
Opmantek Virtual Machine: Implementing SNMPv3 AES256 in the NMIS9 VM for Secure Network Management


Installation and Getting Started

Please follow the instructions in Opmantek Virtual Machine: Installation and Getting Started to get your NMIS9 VM installed.


Technical Details

The Crypt::Rijndael module must be installed for AES support; the NMIS9 VM used in this test already has it installed.
This is the command to install Crypt::Rijndael if it is not already installed:

sudo cpanm Crypt::Rijndael --sudo


The Net::SNMP module needs to be up to date (currently v6.0.1); this command ensures we have the latest version:

sudo cpanm Net::SNMP --sudo


We will use a patched Net::SNMP::Security::USM, for Net::SNMP v6.0.1, which is backwards compatible with all SNMP protocol strings accepted by the original Net::SNMP::Security::USM module.
All protocol strings are case-insensitive.

The Blumenthal implementation of SNMPv3 AES256 now also accepts the additional protocol string AES256.

The Cisco implementation of SNMPv3 AES256, introduced by this patch, accepts only one protocol string, AES256C.


Steps to implement

# ssh onto the VM and navigate to the /tmp/ directory:
ssh omkadmin@<FQDN_OR_IP>
cd /tmp/

# install your favourite text editor, if not installed:
sudo yum install -y nano

# we will be customising the 'privprotocol' entry in Table-Nodes.nmis to add 'aes256' and 'aes256c' as values,
# so copy the file 'Table-Nodes.nmis' from 'conf-default' to 'conf':
CUSTOM_TABLE_NODES_FILE='/usr/local/nmis9/conf/Table-Nodes.nmis'
cp /usr/local/nmis9/conf-default/Table-Nodes.nmis "${CUSTOM_TABLE_NODES_FILE}"

# find the line we need to edit - here we get line 153 returned:
grep -nF "privprotocol" "${CUSTOM_TABLE_NODES_FILE}"
153:	 { privprotocol => { header => 'SNMP Priv Proto',display => 'popup',value => ['des','aes','3des'],

# change "['des','aes','3des']" to "['des','aes','3des','aes256','aes256c']" in file '/usr/local/nmis9/conf/Table-Nodes.nmis' only editing line 153:
sed -i -e "153s/\['des','aes','3des'\]/['des','aes','3des','aes256','aes256c']/" "${CUSTOM_TABLE_NODES_FILE}"

# check this has worked:
grep -nF "privprotocol" "${CUSTOM_TABLE_NODES_FILE}"
153:	 { privprotocol => { header => 'SNMP Priv Proto',display => 'popup',value => ['des','aes','3des','aes256','aes256c'],

# restart nmis9d daemon:
sudo systemctl restart nmis9d

# check nmis9d has restarted:
sudo systemctl status nmis9d
● nmis9d.service - Opmantek NMIS9 Daemon
   Loaded: loaded (/etc/systemd/system/nmis9d.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2021-03-05 04:35:30 UTC; 15s ago
  Process: 5048 ExecStart=/usr/local/nmis9/bin/nmisd (code=exited, status=0/SUCCESS)
  Process: 5006 ExecStartPre=/bin/sh -c sleep 30 (code=exited, status=0/SUCCESS)
 Main PID: 5050 (nmisd.scheduler)
   CGroup: /system.slice/nmis9d.service
           ├─5050 nmisd.scheduler
           ├─5051 nmisd.fping
           ├─5053 nmisd.worker.<idle>
           ├─5055 nmisd.worker.<idle>
           ├─5057 nmisd.worker.<idle>
           ├─5059 nmisd.worker.<idle>
           ├─5064 nmisd.worker.<idle>
           ├─5066 nmisd.worker.<idle>
           ├─5068 nmisd.worker.<idle>
           ├─5072 nmisd.worker.<idle>
           ├─5079 nmisd.worker.<idle>
           └─5080 nmisd.worker.<idle>

Mar 05 04:35:00 omk-vm9-centos7 systemd[1]: Starting Opmantek NMIS9 Daemon...
Mar 05 04:35:30 omk-vm9-centos7 systemd[1]: Started Opmantek NMIS9 Daemon.

# fetch the patched version of Net::SNMP::Security::USM:
wget https://dl-nmis.opmantek.com/nmis9/jira/Net_SNMP_Security_USM_v4_0_1_patch/USM.pm

# sha512sum the file - we intend to validate the checksum:
sha512sum USM.pm
d0d8532195cca4fa37bc0bc26cd44dd46983e99746ba5cd5bca53d63938d94bbff558133fc403a4a89a3f53d472ffce5fbef22ff898f0a31f5703ba0a21b3ae8  USM.pm

# fetch the sha512sum of USM.pm and cat it to check against the one we calculated above:
wget https://dl-nmis.opmantek.com/nmis9/jira/Net_SNMP_Security_USM_v4_0_1_patch/USM.pm.sha512
cat USM.pm.sha512
d0d8532195cca4fa37bc0bc26cd44dd46983e99746ba5cd5bca53d63938d94bbff558133fc403a4a89a3f53d472ffce5fbef22ff898f0a31f5703ba0a21b3ae8  USM.pm

# check that the two sha512 checksums match ...
# once we are satisfied the sha512 checksums match, we find the copies of Net::SNMP::Security::USM to replace with the patched version:
sudo find / -type f -name "USM.pm" 2>/dev/null|grep -F "Net/SNMP/Security/"|grep -Fv "/usr/local/omk"
/usr/share/perl5/vendor_perl/Net/SNMP/Security/USM.pm

# move the original copy aside and replace with the patched version
sudo mv /usr/share/perl5/vendor_perl/Net/SNMP/Security/USM.pm /usr/share/perl5/vendor_perl/Net/SNMP/Security/USM.pm.orig
sudo cp /tmp/USM.pm /usr/share/perl5/vendor_perl/Net/SNMP/Security/USM.pm

# restart nmis9d daemon:
sudo systemctl restart nmis9d

# check nmis9d has restarted:
sudo systemctl status nmis9d
● nmis9d.service - Opmantek NMIS9 Daemon
   Loaded: loaded (/etc/systemd/system/nmis9d.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2021-03-05 04:56:07 UTC; 4s ago
  Process: 7115 ExecStart=/usr/local/nmis9/bin/nmisd (code=exited, status=0/SUCCESS)
  Process: 7069 ExecStartPre=/bin/sh -c sleep 30 (code=exited, status=0/SUCCESS)
 Main PID: 7118 (nmisd.scheduler)
   CGroup: /system.slice/nmis9d.service
           ├─7118 nmisd.scheduler
           ├─7119 nmisd.fping
           ├─7121 nmisd.worker.<idle>
           ├─7123 nmisd.worker.<idle>
           ├─7125 nmisd.worker.<idle>
           ├─7126 nmisd.worker.<idle>
           ├─7129 nmisd.worker.<idle>
           ├─7131 nmisd.worker.<idle>
           ├─7134 nmisd.worker.<idle>
           ├─7136 nmisd.worker.<idle>
           ├─7141 nmisd.worker.<idle>
           └─7142 nmisd.worker.<idle>

Mar 05 04:55:36 omk-vm9-centos7 systemd[1]: Starting Opmantek NMIS9 Daemon...
Mar 05 04:56:07 omk-vm9-centos7 systemd[1]: Started Opmantek NMIS9 Daemon.

# Create a node that supports SNMPv3 AES256: here we create a node that uses the Cisco implementation 'aes256c'.
# Please read the wiki page https://community.opmantek.com/x/XwB4, with particular reference to the 'Creation of Nodes' paragraph.
#
# first we create an 'NMIS9 node create' template at /tmp/node_create_template.json:
#
/usr/local/nmis9/admin/node_admin.pl act=mktemplate placeholder=1|tee /tmp/node_create_template.json
Created minimal template 
Please see https://community.opmantek.com/display/opCommon/Common+Node+Properties for detailed descriptions of the properties.
{
   "activated" : {
      "NMIS" : "__REPLACE_ACTIVATED.NMIS__"
   },
   "cluster_id" : "__REPLACE_CLUSTER_ID__",
   "configuration" : {
      "authkey" : "__REPLACE_CONFIGURATION.AUTHKEY__",
      "authpassword" : "__REPLACE_CONFIGURATION.AUTHPASSWORD__",
      "authprotocol" : "__REPLACE_CONFIGURATION.AUTHPROTOCOL__",
      "collect" : "__REPLACE_CONFIGURATION.COLLECT__",
      "community" : "__REPLACE_CONFIGURATION.COMMUNITY__",
      "group" : "__REPLACE_CONFIGURATION.GROUP__",
      "host" : "__REPLACE_CONFIGURATION.HOST__",
      "location" : "__REPLACE_CONFIGURATION.LOCATION__",
      "model" : "__REPLACE_CONFIGURATION.MODEL__",
      "netType" : "__REPLACE_CONFIGURATION.NETTYPE__",
      "notes" : "__REPLACE_CONFIGURATION.NOTES__",
      "ping" : "__REPLACE_CONFIGURATION.PING__",
      "port" : "__REPLACE_CONFIGURATION.PORT__",
      "privkey" : "__REPLACE_CONFIGURATION.PRIVKEY__",
      "privpassword" : "__REPLACE_CONFIGURATION.PRIVPASSWORD__",
      "privprotocol" : "__REPLACE_CONFIGURATION.PRIVPROTOCOL__",
      "roleType" : "__REPLACE_CONFIGURATION.ROLETYPE__",
      "threshold" : "__REPLACE_CONFIGURATION.THRESHOLD__",
      "username" : "__REPLACE_CONFIGURATION.USERNAME__",
      "version" : "__REPLACE_CONFIGURATION.VERSION__"
   },
   "name" : "__REPLACE_NAME__",
   "uuid" : "__REPLACE_UUID__"
}

# Edit the information inside the template (e.g. change "__REPLACE_ACTIVATED.NMIS__" to "true") to correspond with the node you want to create, then save it as a .json file.
# For the purposes of this example we have created /tmp/new_midgard.json
cp /tmp/node_create_template.json /tmp/new_midgard.json

# Now we edit and save our file, here /tmp/new_midgard.json, with our text editor:
nano /tmp/new_midgard.json

# Here is the json we've saved for new_midgard.json - we've replaced sensitive values with '<...>' - please ensure these values are completed appropriately in your case:
cat /tmp/new_midgard.json
{
   "activated" : {
      "NMIS" : "1"
   },
   "cluster_id" : "",
   "configuration" : {
      "authkey" : "",
      "authpassword" : "<AN_AUTH_PASSWORD>",
      "authprotocol" : "<sha_OR_md5>",
      "collect" : "1",
      "community" : "<A_COMMUNITY_STRING>",
      "group" : "HeadOffice",
      "host" : "<NODE_IP_ADDRESS>",
      "location" : "Cloud",
      "model" : "automatic",
      "netType" : "wan",
      "notes" : "Testing SNMPv3 AES256C Secure Network Management",
      "ping" : "true",
      "port" : "161",
      "privkey" : "",
      "privpassword" : "<A_PRIV_PASSWORD>",
      "privprotocol" : "aes256c",
      "roleType" : "distribution",
      "threshold" : "true",
      "username" : "<A_USERNAME>",
      "version" : "snmpv3"
   },
   "name" : "<A_NODE_NAME>",
   "uuid" : ""
}

# Create our node:
/usr/local/nmis9/admin/node_admin.pl act=create node=midgard file=new_midgard.json
Successfully created node 73932a61-0492-41ed-882b-af113de74fd4 (midgard)

# Wait about 1 minute for the changes to take effect, then open the NMIS9 GUI and check whether your new node is displaying 'nodestatus reachable'
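As an added example (not part of this Opmantek page or of the NMIS9 code), here are hardened forms of two of the steps above written as bash functions: the Table-Nodes.nmis edit keyed on the privprotocol line instead of on line 153, so it still works if the file shifts and does nothing when re-run, and the USM.pm replacement gated on `sha512sum -c` with a backup of the vendor file. The function names are mine; the code assumes GNU sed and coreutils as on the CentOS 7 VM, and that USM.pm.sha512 sits beside USM.pm and names it exactly as shown above.

```shell
set -u

# Usage: add_priv_protocols <Table-Nodes.nmis>
# Returns 0 when the file lists aes256 and aes256c afterwards,
# 1 when no privprotocol value list was found to patch.
add_priv_protocols() {
    local file="$1"
    # Already patched: nothing to do, so re-running is safe.
    if grep -qF "'aes256c'" "$file"; then
        return 0
    fi
    # Locate the value list on the privprotocol line wherever it sits.
    if ! grep -qE "privprotocol.*value => \['des','aes','3des'\]" "$file"; then
        return 1
    fi
    sed -i -e "/privprotocol/s/value => \['des','aes','3des'\]/value => ['des','aes','3des','aes256','aes256c']/" "$file"
    grep -qF "'aes256c'" "$file"
}

# Usage: install_verified_module <downloaded USM.pm> <USM.pm.sha512> <target path>
# Returns 0 only when the checksum matched and the target was replaced;
# 2 when sha512sum reports a mismatch (the target is left untouched).
install_verified_module() {
    local src="$1" sums="$2" target="$3"
    local dir
    dir=$(dirname "$src")
    # sha512sum -c reads "<hash>  <name>" and checks <name> relative to the
    # current directory, so run it where the download landed (assumed: same dir as the .sha512).
    if ! (cd "$dir" && sha512sum -c --status "$(basename "$sums")"); then
        echo "checksum mismatch for $src, refusing to install" >&2
        return 2
    fi
    # Keep the vendor copy once so the change can be reverted.
    if [ -f "$target" ] && [ ! -f "$target.orig" ]; then
        cp -p "$target" "$target.orig"
    fi
    cp "$src" "$target"
}

# On the VM described above the calls would be (root needed for the vendor path):
#   add_priv_protocols /usr/local/nmis9/conf/Table-Nodes.nmis
#   install_verified_module /tmp/USM.pm /tmp/USM.pm.sha512 \
#       /usr/share/perl5/vendor_perl/Net/SNMP/Security/USM.pm
```

Because USM.pm.sha512 is fetched from the same origin as USM.pm, a match shows the download arrived intact, not that the origin is trustworthy; that trust rests on the HTTPS connection to dl-nmis.opmantek.com.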



Using node_admin.pl to edit an existing node and convert that node to using SNMPv3 AES256C

/usr/local/nmis9/admin/node_admin.pl node=midgard act=set \
entry.configuration.version=snmpv3 \
entry.configuration.privprotocol=aes256c \
entry.configuration.username=ZZZZZ \
entry.configuration.privpassword=XXXXXXX \
entry.configuration.authprotocol=sha \
entry.configuration.authpassword=YYYYYYY



