the configuration you have to restart the Net-SNMP daemon, and you can test it with the following command:

snmpget -v 3 -u monitor -l authPriv -a SHA -A 0p3nnm5423 -x AES -X opennmsopennms localhost .1.3.6.1.2.1.1.6.0

You should be able to get the system location. Next, you can configure OpenNMS to use SNMP v3 for your IP address or a whole range in the Web UI by going to “Admin -> Configure SNMP Community by IP”. Switch from version 2c to version 3 and set the v3 specific configurations in the Web UI.
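As an added example (not part of the original post), a small checker that reads snmpd.conf text, including any includeDir drop-ins you pass it, and flags settings weaker than the ones described above: v1/v2c community strings, createUser lines without SHA-2 authentication and AES encryption (plain SHA selects SHA-1, see the note on 5.8+), and rouser/rwuser lines that do not require the priv level. Directive syntax is taken from the snmpd.conf man page; the sample configs at the end are constructed.

```python
# Added example, not from the original post: lint the text of snmpd.conf
# (and any includeDir drop-ins) for SNMPv3 settings weaker than the ones
# the post recommends. Directive syntax follows the snmpd.conf man page.
STRONG_AUTH = {"SHA-224", "SHA-256", "SHA-384", "SHA-512"}  # SHA-2 needs Net-SNMP 5.8+
STRONG_PRIV = {"AES", "AES-128", "AES-192", "AES-256"}      # DES is flagged
COMMUNITY = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6", "com2sec"}

def lint_snmpd_conf(text):
    """Return findings as strings; an empty list means the config text only
    grants SNMPv3 authPriv access with SHA-2 authentication and AES privacy."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not tokens:
            continue
        directive = tokens[0].lower()
        if directive in COMMUNITY:
            findings.append(f"line {lineno}: {tokens[0]} grants v1/v2c access with a clear-text community")
        elif directive == "createuser":
            # createUser [-e ENGINEID] NAME [AUTHPROTO AUTHPASS [PRIVPROTO [PRIVPASS]]]
            if len(tokens) > 2 and tokens[1] == "-e":
                tokens = tokens[:1] + tokens[3:]
            name = tokens[1] if len(tokens) > 1 else "?"
            auth = tokens[2].upper() if len(tokens) > 2 else None
            priv = tokens[4].upper() if len(tokens) > 4 else None
            if auth not in STRONG_AUTH:  # MD5, plain SHA (SHA-1) or nothing at all
                findings.append(f"line {lineno}: user {name}: auth protocol {auth} is weak or missing")
            if priv not in STRONG_PRIV:
                findings.append(f"line {lineno}: user {name}: priv protocol {priv} is weak or missing")
            for pw in tokens[3:4] + tokens[5:6]:  # Net-SNMP itself rejects < 8 chars
                if len(pw) < 8:
                    findings.append(f"line {lineno}: user {name}: passphrase shorter than 8 chars")
        elif directive in ("rouser", "rwuser"):
            # rouser NAME [noauth|auth|priv [OID]]; the default level is auth, not priv
            level = tokens[2].lower() if len(tokens) > 2 else "auth"
            if level != "priv":
                findings.append(f"line {lineno}: {' '.join(tokens[:2])} allows level {level}; require priv")
    return findings

# Constructed sample input: the post's directives with SHA-256, then a deliberately weak drop-in.
GOOD_CONF = """includeDir /etc/snmp/conf.d
createUser monitor SHA-256 0p3nnm5423 AES opennmsopennms
rouser monitor priv .1.3.6.1.2.1
"""
WEAK_CONF = """rocommunity public
createUser legacy SHA short DES
rouser legacy auth
"""

print("\n".join(lint_snmpd_conf(GOOD_CONF) + lint_snmpd_conf(WEAK_CONF)))
```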

That’s it – happy monitoring.

:woman_facepalming: You can fix me, I’m a wiki post.