Using the Simple Network Management Protocol (SNMP) with CA PAM
search cancel

Using the Simple Network Management Protocol (SNMP) with CA PAM

book

Article ID: 77726

calendar_today

Updated On:

Products

CA Privileged Access Manager - Cloakware Password Authority (PA) CA Privileged Access Manager (PAM)

Issue/Introduction

CA PAM supports SNMP versions 2c and 3.  This document will show how to configure CA PAM to use both, and will demonstrate how it works with a simple network management program called ireasoning, and from the unix or Windows command line.

Simple Network Management Protocol is an internet standard protocol used to manage network devices.  The device vendor defines the data available for the device in a file called a Management Information Base(MIB).  The MIB describes the data that is available by polling the device and the data that is communicated out from the device via alerts(traps). 

Environment

Release: PAMDKT99500-2.7-Privileged Access Manager-NSX API PROXY
Component:

Resolution

There are two parts of SNMP to configure, Poll and Trap.  When the Poll Server is configured the network management server can retrieve data from CA PAM.  The data that can be retrieved is defined by the CA PAM MIB.  In order to see the details of the MIB, or to upload it into the Network Management tool, retrieve it from the CA PAM Community, https://communities.ca.com/docs/DOC-231177436-ca-pam-283-and-301-mib.  The community name is essentially a password.  The Read-Only Community must be supplied by the network management server, or system, in order for the poll to work.  The default PAM Read-Only Community is xcdgkpub.  With the configuration below PAM will respond to SNMP Poll requests using either SNMP version 2c or 3.  Notice that there is no Write Community string.  Although the SNMP protocol allows for the modification of data on the managed device PAM does not.


In order to for PAM to accept Poll requests using SNMP version 3 users must be SNMP users must be added into PAM.  The username, authentication passphrase and Private Passphrase must then be used in the Poll request from the network management software or system making the request.

 

The Trap community and SNMP version must match the setting on the network management server in order for Traps sent by CA PAM to be received.  The Trap Destination is the IP address or Fully Qualified Domain Name of the system to which CA PAM is to send the Traps.  If the network management system requires SNMP version 3 then the PAM configuration must specify the Username, Passphrase and Private Passphrase, as configured on the network management system.

Now for polling.  With Polling configured as described above PAM will allow the contents of its MIB to be retrieved.  This can be done with any Network Management Server that supports SNMP.  It can also be done with a command called snmpwalk, which is available on unix and Windows systems.  Below is an example of the snmpwalk command for version 2c, along with a portion of its output:

support@support-virtual-machine:~$ snmpwalk -v 2c -c xcdgkpub 192.168.21.2 | more
iso.3.6.1.2.1.1.1.0 = STRING: "Xceedium GateKeeper"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.10449.1
iso.3.6.1.2.1.1.3.0 = Timeticks: (3570265) 9:55:02.65
iso.3.6.1.2.1.1.4.0 = STRING: "Root <root@localhost> (configure /etc/snmp/snmpd.local.conf)"
iso.3.6.1.2.1.1.5.0 = STRING: "Support04-XS2449-02"
iso.3.6.1.2.1.1.6.0 = STRING: "Unknown (configure /etc/snmp/snmpd.local.conf)"
iso.3.6.1.2.1.1.8.0 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.10.3.1.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.11.3.1.1
iso.3.6.1.2.1.1.9.1.2.3 = OID: iso.3.6.1.6.3.15.2.1.1
iso.3.6.1.2.1.1.9.1.2.4 = OID: iso.3.6.1.6.3.1
iso.3.6.1.2.1.1.9.1.2.5 = OID: iso.3.6.1.2.1.49
iso.3.6.1.2.1.1.9.1.2.6 = OID: iso.3.6.1.2.1.4
iso.3.6.1.2.1.1.9.1.2.7 = OID: iso.3.6.1.2.1.50
iso.3.6.1.2.1.1.9.1.2.8 = OID: iso.3.6.1.6.3.16.2.2.1
iso.3.6.1.2.1.1.9.1.3.1 = STRING: "The SNMP Management Architecture MIB."
iso.3.6.1.2.1.1.9.1.3.2 = STRING: "The MIB for Message Processing and Dispatching."
iso.3.6.1.2.1.1.9.1.3.3 = STRING: "The management information definitions for the SNMP User-based Security Model."
iso.3.6.1.2.1.1.9.1.3.4 = STRING: "The MIB module for SNMPv2 entities"
iso.3.6.1.2.1.1.9.1.3.5 = STRING: "The MIB module for managing TCP implementations"
iso.3.6.1.2.1.1.9.1.3.6 = STRING: "The MIB module for managing IP and ICMP implementations"
iso.3.6.1.2.1.1.9.1.3.7 = STRING: "The MIB module for managing UDP implementations"
iso.3.6.1.2.1.1.9.1.3.8 = STRING: "View-based Access Control Model for SNMP." 

Here is an example of using snmpwalk with version 3:
support@support-virtual-machine:~$ snmpwalk -Os -v3 -l authPriv -u "evogel" -a SHA -A "passphrase" -x AES -X "privpass" 192.168.21.2 | more
iso.3.6.1.2.1.1.1.0 = STRING: "Xceedium GateKeeper"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.10449.1
iso.3.6.1.2.1.1.3.0 = Timeticks: (95563) 0:15:55.63
iso.3.6.1.2.1.1.4.0 = STRING: "Root <root@localhost> (configure /etc/snmp/snmpd.local.conf)"
iso.3.6.1.2.1.1.5.0 = STRING: "Support04-XS2449-02"
iso.3.6.1.2.1.1.6.0 = STRING: "Unknown (configure /etc/snmp/snmpd.local.conf)"
iso.3.6.1.2.1.1.8.0 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.10.3.1.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.11.3.1.1
iso.3.6.1.2.1.1.9.1.2.3 = OID: iso.3.6.1.6.3.15.2.1.1
iso.3.6.1.2.1.1.9.1.2.4 = OID: iso.3.6.1.6.3.1
iso.3.6.1.2.1.1.9.1.2.5 = OID: iso.3.6.1.2.1.49
iso.3.6.1.2.1.1.9.1.2.6 = OID: iso.3.6.1.2.1.4
iso.3.6.1.2.1.1.9.1.2.7 = OID: iso.3.6.1.2.1.50
iso.3.6.1.2.1.1.9.1.2.8 = OID: iso.3.6.1.6.3.16.2.2.1
iso.3.6.1.2.1.1.9.1.3.1 = STRING: "The SNMP Management Architecture MIB."
iso.3.6.1.2.1.1.9.1.3.2 = STRING: "The MIB for Message Processing and Dispatching."
iso.3.6.1.2.1.1.9.1.3.3 = STRING: "The management information definitions for the SNMP User-based Security Model."
iso.3.6.1.2.1.1.9.1.3.4 = STRING: "The MIB module for SNMPv2 entities"
iso.3.6.1.2.1.1.9.1.3.5 = STRING: "The MIB module for managing TCP implementations"
iso.3.6.1.2.1.1.9.1.3.6 = STRING: "The MIB module for managing IP and ICMP implementations"
iso.3.6.1.2.1.1.9.1.3.7 = STRING: "The MIB module for managing UDP implementations"
iso.3.6.1.2.1.1.9.1.3.8 = STRING: "View-based Access Control Model for SNMP."

There is a lot more data to be seen than is shown here.  It is also possible to specify that the MIB be used to display the information in a manner specific to the device, rather than the default.  The same task may be performed with most any network management server.  Below can be seen the result of the snmpwalk done in a program called iReasoning.

 



iReasoning also has a trap receive function.  An easy test to perform is to perform a failed login to CA PAM.  Below are the trap and details that result.

 



Traps are sent for many other things, which can be found in the MIB.  A few are cluster status change, syslog status change, nfs status change, and many more.  Check the CA PAM MIB to find them all.  When SNMP version 3 it is necessary to specify a user and its corresponding Authentication and Private passphrases.  Below is a screen capture of such a user configured on the Trap Server page.  The user and passphrases must be provided when polling CA PAM using version 3.  CA PAM must be configured with the same information defined in the Network Management Server, when version 3 is used for Traps.
 

 


This is probably enough to begin use of SNMP with PAM.  Please open a ticket if any problems are encountered.



 

Powered by Wolken Software