OKV 21.9 snmp with sha256 and aes256 vs without support for them?
Error: when your monitoring tool's SNMP client doesn't support SHA256 and AES256, you're expected to hit the error below.
root@ubuntu-bionic:~# snmpwalk -v 3 192.168.194.122 -u snmpuser -a SHA -A User_Snmp_54321 -x AES -X User_Snmp_54321 -l authPriv
snmpwalk: Authentication failure (incorrect password, community or key)
root@ubuntu-bionic:~#
Root cause: Oracle Key Vault uses SHA256 for the authentication protocol and AES256 for the privacy protocol. The client below doesn't support the 256-bit algorithms.
root@ubuntu-bionic:~# snmpwalk --help
USAGE: snmpwalk [OPTIONS] AGENT [OID]
Version: 5.7.3
Web: http://www.net-snmp.org/
Email: net-snmp-coders@lists.sourceforge.net
OPTIONS:
-h, --help display this help message
-H display configuration file directives understood
-v 1|2c|3 specifies SNMP version to use
-V, --version display package version number
SNMP Version 1 or 2c specific
-c COMMUNITY set the community string
SNMP Version 3 specific
-a PROTOCOL set authentication protocol (MD5|SHA) <<<
-A PASSPHRASE set authentication protocol pass phrase
-e ENGINE-ID set security engine ID (e.g. 800000020109840301)
-E ENGINE-ID set context engine ID (e.g. 800000020109840301)
-l LEVEL set security level (noAuthNoPriv|authNoPriv|authPriv)
-n CONTEXT set context name (e.g. bridge1)
-u USER-NAME set security name (e.g. bert)
-x PROTOCOL set privacy protocol (DES|AES) <<<
-X PASSPHRASE set privacy protocol pass phrase
Validate whether this is true:
Step 1) Login as support user on the OKV machine
Step 2) su - root
Step 3) Backup the below config file
cp /usr/local/dbfw/templates/template-snmpd.conf /usr/local/dbfw/templates/template-snmpd.conf.bkp.21jan2025
Step 4)
Modify the file /usr/local/dbfw/templates/template-snmpd.conf
pre:
createUser <%= @username %> SHA-256 "<%= @dapassword %>" AES256 "<%= @depassword %>"
box was shipped with:
[root@voracle8x-oracle-key-vault2 ~]# grep createUser /usr/local/dbfw/templates/template-snmpd.conf.bkp.21jan2025
createUser <%= @username %> SHA-256 "<%= @dapassword %>" AES256 "<%= @depassword %>"
[root@voracle8x-oracle-key-vault2 ~]#
post:
createUser <%= @username %> SHA "<%= @dapassword %>" AES "<%= @depassword %>"
Step 5)
For this SNMP change to take effect:
>> new setup: create the SNMP user
>> old setup: just reset the SNMP user password <<= our case
Step 6) Perform snmpwalk
Example commands:
snmpwalk -v 3 192.168.194.122 -u snmpuser -a SHA -A User_Snmp_54321 -x AES -X User_Snmp_54321 -l authPriv
snmpwalk -v 3 192.168.194.122 -u snmpuser -a SHA -A User_Snmp_54321 -x AES -X User_Snmp_54321 -l authPriv iso.3.6.1.4.1.2021.2.1.2
snmpwalk -v 3 192.168.194.122 -u snmpuser -a SHA -A User_Snmp_54321 -x AES -X User_Snmp_54321 -l authPriv 1.3.6.1.2.1.25.1.1
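Client machine ---> OKV (both must use the same authentication and privacy protocols). In net-snmp, SHA means HMAC-SHA-1 and AES means 128-bit AES, so this change lowers OKV's SNMPv3 algorithms to what the client supports.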
Post fix:
Validate whether the error we were receiving before reproduces when the client uses SHA/AES while the 256-bit algorithms are enabled at the OKV end:
root@ubuntu-bionic:~# snmpwalk -v 3 192.168.194.122 -u snmpuser -a SHA -A User_Snmp_54321 -x AES -X User_Snmp_54321 -l authPriv
snmpwalk: Authentication failure (incorrect password, community or key)
root@ubuntu-bionic:~#
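The mismatch above can be checked before touching OKV by comparing the createUser line with what the client's snmpwalk --help lists. The script below is an added example, not Oracle or net-snmp code; the function names are hypothetical, and HELP_256 is a constructed sample of a client that lists the 256-bit protocols.

```shell
#!/usr/bin/env bash
# Added example (not Oracle or net-snmp code); function names are hypothetical.

# Normalise names so "AES256" (snmpd.conf) equals "AES-256" (client help).
norm() { printf '%s' "$1" | sed 's/-//g' | tr '[:lower:]' '[:upper:]'; }

# Print "AUTH PRIV" from a createUser line, rendered or still an ERB template.
# ERB tags and quoted passphrases are collapsed first so fields 3 and 5 line up.
createuser_protocols() {
    printf '%s\n' "$1" |
        sed -e 's/<%[^%]*%>/X/g' -e 's/"[^"]*"/Q/g' |
        awk '$1 == "createUser" { print $3, $5 }'
}

# Print the protocols a client lists in parentheses on the help line containing $2.
client_protocols() {
    printf '%s\n' "$1" | grep -F "$2" | sed -e 's/.*(//' -e 's/).*//' | tr '|' ' '
}

# Succeed if protocol $1 is in the space-separated list $2.
in_list() {
    local want p
    want=$(norm "$1")
    for p in $2; do
        if [ "$(norm "$p")" = "$want" ]; then return 0; fi
    done
    return 1
}

# Print "ok", or the createUser protocols the client does not list.
check_client() {
    local auth priv missing=""
    read -r auth priv <<EOF
$(createuser_protocols "$1")
EOF
    in_list "$auth" "$(client_protocols "$2" 'set authentication protocol (')" || missing="$auth"
    in_list "$priv" "$(client_protocols "$2" 'set privacy protocol (')" || missing="${missing:+$missing }$priv"
    echo "${missing:-ok}"
}

# createUser lines from the page: the shipped template and the modified one.
SHIPPED='createUser <%= @username %> SHA-256 "<%= @dapassword %>" AES256 "<%= @depassword %>"'
MODIFIED='createUser <%= @username %> SHA "<%= @dapassword %>" AES "<%= @depassword %>"'
# The two relevant help lines of the 5.7.3 client shown on the page.
HELP_573='-a PROTOCOL set authentication protocol (MD5|SHA)
-x PROTOCOL set privacy protocol (DES|AES)'
# Constructed sample: help lines of a client that lists the 256-bit protocols.
HELP_256='-a PROTOCOL set authentication protocol (MD5|SHA|SHA-256)
-x PROTOCOL set privacy protocol (DES|AES|AES-256)'

echo "5.7.3 client vs shipped template: $(check_client "$SHIPPED" "$HELP_573")"
```

On a real client, pass "$(snmpwalk --help 2>&1)" as the second argument instead of the embedded samples.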