Designing and Managing Behavior Models - NerveCenter Support for SNMP v3 - Overview of NerveCenter SNMP v3 Support -
NerveCenter Support for SNMP v3      SNMP v3 Operations Log

Overview of NerveCenter SNMP v3 Support

NerveCenter support for SNMP v2c (community-based SNMP v2) and v3 includes new data types and enhanced security for communication. SNMP v1 and v2c rely on community names for authentication. SNMP v3 enhances authentication and expands its services to include privacy. SNMP v3 expands on the earlier concept of MIB views to control access to management information. SNMP v3 uses a View-based Access Control Model (VACM) to determine the level of access a user has for viewing MIB data.

Following are highlights of NerveCenter support for SNMP v2c/v3:

• Before NerveCenter can discover SNMP v3 agents on nodes, the nodes must have an initial user configured for discovery.

  For details, refer to the book Managing NerveCenter.

  See Using the SNMP Test Version Poll for information about testing communication with a node.

• NerveCenter communicates (sends polls) with an SNMP v3 agent on behalf of a specified NerveCenter user in a defined context. Before NerveCenter can poll SNMP v3 agents, the agents must be configured to support the NerveCenter user and context. By default, the user name is NCUser and the context is NCContext, though you can change both in NerveCenter.

  For details, refer to the book Managing NerveCenter.

• NerveCenter supports three security levels for communicating with SNMP v3 agents. By default, NerveCenter sets the security level to noAuthNoPriv, which means the v3 agent sends and receives messages without authentication or encryption.

  See Changing the Security Level of an SNMP v3 Node on page 110.

  See NerveCenter support for SNMP v3 security for details about security.

• The authentication and privacy protocols require specialized keys, called authentication and privacy keys. These keys are generated from corresponding passwords. You can change these passwords in NerveCenter, thereby changing the keys. When changing keys in NerveCenter, you can command NerveCenter to update the key changes on all nodes.

  See NerveCenter Support for SNMP v3 Digest Keys and Passwords.

  Refer to the book Managing NerveCenter for details about changing SNMP v3 keys and passwords.

• NerveCenter supports either HMAC-MD5-96 (MD5) or HMAC-SHA-96 (SHA) as authentication protocol on a per-node basis and CBC-DES as the privacy protocol. The default authentication protocol for NerveCenter is MD5. If you change the authentication protocol on an SNMP v3 agent, you must likewise change the protocol used by NerveCenter to manage the corresponding node in its database.

  See Changing the Authentication Protocol for an SNMP v3 Node on page 112.

• A node must have SNMP version information before NerveCenter can poll the node or process a trap from the node. NerveCenter can discover the version of a node automatically or manually. If auto-classification is enabled, then a newly added node (discovered from a trap, added from a platform such as HP OpenView, imported from another NerveCenter) will be classified at the highest level possible.

  ---

     Auto-classification is disabled when you install NerveCenter. You must enable this feature before NerveCenter can classify nodes added to its database.

  ---

  See Classifying the SNMP Version Configured on Nodes on page 114.

  Refer to the book Managing NerveCenter for details about auto-classification.

• The trap source specified during installation can be changed to MSTrap, OVTrapD or NerveCenter. Changing the trap source requires stopping and starting the related applications (e.g., OVTrapD) and restarting the NerveCenter Server.

  Refer to the book Managing NerveCenter for details about changing the trap source.

• SNMP v3 operations are logged to a file so that you can follow the progress of v3 activities. The log includes information about activities (e.g., a key change initiated by the user) as well as errors that occur while NerveCenter attempts to perform the activities.

  See SNMP v3 Operations Log.

  See SNMP v3 error status for information about SNMP v3 errors.

• NerveCenter ships with behavior models that provide the status of various applications monitored by the SNMP Research CIAgent.

  For complete details about these and all behavior models, refer to the Behavior Models Cookbook.

NerveCenter Support for SNMP v3 Security

SNMP v3 specifications enable any two devices to communicate in a completely secure fashion using message authentication to validate users and encryption to ensure the secrecy of the communication. SNMP v3 provides a User-based Security Model (USM) to establish authentication and secrecy.

NerveCenter supports three security levels for communicating with an SNMP v3 agent:

• NoAuth/NoPriv: Passwords for authorization and privacy are not required to communicate with the agent. NerveCenter still requires the user name and context for polling.
• Auth/NoPriv: The authorization protocol and password are required to communicate with the agent. NerveCenter requires the user name, context, and authentication password for polling.
• Auth/Priv: All security parameters are required to communicate with the agent. NerveCenter requires the user name, context, and the privacy and authentication passwords for polling.

Communication between any two SNMP v3 entities takes place on behalf of a uniquely identified user within the management domain. The security level used for this communication defines the kind of security services -- message authentication and encryption -- used while exchanging data. NerveCenter communicates with SNMP v3 nodes on behalf of the NerveCenter poll user in the poll context. By default, the user name is NCUser and the context is NCContext, though you can change both in NerveCenter.

If you do not specify a security level for an SNMP v3 node, NerveCenter uses a default security level of NoAuthNoPriv, which means that message authentication and encryption services are not used for data exchange with the node. You can later change the security level in NerveCenter.

---

   The NerveCenter poll user, context, authentication password, and privacy password can be changed in NerveCenter Administrator. If you change the passwords, you can update this information on all nodes directly from the NerveCenter Administrator.

The security level used by NerveCenter while polling SNMP v3 nodes is configured for each node in NerveCenter Client. Information specific to nodes, such as version, security level, and authentication protocol, are entered in NerveCenter Client for the node.

---

NerveCenter Support for SNMP v3 Digest Keys and Passwords

SNMPv3 protocols allow any two devices to communicate in a completely secure fashion using message authentication and message encryption to ensure the secrecy of the communication. In any SNMP v3 communication, one of the two communicating entities plays a role of authoritative entity for the communication, and communication is performed on behalf of a unique user within the management domain.

The sender of a secure message attaches a code, called a digest, for authentication and encrypts the message to ensure privacy. To generate this digest, the sender uses an authentication key at the authoritative entity of the user on whose behalf communication takes place. Similarly, to encrypt a message, the sender uses a privacy key at the authoritative entity of the user on whose behalf communication takes place. These keys are generated from the authentication password and privacy password, respectively, for the user.

SNMP v3 specifications have defined a localized key-generation scheme. For every user, the authentication key at every SNMP v3 entity is a function of the snmpEngineID of that entity, the user's authentication password, and the authentication protocol. For every user, the privacy key at every SNMP v3 entity is a function of the snmpEngineID of that entity, the user's privacy password, and the privacy protocol. NerveCenter supports this localized key-generation scheme.

NerveCenter communicates with SNMP v3 nodes on behalf of the NerveCenter poll user (by default, NCUser for MD5 authentication and NCUserSHA1 for SHA-1 authentication) in the poll context (NCContext by default). NerveCenter needs to know the authentication and privacy passwords for this user in order to generate the keys required for secure communication. Whenever NerveCenter learns the snmpEngineID of a newly discovered SNMP v3 agent with a security level other than NoAuthNoPriv, NerveCenter generates these keys for the NerveCenter poll user on that agent. By default, the passwords are NCUserAuthPwd (authentication) and NCUserPrivPwd (privacy), though you can change both in NerveCenter Administrator. These passwords are used for all nodes that NerveCenter manages.

When the message is sent, if authentication is required (a security level of AuthNoPriv is specified for the node), the sender uses the authentication key to generate the digest for the message. This digest is appended to the message.

If encryption is required (a security level of AuthPriv is specified for the node), the sender uses the privacy key to generate the digest for the message. For this security level, only the privacy digest is required; privacy assumes authentication, and you cannot have encryption without authentication.

On receipt of a secure message, a receiver does the following

• Separates the message from the digest (authentication or privacy).
• Uses the corresponding key available in its local store to generate its local copy of the digest from the message.
• Compares the two digests (i.e. one received in the message and one generated locally). If both digests are the same, the recipient authenticates or decrypts the message using the corresponding local key. If the digests are not the same (indicating a lack of authentication), the recipient discards the message.
• The recipient reads and processes the message.