Opmantek Virtual Machine: Implementing SNMPv3 AES256 in the NMIS9 VM for Secure Network Management

THIS PAGE IS DEPRECATED AND ALL IMPORTANT CONTENT HAS MOVED TO: Using SNMPv3 with NMIS for Secure Network Management

Installation and Getting Started

Please follow the instructions in Opmantek Virtual Machine: Installation and Getting Started to get your NMIS9 VM installed.


Technical Details

The Crypt::Rijndael module must be installed for AES support; in this test the NMIS9 VM already has it installed.
This command installs Crypt::Rijndael if it is missing and otherwise ensures we have the latest version:

sudo cpanm Crypt::Rijndael --sudo


The Net::SNMP module needs to be up to date (currently v6.0.1); this command ensures we have the latest version:

sudo cpanm Net::SNMP --sudo


We will use a patched Net::SNMP::Security::USM for Net::SNMP v6.0.1. It is backwards compatible with all SNMP protocol strings accepted by the original Net::SNMP::Security::USM module.
All protocol strings are case-insensitive.

Blumenthal implementation of SNMPv3:

  • AES128 now accepts the additional protocol string AES128 (for OID 1.3.6.1.4.1.14832.1.2)
  • AES192 now accepts the additional protocol string AES192 (for OID 1.3.6.1.4.1.14832.1.3)
  • AES256 now accepts the additional protocol string AES256 (for OID 1.3.6.1.4.1.14832.1.4)

  • Since the object definitions have not been standardized, they have been based on the Extended Security Options Consortium MIB found at http://www.snmp.com/eso/esoConsortiumMIB.txt.

Cisco implementation of SNMPv3 AES256, which is introduced in this patch, is selected with the protocol string aes256c.

***Note***

For SNMPv3 SHA2 Support replace https://dl-nmis.opmantek.com/nmis9/jira/Net_SNMP_Security_USM_v4_0_1_patch/USM.pm with https://raw.githubusercontent.com/Napsty/scripts/master/perl-net-snmp-sha2/USM.pm

This updated USM.pm module adds sha224, sha256, sha384 and sha512 authentication protocols, and also includes AES256 support.

Steps to implement

# ssh onto the VM and navigate to the /tmp/ directory:
ssh omkadmin@<FQDN_OR_IP>
cd /tmp/

# install your favourite text editor, if not installed:
sudo yum install -y nano

# we will be customising the 'privprotocol' entry in Table-Nodes.nmis to add 'aes256' and 'aes256c' as values,
# so we copy file 'Table-Nodes.nmis' from 'conf-default' to 'conf':
CUSTOM_TABLE_NODES_FILE='/usr/local/nmis9/conf/Table-Nodes.nmis'
cp /usr/local/nmis9/conf-default/Table-Nodes.nmis "${CUSTOM_TABLE_NODES_FILE}"

# find the line we need to edit - here we get line 156 returned:
grep -nF "privprotocol" "${CUSTOM_TABLE_NODES_FILE}"
156:	 { privprotocol => { header => 'SNMP Priv Proto',display => 'popup',value => ['des','aes','3des'],

# change "['des','aes','3des']" to "['des','aes','3des','aes256','aes256c']" in file '/usr/local/nmis9/conf/Table-Nodes.nmis' only editing line 156:
sed -i -e "156s/\['des','aes','3des'\]/['des','aes','3des','aes256','aes256c']/" "${CUSTOM_TABLE_NODES_FILE}"

# check this has worked:
grep -nF "privprotocol" "${CUSTOM_TABLE_NODES_FILE}"
156:	 { privprotocol => { header => 'SNMP Priv Proto',display => 'popup',value => ['des','aes','3des','aes256','aes256c'],

# restart nmis9d daemon:
sudo systemctl restart nmis9d

# check nmis9d has restarted:
sudo systemctl status nmis9d
● nmis9d.service - Opmantek NMIS9 Daemon
   Loaded: loaded (/etc/systemd/system/nmis9d.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2021-03-05 04:35:30 UTC; 15s ago
  Process: 5048 ExecStart=/usr/local/nmis9/bin/nmisd (code=exited, status=0/SUCCESS)
  Process: 5006 ExecStartPre=/bin/sh -c sleep 30 (code=exited, status=0/SUCCESS)
 Main PID: 5050 (nmisd.scheduler)
   CGroup: /system.slice/nmis9d.service
           ├─5050 nmisd.scheduler
           ├─5051 nmisd.fping
           ├─5053 nmisd.worker.<idle>
           ├─5055 nmisd.worker.<idle>
           ├─5057 nmisd.worker.<idle>
           ├─5059 nmisd.worker.<idle>
           ├─5064 nmisd.worker.<idle>
           ├─5066 nmisd.worker.<idle>
           ├─5068 nmisd.worker.<idle>
           ├─5072 nmisd.worker.<idle>
           ├─5079 nmisd.worker.<idle>
           └─5080 nmisd.worker.<idle>

Mar 05 04:35:00 omk-vm9-centos7 systemd[1]: Starting Opmantek NMIS9 Daemon...
Mar 05 04:35:30 omk-vm9-centos7 systemd[1]: Started Opmantek NMIS9 Daemon.

# fetch the patched version of Net::SNMP::Security::USM:
wget https://dl-nmis.opmantek.com/nmis9/jira/Net_SNMP_Security_USM_v4_0_1_patch/USM.pm

# sha512sum the file - we intend to validate the checksum:
sha512sum USM.pm
56dcc308d3575d7cd8548d6cb7bd176f52f17a3991a4856ddc7fcd58da26376a80fe52fb4f815a03f51303148cd2ccd0a08415d5305fd1470a8147968f109790  USM.pm

# fetch the sha512sum of USM.pm and cat it to check against the one we calculated above:
wget https://dl-nmis.opmantek.com/nmis9/jira/Net_SNMP_Security_USM_v4_0_1_patch/USM.pm.sha512
cat USM.pm.sha512
56dcc308d3575d7cd8548d6cb7bd176f52f17a3991a4856ddc7fcd58da26376a80fe52fb4f815a03f51303148cd2ccd0a08415d5305fd1470a8147968f109790  USM.pm

# check that sha512 checksums match ...
# once we are satisfied sha512 checksums do match, we find the copies of Net::SNMP::Security::USM to replace with the patched version:
sudo find / -type f -name "USM.pm" 2>/dev/null|grep -F "Net/SNMP/Security/"|grep -Fv "/usr/local/omk"
/usr/share/perl5/vendor_perl/Net/SNMP/Security/USM.pm

# move the original file aside and replace with the patched version
sudo mv /usr/share/perl5/vendor_perl/Net/SNMP/Security/USM.pm /usr/share/perl5/vendor_perl/Net/SNMP/Security/USM.pm.orig
sudo cp /tmp/USM.pm /usr/share/perl5/vendor_perl/Net/SNMP/Security/USM.pm

# restart nmis9d daemon:
sudo systemctl restart nmis9d

# check nmis9d has restarted:
sudo systemctl status nmis9d
● nmis9d.service - Opmantek NMIS9 Daemon
   Loaded: loaded (/etc/systemd/system/nmis9d.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2021-03-05 04:56:07 UTC; 4s ago
  Process: 7115 ExecStart=/usr/local/nmis9/bin/nmisd (code=exited, status=0/SUCCESS)
  Process: 7069 ExecStartPre=/bin/sh -c sleep 30 (code=exited, status=0/SUCCESS)
 Main PID: 7118 (nmisd.scheduler)
   CGroup: /system.slice/nmis9d.service
           ├─7118 nmisd.scheduler
           ├─7119 nmisd.fping
           ├─7121 nmisd.worker.<idle>
           ├─7123 nmisd.worker.<idle>
           ├─7125 nmisd.worker.<idle>
           ├─7126 nmisd.worker.<idle>
           ├─7129 nmisd.worker.<idle>
           ├─7131 nmisd.worker.<idle>
           ├─7134 nmisd.worker.<idle>
           ├─7136 nmisd.worker.<idle>
           ├─7141 nmisd.worker.<idle>
           └─7142 nmisd.worker.<idle>

Mar 05 04:55:36 omk-vm9-centos7 systemd[1]: Starting Opmantek NMIS9 Daemon...
Mar 05 04:56:07 omk-vm9-centos7 systemd[1]: Started Opmantek NMIS9 Daemon.

# Create a node that supports SNMPv3 AES256: Here we are creating a node that supports Cisco implementation 'aes256c'
# Please read wiki page https://docs.community.firstwave.com/wiki/x/r4qwv with particular reference to 'Creation of Nodes' paragraph.
#
# first we create an ' NMIS9 node create' template at /tmp/node_create_template.json:
#
/usr/local/nmis9/admin/node_admin.pl act=mktemplate placeholder=1|tee /tmp/node_create_template.json
Created minimal template 
Please see https://docs.community.firstwave.com/wiki/display/opCommon/Common+Node+Properties for detailed descriptions of the properties.
{
   "activated" : {
      "NMIS" : "__REPLACE_ACTIVATED.NMIS__"
   },
   "cluster_id" : "__REPLACE_CLUSTER_ID__",
   "configuration" : {
      "authkey" : "__REPLACE_CONFIGURATION.AUTHKEY__",
      "authpassword" : "__REPLACE_CONFIGURATION.AUTHPASSWORD__",
      "authprotocol" : "__REPLACE_CONFIGURATION.AUTHPROTOCOL__",
      "collect" : "__REPLACE_CONFIGURATION.COLLECT__",
      "community" : "__REPLACE_CONFIGURATION.COMMUNITY__",
      "group" : "__REPLACE_CONFIGURATION.GROUP__",
      "host" : "__REPLACE_CONFIGURATION.HOST__",
      "location" : "__REPLACE_CONFIGURATION.LOCATION__",
      "model" : "__REPLACE_CONFIGURATION.MODEL__",
      "netType" : "__REPLACE_CONFIGURATION.NETTYPE__",
      "notes" : "__REPLACE_CONFIGURATION.NOTES__",
      "ping" : "__REPLACE_CONFIGURATION.PING__",
      "port" : "__REPLACE_CONFIGURATION.PORT__",
      "privkey" : "__REPLACE_CONFIGURATION.PRIVKEY__",
      "privpassword" : "__REPLACE_CONFIGURATION.PRIVPASSWORD__",
      "privprotocol" : "__REPLACE_CONFIGURATION.PRIVPROTOCOL__",
      "roleType" : "__REPLACE_CONFIGURATION.ROLETYPE__",
      "threshold" : "__REPLACE_CONFIGURATION.THRESHOLD__",
      "username" : "__REPLACE_CONFIGURATION.USERNAME__",
      "version" : "__REPLACE_CONFIGURATION.VERSION__"
   },
   "name" : "__REPLACE_NAME__",
   "uuid" : "__REPLACE_UUID__"
}

# Edit the placeholders inside the template (e.g. change "__REPLACE_ACTIVATED.NMIS__" to "1") to correspond with the node you want to create, then save it as a .json file.
# For the purposes of this example we have created /tmp/new_midgard.json:
cp /tmp/node_create_template.json /tmp/new_midgard.json

# Now we edit and save our file, here /tmp/new_midgard.json, with our text editor:
nano /tmp/new_midgard.json

# Here is the json we've saved for new_midgard.json - we've replaced secure values with '<...>' - please ensure these values are completed appropriately in your case:
cat /tmp/new_midgard.json
{
   "activated" : {
      "NMIS" : "1"
   },
   "cluster_id" : "",
   "configuration" : {
      "authkey" : "",
      "authpassword" : "<AN_AUTH_PASSWORD>",
      "authprotocol" : "<sha_OR_md5>",
      "collect" : "1",
      "community" : "<A_COMMUNITY_STRING>",
      "group" : "HeadOffice",
      "host" : "<NODE_IP_ADDRESS>",
      "location" : "Cloud",
      "model" : "automatic",
      "netType" : "wan",
      "notes" : "Testing SNMPv3 AES256C Secure Network Management",
      "ping" : "true",
      "port" : "161",
      "privkey" : "",
      "privpassword" : "<A_PRIV_PASSWORD>",
      "privprotocol" : "aes256c",
      "roleType" : "distribution",
      "threshold" : "true",
      "username" : "<A_USERNAME>",
      "version" : "snmpv3"
   },
   "name" : "<A_NODE_NAME>",
   "uuid" : ""
}

# Create our node:
/usr/local/nmis9/admin/node_admin.pl act=create node=midgard file=new_midgard.json
Successfully created node 73932a61-0492-41ed-882b-af113de74fd4 (midgard)
# Wait about 1 minute for the changes to take effect, then open NMIS9 GUI and check whether your new node is displaying 'nodestatus reachable'
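The two steps above that are easiest to get wrong on a re-run are the line-156 sed edit (the line number is only valid for the stock Table-Nodes.nmis) and the manual comparison of the two sha512 checksums. The following shell functions are an added example, not code from the Opmantek page: they match the privprotocol line by content, refuse to apply the edit twice, and return a non-zero exit status on a checksum mismatch. The sample Table-Nodes line and the stand-in USM.pm used by demo() are constructed.

```shell
#!/bin/sh
# Added example (not from the Opmantek page): re-runnable versions of the
# Table-Nodes.nmis edit and the sha512 check from the steps above.

# Add 'aes256' and 'aes256c' to the privprotocol value list in file $1,
# locating the line by its content rather than the hard-coded line 156.
add_privprotocols() {
    file="$1"
    if grep -qF "'aes256c'" "$file"; then
        echo "already patched: $file"
        return 0
    fi
    if ! grep -F "privprotocol" "$file" | grep -qF "['des','aes','3des']"; then
        echo "privprotocol value list not found in $file" >&2
        return 1
    fi
    sed -i -e "/privprotocol/s/\['des','aes','3des'\]/['des','aes','3des','aes256','aes256c']/" "$file"
}

# Compare the sha512sum of $1 with the published "<hex>  <name>" line in $2.
verify_sha512() {
    expected=$(awk 'NR==1 {print $1}' "$2")
    actual=$(sha512sum "$1" | awk '{print $1}')
    if [ -n "$expected" ] && [ "$expected" = "$actual" ]; then
        echo "sha512 OK: $1"
        return 0
    fi
    echo "sha512 MISMATCH for $1" >&2
    return 1
}

# Constructed sample input: a copy of the stock privprotocol line.
SAMPLE_LINE="   { privprotocol => { header => 'SNMP Priv Proto',display => 'popup',value => ['des','aes','3des'],"

demo() {
    dir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_LINE" > "$dir/Table-Nodes.nmis"
    add_privprotocols "$dir/Table-Nodes.nmis"   # first run edits the line
    add_privprotocols "$dir/Table-Nodes.nmis"   # second run is a no-op
    grep -F "privprotocol" "$dir/Table-Nodes.nmis"
    printf 'package Net::SNMP::Security::USM;\n' > "$dir/USM.pm"   # stand-in file
    (cd "$dir" && sha512sum USM.pm > USM.pm.sha512)
    verify_sha512 "$dir/USM.pm" "$dir/USM.pm.sha512"
    rm -rf "$dir"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh script.sh demo` to see both checks on the constructed input; on the VM, call `add_privprotocols "${CUSTOM_TABLE_NODES_FILE}"` and `verify_sha512 USM.pm USM.pm.sha512` in place of the corresponding steps.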



Using node_admin.pl to edit an existing node and convert that node to using SNMPv3 AES256C

/usr/local/nmis9/admin/node_admin.pl node=midgard act=set \
entry.configuration.version=snmpv3 \
entry.configuration.privprotocol=aes256c \
entry.configuration.username="<A_USERNAME>" \
entry.configuration.privpassword="<A_PRIV_PASSWORD>" \
entry.configuration.authprotocol=sha \
entry.configuration.authpassword="<AN_AUTH_PASSWORD>"

