Jeff> 2. I observed that when configuring trapsess with -A and -X that the
Jeff> configuration does not persist. There is no persistence for the
Jeff> target address or for the security parameters associated with the
Jeff> target address.

Dave> I don't quite follow.
Dave> The agent will read the trap information from the "trapsess" entry.
Dave> Every time you start the agent, it will re-read this directive, and
Dave> set up a trap destination accordingly.
Dave> How is that not persistent?

I agree that as long as you leave trapsess in the snmpd.conf file that after restart the target will return complete with configuration but this is different than other user configuration. If I use a createUser it results in a usmUser entry in the /var/net-snmp/snmpd.conf file that fully hides the authentication and key. This is good because it allows me to remove the createUser directive so that I don't have the password and key in the clear. For trapsess, the user does not get written as a usmUser entry in /var/net-snmp/snmpd.conf. I believe this happens because the storage type associated with the entry is readOnly. This leaves me with keeping the trapsess line in snmpd.conf complete with password and key in the clear.

I am still messing with the tutorial and the various snmpusm commands but my guess is that the security name specified via the trapsess will not allow for dynamic modifications to the password and keys (makes sense since most things configured with snmpd.conf are not changeable). If so, then changing something would entail changing snmpd.conf and then doing a SIGHUP or a restart but this is just a guess.

Jeff> 3. If I use createUser and specify the engineID along with other
Jeff> parameters associated with the remote trapd, the local snmpd seems to
Jeff> want to use its engineID to look up the security name and this fails
Jeff> because the security name has the remote engineID.

Dave> If you're using informs (rather than traps), then you don't need
Dave> to explicitly create the user within the agent.

Yes, I agree. It is the trapsess directive that puts the user in the running usm table of snmpd rather than an explicit createUser directive.
As I indicated above, this results in a readOnly entry that cannot be modified (as you might expect since it came from a configuration table). I think this is correct behavior but I think you are right that I should explain more completely what I want to do below.

Dave> Can you explain a little more precisely exactly what you're trying to
Dave> do here.
Dave> (I'm quite happy to believe that there may be problems, but I don't
Dave> yet have a clear idea of the exact scenario you're working with).

OK. I am trying to embed snmpd in a box that has a command line interface instead of a Linux interface of editors and shell commands. I initially configured users and targets using snmpd.conf directives and then sent a SIGHUP to snmpd to realize the changes. I have already moved the target configuration from snmpd.conf to use the target and notification mibs instead and I am working toward doing the same with users. The users would of course use the USM/VACM mibs. With users in the USM mibs I can finally turn on secure trap/informs but this is when I noticed that I had usm security name collisions in the snmpd usm table.

I have been using the config file directives to experiment but I believe I need to now move to direct manipulation of the usm and target tables instead. I think this will resolve most of my issues with the exception of the security name collision.

For the security name collision, I looked briefly at the code and it seems like some of it has the ability to take any list of usm entries while other interfaces assume the list associated with the global userList. It seems like it should be possible to have a targetUserList with some amount of rework but it would also impact the persistence and USM/VACM mib views in potentially ugly ways.

Jeff
_______________________________________________
Net-snmp-users mailing list
[email protected]
Please see the following page to unsubscribe or change other options:
https://lists.sourceforge.net/lists/listinfo/net-snmp-users
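
An added example, not part of the original message or of Net-SNMP: a small audit that lists the snmpd.conf directives discussed above (createUser, and trapsess with -A/-X) that still carry passphrases in the clear, without printing the secrets themselves. The sample configuration, user names and addresses are constructed, and only the basic `createUser [-e ENGINEID] user authtype authpass [privtype privpass]` form is assumed.

```python
import shlex

# Constructed sample: user names, passphrases and addresses are made up.
SAMPLE_CONF = """\
# snmpd.conf (constructed sample)
rocommunity public 127.0.0.1
createUser localadmin SHA "auth-pass-123" AES "priv-pass-456"
trapsess -v 3 -u trapuser -l authPriv -a SHA -A "trap-auth-pass" -x AES -X "trap-priv-pass" 192.0.2.10:162
trapsess -v 3 -u plainuser -l noAuthNoPriv 192.0.2.11:162
"""

def find_cleartext_secrets(conf_text):
    """Return (line_no, directive, user, kinds) for lines holding passphrases."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)
        except ValueError:  # unbalanced quote: fall back to whitespace split
            tokens = line.split()
        directive, args = tokens[0], tokens[1:]
        user, kinds = None, []
        if directive == "createUser":
            if args[:1] == ["-e"]:  # optional "-e ENGINEID" prefix
                args = args[2:]
            user = args[0] if args else None
            if len(args) >= 3:
                kinds.append("auth")
            if len(args) >= 5:
                kinds.append("priv")
        elif directive == "trapsess":
            it = iter(args)
            for tok in it:
                flag, joined = tok[:2], tok[2:]
                if flag in ("-A", "-X", "-u"):
                    # getopt style: value is attached ("-Apass") or the next token
                    value = joined or next(it, "")
                    if flag == "-u":
                        user = value
                    elif value:
                        kinds.append("auth" if flag == "-A" else "priv")
        if kinds:
            findings.append((line_no, directive, user, kinds))
    return findings

if __name__ == "__main__":
    for line_no, directive, user, kinds in find_cleartext_secrets(SAMPLE_CONF):
        print(f"line {line_no}: {directive} user={user} cleartext {'+'.join(kinds)} passphrase")
```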
