THIS PAGE IS DEPRECATED AND ALL IMPORTANT CONTENT MOVED TO
Using SNMPv3 with NMIS for Secure Network Management
Installation and Getting Started
Please follow the instructions in Opmantek Virtual Machine: Installation and Getting Started to get your NMIS9 VM installed.
...
The Crypt::Rijndael module needs to be installed for AES support; in this test the NMIS9 VM already has this module installed.
This is the command to install Crypt::Rijndael if the module is not already installed; it also ensures we have the latest version:

```bash
sudo cpanm Crypt::Rijndael --sudo
```
...
Blumenthal implementation of SNMPv3 AES256:
- AES128 now accepts the additional protocol string AES128 (for OID 1.3.6.1.4.1.14832.1.2)
- AES192 now accepts the additional protocol string AES192 (for OID 1.3.6.1.4.1.14832.1.3)
- AES256 now accepts the additional protocol string AES256 (for OID 1.3.6.1.4.1.14832.1.4)
- Since the object definitions have not been standardized, they have been based on the Extended Security Options Consortium MIB found at http://www.snmp.com/eso/esoConsortiumMIB.txt.
Cisco implementation of SNMPv3 AES256, which is introduced in this patch:
- accepts only one protocol string AES192C (for OID 1.3.6.1.4.1.9.12.6.1.1)
- accepts only one protocol string AES256C (for OID 1.3.6.1.4.1.9.12.6.1.2)
- accepts only one protocol string AES192C2 (for OID 1.3.6.1.4.1.9.12.6.1.101)
- accepts only one protocol string AES256C2 (for OID 1.3.6.1.4.1.9.12.6.1.102)
- Reeder AES encryption with a non-standard key localization algorithm borrowed from the Reeder 3DES draft:
http://tools.ietf.org/html/draft-blumenthal-aes-usm-04
https://tools.ietf.org/html/draft-reeder-snmpv3-usm-3desede-00
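Why AES256 needs a key-extension step of its own, and so its own protocol string, in worked form. This is an added example, not code from the page or from the USM.pm patch: it implements RFC 3414's password-to-key and key localization (checked against the RFC's own 'maplesyrup' test vectors) and then extends the too-short Kul the way I read the Blumenthal draft linked above (an assumption to verify against the draft); the Cisco/Reeder 'aes256c' variant extends the key differently and is not implemented here.

```python
import hashlib

# RFC 3414 Appendix A.3 test-vector inputs (the RFC's own 'maplesyrup' example).
PASSWORD = b"maplesyrup"
ENGINE_ID = bytes.fromhex("000000000000000000000002")


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """RFC 3414 A.2: hash the password repeated cyclically to exactly 1 MiB -> Ku."""
    if len(password) < 8:
        raise ValueError("RFC 3414 requires passphrases of at least 8 characters")
    stream = (password * (1048576 // len(password) + 1))[:1048576]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """RFC 3414 A.2: Kul = H(Ku || snmpEngineID || Ku), binding the key to one agent."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def extend_key_blumenthal(kul: bytes, needed: int, hash_name: str) -> bytes:
    """Key extension as I read draft-blumenthal-aes-usm-04 (assumption, verify against
    the draft): append H(previous block) until 'needed' bytes exist, then truncate.
    An MD5/SHA-1 Kul is 16/20 bytes, so AES-256 (32 bytes) needs one extra block."""
    blocks = [kul]
    while sum(len(b) for b in blocks) < needed:
        blocks.append(hashlib.new(hash_name, blocks[-1]).digest())
    return b"".join(blocks)[:needed]


def aes256_key_blumenthal(password: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Full chain behind the 'aes256' (Blumenthal) priv protocol string."""
    kul = localize_key(password_to_key(password, hash_name), engine_id, hash_name)
    return extend_key_blumenthal(kul, 32, hash_name)


if __name__ == "__main__":
    for name in ("md5", "sha1"):
        kul = localize_key(password_to_key(PASSWORD, name), ENGINE_ID, name)
        print(name, "Kul:", kul.hex(), f"({len(kul)} bytes, too short for AES-256)")
        print(name, "AES-256 key:", aes256_key_blumenthal(PASSWORD, ENGINE_ID, name).hex())
```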
***Note***
For SNMPv3 SHA2 Support replace https://dl-nmis.opmantek.com/nmis9/jira/Net_SNMP_Security_USM_v4_0_1_patch/USM.pm with https://raw.githubusercontent.com/Napsty/scripts/master/perl-net-snmp-sha2/USM.pm
This is an updated USM.pm module for sha224, sha256, sha384, and sha512. It also includes AES256 support.
Steps to implement
```bash
# ssh onto the VM and navigate to the /tmp/ directory:
ssh omkadmin@<FQDN_OR_IP>
cd /tmp/

# install your favourite text editor, if not installed:
sudo yum install -y nano

# we will be customising the 'privprotocol' entry in Table-Nodes.nmis to add 'aes256' and 'aes256c' as values:
CUSTOM_TABLE_NODES_FILE='/usr/local/nmis9/conf/Table-Nodes.nmis'

# so we copy file 'Table-Nodes.nmis' from 'conf-default' to 'conf':
cp /usr/local/nmis9/conf-default/Table-Nodes.nmis "${CUSTOM_TABLE_NODES_FILE}"

# find the line we need to edit (the line number returned depends on the NMIS9 version, so we capture it rather than hardcode it):
grep -nF "privprotocol" "${CUSTOM_TABLE_NODES_FILE}"
<LINE>: { privprotocol => { header => 'SNMP Priv Proto',display => 'popup',value => ['des','aes','3des'],
PRIVPROTOCOL_LINE=$(grep -nF "privprotocol" "${CUSTOM_TABLE_NODES_FILE}" | cut -d: -f1)

# change "['des','aes','3des']" to "['des','aes','3des','aes256','aes256c']" in file '/usr/local/nmis9/conf/Table-Nodes.nmis', editing only that line:
sed -i -e "${PRIVPROTOCOL_LINE}s/\['des','aes','3des'\]/['des','aes','3des','aes256','aes256c']/" "${CUSTOM_TABLE_NODES_FILE}"

# check this has worked:
grep -nF "privprotocol" "${CUSTOM_TABLE_NODES_FILE}"
<LINE>: { privprotocol => { header => 'SNMP Priv Proto',display => 'popup',value => ['des','aes','3des','aes256','aes256c'],

# restart nmis9d daemon:
sudo systemctl restart nmis9d

# check nmis9d has restarted:
sudo systemctl status nmis9d
● nmis9d.service - Opmantek NMIS9 Daemon
   Loaded: loaded (/etc/systemd/system/nmis9d.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2021-03-05 04:35:30 UTC; 15s ago
  Process: 5048 ExecStart=/usr/local/nmis9/bin/nmisd (code=exited, status=0/SUCCESS)
  Process: 5006 ExecStartPre=/bin/sh -c sleep 30 (code=exited, status=0/SUCCESS)
 Main PID: 5050 (nmisd.scheduler)
   CGroup: /system.slice/nmis9d.service
           ├─5050 nmisd.scheduler
           ├─5051 nmisd.fping
           ├─5053 nmisd.worker.<idle>
           ├─5055 nmisd.worker.<idle>
           ├─5057 nmisd.worker.<idle>
           ├─5059 nmisd.worker.<idle>
           ├─5064 nmisd.worker.<idle>
           ├─5066 nmisd.worker.<idle>
           ├─5068 nmisd.worker.<idle>
           ├─5072 nmisd.worker.<idle>
           ├─5079 nmisd.worker.<idle>
           └─5080 nmisd.worker.<idle>

Mar 05 04:35:00 omk-vm9-centos7 systemd[1]: Starting Opmantek NMIS9 Daemon...
Mar 05 04:35:30 omk-vm9-centos7 systemd[1]: Started Opmantek NMIS9 Daemon.

# fetch the patched version of Net::SNMP::Security::USM:
wget https://dl-nmis.opmantek.com/nmis9/jira/Net_SNMP_Security_USM_v4_0_1_patch/USM.pm

# sha512sum the file - we intend to validate the checksum:
sha512sum USM.pm
d0d8532195cca4fa37bc0bc26cd44dd46983e99746ba5cd5bca53d63938d94bbff558133fc403a4a89a3f53d472ffce5fbef22ff898f0a31f5703ba0a21b3ae856dcc308d3575d7cd8548d6cb7bd176f52f17a3991a4856ddc7fcd58da26376a80fe52fb4f815a03f51303148cd2ccd0a08415d5305fd1470a8147968f109790  USM.pm

# fetch the sha512sum of USM.pm and cat it to check against the one we calculated above:
wget https://dl-nmis.opmantek.com/nmis9/jira/Net_SNMP_Security_USM_v4_0_1_patch/USM.pm.sha512
cat USM.pm.sha512
d0d8532195cca4fa37bc0bc26cd44dd46983e99746ba5cd5bca53d63938d94bbff558133fc403a4a89a3f53d472ffce5fbef22ff898f0a31f5703ba0a21b3ae856dcc308d3575d7cd8548d6cb7bd176f52f17a3991a4856ddc7fcd58da26376a80fe52fb4f815a03f51303148cd2ccd0a08415d5305fd1470a8147968f109790  USM.pm

# check that the sha512 checksums match (sha512sum -c recomputes the hash of USM.pm and compares it with the downloaded .sha512 file):
sha512sum -c USM.pm.sha512

# once we are satisfied the sha512 checksums match, we find the copies of Net::SNMP::Security::USM to replace with the patched version:
sudo find / -type f -name "USM.pm" 2>/dev/null|grep -F "Net/SNMP/Security/"|grep -Fv "/usr/local/omk"
/usr/share/perl5/vendor_perl/Net/SNMP/Security/USM.pm

# move the original file aside and replace it with the patched version:
sudo mv /usr/share/perl5/vendor_perl/Net/SNMP/Security/USM.pm /usr/share/perl5/vendor_perl/Net/SNMP/Security/USM.pm.orig
sudo cp /tmp/USM.pm /usr/share/perl5/vendor_perl/Net/SNMP/Security/USM.pm

# restart nmis9d daemon:
sudo systemctl restart nmis9d

# check nmis9d has restarted:
sudo systemctl status nmis9d
● nmis9d.service - Opmantek NMIS9 Daemon
   Loaded: loaded (/etc/systemd/system/nmis9d.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2021-03-05 04:56:07 UTC; 4s ago
  Process: 7115 ExecStart=/usr/local/nmis9/bin/nmisd (code=exited, status=0/SUCCESS)
  Process: 7069 ExecStartPre=/bin/sh -c sleep 30 (code=exited, status=0/SUCCESS)
 Main PID: 7118 (nmisd.scheduler)
   CGroup: /system.slice/nmis9d.service
           ├─7118 nmisd.scheduler
           ├─7119 nmisd.fping
           ├─7121 nmisd.worker.<idle>
           ├─7123 nmisd.worker.<idle>
           ├─7125 nmisd.worker.<idle>
           ├─7126 nmisd.worker.<idle>
           ├─7129 nmisd.worker.<idle>
           ├─7131 nmisd.worker.<idle>
           ├─7134 nmisd.worker.<idle>
           ├─7136 nmisd.worker.<idle>
           ├─7141 nmisd.worker.<idle>
           └─7142 nmisd.worker.<idle>

Mar 05 04:55:36 omk-vm9-centos7 systemd[1]: Starting Opmantek NMIS9 Daemon...
Mar 05 04:56:07 omk-vm9-centos7 systemd[1]: Started Opmantek NMIS9 Daemon.

# Create a node that supports SNMPv3 AES256. Here we are creating a node that supports the Cisco implementation 'aes256c'.
# Please read wiki page https://docs.community.opmantekfirstwave.com/wiki/x/XwB4r4qwv with particular reference to the 'Creation of Nodes' paragraph.
#
# first we create an 'NMIS9 node create' template at /tmp/node_create_template.json:
/usr/local/nmis9/admin/node_admin.pl act=mktemplate placeholder=1|tee /tmp/node_create_template.json
Created minimal template
Please see https://docs.community.opmantekfirstwave.com/wiki/display/opCommon/Common+Node+Properties for detailed descriptions of the properties.
{
   "activated" : {
      "NMIS" : "__REPLACE_ACTIVATED.NMIS__"
   },
   "cluster_id" : "__REPLACE_CLUSTER_ID__",
   "configuration" : {
      "authkey" : "__REPLACE_CONFIGURATION.AUTHKEY__",
      "authpassword" : "__REPLACE_CONFIGURATION.AUTHPASSWORD__",
      "authprotocol" : "__REPLACE_CONFIGURATION.AUTHPROTOCOL__",
      "collect" : "__REPLACE_CONFIGURATION.COLLECT__",
      "community" : "__REPLACE_CONFIGURATION.COMMUNITY__",
      "group" : "__REPLACE_CONFIGURATION.GROUP__",
      "host" : "__REPLACE_CONFIGURATION.HOST__",
      "location" : "__REPLACE_CONFIGURATION.LOCATION__",
      "model" : "__REPLACE_CONFIGURATION.MODEL__",
      "netType" : "__REPLACE_CONFIGURATION.NETTYPE__",
      "notes" : "__REPLACE_CONFIGURATION.NOTES__",
      "ping" : "__REPLACE_CONFIGURATION.PING__",
      "port" : "__REPLACE_CONFIGURATION.PORT__",
      "privkey" : "__REPLACE_CONFIGURATION.PRIVKEY__",
      "privpassword" : "__REPLACE_CONFIGURATION.PRIVPASSWORD__",
      "privprotocol" : "__REPLACE_CONFIGURATION.PRIVPROTOCOL__",
      "roleType" : "__REPLACE_CONFIGURATION.ROLETYPE__",
      "threshold" : "__REPLACE_CONFIGURATION.THRESHOLD__",
      "username" : "__REPLACE_CONFIGURATION.USERNAME__",
      "version" : "__REPLACE_CONFIGURATION.VERSION__"
   },
   "name" : "__REPLACE_NAME__",
   "uuid" : "__REPLACE_UUID__"
}

# Edit the information inside the template (i.e. change "__REPLACE_ACTIVATED.NMIS__" to "true") to correspond with the node you want to create, then save it as a .json file.
# For the purposes of this example we have created /tmp/new_midgard.json:
cp /tmp/node_create_template.json /tmp/new_midgard.json

# Now we edit and save our file, here /tmp/new_midgard.json, with our text editor:
nano /tmp/new_midgard.json

# Here is the json we've saved for new_midgard.json - we've replaced secure values with '<...>' - please ensure these values are completed appropriately in your case:
cat /tmp/new_midgard.json
{
   "activated" : {
      "NMIS" : "1"
   },
   "cluster_id" : "",
   "configuration" : {
      "authkey" : "",
      "authpassword" : "<AN_AUTH_PASSWORD>",
      "authprotocol" : "<sha_OR_md5>",
      "collect" : "1",
      "community" : "<A_COMMUNITY_STRING>",
      "group" : "HeadOffice",
      "host" : "<NODE_IP_ADDRESS>",
      "location" : "Cloud",
      "model" : "automatic",
      "netType" : "wan",
      "notes" : "Testing SNMPv3 AES256C Secure Network Management",
      "ping" : "true",
      "port" : "161",
      "privkey" : "",
      "privpassword" : "<A_PRIV_PASSWORD>",
      "privprotocol" : "aes256c",
      "roleType" : "distribution",
      "threshold" : "true",
      "username" : "<A_USERNAME>",
      "version" : "snmpv3"
   },
   "name" : "<A_NODE_NAME>",
   "uuid" : ""
}

# Create our node:
/usr/local/nmis9/admin/node_admin.pl act=create node=midgard file=new_midgard.json
Successfully created node 73932a61-0492-41ed-882b-af113de74fd4 (midgard)

# Wait about 1 minute for the changes to take effect, then open the NMIS9 GUI and check whether your new node is displaying 'nodestatus reachable'.
```
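A pre-flight check for the node JSON before running node_admin.pl act=create. This is an added example, not part of the page or of NMIS: it flags leftover __REPLACE_...__ placeholders, a privprotocol outside the list just added to Table-Nodes.nmis, and passphrases shorter than the 8 characters RFC 3414 requires. The field names follow the template above, the two sample definitions are constructed, and AUTH_PROTOCOLS is limited to the md5/sha pair the page uses (an assumption; extend it if the SHA2 USM.pm is installed).

```python
import re

# Priv protocols accepted after the Table-Nodes.nmis edit above (the default three plus the two added).
PRIV_PROTOCOLS = {"des", "aes", "3des", "aes256", "aes256c"}
AUTH_PROTOCOLS = {"md5", "sha"}   # assumption: the md5/sha pair the page uses
MIN_PASSPHRASE = 8                # RFC 3414 minimum passphrase length


def find_placeholders(value, path=""):
    """Dotted paths of fields that still contain __REPLACE_...__ template text."""
    if isinstance(value, dict):
        return [p for k, v in value.items()
                for p in find_placeholders(v, f"{path}.{k}" if path else k)]
    if isinstance(value, str) and re.fullmatch(r"__REPLACE_.*__", value):
        return [path]
    return []


def validate_node_definition(node):
    """Return a list of problems; an empty list means the SNMPv3 node definition looks usable."""
    problems = [f"unfilled placeholder at '{p}'" for p in find_placeholders(node)]
    cfg = node.get("configuration", {})
    if not cfg.get("host"):
        problems.append("configuration.host is empty")
    if cfg.get("version") != "snmpv3":
        problems.append("configuration.version is not 'snmpv3'")
        return problems                      # the remaining checks only apply to SNMPv3
    if not cfg.get("username"):
        problems.append("configuration.username is required for SNMPv3")
    if cfg.get("authprotocol") not in AUTH_PROTOCOLS:
        problems.append(f"configuration.authprotocol {cfg.get('authprotocol')!r} not in {sorted(AUTH_PROTOCOLS)}")
    if cfg.get("privprotocol") not in PRIV_PROTOCOLS:
        problems.append(f"configuration.privprotocol {cfg.get('privprotocol')!r} not in {sorted(PRIV_PROTOCOLS)}")
    for pw in ("authpassword", "privpassword"):
        # a pre-localized key (authkey/privkey) may be supplied instead of a passphrase
        if not cfg.get(pw.replace("password", "key")) and len(cfg.get(pw, "")) < MIN_PASSPHRASE:
            problems.append(f"configuration.{pw} is shorter than {MIN_PASSPHRASE} characters")
    return problems


# Constructed sample definitions in the shape of the template above (not real credentials).
SAMPLE_GOOD = {"activated": {"NMIS": "1"}, "cluster_id": "", "name": "midgard", "uuid": "",
    "configuration": {"authkey": "", "authpassword": "example-auth-pass", "authprotocol": "sha",
                      "host": "192.0.2.10", "privkey": "", "privpassword": "example-priv-pass",
                      "privprotocol": "aes256c", "username": "nmisro", "version": "snmpv3"}}
SAMPLE_BAD = {"activated": {"NMIS": "1"}, "cluster_id": "", "name": "midgard", "uuid": "",
    "configuration": {"authkey": "", "authpassword": "example-auth-pass", "authprotocol": "sha",
                      "host": "__REPLACE_CONFIGURATION.HOST__", "privkey": "", "privpassword": "short",
                      "privprotocol": "aes192", "username": "nmisro", "version": "snmpv3"}}

if __name__ == "__main__":
    for label, node in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, validate_node_definition(node) or "OK")
```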
...