Configuring Trap Notification
Once you have traps configured and enabled on a SafeNet Luna Network HSM appliance, you can test that you can successfully receive a trap notification. The description that follows explains how to configure a CentOS Linux virtual machine to test trap notifications. Although your test environment is likely different, these instructions should provide enough information to assist you in your efforts.
To configure trap notification:
1. You need an SNMP trap daemon to receive trap notifications if you follow the test process used herein. Use yum to install net-snmp:
>yum install net-snmp
If you intend to do development, you should also install:
>yum install net-snmp-utils
>yum install net-snmp-devel
2. Create a trap handler to determine what to do with trap notifications. Consider the shell script example from the net-snmp tutorial to create a trap handler. Here is the URL for the tutorial:
http://www.net-snmp.org/tutorial/tutorial-5/commands/snmptrap.html
Here is an example shell script trap handler. You can cut-and-paste this text into a file that you save as /etc/snmp/traps to align with subsequent instructions.
#!/bin/sh
# Trap handler invoked by snmptrapd; $1 is the label given on the traphandle line
# (Fan, PSU, Motherboard). snmptrapd passes the sender's hostname, then its
# transport address, then one "OID value" pair per line on stdin.
read host
read ip
vars=
count=1
while read oid val
do
    count=$((count+1))
    if [ "$vars" = "" ]
    then
        vars="$oid = $val"
    else
        vars="$vars, $oid = $val"
    fi
done
echo a $1 trap from host=$host at IP $ip vars=$vars >>/var/log/messages
3. Configure the snmptrapd.conf file.
a. Navigate to /etc/snmp to locate snmptrapd.conf.
b. Use your favorite editor to modify this file. Cut and paste in the following lines after the commented-out traphandle. Note that the example assumes that you are using pete for the SNMP user and that it only supports three of the SNMP trap types of lsta.
traphandle SAFENET-APPLIANCE-MIB::fanAttentionNotify /etc/snmp/traps Fan
traphandle SAFENET-APPLIANCE-MIB::powerSupplyAttentionNotify /etc/snmp/traps PSU
traphandle SAFENET-APPLIANCE-MIB::motherboardAttentionNotify /etc/snmp/traps Motherboard

###########################################################################
# SECTION: Runtime options
#
# Runtime options

disableAuthorization no
createUser -e 1234567890 pete SHA "PASSWORD" AES "PASSWORD"
authUser log,execute,net pete
4. Copy the required MIBs to /usr/share/snmp/mibs.
a. The following Thales MIBs are provided with the SafeNet Luna HSM Client installation package, in the snmp directory:
CHRYSALIS-UTSP-MIB.txt
SAFENET-APPLIANCE-MIB.txt
SAFENET-GLOBAL-MIB.txt
SAFENET-HSM-MIB.txt
b. The Thales MIBs depend on the following standard MIBs, which are included in a standard net-snmp installation:
SNMPv2-SMI.txt
SNMPv2-TC.txt
5. On your Linux virtual machine, iptables may block SNMP trap packets by default. Perform the following steps to overcome this restriction:
a. Stop iptables.
>/etc/init.d/iptables stop
or, if your platform uses systemd, then stop with
>systemctl stop firewalld
b. Edit /etc/sysconfig/iptables and add the following two lines before the first REJECT directive in the file:
######## Allow SNMP trap packets.
-A INPUT -p udp --dport 162 -j ACCEPT
You do not need to include the comment. For reference, the first REJECT directive in the file on the example VM is:
-A INPUT -j REJECT --reject-with icmp-host-prohibited
Note that the order of specification is important.
c. Start iptables.
>/etc/init.d/iptables start
or, if your platform uses systemd, then restart the service with
>systemctl start firewalld
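Because iptables evaluates rules in order, an ACCEPT for UDP/162 placed after the REJECT line is never reached, which is the ordering point step 5b makes. The following script is an added example (not from the Luna documentation) that checks a rules file in the /etc/sysconfig/iptables format for that ordering; the two sample rule sets it writes are constructed for the demonstration, and the file path is an assumption.

```shell
#!/bin/sh
# Added example, not part of the Luna documentation: verify that an
# /etc/sysconfig/iptables-style rules file accepts UDP/162 (SNMP trap)
# before its first REJECT rule. The sample rule sets are constructed.

# trap_rule_ok FILE -- exit 0 when an "-A INPUT -p udp --dport 162 ... -j ACCEPT"
# rule precedes the first "-A INPUT ... -j REJECT" rule in FILE (or no REJECT
# exists); exit 1 when the rule is missing or comes after the REJECT.
trap_rule_ok() {
    awk '
        /^-A INPUT/ && /-p udp/ && /--dport 162/ && /-j ACCEPT/ && !accept { accept = NR }
        /^-A INPUT/ && /-j REJECT/ && !reject { reject = NR }
        END {
            if (!accept) exit 1            # no trap rule at all
            if (reject && reject < accept) exit 1   # trap rule shadowed by REJECT
            exit 0
        }' "$1"
}

# write_rules FILE good|bad -- write a constructed sample rules file;
# "good" places the trap rule before the REJECT, "bad" after it.
write_rules() {
    if [ "$2" = good ]; then
        cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
######## Allow SNMP trap packets.
-A INPUT -p udp --dport 162 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
    else
        cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p udp --dport 162 -j ACCEPT
COMMIT
EOF
    fi
}

# demo -- exit 0 when the correctly ordered file passes and the
# misordered file is rejected by trap_rule_ok.
demo() {
    good=$(mktemp)
    bad=$(mktemp)
    write_rules "$good" good
    write_rules "$bad" bad
    trap_rule_ok "$good" && ! trap_rule_ok "$bad"
    status=$?
    rm -f "$good" "$bad"
    return $status
}
```

On a real VM, run `trap_rule_ok /etc/sysconfig/iptables` after editing the file and before restarting the service; a non-zero exit means the rule is absent or sits below the REJECT.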
6. SELinux may be enabled on your Linux virtual machine. You need to disable SELinux to start the snmptrapd in a subsequent step. To disable SELinux, type the following at a terminal prompt:
echo 0 >/selinux/enforce
7. Test the SNMP trap daemon.
a. Start the SNMP trap daemon in debug mode to see that the packets are received:
>snmptrapd -Dusm -d -f -Le
NOTE If you choose not to start snmptrapd in debug mode, you must start snmptrapd twice (i.e., start, stop, start). This first invocation constructs the snmptrapd.conf file on the appliance; the second invocation opens and uses this configuration file.
b. Generate a trap on the appliance (see Testing Trap Events on SafeNet Luna Network HSM) and receive the trap packet and a message logged to /var/log/messages.
c. Stop the daemon and start it again, this time as a service:
>service snmptrapd start
d. Generate a trap on the appliance and note a message written to /var/log/messages as an indication of a successful trap notification.
NOTE Either the snmptrap command on the appliance or snmptrapd appears to compress multiple spaces to a single space. If you attempt to do exact pattern matching in a script, keep this point in mind. By way of an example, the following appliance message:
2014 Apr  3 15:47:30 myLUT daemon notice ipmievd: ***TEST : SEQNO_10000 : Fan sensor Fan1A . Lower Critical going low (Reading 2000 .lt Threshold 2000 RPM)
results in a traplog message:
a Fan trap from host=<UNKNOWN> at IP UDP: [xxx.xxx.xxx.xxxx]:47478->[xxx.xxx.xxx.xxx]:162 vars=system.sysUpTime.sysUpTimeInstance = 0:0:28:12.33, .iso.org.dod.internet.snmpV2.snmpModules.snmpMIB.snmpMIBObjects.snmpTrap.snmpTrapOID.0 = enterprises.safenet-inc.safenetRoot.luna.appliance.ssTraps.fanAttentionNotify, enterprises.safenet-inc.safenetRoot.luna.appliance.ssTraps.ssLogReference = [myLUT:xxx.xxx.xxx.xxx / messages / 2014 Apr 3 15:47:30 / ipmievd / 1]
Only a single space separates "Apr" and "3" in the latter message, while two spaces do so in the former message.
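The handler in step 2 and the whitespace note above are served by one added example below (not from the Luna documentation). It reads the same stdin layout snmptrapd passes to a traphandle script (hostname, transport address, then one "OID value" pair per line) and builds the same one-line summary, but quotes its expansions, so the unquoted `echo $vars` word splitting in the step 2 handler, which itself collapses runs of spaces, does not happen here. It also shows how a script that correlates the ssLogReference timestamp with the appliance log line can match regardless of how many spaces survived. The sample trap, the addresses and the log path are constructed assumptions.

```shell
#!/bin/sh
# Added example, not part of the Luna documentation. Reads one trap in the
# snmptrapd traphandle stdin format and writes a summary line; the helper
# log_ref_matches tolerates collapsed spaces when matching the ssLogReference.

LOGFILE="${TRAP_LOGFILE:-/var/log/messages}"   # assumed destination

# Constructed sample of what snmptrapd would pass on stdin for a fan trap.
SAMPLE_TRAP=$(printf '%s\n' \
    'myLUT' \
    'UDP: [192.0.2.10]:47478->[192.0.2.20]:162' \
    'system.sysUpTime.sysUpTimeInstance 0:0:28:12.33' \
    '.iso.org.dod.internet.snmpV2.snmpModules.snmpMIB.snmpMIBObjects.snmpTrap.snmpTrapOID.0 enterprises.safenet-inc.safenetRoot.luna.appliance.ssTraps.fanAttentionNotify' \
    'enterprises.safenet-inc.safenetRoot.luna.appliance.ssTraps.ssLogReference [myLUT:192.0.2.10 / messages / 2014 Apr 3 15:47:30 / ipmievd / 1]')

# format_trap KIND -- read one trap from stdin and print the summary line.
# Every expansion is quoted, so internal spaces in values are preserved.
format_trap() {
    kind=$1
    read -r host
    read -r ip
    vars=
    while read -r oid val; do
        [ -z "$oid" ] && continue        # skip blank lines
        if [ -z "$vars" ]; then
            vars="$oid = $val"
        else
            vars="$vars, $oid = $val"
        fi
    done
    printf 'a %s trap from host=%s at IP %s vars=%s\n' "$kind" "$host" "$ip" "$vars"
}

# log_ref_matches SUMMARY PATTERN -- return 0 when the ssLogReference value
# inside SUMMARY matches PATTERN; any run of whitespace in PATTERN matches
# one or more spaces, so "Apr  3" (appliance log) matches "Apr 3" (trap).
log_ref_matches() {
    summary=$1
    pattern=$(printf '%s' "$2" | sed 's/[[:space:]][[:space:]]*/[[:space:]]+/g')
    ref=$(printf '%s' "$summary" | sed -n 's/.*ssLogReference = \[\(.*\)\].*/\1/p')
    [ -n "$ref" ] && printf '%s' "$ref" | grep -Eq "$pattern"
}

# handle_trap KIND -- entry point snmptrapd would call; appends to $LOGFILE.
handle_trap() {
    line=$(format_trap "$1")
    printf '%s\n' "$line" >> "$LOGFILE"
}

# When run by snmptrapd the label from the traphandle line arrives as $1.
if [ $# -gt 0 ]; then
    handle_trap "$1"
fi
```

To use it in place of the step 2 handler, save it as /etc/snmp/traps, make it executable, and keep the traphandle lines from step 3 unchanged; set TRAP_LOGFILE to a scratch file when trying it by hand.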