000026541 - Configuring an SNMP v3 trap receiver to receive SNMP traps from Authentication Manager 8.1

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3

Article Content

Article Number: 000026541
Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1
Issue: This article provides information on how to configure SNMP traps from Authentication Manager 8.1.
Resolution: SNMP v3 is different from SNMP v2. If your system is configured for SNMP v2 traps, this does not mean that it will automatically accept SNMP v3 traps.
On the SNMP trap receiver, run tcpdump to capture a trap and get the EngineID. The command is as follows:
tcpdump -i eth0 -vv -s 1500 host <Authentication Manager IP address> and port 162 -w /tmp/snmptrap.cap

The EngineID can be found by opening the snmptrap.cap file in Wireshark or other packet capture software. Look at the msgAuthoritativeEngineID field under Simple Network Management Protocol. As an example, the output would be: msgAuthoritativeEngineID: 313737353038303631.
Alternatively, log in as root and run this command:
cat /var/lib/net-snmp/snmpd.conf | grep EngineID
oldEngineID 0x80001f888085b7826f1b91215400000000

It is then necessary to configure the SNMP trap receiver to accept SNMP traps from the Authentication Manager 8.1 instance.  For example, if you are using the Linux snmptrap service, then add the following to your snmptrapd.conf and restart the service:
createUser -e 0x<engineID> <Security Name> <Authentication Protocol> <Authentication Password> <Privacy Protocol> <Privacy Password>

As an example,
createUser -e 0x313737353037363035 public MD5 password! DES password!
/etc/init.d/snmpd start
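
As an added example (not part of the original RSA article), the shell functions below read the oldEngineID line from a net-snmp snmpd.conf, validate the engine ID, and print the matching createUser line. The function names and the temporary sample file are constructed for illustration; the 5 to 32 octet limit comes from RFC 3411 and the 8-character passphrase minimum from net-snmp.

```shell
#!/bin/sh
# Added example: function names and the sample file are constructed.

# Print the last oldEngineID value found in a net-snmp snmpd.conf.
engine_id_from_conf() {
    awk '$1 == "oldEngineID" { id = $2 } END { print id }' "$1"
}

# Strip an optional 0x prefix, lower-case the digits, and enforce the
# RFC 3411 size limits (5 to 32 octets, i.e. 10 to 64 hex digits).
# Prints the bare hex string on success, returns 1 otherwise.
normalize_engine_id() {
    id=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    id=${id#0[xX]}
    case $id in
        ''|*[!0-9a-f]*) return 1 ;;
    esac
    [ $(( ${#id} % 2 )) -eq 0 ] && [ ${#id} -ge 10 ] && [ ${#id} -le 64 ] || return 1
    printf '%s\n' "$id"
}

# Emit the snmptrapd.conf line in the order the article gives:
# $1 engine ID, $2 security name, $3 auth protocol, $4 auth password,
# $5 privacy protocol, $6 privacy password.
create_user_line() {
    eid=$(normalize_engine_id "$1") || { echo "bad engine ID: $1" >&2; return 1; }
    # net-snmp rejects USM passphrases shorter than 8 characters.
    [ ${#4} -ge 8 ] && [ ${#6} -ge 8 ] || { echo "passphrase under 8 characters" >&2; return 1; }
    printf 'createUser -e 0x%s %s %s %s %s %s\n' "$eid" "$2" "$3" "$4" "$5" "$6"
}

# Constructed sample input: the oldEngineID line shown in the article,
# written to a temporary file so the script runs offline.
sample=$(mktemp)
printf 'oldEngineID 0x80001f888085b7826f1b91215400000000\n' > "$sample"
create_user_line "$(engine_id_from_conf "$sample")" public MD5 'password!' DES 'password!'
rm -f "$sample"
```

An engine ID copied from Wireshark without the 0x prefix, such as the 313737353038303631 value above, is accepted as well.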

The settings for the Security Name, Authentication Protocol, Authentication Password, Privacy Protocol and Privacy Password are defined in the Security Console. To access these settings:
  1. Select Setup > System Settings
  2. Under Advanced Settings, click on Network Monitoring (SNMP).  
  3. Select the instance and click Next. Note that if you choose the primary instance any changes you make here can be replicated to the other Authentication Manager servers in the deployment based on settings on the next page.  
  4. Under Basics, turn on Network Monitoring using SNMP v3.  
  5. Define the required information and the passwords and protocols, if desired.  
  6. Download the MIB.  
  7. Scroll to the bottom of the page and if desired, choose the option to apply these settings to the replica server(s).  
  8. Click Save.
Notes: Authentication Manager 8.1 uses SNMP v3, and by default it will encrypt the SNMP information, which will make it incompatible with SNMP v1 and SNMP v2 servers. It has been made partially compatible with older SNMP servers at some customer sites by following a few steps:
  1. Apply Authentication Manager 8.1-SP1-Patch 1 (or higher) to address an issue (AM-27995) where the MIBs won't work with certain third-party applications. However, check the release notes for other known issues (AM-28597, AM-28380).
  2. There is a known issue (AM-28648) with certain platforms where the MIBs are double-zipped.
  3. When configuring SNMP v3 on the Authentication Manager 8.1 server, the default Security Level is Authentication and Privacy, which is not compatible with SNMP v2. Select either No Authentication or Authentication, no Privacy.
Please note that these changes have not been tested or qualified by RSA Security and that RSA cannot provide support for using Authentication Manager 8.1 with either an SNMP v1 or SNMP v2 server.
See also article 000030259 on determining the RSA Authentication Manager 8.1 SNMP EngineID.
Legacy Article ID: a60943