Difference between revisions of "TUT:Using TLS"

From Net-SNMP Wiki
Jump to: navigation, search
(Obtaining and using test.net-snmp.org certificates)
Line 2: Line 2:
 
to use [[DTLS]] or [[TLS]] for the end user. For information on the administering and configuring the agent with DTLS/TLS support,
 
to use [[DTLS]] or [[TLS]] for the end user. For information on the administering and configuring the agent with DTLS/TLS support,
 
see [[Using_DTLS]].
 
see [[Using_DTLS]].
 +
 +
== DTLS vs TLS ==
 +
 +
[[TLS]] and [[DTLS]] are both protocols that protect packets in transit.  The first runs over [[TCP]] and the second over [[UDP]], which both have unique advantages (and a discussion of those advantages is beyond scope of this tutorial). 
 +
 +
Below you'll find examples that use both the ''dtlsudp:'' prefix and the ''tlstcp:'' prefix.  Our ''test.net-snmp.org'' server will respond to both transports so you can try them both out.
  
 
== Required Build Options ==
 
== Required Build Options ==
Line 20: Line 26:
  
 
In this example, ''test.net-snmp.org'' is the host name of the agent to query, using version 3 of the SNMP protocol and the transport security model, and an authPriv message protected a dtls connection using the certificates identified by the given fingerprints.  The OID being requested is <tt>sysUpTime.0</tt> from the MIB module <tt>SNMPv2-MIB</tt>.
 
In this example, ''test.net-snmp.org'' is the host name of the agent to query, using version 3 of the SNMP protocol and the transport security model, and an authPriv message protected a dtls connection using the certificates identified by the given fingerprints.  The OID being requested is <tt>sysUpTime.0</tt> from the MIB module <tt>SNMPv2-MIB</tt>.
 
== DTLS vs TLS ==
 
 
[[TLS]] and [[DTLS]] are both protocols that protect packets in transit.  The first runs over [[TCP]] and the second over [[UDP]], which both have unique advantages (and a discussion of those advantages is beyond scope of this tutorial). 
 
 
Below you'll find examples that use both the ''dtlsudp:'' prefix and the ''tlstcp:'' prefix.  Our ''test.net-snmp.org'' server will respond to both transports so you can try them both out.
 
  
 
== Obtaining and using test.net-snmp.org certificates ==
 
== Obtaining and using test.net-snmp.org certificates ==

Revision as of 16:14, 14 May 2010

"SNMP over DTLS over UDP" and "SNMP over TLS over TCP" are supported in Net-SNMP 5.6 and beyond. This page describes how to use DTLS or TLS for the end user. For information on the administering and configuring the agent with DTLS/TLS support, see Using_DTLS.

DTLS vs TLS

TLS and DTLS are both protocols that protect packets in transit. The first runs over TCP and the second over UDP, which both have unique advantages (and a discussion of those advantages is beyond scope of this tutorial).

Below you'll find examples that use both the dtlsudp: prefix and the tlstcp: prefix. Our test.net-snmp.org server will respond to both transports so you can try them both out.

Required Build Options

You must have added these options when configure was run to make the following tutorial work:

 --with-security-modules=tsm --with-transports="DTLSUDP TLSTCP"

Zero-config Example

This section assumes you already have your certificate(s) in place and know the fingerprints for your identity and that of the remote server. More information on obtaining and setting up that information is discussed below.

snmpget -t 10 -T my_fingerprint=CD:74:45:C9:A3:A3:55:0A:6C:37:03:B2:49:38:B1:01:99:95:8E:43 \
        -T their_fingerprint=CA:B8:0A:B3:6B:4C:21:2A:F2:92:CD:0B:6B:DF:6A:9F:23:D6:30:4B \
        -v 3 -l authPriv dtlsudp:test.net-snmp.org:9161 sysUpTime.0

In this example, test.net-snmp.org is the host name of the agent to query, using version 3 of the SNMP protocol and the transport security model, and an authPriv message protected a dtls connection using the certificates identified by the given fingerprints. The OID being requested is sysUpTime.0 from the MIB module SNMPv2-MIB.

Obtaining and using test.net-snmp.org certificates

You will need the certificates for the Net-SNMP test server and test user for this tutorial. A compressed tarball is avaialable here, along with its gpg signature.

Once you have the tutorial-.snmp tarball, uncompress it in your home directory:

$ tar xvfz tutorial-.snmp.tar.gz

.snmp/
.snmp/snmp.conf.tutorial
.snmp/tls/
.snmp/tls/newcerts/
.snmp/tls/private/
.snmp/tls/private/tutorial-joecool.key
.snmp/tls/ca-certs/
.snmp/tls/ca-certs/tutorial-CA.crt
.snmp/tls/openssl.conf
.snmp/tls/certs/
.snmp/tls/certs/tutorial-joecool.crt
.snmp/tls/certs/tutorial-agent.crt

You can use net-snmp-cert to show you the certificates (and their fingerprints):

$ net-snmp-cert showcert
/home/dummy/.snmp/tls:

certs/tutorial-agent.crt:
subject= /C=US/ST=California/O=Net-SNMP Developers/OU=SNMP-TLS/CN=tutorial-agent/emailAddress=tutorial-agent@test.net-snmp.org


certs/tutorial-joecool.crt:
subject= /C=US/ST=California/O=Net-SNMP Developers/OU=SNMP-TLS/CN=Joe Cool/emailAddress=joe.cool@test.net-snmp.org
$ net-snmp-cert showcert --fingerprint
/home/dummy/.snmp/tls:

certs/tutorial-agent.crt:
SHA1 Fingerprint=CA:B8:0A:B3:6B:4C:21:2A:F2:92:CD:0B:6B:DF:6A:9F:23:D6:30:4B


certs/tutorial-joecool.crt:
SHA1 Fingerprint=CD:74:45:C9:A3:A3:55:0A:6C:37:03:B2:49:38:B1:01:99:95:8E:43

Now that you have the certificates, you can query the test agent:

snmpget -T my_fingerprint=CD:74:45:C9:A3:A3:55:0A:6C:37:03:B2:49:38:B1:01:99:95:8E:43 \
        -T their_fingerprint=CA:B8:0A:B3:6B:4C:21:2A:F2:92:CD:0B:6B:DF:6A:9F:23:D6:30:4B \
        -v 3 tlstcp:test.net-snmp.org:10161 sysContact.0

That's a long ugly command line, so you might want to add some defaults in your configuration file, snmp.conf. There is an included snmp.conf file, but to ensure that we don't overwrite any existing snmp.conf it must be appended to your existing configuration file.

$ cat $HOME/.snmp/snmp.conf.tutorial >> $HOME/.snmp/snmp.conf

Now try this much simpler query:

$ snmpget -v 3 tlstcp:test.net-snmp.org:10161 sysContact.0
SNMPv2-MIB::sysContact.0 = STRING: Net-SNMP Coders <net-snmp-coders@lists.sourceforge.net>

Tutorial Sections

About the SNMP Protocol

These tutorial links talk about SNMP generically and how the protocol itself works. They are good introductory reading material and the concepts are important to understand before diving into the later tutorials about Net-SNMP itself.

Net-SNMP Command Line Applications

These tutorial pages discuss the command line tools provided in the Net-SNMP suite of tools. Nearly all the example commands in these tutorials works if you try it yourself, as they're all examples that talk to our online Net-SNMP test agent. Given them a shot!

Application Configuration

All of our applications support configuration to allow you to customize how they behave.

Net-SNMP Daemons

Net-SNMP comes with two long-running daemons: a SNMP agent (snmpd) for responding to management requests and a notification receiver (snmptrapd) for receiving SNMP notifications.

Coding Tutorials

Net-SNMP comes with a highly flexible and extensible API. The API allows you to create your own commands, add extensions to the agent to support your own MIBs and perform specialized processing of notifications.

Debugging SNMP Applications and Agents

All our tools and applications have extensive debugging output. These tutorials talk about how the debugging system works and how you can add your own debugging statements to you code:

Operating System Specific Tutorials