Re: Configuring TLS in net-snmp v5.6.1.1

Tue, 03 Dec 2013 13:26:04 -0800 

I added a trace into the agent.  The tokens that are currently recognized
by the agent when parsing the snmpd.conf file are below.  What do I need to
do to get the missing tokens to be recognized?

authtrapenable
pauthtrapenable
trapsink
trap2sink
informsink
trapsess
trapcommunity
v1trapaddress
agentuser
agentgroup
agentaddress
quit
leave_pidfile
dontLogTCPWrappersConnects
maxGetbulkRepeats
maxGetbulkResponses
injectHandler
table
add_row
com2sec
com2sec6
group
access
setaccess
view
vacmView
vacmGroup
vacmAccess
vacmAuthAccess
authcommunity
authuser
authgroup
authaccess
rwcommunity
rocommunity
rwcommunity6
rocommunity6
rwuser
rouser
usmUser
createUser
agentSecName
iquerySecName
iqueryVersion
iquerySecLevel
sysdescr
syslocation
syscontact
sysname
psyslocation
psyscontact
psysname
sysservices
sysobjectid

When I grep for serverCert in the net-snmp directory, I get

[user@centos net-snmp-5.6.1.1]$ grep -r serverCert * | grep -v Binary
ChangeLog:   and serverCert
ChangeLog:   and serverCert
man/snmpcmd.1.def:the serverCert specifier in a snmp.conf configuration
file.
man/snmpd.8.def:.IR serverCert,
man/snmpd.8.def:.IR serverCert
man/snmpd.conf.5.def:.IP "[snmp] serverCert <specifier>"
snmplib/transports/snmpTLSBaseDomain.c:
netsnmp_ds_register_config(ASN_OCTET_STR, "snmp", "serverCert",
testing/fulltests/tls/STlsServerSession:CONFIGAGENT '[snmp]' serverCert
$SNMPDFP
testing/fulltests/tls/STlsServer:CONFIGAGENT '[snmp]' serverCert $SNMPDFP
testing/fulltests/tls/SCipherTests:CONFIGAGENT '[snmp]' serverCert $SNMPDFP
testing/fulltests/tls/SCipherTests:CONFIGAPP   serverCert         $SNMPDFP
testing/fulltests/tls/STlsAgentTrap:CONFIGAGENT '[snmp]' serverCert
$SERVERFP
testing/fulltests/tls/STlsAgentTrap:CONFIGTRAPD '[snmp]' serverCert $TRAPDFP
testing/fulltests/tls/STsmPrefix:CONFIGAPP serverCert $SERVERFP
testing/fulltests/tls/STlsTrapdUser:CONFIGTRAPD '[snmp]' serverCert
$SERVERFP
testing/fulltests/tls/STlsTrapdUser:CONFIGAPP   serverCert        $SERVERFP
testing/fulltests/tls/STlsUsers:CONFIGAGENT '[snmp]' serverCert $SERVERFP
testing/fulltests/tls/STlsUsers:CONFIGAPP   serverCert            $SERVERFP
testing/fulltests/tls/SCrl:CONFIGAPP serverCert $SERVERFP
testing/fulltests/transports/Stlstests:CONFIGAPP serverCert $SERVERFP
[user@centos net-snmp-5.6.1.1]$




On Tue, Dec 3, 2013 at 11:47 AM, Tom stone <stone...@gmail.com> wrote:

> I am running net-snmp as an embedded application under CentOS.  I am using
> v5.6.1.1 instead of v5.7.x because I was unable to bring up v5.7.x as an
> embedded app.
>
> I am having difficulty configuring net-snmp v5.6.1.1 for TLS.  I have
> verified from the config.log that configure is being invoked with  the
> “--with-security-modules=tsm --with-transports=DTLSUDP,TLSTCP” options per
> the instructions at http://www.net-snmp.org/wiki/index.php/Using_DTLS.
> My snmpd.conf contains
>
>
>
> agentaddress udp:161
>
> agentaddress udp6:161
>
> agentaddress dtlsudp:10161
>
> agentaddress tlstcp:10161
>
> [snmp] serverCert /var/HSE/idevid_cert.pem
>
> [snmp] defX509ServerPub /var/HSE/idevid_cert.pem
>
> [snmp] defX509ServerPriv /var/HSE/idevid_key_pair.key
>
> [snmp] clientCert /var/HSE/allPubCerts.crt
>
> [snmp] defX509ClientPub /var/HSE/allPubCerts.crt
>
> [snmpd]
>
> setserialno 1681692777
>
> engineBoots 1
>
> oldEngineID 0x80001f888067458b6b9da39c52
>
> createUser xyz SHA -l 0xe8479ddd8eb5831281d1321ae86cc8946a95d6b8 AES -l
> 0xe8479ddd8eb5831281d1321ae86cc894
>
>
>
> But when I execvp snmpd I get the following output on stderr
>
>
>
> /tmp/snmpd.conf: line 35: Warning: Unknown token: serverCert.
>
> /tmp/snmpd.conf: line 36: Warning: Unknown token: defX509ServerPub.
>
> /tmp/snmpd.conf: line 37: Warning: Unknown token: defX509ServerPriv.
>
> /tmp/snmpd.conf: line 38: Warning: Unknown token: clientCert.
>
> /tmp/snmpd.conf: line 39: Warning: Unknown token: defX509ClientPub.
>
> getaddrinfo: dtlsudp Name or service not known
>
> getaddrinfo("dtlsudp", NULL, ...): Name or service not known
>
> Error opening specified endpoint "dtlsudp:10161"
>
>
>
> I have also tried removing the tlstcp:10161 and dtlsudp:10161 from the
> snmpd.conf and added it to the argument list in the execvp as tlstcp:10161
> and dtlsudp:10161 but I get the same stderr output.
>
>
>
> Are the instructions on the current web pages specific to net-snmp
> v5.7.x?  If so, what needs to be done to bring up tls support in 5.6.1.1?
>
>
> Thank you for your consideration
>
>
>
>
>
>

------------------------------------------------------------------------------
Sponsored by Intel(R) XDK 
Develop, test and display web and hybrid apps with a single code base.
Download it for free now!
http://pubads.g.doubleclick.net/gampad/clk?id=111408631&iu=/4140/ostg.clktrk
_______________________________________________
Net-snmp-users mailing list
Net-snmp-users@lists.sourceforge.net
Please see the following page to unsubscribe or change other options:
https://lists.sourceforge.net/lists/listinfo/net-snmp-users

Reply via email to