Basic configuration

Protect the SNMP installation

The SNMP agent allows other computers on the network to connect to it and make requests for information. The SNMP agent is based on the NET-SNMP code base, which has been tested but not fully reviewed by Entrust. We strongly recommend that you deploy the SNMP agent only on a private network or a network protected from the global Internet by appropriate network protection systems, for example a firewall or a network Intrusion Detection/Prevention System.

The default nShield SNMP installation allows read-only access to the Management Information Base (MIB). There is no default write access to any part of the MIB.

Every effort has been taken to ensure the confidentiality of cryptographic keys even when the SNMP agent is enabled. In particular, the nShield module is designed to prevent the theft of keys even if the security of the host system is compromised, provided that the Administrator Cards are used only with trusted hosts. Care must be used when changing the configuration of the SNMP agent.

We strongly advise that you use the SNMP User-based Security Model (USM) with Authentication and Privacy protocols selected, to ensure only authorised users can obtain information from the SNMP agent and the confidentiality and data integrity of the transferred information is protected.

Care has also been taken to ensure that malicious attackers are unable to inundate your module with requests by flooding your SNMP agent. Command results from administration or statistics commands are cached, and thus the maximum rate at which the SNMP agent sends commands to the module is throttled. For more information on setting the cache time-outs, see The SNMP configuration file: snmp.conf.

Configure the SNMP agent

The Security World Software package uses various configuration files to configure its applications. This section describes the overall nature of the configuration files for the SNMP agent.

If you are installing the SNMP agent to a host that has an existing SNMP agent installation, you may need to edit the SNMP configuration files (snmpd.conf and snmp.conf) associated with the SNMP agent to change the port on which the agent listens for SNMP requests. For more information, see Do you already have an SNMP agent running?.

Make sure you protect access to the configuration files, since these contain information that defines the security parameters of the SNMP system. The default location for the nShield SNMP configuration files is /opt/nfast/etc/snmp/ (Linux) or %NFAST_HOME%\etc\snmp\ (Windows).

Create the configuration files (Windows)

On Windows, the snmp.conf and snmpd.conf files are not created automatically by the installation. Instead, example files (example.snmp.conf and example.snmpd.conf) are created in that location, which you can copy, rename (to snmp.conf and snmpd.conf), and edit with your desired configuration settings.

The sample snmpd.conf file includes agentuser and agentgroup directives; however, these are inoperative on Windows.

You can override the default search path by setting the environment variable SNMPCONFPATH to a colon-separated (“:”) list of directories in which to search.

Re-read SNMP configuration files

The SNMP agent reads its configuration files on startup, and any changes made after this point will have no effect. If new directives are added and need to be applied, the SNMP agent can be forced to re-read its configuration files with:

  • An SNMP SET of integer(1) to enterprises.nCipher.reloadConfig.0 (.1.3.6.1.4.1.7682.999.0)

  • A kill -HUP signal sent to the snmpd agent process

  • Stopping and then restarting the SNMP agent.

The SNMP configuration file: snmp.conf

The snmp.conf configuration file contains directives that apply to all SNMP applications. These directives can be configured to apply to specific applications. The snmp.conf configuration file is not required for the agent to operate and report MIB entries.

The SNMP agent configuration file: snmpd.conf

The snmpd.conf configuration file defines how the SNMP agent operates. It is required only if an agent is running.

The snmpd.conf file can contain any of the directives available for use in the snmp.conf file and may also contain the following Security World Software-specific directives:

statstimeout
  Specifies the length of time for which statistics commands are cached. The default is 5 seconds.

admintimeout
  Specifies the length of time for which administrative commands are cached. The default is 60 seconds.

keytable
  Sets the initial state of the key table to none, all, or query. See listKeys in Administration sub-tree overview.

enable_trap_zero_suffix
  Appends the '.0' suffix to object identifiers (OIDs) for backward compatibility. The default is 0 (disabled); set the directive to 1 to restore the suffix. Valid values are 0 and 1.

memoryUsageOkThreshold
  Specifies the threshold (as a percentage) below which HSM memory usage is considered OK. The default is 0. See Memory usage monitoring for more details.

memoryUsageHighThreshold
  Specifies the threshold (as a percentage) at which HSM memory usage is considered too high. The default is 0. See Memory usage monitoring for more details.

There may be a tolerance gap between the memoryUsageOkThreshold and memoryUsageHighThreshold values.

The timeouts should be set to values that balance receiving up-to-date information against preventing excessive load.

The SNMP agent persistent configuration file

On running the SNMP agent for the first time, the persist directory will be created. This contains configuration files that are maintained by the SNMP agent. This directory will be created in /opt/nfast/etc/snmp/persist (Linux) or %NFAST_HOME%\etc\snmp\persist (Windows).

Modifications should only be made to the persist folder’s snmp.conf file in order to create users. The files within this directory should otherwise only be managed by the SNMP agent itself.

User creation is performed with the createUser directive (see USM users). When the agent initialises, it reads this information from the file, removes those lines (so the master password for that user is no longer stored) and replaces them with the key derived from the password. This key is a localised key: unlike the password, if it is stolen it cannot be used to access other agents.

Do not modify the persistent snmpd.conf file while the agent is running. The file is only read when the agent initialises, and it is overwritten when the SNMP agent terminates, so any changes made while the SNMP agent is running will be lost. Stop the SNMP agent before adding createUser directives to the configuration file.
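The localisation step described above, as an added example that is not Entrust's or NET-SNMP's code: the RFC 3414 (USM) derivation of a master key from a password and its binding to one agent's snmpEngineID. The engine IDs in demo() are constructed values; the test vector password is the one from RFC 3414 appendix A.3.

```python
import hashlib

# RFC 3414 A.2: the password is fed to the hash, repeated, until 1,048,576 bytes have been hashed.
PASSWORD_STRETCH_BYTES = 1_048_576


def password_to_key(password: bytes, hash_name: str = "md5") -> bytes:
    """Derive the non-localised master key Ku from a USM password (RFC 3414 A.2.1 / A.2.2)."""
    if not password:
        raise ValueError("USM password must not be empty")
    h = hashlib.new(hash_name)
    reps, rem = divmod(PASSWORD_STRETCH_BYTES, len(password))
    h.update(password * reps + password[:rem])  # cyclic repetition, exactly 1 MiB
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Bind Ku to one agent: Kul = H(Ku || snmpEngineID || Ku). Only Kul is stored by the agent."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_key_from_password(password: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)


def demo() -> bool:
    """Same password, two agents: the stored (localised) keys differ, so one agent's
    key file does not grant access to the other agent."""
    # Constructed snmpEngineID values for two hypothetical agents (not real nShield values).
    agent_a = bytes.fromhex("800000020109c0a80001")
    agent_b = bytes.fromhex("800000020109c0a80002")
    password = b"maplesyrup"  # RFC 3414 A.3 sample password
    key_a = localized_key_from_password(password, agent_a, "sha1")
    key_b = localized_key_from_password(password, agent_b, "sha1")
    return key_a != key_b


if __name__ == "__main__":
    print("localised keys differ across agents:", demo())
```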

Agent Behaviour

There are a small number of directives that control the behaviour of the SNMP Agent when considering it as a daemon providing a network service.

agentaddress directive

The listening address(es) that the SNMP Agent will use are defined by the agentaddress directive. It takes a comma-separated list of address specifiers, where an address specifier consists of one or more of:

  • a transport specifier udp: or tcp:

  • a hostname or IPv4 address

  • a port number (for example, :161 or :1161).

The default behaviour is to listen on UDP port 161 on all IPv4 interfaces (the equivalent to udp:161).

agentaddress localhost:161,tcp:1161

This example listens on UDP port 161, but only on the loopback interface (the port specification ":161" is not strictly necessary, as this is the default port). It also listens on TCP port 1161 on all IPv4 interfaces.
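As an added example (not Entrust's code), a small checker for the Security World-specific snmpd.conf directives listed above and for the agentaddress syntax just described: it parses a constructed snmpd.conf fragment, validates the directive values, and reports which listeners would be reachable on every IPv4 interface rather than only on the loopback interface.

```python
# Constructed snmpd.conf fragment using the directives described on this page.
SAMPLE_SNMPD_CONF = """\
agentaddress localhost:161,tcp:1161
statstimeout 5
admintimeout 60
keytable none
enable_trap_zero_suffix 0
memoryUsageOkThreshold 80
memoryUsageHighThreshold 70
"""

def parse_conf(text):
    conf = {}                                         # directive -> value, last one wins
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blank lines
        if line:
            key, _, value = line.partition(" ")
            conf[key] = value.strip()
    return conf

def parse_agentaddress(value):
    """Expand an agentaddress value into (transport, host, port) listeners,
    defaulting to udp, all IPv4 interfaces ("0.0.0.0") and port 161 as on this page."""
    listeners = []
    for spec in (s.strip() for s in value.split(",")):
        transport = "udp"
        if spec[:4] in ("udp:", "tcp:"):
            transport, spec = spec[:3], spec[4:]
        host, sep, port = spec.rpartition(":")       # "localhost:161", ":1161"
        if not sep:                                   # bare "161" or bare "localhost"
            host, port = ("", spec) if spec.isdigit() else (spec, "")
        listeners.append((transport, host or "0.0.0.0", int(port or 161)))
    return listeners

def check_conf(conf):
    """Return the problems found in the parsed directives; an empty list means none."""
    problems = []
    for key, default in (("statstimeout", "5"), ("admintimeout", "60")):
        if not conf.get(key, default).isdigit():
            problems.append(f"{key} must be a non-negative integer")
    if conf.get("keytable", "none") not in ("none", "all", "query"):
        problems.append("keytable must be none, all or query")
    ok = int(conf.get("memoryUsageOkThreshold", "0"))
    high = int(conf.get("memoryUsageHighThreshold", "0"))
    if high and ok > high:                            # no tolerance gap is possible
        problems.append("memoryUsageOkThreshold exceeds memoryUsageHighThreshold")
    for transport, host, port in parse_agentaddress(conf.get("agentaddress", "udp:161")):
        if host == "0.0.0.0":
            problems.append(f"agentaddress: {transport} port {port} listens on all IPv4 interfaces")
    return problems
```

Running check_conf(parse_conf(SAMPLE_SNMPD_CONF)) flags the inverted memory thresholds and the TCP listener that is not bound to a single interface.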

agentgroup and agentuser directives (Linux)

The user and group that the SNMP Agent changes to after opening the listening port(s) are defined using the agentgroup and agentuser directives. The following must be used:

agentgroup ncsnmpd
agentuser ncsnmpd

System information (Linux)

Most of the scalar objects in the .iso.org.dod.internet.mgmt.mib-2.system sub-tree can be configured.

sysLocation STRING
sysContact STRING
sysName STRING

The three directives above set the system location, contact and name for the SNMP Agent respectively. Ordinarily these objects are writable via a suitably authorised SNMP SET request; however, specifying one of these directives in the configuration file makes the corresponding object read-only.

sysServices INTEGER

Sets the value of the sysServices.0 object. RFC 1213 defines how the integer value is calculated.

sysDescr STRING
sysObjectID OID

The two directives above set the system description and object ID for the agent. These objects are not SNMP-writable, but these directives can be used by a network administrator to configure suitable values for them.