Everyone,
in the ongoing debate and the lack of support thereof, I thought I would
pass some information a co-worker passed to me in an attempt to bridge
the NetView -- SNMPv3 gap. Perhaps with all the expertise on this list,
someone could get it to work. Attached is the response from SNMP
Research (support@snmp.com).
>>>Email from SNMP Research
> > > Here are the issues/questions I have regarding using SNMP
> > > Security Pack (SSP) with NetView: SSP requires the IP address of
> > > the target in the community name. There is no way that I know of
> > > to tell NetView to include the IP address in the community name,
> > > other than hard-coding it. That is, we can't say something like
> > > community name = "$IP/3P...". This means that we have to specify a
> > > different community name for each and every IP address in our
> > > address space. We can do this, but it will mean potentially
> > > millions of entries in the xsnmpconf configuration database/table
> > > (assuming an address space like 10.*.*.*). For example, the entry
> > > for host 10.1.100.253 would look something like this:
> > >
> > > 10.1.100.253:10.1.100.253/3P:localhost:20:3:300:4747::::::1:1:1
> > >
> > > If there is a way in NetView to variablize the target IP address
> > > within community names, we could do something like:
> > >
> > > 10.*.*.*:${IPADDR}/3P:localhost:20:3:300:4747::::::1:1:1
> > >
> > > but from what I know currently, this is not possible.
>
> The IP address at the front of the community string needs to be unique
> as the SNMP packet is sent out. If, within NetView, you implement some
> mechanism that stores the community string with the variable and fills
> this in before the SNMP packet is sent out, this is doable without any
> modifications to the Security Pack. Another option, and I believe this
> is the way that OpenView's Network Node Manager works with the
> Security Pack, is to add the target IP address as an extra varbind in
> the SNMP packet. The brassagt can then be modified to look for your
> specific object in the VarBind list and retrieve the IP address where
> the packet should be forwarded, from that VarBind (removing the
> additional VarBind before forwarding the packet). This option would
> take code modification in the brassagt process but it would allow you
> to remove the IP prefix from the community string.
>
> The community name format used by SSP conflicts with NetView's SNMP
> configuration entry format. That is, they both use a colon as a
> delimiter. SSP uses the colon to delimit the authKey and privKey from
> the version specifier within the community name. NetView uses the
> colon to delimit field values within the ovsnmp.conf file.
> > >
> > > NetView will not let you enter a colon in the community name.
>
> If NetView allows the user to enter a "semicolon" ';' in the community
> name, the colon delimiter can be replaced with a semicolon.
>
> One way to get around this is to avoid having to specify the authKey
> and privKey in the community name or the ovsnmp.conf file. To do this,
> we have to perform at least one successful SNMP Get operation to a
> target using the required username/authKey/privKey combination with
> the "/KEEP" option so that Brass saves the keys. After this, the
> community names do not have to contain the keys, so we don't need any
> colons.
> > >
> > > I think the manual Get operation only has to be done once for each
> > > username.
> > >
> > > A question for SNMP research is, "is this assumption correct, or
> > > does the SNMP contextEngineID also matter?"
>
> The contextEngineID would only matter if the SNMP request being made
> were being proxied to some other device than the node running the SNMP
> agent. If NetView does allow the semicolon, then you could use the
> semicolon in place of the colon, for the contextEngineID also.
>
> > > I notice that the engineID is stored in the username entries in
> > > mgr.cnf.
>
> The engineID is used to generate the SNMPv3 localized keys that are
> used for secure v3 transactions. Each snmpEngineID is unique so it is
> important, with SNMPv3, to have individual entries for each
> username/host which will be queried.
..good luck
eric
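
Added example, not part of the original message and not SNMP Research's code: the RFC 3414 key localization that the last quoted reply refers to, showing why one username/password still needs a separate entry per engineID. The two per-host engineIDs and the second host address are constructed sample values; the password and first engineID are the RFC 3414 appendix A.3 test vector.

```python
import hashlib

def password_to_key(password: bytes, algo: str = "sha1") -> bytes:
    """RFC 3414 A.2: Ku = H(1,048,576 bytes of the cyclically repeated password)."""
    if not password:
        raise ValueError("password must not be empty")
    reps, rem = divmod(1_048_576, len(password))
    return hashlib.new(algo, password * reps + password[:rem]).digest()

def localize_key(ku: bytes, engine_id: bytes, algo: str = "sha1") -> bytes:
    """RFC 3414 key localization: Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(algo, ku + engine_id + ku).digest()

def localized_keys(password: bytes, engine_ids: dict, algo: str = "sha1") -> dict:
    """Derive one localized key per agent from a single user password."""
    ku = password_to_key(password, algo)  # expensive step, done once per user
    return {host: localize_key(ku, eid, algo).hex()
            for host, eid in engine_ids.items()}

# RFC 3414 appendix A.3 test vector (password and engineID).
RFC_PASSWORD = b"maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")

# Constructed sample engineIDs for two agents (assumed values, not from the post).
SAMPLE_ENGINES = {
    "10.1.100.253": bytes.fromhex("80000000010a0164fd"),
    "10.1.100.254": bytes.fromhex("80000000010a0164fe"),
}

if __name__ == "__main__":
    # Same username and password, different agents: the stored keys differ,
    # so a key saved for one engineID cannot authenticate to another.
    for host, key in localized_keys(RFC_PASSWORD, SAMPLE_ENGINES).items():
        print(host, key)
```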