Opmantek Virtual Machine: Implementing SNMPv3 AES256 in the NMIS9 VM for Secure Network Management
THIS PAGE IS DEPRECATED AND ALL IMPORTANT CONTENT MOVED TO
Using SNMPv3 with NMIS for Secure Network Management
Installation and Getting Started
Please follow the instructions in Opmantek Virtual Machine: Installation and Getting Started to get your NMIS9 VM installed.
Technical Details
The Crypt::Rijndael module must be installed for AES support; in this test the NMIS9 VM already has it installed.
This command installs Crypt::Rijndael if it is not already present and ensures we have the latest version:
sudo cpanm Crypt::Rijndael --sudo
The Net::SNMP module must be up to date (currently v6.0.1); this command ensures we have the latest version:
sudo cpanm Net::SNMP --sudo
We will use a patched Net::SNMP::Security::USM for Net::SNMP v6.0.1. It is backwards compatible with all SNMP protocol strings accepted by the original Net::SNMP::Security::USM module, and adds the strings listed below.
All protocol strings are case-insensitive. Choose the string that matches the key-localization the agent actually implements: Cisco devices generally need the 'C' variants, while agents that follow the Blumenthal draft take the plain AES192/AES256 strings. A mismatch shows up as failed decryption and SNMP timeouts, not as a configuration error.
Blumenthal implementation of SNMPv3 AES:
- AES128 now accepts the additional protocol string AES128 (for OID 1.3.6.1.4.1.14832.1.2)
- AES192 now accepts the additional protocol string AES192 (for OID 1.3.6.1.4.1.14832.1.3)
- AES256 now accepts the additional protocol string AES256 (for OID 1.3.6.1.4.1.14832.1.4)
- Since the object definitions have not been standardized, they have been based on the Extended Security Options Consortium MIB found at http://www.snmp.com/eso/esoConsortiumMIB.txt.
Cisco implementation of SNMPv3 AES192/AES256, introduced in this patch; each variant accepts exactly one protocol string:
- AES192C (for OID 1.3.6.1.4.1.9.12.6.1.1)
- AES256C (for OID 1.3.6.1.4.1.9.12.6.1.2)
- AES192C2 (for OID 1.3.6.1.4.1.9.12.6.1.101)
- AES256C2 (for OID 1.3.6.1.4.1.9.12.6.1.102)
- These use Reeder AES encryption with the non-standard key localization algorithm borrowed from the Reeder 3DES draft.
References:
http://tools.ietf.org/html/draft-blumenthal-aes-usm-04
https://tools.ietf.org/html/draft-reeder-snmpv3-usm-3desede-00
***Note***
For SNMPv3 SHA-2 authentication support (sha224, sha256, sha384 and sha512), use https://raw.githubusercontent.com/Napsty/scripts/master/perl-net-snmp-sha2/USM.pm in place of https://dl-nmis.opmantek.com/nmis9/jira/Net_SNMP_Security_USM_v4_0_1_patch/USM.pm in the steps below. This updated USM.pm module also includes AES256 support. No checksum for that file is published here, so review it before installing it and record your own sha512sum of the copy you install.
Steps to implement
# ssh onto the VM and change to the /tmp/ directory:
ssh omkadmin@<FQDN_OR_IP>
cd /tmp/

# install your favourite text editor, if not already installed:
sudo yum install -y nano

# we will be customising the 'privprotocol' entry in Table-Nodes.nmis to add 'aes256' and 'aes256c' as values,
CUSTOM_TABLE_NODES_FILE='/usr/local/nmis9/conf/Table-Nodes.nmis'
# so we copy the file 'Table-Nodes.nmis' from 'conf-default' to 'conf' (conf-default keeps the pristine copy):
cp /usr/local/nmis9/conf-default/Table-Nodes.nmis "${CUSTOM_TABLE_NODES_FILE}"

# find the line we need to edit - here we get line 156 returned. Check the number on your own copy first,
# because the sed command below edits that line number only:
grep -nF "privprotocol" "${CUSTOM_TABLE_NODES_FILE}"
156:    { privprotocol => { header => 'SNMP Priv Proto',display => 'popup',value => ['des','aes','3des'],

# change "['des','aes','3des']" to "['des','aes','3des','aes256','aes256c']" in '/usr/local/nmis9/conf/Table-Nodes.nmis', editing line 156 only:
sed -i -e "156s/\['des','aes','3des'\]/['des','aes','3des','aes256','aes256c']/" "${CUSTOM_TABLE_NODES_FILE}"

# check this has worked:
grep -nF "privprotocol" "${CUSTOM_TABLE_NODES_FILE}"
156:    { privprotocol => { header => 'SNMP Priv Proto',display => 'popup',value => ['des','aes','3des','aes256','aes256c'],

# restart the nmis9d daemon:
sudo systemctl restart nmis9d

# check nmis9d has restarted:
sudo systemctl status nmis9d
● nmis9d.service - Opmantek NMIS9 Daemon
   Loaded: loaded (/etc/systemd/system/nmis9d.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2021-03-05 04:35:30 UTC; 15s ago
  Process: 5048 ExecStart=/usr/local/nmis9/bin/nmisd (code=exited, status=0/SUCCESS)
  Process: 5006 ExecStartPre=/bin/sh -c sleep 30 (code=exited, status=0/SUCCESS)
 Main PID: 5050 (nmisd.scheduler)
   CGroup: /system.slice/nmis9d.service
           ├─5050 nmisd.scheduler
           ├─5051 nmisd.fping
           ├─5053 nmisd.worker.<idle>
           ├─5055 nmisd.worker.<idle>
           ├─5057 nmisd.worker.<idle>
           ├─5059 nmisd.worker.<idle>
           ├─5064 nmisd.worker.<idle>
           ├─5066 nmisd.worker.<idle>
           ├─5068 nmisd.worker.<idle>
           ├─5072 nmisd.worker.<idle>
           ├─5079 nmisd.worker.<idle>
           └─5080 nmisd.worker.<idle>

Mar 05 04:35:00 omk-vm9-centos7 systemd[1]: Starting Opmantek NMIS9 Daemon...
Mar 05 04:35:30 omk-vm9-centos7 systemd[1]: Started Opmantek NMIS9 Daemon.

# fetch the patched version of Net::SNMP::Security::USM:
wget https://dl-nmis.opmantek.com/nmis9/jira/Net_SNMP_Security_USM_v4_0_1_patch/USM.pm

# sha512sum the file - we intend to validate the checksum:
sha512sum USM.pm
56dcc308d3575d7cd8548d6cb7bd176f52f17a3991a4856ddc7fcd58da26376a80fe52fb4f815a03f51303148cd2ccd0a08415d5305fd1470a8147968f109790  USM.pm

# fetch the published sha512sum of USM.pm and cat it to check against the one we calculated above:
wget https://dl-nmis.opmantek.com/nmis9/jira/Net_SNMP_Security_USM_v4_0_1_patch/USM.pm.sha512
cat USM.pm.sha512
56dcc308d3575d7cd8548d6cb7bd176f52f17a3991a4856ddc7fcd58da26376a80fe52fb4f815a03f51303148cd2ccd0a08415d5305fd1470a8147968f109790  USM.pm

# check that the sha512 checksums match. USM.pm.sha512 is served by the same host as USM.pm, so a match shows the
# download is complete and uncorrupted; it does not by itself prove the file is authentic. Compare against the value
# recorded on this page as well.
# once we are satisfied the sha512 checksums match, we find the copies of Net::SNMP::Security::USM to replace with the
# patched version (the perl bundled under /usr/local/omk is deliberately excluded):
sudo find / -type f -name "USM.pm" 2>/dev/null|grep -F "Net/SNMP/Security/"|grep -Fv "/usr/local/omk"
/usr/share/perl5/vendor_perl/Net/SNMP/Security/USM.pm

# move the original file aside and replace it with the patched version:
sudo mv /usr/share/perl5/vendor_perl/Net/SNMP/Security/USM.pm /usr/share/perl5/vendor_perl/Net/SNMP/Security/USM.pm.orig
sudo cp /tmp/USM.pm /usr/share/perl5/vendor_perl/Net/SNMP/Security/USM.pm
# note: this file sits in the vendor_perl tree owned by the packaged Net::SNMP. A later package update may overwrite
# it, and a Net::SNMP installed by cpanm into site_perl would shadow it (site_perl precedes vendor_perl in @INC).
# Either way SNMPv3 AES256 nodes stop polling; re-run the find above after updates and re-apply the patch if needed.

# restart the nmis9d daemon:
sudo systemctl restart nmis9d

# check nmis9d has restarted:
sudo systemctl status nmis9d
● nmis9d.service - Opmantek NMIS9 Daemon
   Loaded: loaded (/etc/systemd/system/nmis9d.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2021-03-05 04:56:07 UTC; 4s ago
  Process: 7115 ExecStart=/usr/local/nmis9/bin/nmisd (code=exited, status=0/SUCCESS)
  Process: 7069 ExecStartPre=/bin/sh -c sleep 30 (code=exited, status=0/SUCCESS)
 Main PID: 7118 (nmisd.scheduler)
   CGroup: /system.slice/nmis9d.service
           ├─7118 nmisd.scheduler
           ├─7119 nmisd.fping
           ├─7121 nmisd.worker.<idle>
           ├─7123 nmisd.worker.<idle>
           ├─7125 nmisd.worker.<idle>
           ├─7126 nmisd.worker.<idle>
           ├─7129 nmisd.worker.<idle>
           ├─7131 nmisd.worker.<idle>
           ├─7134 nmisd.worker.<idle>
           ├─7136 nmisd.worker.<idle>
           ├─7141 nmisd.worker.<idle>
           └─7142 nmisd.worker.<idle>

Mar 05 04:55:36 omk-vm9-centos7 systemd[1]: Starting Opmantek NMIS9 Daemon...
Mar 05 04:56:07 omk-vm9-centos7 systemd[1]: Started Opmantek NMIS9 Daemon.

# Create a node that supports SNMPv3 AES256. Here we are creating a node that uses the Cisco implementation 'aes256c'.
# Please read the wiki page https://docs.community.firstwave.com/wiki/x/r4qwv, with particular reference to the 'Creation of Nodes' paragraph.
#
# first we create an 'NMIS9 node create' template at /tmp/node_create_template.json:
/usr/local/nmis9/admin/node_admin.pl act=mktemplate placeholder=1|tee /tmp/node_create_template.json
Created minimal template
Please see https://docs.community.firstwave.com/wiki/display/opCommon/Common+Node+Properties for detailed descriptions of the properties.
{
   "activated" : {
      "NMIS" : "__REPLACE_ACTIVATED.NMIS__"
   },
   "cluster_id" : "__REPLACE_CLUSTER_ID__",
   "configuration" : {
      "authkey" : "__REPLACE_CONFIGURATION.AUTHKEY__",
      "authpassword" : "__REPLACE_CONFIGURATION.AUTHPASSWORD__",
      "authprotocol" : "__REPLACE_CONFIGURATION.AUTHPROTOCOL__",
      "collect" : "__REPLACE_CONFIGURATION.COLLECT__",
      "community" : "__REPLACE_CONFIGURATION.COMMUNITY__",
      "group" : "__REPLACE_CONFIGURATION.GROUP__",
      "host" : "__REPLACE_CONFIGURATION.HOST__",
      "location" : "__REPLACE_CONFIGURATION.LOCATION__",
      "model" : "__REPLACE_CONFIGURATION.MODEL__",
      "netType" : "__REPLACE_CONFIGURATION.NETTYPE__",
      "notes" : "__REPLACE_CONFIGURATION.NOTES__",
      "ping" : "__REPLACE_CONFIGURATION.PING__",
      "port" : "__REPLACE_CONFIGURATION.PORT__",
      "privkey" : "__REPLACE_CONFIGURATION.PRIVKEY__",
      "privpassword" : "__REPLACE_CONFIGURATION.PRIVPASSWORD__",
      "privprotocol" : "__REPLACE_CONFIGURATION.PRIVPROTOCOL__",
      "roleType" : "__REPLACE_CONFIGURATION.ROLETYPE__",
      "threshold" : "__REPLACE_CONFIGURATION.THRESHOLD__",
      "username" : "__REPLACE_CONFIGURATION.USERNAME__",
      "version" : "__REPLACE_CONFIGURATION.VERSION__"
   },
   "name" : "__REPLACE_NAME__",
   "uuid" : "__REPLACE_UUID__"
}

# Edit the information inside the template (e.g. change "__REPLACE_ACTIVATED.NMIS__" to "1") to correspond with the node you want to create, then save it as a .json file.
# For the purposes of this example we have created /tmp/new_midgard.json:
cp /tmp/node_create_template.json /tmp/new_midgard.json

# Now we edit and save our file, here /tmp/new_midgard.json, with our text editor:
nano /tmp/new_midgard.json

# Here is the json we've saved for new_midgard.json - we've replaced secure values with '<...>' - please ensure these values
# are completed appropriately in your case (use 'sha' for authprotocol unless the device offers only md5):
cat /tmp/new_midgard.json
{
   "activated" : {
      "NMIS" : "1"
   },
   "cluster_id" : "",
   "configuration" : {
      "authkey" : "",
      "authpassword" : "<AN_AUTH_PASSWORD>",
      "authprotocol" : "<sha_OR_md5>",
      "collect" : "1",
      "community" : "<A_COMMUNITY_STRING>",
      "group" : "HeadOffice",
      "host" : "<NODE_IP_ADDRESS>",
      "location" : "Cloud",
      "model" : "automatic",
      "netType" : "wan",
      "notes" : "Testing SNMPv3 AES256C Secure Network Management",
      "ping" : "true",
      "port" : "161",
      "privkey" : "",
      "privpassword" : "<A_PRIV_PASSWORD>",
      "privprotocol" : "aes256c",
      "roleType" : "distribution",
      "threshold" : "true",
      "username" : "<A_USERNAME>",
      "version" : "snmpv3"
   },
   "name" : "<A_NODE_NAME>",
   "uuid" : ""
}

# Create our node:
/usr/local/nmis9/admin/node_admin.pl act=create node=midgard file=new_midgard.json
Successfully created node 73932a61-0492-41ed-882b-af113de74fd4 (midgard)

# Wait about 1 minute for the changes to take effect, then open the NMIS9 GUI and check whether your new node is displaying 'nodestatus reachable'.
Using node_admin.pl to edit an existing node and convert it to SNMPv3 AES256C
/usr/local/nmis9/admin/node_admin.pl node=midgard act=set \
    entry.configuration.version=snmpv3 \
    entry.configuration.privprotocol=aes256c \
    entry.configuration.username="<A_USERNAME>" \
    entry.configuration.privpassword="<A_PRIV_PASSWORD>" \
    entry.configuration.authprotocol=sha \
    entry.configuration.authpassword="<AN_AUTH_PASSWORD>"
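The two hand edits in the steps above (the line-number-specific sed on Table-Nodes.nmis and the eyeballed checksum comparison before copying USM.pm into place) are the ones most likely to go wrong or to need redoing after a package update. The script below is an added example, not code from this page or from the NMIS project. It wraps both steps in re-runnable shell functions: the privprotocol edit matches the value list shown on the page instead of line 156 and is a no-op when already applied, and the install refuses to copy USM.pm unless its SHA-512 equals a digest you supply from a record you trust (for instance the value printed on this page). It assumes the privprotocol line has the shape shown above and that you run it as a user allowed to write the target paths; the demo at the bottom uses constructed stand-in files in a scratch directory, so it needs neither root nor network.

```shell
#!/bin/sh
# Added example, not from the page or the NMIS project. Two re-runnable
# helpers for the manual steps above; file names and contents in the demo
# section are constructed for this example.
set -eu

# Hex SHA-512 digest of a file, via sha512sum or, where coreutils is
# absent, shasum.
file_sha512() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    else
        shasum -a 512 "$1" | awk '{print $1}'
    fi
}

# Add 'aes256' and 'aes256c' to the privprotocol value list of a
# Table-Nodes.nmis file. Matches the list on the privprotocol line rather
# than a hard-coded line number, and does nothing if already applied.
# Returns 1 if the expected list is not present.
add_privprotocols() {
    file="$1"
    old="['des','aes','3des']"
    new="['des','aes','3des','aes256','aes256c']"
    if grep -qF "value => $new" "$file"; then
        echo "already patched: $file"
        return 0
    fi
    if ! grep -qF "value => $old" "$file"; then
        echo "privprotocol value list $old not found in $file" >&2
        return 1
    fi
    # Only touch the privprotocol line. Write to a temp file and copy back
    # over the original so its mode and owner are preserved and a failed
    # sed never leaves a half-written config behind.
    sed -e "/privprotocol/s/\['des','aes','3des'\]/['des','aes','3des','aes256','aes256c']/" \
        "$file" > "$file.tmp" && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
    grep -qF "value => $new" "$file"
}

# Verify a downloaded USM.pm against a digest recorded out of band and
# install it over the target, keeping a one-time .orig copy of whatever
# was there. Refuses on mismatch so a truncated or substituted download
# is never installed.
install_usm() {
    patch="$1"; expected="$2"; target="$3"
    actual=$(file_sha512 "$patch")
    if [ "$actual" != "$expected" ]; then
        echo "sha512 mismatch for $patch" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    if [ -f "$target" ] && [ ! -f "$target.orig" ]; then
        cp -p "$target" "$target.orig"
    fi
    cp "$patch" "$target"
    chmod 0644 "$target"
    echo "installed $patch -> $target"
}

# Demo on constructed files in a scratch directory.
demo=$(mktemp -d)
printf "%s\n" \
  "  { privprotocol => { header => 'SNMP Priv Proto',display => 'popup',value => ['des','aes','3des']," \
  > "$demo/Table-Nodes.nmis"
add_privprotocols "$demo/Table-Nodes.nmis"
add_privprotocols "$demo/Table-Nodes.nmis"    # second run is a no-op
grep -F privprotocol "$demo/Table-Nodes.nmis"

printf 'package Net::SNMP::Security::USM; 1;\n' > "$demo/USM.pm"   # stand-in for the patch
printf 'original module\n' > "$demo/installed-USM.pm"              # stand-in for the vendor copy
good=$(file_sha512 "$demo/USM.pm")
install_usm "$demo/USM.pm" "$good" "$demo/installed-USM.pm"
if install_usm "$demo/USM.pm" "0000" "$demo/installed-USM.pm" 2>/dev/null; then
    echo "unexpected: bad digest was accepted" >&2
    exit 1
fi
rm -rf "$demo"
```

On the VM you would source the functions and call them against the real paths, for example `add_privprotocols /usr/local/nmis9/conf/Table-Nodes.nmis` and `sudo sh -c '. ./helpers.sh; install_usm /tmp/USM.pm <DIGEST> /usr/share/perl5/vendor_perl/Net/SNMP/Security/USM.pm'`, then restart nmis9d as in the steps above. Because both functions are idempotent, the same script can be re-run after a Net::SNMP package update to put the patched module back.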