Credentials

NetObserv SNMP Trap makes it simple to securely add credentials for the trap listener to use.

The directory of the listener credential files is specified by EF_INPUT_TRAP_LISTENER_CREDENTIALS_DIRECTORY_PATH in the trapcoll configuration options. The default location is /etc/elastiflow/snmp/traps/credentials. See credentials.yml for a template.

Currently, credentials only work for SNMP v3 Traps. Community strings are not enforced.

Trap SNMP v3 Credential File Example

Example File Structure:

credentials:
  users:
    - username: myuser1
      authentication_protocol: md5
      authentication_passphrase: mypassword1
      privacy_protocol: aes
      privacy_passphrase: myprivacy1
      authoritative_engine_id: authoritative_engine_id
    - username: myuser2
      authentication_protocol: md5
      authentication_passphrase: mypassword2
      privacy_protocol: aes
      privacy_passphrase: myprivacy2
      authoritative_engine_id: authoritative_engine_id

Configuration Attributes

Currently, there are no default values for these fields and all fields are required.

username

The username of the listener credential.

EXAMPLE: myuser1

authentication_protocol

The authentication protocol used to authenticate the username with the incoming device Trap using SNMPv3.

  • Valid Values

    • noauth, md5, sha, sha224, sha256, sha384, sha512

authentication_passphrase

The authentication passphrase used to authenticate the username with the device using SNMPv3.

Currently only device-level polling intervals are supported. A future enhancement will include support for object-level interval override of the device-level value.

privacy_protocol

The privacy protocol used to encrypt SNMPv3 traffic between the SNMP device and the Trap listener.

  • Valid Values

    • nopriv, des, aes, aes192, aes256, aes192c, aes256c

privacy_passphrase

The privacy passphrase used to encrypt SNMPv3 traffic between the SNMP input and the device.

authoritative_engine_id

The authoritative engine ID used to make an SNMP request with SNMPv3.

The authoritative_engine_id used in each credential must exactly match the authoritative_engine_id set for the Trap listener via the EF_INPUT_TRAP_LISTENER_AUTHORITATIVE_ENGINE_ID setting.
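
A pre-deployment check for the attributes above, as an added example that is not part of NetObserv or its documentation. It takes the credential file after a YAML library has parsed it and reports missing fields, values outside the listed sets, and engine ID mismatches. The function name, the WEAK policy set and the sample engine IDs are assumptions of this example.

```python
# Added example, not NetObserv code. `doc` is the credential file after YAML parsing.
AUTH = {"noauth", "md5", "sha", "sha224", "sha256", "sha384", "sha512"}
PRIV = {"nopriv", "des", "aes", "aes192", "aes256", "aes192c", "aes256c"}
REQUIRED = ("username", "authentication_protocol", "authentication_passphrase",
            "privacy_protocol", "privacy_passphrase", "authoritative_engine_id")
# This example's own policy (an assumption): values to flag as weak or disabled.
WEAK = {"noauth", "md5", "nopriv", "des"}

def lint_credentials(doc, listener_engine_id):
    """Return (level, username, message) findings for one parsed credential file."""
    findings = []
    users = ((doc or {}).get("credentials") or {}).get("users") or []
    if not users:
        findings.append(("error", None, "credentials.users is empty or missing"))
    for index, user in enumerate(users):
        name = user.get("username") or f"<user #{index}>"
        for field in REQUIRED:  # the page: no defaults, every field is required
            if not user.get(field):
                findings.append(("error", name, f"missing {field}"))
        auth = user.get("authentication_protocol")
        priv = user.get("privacy_protocol")
        if auth and auth not in AUTH:
            findings.append(("error", name, f"invalid authentication_protocol {auth}"))
        if priv and priv not in PRIV:
            findings.append(("error", name, f"invalid privacy_protocol {priv}"))
        # SNMPv3 has no noAuthPriv security level: privacy needs authentication.
        if auth == "noauth" and priv in PRIV - {"nopriv"}:
            findings.append(("error", name, "privacy_protocol set without authentication"))
        for proto in (auth, priv):
            if proto in WEAK:
                findings.append(("warn", name, f"weak or disabled protocol {proto}"))
        engine_id = user.get("authoritative_engine_id")
        if engine_id and engine_id != listener_engine_id:  # must match exactly
            findings.append(("error", name, "authoritative_engine_id differs from listener"))
    return findings

# Constructed sample data; the engine ID values are placeholders.
LISTENER_ENGINE_ID = "80001f8880aabbccdd"
SAMPLE = {"credentials": {"users": [
    {"username": "myuser1", "authentication_protocol": "sha256",
     "authentication_passphrase": "example-auth-passphrase",
     "privacy_protocol": "aes256", "privacy_passphrase": "example-priv-passphrase",
     "authoritative_engine_id": "80001f8880aabbccdd"},
    {"username": "myuser2", "authentication_protocol": "md5",
     "authentication_passphrase": "mypassword2", "privacy_protocol": "des3",
     "authoritative_engine_id": "80001f8880deadbeef"},
]}}
for finding in lint_credentials(SAMPLE, LISTENER_ENGINE_ID):
    print(*finding)
```

The second sample user is deliberately broken: it omits privacy_passphrase, uses a privacy_protocol value that is not in the valid list, and carries an engine ID that differs from the listener's.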

Credential File Encryption

Credential files located in the directory specified by EF_INPUT_TRAP_LISTENER_CREDENTIALS_DIRECTORY_PATH can be encrypted using industry-standard AGE encryption by setting EF_INPUT_TRAP_LISTENER_CREDENTIALS_SECURE_STORE_ENABLE to true.

Please visit Trap Listener Credentials Encryption to learn more.
