Basic configuration
Protect the SNMP installation
The SNMP agent allows other computers on the network to connect to it and make requests for information. The SNMP agent is based on the NET-SNMP code base, which has been tested but not fully reviewed by Entrust. We strongly recommend that you deploy the SNMP agent only on a private network or a network protected from the global Internet by appropriate network protection systems, for example a firewall or a network Intrusion Detection/Prevention System.
The default nShield SNMP installation allows read-only access to the Management Information Base (MIB). There is no default write access to any part of the MIB.
Every effort has been taken to ensure the confidentiality of cryptographic keys even when the SNMP agent is enabled. In particular, the nShield module is designed to prevent the theft of keys even if the security of the host system is compromised, provided that the Administrator Cards are used only with trusted hosts. Care must be used when changing the configuration of the SNMP agent.
We strongly advise that you use the SNMP User-based Security Model (USM) with Authentication and Privacy protocols selected, to ensure only authorised users can obtain information from the SNMP agent and the confidentiality and data integrity of the transferred information is protected.
Care has also been taken to ensure that malicious attackers are unable to inundate your module with requests by flooding your SNMP agent. Command results from administration or statistics commands are cached, and thus the maximum rate at which the SNMP agent sends commands to the module is throttled. For more information on setting the cache time-outs, see The SNMP configuration file: snmp.conf.
Configure the SNMP agent
The Security World Software package uses various configuration files to configure its applications. This section describes the overall nature of the configuration files for the SNMP agent.
If you are installing the SNMP agent on a host that has an existing SNMP agent installation, you may need to edit the SNMP configuration files (snmpd.conf and snmp.conf) associated with the SNMP agent to change the port on which the agent listens for SNMP requests. For more information, see Do you already have an SNMP agent running?.
Make sure you protect access to the configuration files, since these contain information that defines the security parameters of the SNMP system.
The default location for the nShield SNMP configuration files is /opt/nfast/etc/snmp/ (Linux) or %NFAST_HOME%\etc\snmp\ (Windows).
Create the configuration files (Windows)
On Windows, the snmp.conf and snmpd.conf files are not created automatically by the installation. Instead, example files (example.snmp.conf and example.snmpd.conf) are created in that location, which you can copy, rename (to snmp.conf and snmpd.conf), and edit with your desired configuration settings.
The sample snmpd.conf file includes agentuser and agentgroup directives; however, these are inoperative on Windows.
You can override the default search path by setting the environment variable SNMPCONFPATH to a colon-separated (":") list of directories to search.
Re-read SNMP configuration files
The SNMP agent reads its configuration files on startup, and any changes made after this point will have no effect. If new directives are added and need to be applied, the SNMP agent can be forced to re-read its configuration files with any of the following:
- An SNMP set of integer(1) to enterprises.nCipher.reloadConfig.0 (.1.3.6.1.4.1.7682.999.0)
- A kill -HUP signal sent to the snmpd agent process
- Stopping and then restarting the SNMP agent.
The SNMP configuration file: snmp.conf
The snmp.conf configuration file contains directives that apply to all SNMP applications. These directives can be configured to apply to specific applications. The snmp.conf configuration file is not required for the agent to operate and report MIB entries.
The SNMP agent configuration file: snmpd.conf
The snmpd.conf configuration file defines how the SNMP agent operates. It is required only if an agent is running. The snmpd.conf file can contain any of the directives available for use in the snmp.conf file and may also contain the following Security World Software-specific directives:
Directive | Description |
---|---|
 | This directive specifies the length of time for which statistics commands are cached. The default is 5 seconds. |
 | This directive specifies the length of time for which administrative commands are cached. The default is 60 seconds. |
 | This directive sets the initial state of the key table to |
 | This directive appends the '.0' suffix to object identifiers (OIDs) for backward compatibility. The default is |
memoryUsageOkThreshold | This directive specifies the threshold (as a percentage) below which HSM memory usage is considered to be ok. The default is 0. See Memory usage monitoring for more details. |
memoryUsageHighThreshold | This directive specifies the threshold (as a percentage) at which HSM memory usage is considered to be too high. The default is 0. See Memory usage monitoring for more details. |

There may be a tolerance gap between the memoryUsageOkThreshold and the memoryUsageHighThreshold values.

The timeouts should be set to values that balance receiving up-to-date information against preventing excessive load on the module.
The SNMP agent persistent configuration file
On running the SNMP agent for the first time, the persist directory will be created. This contains configuration files that are maintained by the SNMP agent. This directory will be created in /opt/nfast/etc/snmp/persist (Linux) or %NFAST_HOME%\etc\snmp\persist (Windows).
Modifications should only be made to the persist folder's snmp.conf file in order to create users. The files within this directory should otherwise only be managed by the SNMP agent itself. User creation can be performed with the createUser directive. See USM users.
On initialization of the agent, the createUser information is read from the file and the lines are removed (eliminating the storage of the master password for that user) and replaced with the key that is derived from it. This key is a localised key, so that, unlike the password, if it is stolen it cannot be used to access other agents.
Do not modify the persistent snmpd.conf file while the agent is running. The file is only read on initialization of the agent and it is overwritten when the SNMP agent terminates. Any changes made to this file while the SNMP agent is running will be lost. The SNMP agent should be stopped prior to adding createUser directives to the configuration file.
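The paragraph above says the agent replaces each createUser password with a localised key that is useless against other agents. The block below is an added example written for this page, not code from Entrust or Net-SNMP: it re-implements the RFC 3414 USM key derivation (password to Ku, then localisation with the agent's snmpEngineID) so the property can be seen directly. The password and first engine ID are the RFC 3414 Appendix A test vector; the second engine ID is a constructed value used only to show that the same password yields a different key on a different agent.

```python
"""Added example: how a USM password becomes the localised key an agent stores.
Re-implements the RFC 3414 derivation; not code from Entrust or Net-SNMP."""
import hashlib

# RFC 3414 Appendix A test-vector password and engine ID; ENGINE_ID_B is a
# constructed second agent used only for contrast.
PASSWORD = "maplesyrup"
ENGINE_ID_A = bytes.fromhex("000000000000000000000002")
ENGINE_ID_B = bytes.fromhex("000000000000000000000003")


def password_to_key(password: str, algo: str = "md5") -> bytes:
    """RFC 3414 A.2: Ku = H(password repeated to exactly 1,048,576 bytes).
    Ku depends only on the password, so it is the same for every agent."""
    pw = password.encode()
    full, rem = divmod(1024 * 1024, len(pw))
    return hashlib.new(algo, pw * full + pw[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """RFC 3414 section 2.6: Kul = H(Ku || snmpEngineID || Ku).
    This is the value the agent keeps after deleting the createUser line."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def localized_key_hex(password: str, engine_id: bytes, algo: str = "md5") -> str:
    """Convenience wrapper: password straight to the hex localised key."""
    return localize_key(password_to_key(password, algo), engine_id, algo).hex()


def main() -> None:
    ku = password_to_key(PASSWORD)
    print("Ku  (password-derived, agent-independent):", ku.hex())
    for label, eid in (("agent A", ENGINE_ID_A), ("agent B", ENGINE_ID_B)):
        print(f"Kul ({label}, engineID {eid.hex()}):", localize_key(ku, eid).hex())


if __name__ == "__main__":
    main()
```

Running the block prints one Ku and two different Kul values: a localised key copied from one agent's persist directory does not authenticate to an agent with another engine ID, which is why the page treats storing the key rather than the password as the safer outcome.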
Agent Behaviour
There are a small number of directives that control the behaviour of the SNMP Agent when considering it as a daemon providing a network service.
agentaddress directive
The listening address(es) that the SNMP Agent will use are defined by the agentaddress directive. It takes a comma-separated list of address specifiers, where an address specifier consists of one or more of:
- a transport specifier, udp: or tcp:
- a hostname or IPv4 address
- a port number (for example, :161 or :1161).
The default behaviour is to listen on UDP port 161 on all IPv4 interfaces (the equivalent of udp:161). For example:
agentaddress localhost:161,tcp:1161
This agentaddress directive will listen on UDP port 161, but only on the loopback interface (the port specification ":161" is not strictly necessary as this is the default port). It will also listen on TCP port 1161 on all IPv4 interfaces.
agentgroup and agentuser directives (Linux)
The user and group that the SNMP Agent changes to after opening the listening port(s) are defined using the agentgroup and agentuser directives. The following must be used:
agentgroup ncsnmpd
agentuser ncsnmpd
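The directive table, the agentaddress section and the agentgroup/agentuser section above together describe what a reviewer checks before an nShield snmpd.conf goes live: which interfaces the agent is reachable on, whether it drops to ncsnmpd on Linux, and whether the memory thresholds make sense as a pair. The block below is an added example written for this page (not code from Entrust or Net-SNMP) that parses a constructed snmpd.conf fragment and reports those points. The agentaddress grammar it expands is the one the page gives (optional udp:/tcp: prefix, optional host, optional :port, defaulting to udp, all IPv4 interfaces, port 161); the sample fragment and the check wording are constructed here.

```python
"""Added example (not code from Entrust or Net-SNMP): a static review of an
snmpd.conf fragment against the directives described on this page."""
from dataclasses import dataclass

# Constructed sample fragment; not taken from a real nShield installation.
SAMPLE_SNMPD_CONF = """\
# constructed snmpd.conf fragment
agentaddress localhost:161,tcp:1161
agentuser ncsnmpd
agentgroup ncsnmpd
memoryUsageOkThreshold 70
memoryUsageHighThreshold 90
sysLocation Rack 12, secure room
"""

LOOPBACK_HOSTS = {"localhost", "127.0.0.1"}


@dataclass
class Listener:
    transport: str  # "udp" or "tcp"
    host: str       # "" means every IPv4 interface
    port: int


def parse_directives(text: str) -> dict:
    """Return {name: value} for 'name value...' lines; '#' lines are comments.
    Names are lower-cased here so lookups are case-insensitive; a repeated
    directive keeps its last value."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        directives[name.lower()] = value.strip()
    return directives


def parse_agentaddress(value: str) -> list:
    """Expand a comma-separated agentaddress value into Listeners, applying the
    page's defaults: transport udp, all IPv4 interfaces, port 161."""
    listeners = []
    for spec in value.split(","):
        spec = spec.strip()
        transport, host, port = "udp", "", 161
        head, _, tail = spec.partition(":")
        if head.lower() in ("udp", "tcp"):      # optional transport prefix
            transport, spec = head.lower(), tail
        host_part, sep, port_part = spec.rpartition(":")
        if not sep:                             # no colon left: a bare number is a port
            host_part, port_part = ("", spec) if spec.isdigit() else (spec, "")
        listeners.append(Listener(transport, host_part or host,
                                  int(port_part) if port_part else port))
    return listeners


def exposed_listeners(listeners: list) -> list:
    """Listeners that other hosts can reach, i.e. not bound to a loopback address."""
    return [l for l in listeners if l.host.lower() not in LOOPBACK_HOSTS]


def review(text: str) -> list:
    """Return findings for an snmpd.conf text; an empty list means nothing was flagged."""
    d = parse_directives(text)
    findings = []

    # agentaddress: absent means the page's default, UDP 161 on all interfaces.
    listeners = (parse_agentaddress(d["agentaddress"]) if "agentaddress" in d
                 else [Listener("udp", "", 161)])
    for l in exposed_listeners(listeners):
        findings.append(f"agentaddress: {l.transport} port {l.port} is reachable on "
                        f"{l.host or 'all IPv4 interfaces'}")

    # agentuser/agentgroup (Linux): the page requires ncsnmpd for both.
    for name in ("agentuser", "agentgroup"):
        if d.get(name) != "ncsnmpd":
            findings.append(f"{name}: expected 'ncsnmpd', found {d.get(name)!r}")

    # Memory thresholds are percentages, both defaulting to 0 per the page; the
    # 'ok' level cannot sit above the 'too high' level (a gap between them is fine).
    ok = int(d.get("memoryusageokthreshold", 0))
    high = int(d.get("memoryusagehighthreshold", 0))
    for name, value in (("memoryUsageOkThreshold", ok), ("memoryUsageHighThreshold", high)):
        if not 0 <= value <= 100:
            findings.append(f"{name}: {value} is not a percentage")
    if ok > high:
        findings.append(f"memoryUsageOkThreshold ({ok}) exceeds memoryUsageHighThreshold ({high})")
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_SNMPD_CONF) or ["no findings"]:
        print(finding)
```

On the constructed sample the only finding is the tcp:1161 listener, which is bound to every IPv4 interface because its specifier carries no host; the udp listener is confined to loopback and is not reported. Reviewing a file with the directive missing altogether produces the same kind of finding, since the page's default is UDP 161 on all interfaces.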
System information (Linux)
Most of the scalar objects in the .iso.org.dod.internet.mgmt.mib-2.system sub-tree can be configured.
sysLocation STRING
sysContact STRING
sysName STRING
The three directives above set the system location, contact, or name for the SNMP Agent respectively. Ordinarily these objects are writable via a suitably authorised SNMP SET request; however, specifying one of these directives in the configuration file makes the corresponding object read-only.
sysServices INTEGER
Sets the value of the sysServices.0 object. RFC 1213 defines how the integer value is calculated.
sysDescr STRING
sysObjectID OID
The two directives above set the system description and object ID for the agent. These objects are not SNMP-writable, but these directives can be used by a network administrator to configure suitable values for them.