Edit SNMP v3 Profiles Dialog
The Edit SNMP v3 Profiles dialog can be accessed by clicking Profiles in the Configuration tab in the Discovery Console or from the Create Model dialogs.
Configuring the SNMPv3 Profile
- To add/edit the SNMPv3 profile, do one of the following:
  - From the OneClick Console > Explorer view, right-click Utilities > Discovery Console > navigate to the Configuration tab > SNMP Information section, then select the SNMP v3 option, and click the Profiles button.
  - From the OneClick Console > Contents > Topology tab, click the create a new model by IP icon.
- Select the SNMPv3 option and click the Profiles button.
- Select the existing profile and click Modify to modify a profile, or click Add to add a profile.
This procedure is for creating non-Diffie-Hellman (DH) profiles. For more information about how to create a DH profile on SNMPv3, see the separate section "Support for Diffie-Hellman (DH) Profile on SNMPv3" in this article.
- Enter a name in the Profile Name field. The profile name should be unique. For example, in a multitenant configuration the profile name can be <tenantname>_profilename, and in a non-multitenant environment it can be <SDCIP>_profilename.
- In the User ID field, enter the same data that has been configured for full MIB access on the device.
- Choose one of the following SNMPv3 standard security options from the Authentication Type drop-down list:
  - No Authentication: Data sent from the DX NetOps Spectrum host system to the SNMPv3 device is not encrypted or authenticated.
  - Authentication with no Privacy: Data sent from the DX NetOps Spectrum host system to the SNMPv3 device is authenticated but it is not encrypted.
  - Authentication with Privacy: Data sent from the DX NetOps Spectrum host system to the SNMPv3 device is both encrypted and authenticated.
- Select one of the options in the Authentication Protocol field.
By default, the MD5 encryption mode option is selected in the Authentication Protocol field. You can select the SHA encryption option.
- Enter a relevant password in the Authentication Password field.
- Re-enter the password in the Confirm Authentication Password field to confirm it.
By default, the DES authentication option is selected in the Privacy Protocol field. You can select one of the following privacy encryption algorithm options.
- Select one of the following options in the Privacy Protocol field:
- In the Privacy Password field, enter the same data that has been configured for full MIB access on the device.
- Re-enter the privacy password in the Confirm Privacy Password field to confirm it.
- Click Add/Modify to update the profiles list with the new or updated profile that you have created.
10.3.1 introduces support for a secure domain option in the SNMP v3 profile creation dialog. This feature ensures privacy and security by restricting a v3 profile to the particular SDC specified in the secure domain option and preventing users from viewing device profiles belonging to other users. Users have to specify the IP address and configure the secure domain for their devices.
- Click OK to save your changes and close the Edit SNMP v3 Profiles dialog.
Select the Show Passwords checkbox to view the authentication password and the privacy password entered for the selected profile.
If you modify the User ID field in the Edit SNMP v3 Profiles dialog after your model has connected, you will lose contact with the SNMPv3 device. To regain management of the device, right-click the device model in the Topology tab of the Contents pane, and click Reconfiguration, Reset SNMPv3 Authentication.
SNMPv3 Support for Diffie-Hellman (DH)
DX NetOps Spectrum now supports the creation of DH profiles on SNMPv3. This ability provides a more robust security mechanism during communication.
Create DH Profiles
To create a DH profile, enable the required option and then provide the relevant information. By default, the option to create a DH profile is not selected.
Unmanaged traps are not supported on DH profiles.
Follow these steps:
- In the OneClick Console, click the Explorer tab.
- Right-click in the left pane and select the Utilities, Discovery Console option from the context menu.
- Navigate to the Configuration tab, SNMP Information section.
- Select the SNMP v3 option and click the Profiles button.
When the DH Profile option is enabled, the following fields are disabled and their values are changed automatically:
  - Authentication Type: The value is changed to Authentication with Privacy.
  - Authentication Protocol: The value is changed to MD5.
  - Privacy Protocol: The value is changed to DES.
- Enable the DH Profile option. When this option is enabled, only the following fields are available for entering the information:
  - Profile Name
  - User ID
  - DH Random Number
    The DH random number value must be 256 bits and must start with 0x. An example value is as follows: 0x93ad4af59644b00e39daca2e9f38c059a7933f4770fdb648a7e3bcc9c7959c2804cd85f3b4f8a05d70386c2e403b4fdaed106857eb60e2cbffa717fd615e30fafe584182f8c03ebac3911f2b6b7385e8fe27cb0068dd6730efa8341887b9866acf984a9dc136e08dc8341d145cefa732c84fc26352719ee3f40abae1fbcc698a
  - Secure Domain
- Click Add to add the profile.
The DH profile is successfully created on SNMP v3. The following screenshot shows a created DH profile:
After a DH profile device is modeled, the DH SNMPv3 community string will include the following parameters:
- Protocol type (DH)
- Authentication type (MD5)
- Authentication key
- Privacy protocol (DES)
- Privacy key
- User name
- DH random number
The following screenshot shows the required information:
If an agent on a device is restarted, the authentication key and the privacy key change because the public number of the device changes. In this case, SpectroSERVER automatically calculates the new authentication key and privacy key to communicate with the device.
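The following added example (not part of the product documentation and not Spectrum code) shows why a changed device public number forces both keys to be recalculated. It assumes the RFC 2786 kickstart derivation (PBKDF2 with HMAC-SHA1) and the Oakley group 1 prime with generator 2; the page does not state which derivation or default G and P values SpectroSERVER uses, and all random numbers here are constructed.

```python
import hashlib

# 768-bit Oakley group 1 prime (RFC 2409) and generator 2, standing in for
# DHParameter_p and DHParameter_g; the product defaults are not on the page.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
G = 2

# Assumption: RFC 2786 kickstart derivation (PBKDF2, HMAC-SHA1, 500 rounds,
# 16-byte keys, one fixed salt per key).
AUTH_SALT = bytes.fromhex("d1310ba6")
PRIV_SALT = bytes.fromhex("98dfb5ac")


def public_number(private):
    """Public number g^x mod p that each side sends to the other."""
    return pow(G, private, P)


def derive_keys(own_private, peer_public):
    """Return (authentication key, privacy key) from the DH shared secret."""
    shared = pow(peer_public, own_private, P)
    secret = shared.to_bytes((P.bit_length() + 7) // 8, "big")
    auth = hashlib.pbkdf2_hmac("sha1", secret, AUTH_SALT, 500, 16)
    priv = hashlib.pbkdf2_hmac("sha1", secret, PRIV_SALT, 500, 16)
    return auth, priv


def constructed_random(label):
    """Deterministic 256-bit stand-in for a random number (constructed)."""
    return int.from_bytes(hashlib.sha256(label).digest(), "big")


def demo():
    """Key pairs held by manager and agent before and after an agent restart."""
    manager = constructed_random(b"manager DH random number")
    agent_boot1 = constructed_random(b"agent, first boot")
    agent_boot2 = constructed_random(b"agent, after restart")
    results = []
    for agent in (agent_boot1, agent_boot2):
        mgr_keys = derive_keys(manager, public_number(agent))
        agent_keys = derive_keys(agent, public_number(manager))
        results.append((mgr_keys, agent_keys))
    return results
```

The manager's random number stays the same across both runs; only the agent's public number differs, which is enough to change the shared secret and therefore both derived keys.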
Edit G and P Values on a DH Profile
You can edit the G and P values on a DH profile based on your requirements.
Follow these steps:
- Access the OneClick console.
- Navigate to the Locater tab.
- Click the Create a new search icon and enter the information as follows:
  - Select Model Type Name (0x10000) from the Attribute drop-down list.
  - Verify that the value in the Comparison Type field is set to Equal To.
  - Select GlobalConfig from the Attribute Value drop-down list.
The following screenshot shows the required information:
- Save the new search.
- Launch the newly created search.
- Select the result that is displayed in the Results tab in the right pane.
- Click the Attributes tab and search for DHParameter_g and DHParameter_p. The parameters are listed in the table.
The following screenshot shows the required information:
- Double-click the required parameter (in the right pane) to edit its value and click OK to save it.
The following screenshot shows the required information:
The values are changed accordingly.
Secure Domain Option
10.3.1 introduces support for a 'Secure Domain' option in the SNMPv3 profile creation dialog. This feature ensures privacy and security by restricting a v3 profile to the particular SDC specified in the Secure Domain option and preventing users from viewing device profiles belonging to other users. Users have to specify the IP address and configure the secure domain for their devices. Here is a screenshot of the SNMPv3 profile creation dialog with the newly added
To create a v3 profile, specify the IP address of a secure domain along with the other v3 information. If you select None, then the corresponding profile is pushed to all SDCs connected to the landscape. Otherwise, the profile is unicast to the secure domain specified in the v3 profile. To model a device with SNMPv3, the secure domain option selected in the CreateModelByIP/Discovery Console panel should be the same as the secure domain specified in the v3 profile.
If the selected v3 profile has the secure domain option None, then the device can be modeled through any selected SDC.
If SNMPv3 profiles are present in a prior version of the product, then after upgrading to 10.3.1, all these profiles are updated with the None option in the Secure Domain field. These profiles are broadcast to all the connected SDCs.
Dump and Reset v3 Profiles at SDC
To dump local and remote profiles at an SDC, use action 0x10337 on the SDC model handle. Profile details are dumped to "snmpv3profiledump.txt" in the SDConnector/bin folder under SDC. Similarly, to reset all remote profiles at the SDC, use action 0x10336.
- For unmanaged v3 trap processing, if the trap destination is SDC, then there must be a local profile created at SDC.