Configuring Trap Notification

Once you have traps configured and enabled on a SafeNet Luna Network HSM appliance, you can test that you can successfully receive a trap notification. The description that follows explains how to configure a CentOS Linux virtual machine to test trap notifications. Although your test environment is likely different, these instructions should provide enough information to assist you in your efforts.

To configure trap notification:

1.You need an SNMP trap daemon to receive trap notifications if you follow the test process used herein. Use yum to install net-snmp:

>yum install net-snmp

If you intend to do development, you should also install:

>yum install net-snmp-utils

>yum install net-snmp-devel

2.Create a trap handler to determine what to do with trap notifications. Consider the shell script example from the net-snmp tutorial to create a trap handler. Here is the URL for the tutorial:

http://www.net-snmp.org/tutorial/tutorial-5/commands/snmptrap.html

Here is an example shell script trap handler. You can cut-and-paste this text into a file that you save as /etc/snmp/traps to align with subsequent instructions, and make it executable (chmod +x /etc/snmp/traps), because snmptrapd runs the traphandle program directly.

#!/bin/sh
# snmptrapd writes the sender hostname, then the transport address,
# then one "OID VALUE" line per varbind to the handler's stdin.
read -r host
read -r ip
vars=
count=1

while read -r oid val
do
  count=$((count+1))
  if [ "$vars" = "" ]
  then
    vars="$oid = $val"
  else
    vars="$vars, $oid = $val"
  fi
done

# Quote every expansion: an unquoted value received from the network would
# be word-split (collapsing runs of spaces) and glob-expanded by the shell.
echo "a $1 trap from host=$host at IP $ip vars=$vars" >>/var/log/messages

3.Configure the snmptrapd.conf file.

a.Navigate to /etc/snmp to locate snmptrapd.conf.

b.Use your favorite editor to modify this file. Cut and paste the following lines after the commented-out traphandle. The example assumes that the SNMP user is pete and that it handles only three of the SNMP trap types of lsta. Two values must be adapted to your environment: the hexadecimal engine ID given to -e (1234567890 is a placeholder) must be the SNMPv3 engine ID of the appliance that sends the traps, because for SNMPv3 traps the sender is the authoritative engine and snmptrapd can only authenticate a trap from a user it knows under that engine ID; and "PASSWORD" stands for the real authentication and privacy passphrases, which must match those configured for pete on the appliance. Leave disableAuthorization set to no; setting it to yes makes snmptrapd process traps from any source without checking credentials.

traphandle SAFENET-APPLIANCE-MIB::fanAttentionNotify /etc/snmp/traps Fan
traphandle SAFENET-APPLIANCE-MIB::powerSupplyAttentionNotify /etc/snmp/traps PSU
traphandle SAFENET-APPLIANCE-MIB::motherboardAttentionNotify /etc/snmp/traps Motherboard
 
###########################################################################
# SECTION: Runtime options
#
#   Runtime options
 
disableAuthorization no
 
createUser -e 1234567890 pete SHA "PASSWORD" AES "PASSWORD"
authUser log,execute,net pete

4.Copy the required MIBs to /usr/share/snmp/mibs.

a.The following Thales MIBs are provided with the SafeNet Luna HSM Client installation package, in the snmp directory:

CHRYSALIS-UTSP-MIB.txt
SAFENET-APPLIANCE-MIB.txt
SAFENET-GLOBAL-MIB.txt
SAFENET-HSM-MIB.txt

b.The Thales MIBs depend on the following standard MIBs, which are included in a standard net-snmp installation:

SNMPv2-SMI.txt
SNMPv2-TC.txt

5.On your Linux virtual machine, the host firewall (iptables) may block SNMP trap packets, which arrive on UDP port 162, by default. Perform the following steps to overcome this restriction:

a.Stop iptables.

>/etc/init.d/iptables stop

b.Edit /etc/sysconfig/iptables and add the following two lines before the first REJECT directive in the file:

 ######## Allow SNMP trap packets.
-A INPUT -p udp --dport 162 -j ACCEPT

You do not need to include the comment. If you want to accept traps only from the appliance, add -s followed by the appliance address to the rule. For reference, the first REJECT directive in the file on the example VM is:

-A INPUT -j REJECT --reject-with icmp-host-prohibited

The order of the rules is important: iptables evaluates the INPUT chain from top to bottom, so an ACCEPT placed after the REJECT is never reached.

c.Start iptables.

>/etc/init.d/iptables start

If your platform uses systemd with firewalld instead of the iptables service, editing /etc/sysconfig/iptables has no effect. Rather than stopping firewalld (systemctl stop firewalld), which opens every port on the VM, add a permanent rule for the trap port and reload the firewall:

>firewall-cmd --permanent --add-port=162/udp

>firewall-cmd --reload

6.SELinux may be enforcing on your Linux virtual machine and can prevent snmptrapd from starting or from executing the trap handler in a subsequent step. For the test, switch SELinux to permissive mode; this stays in effect only until the next reboot and does not disable SELinux permanently:

>setenforce 0

This is equivalent to writing 0 to the enforce file directly, /selinux/enforce on CentOS 6 (or /sys/fs/selinux/enforce on later releases):

echo 0 >/selinux/enforce

Permissive mode is a test-only measure. On a trap receiver that stays in service, keep SELinux enforcing and address the specific denials recorded in the audit log instead.

7.Test the SNMP trap daemon.

a.Start the SNMP trap daemon in the foreground with debugging enabled, so that you can see that the packets are received (-f stays in the foreground, -d dumps each packet, -Le logs to stderr, and -Dusm traces the user-based security model processing):

>snmptrapd -Dusm -d -f -Le

NOTE   If you choose not to start snmptrapd in debug mode, you must start snmptrapd twice (i.e., start, stop, start). The first invocation processes the createUser directive into the persistent snmptrapd.conf on the Linux host (under /var/lib/net-snmp, not on the appliance); the second invocation opens and uses that configuration.

b.Generate a trap on the appliance (see Testing Trap Events on SafeNet Luna Network HSM) and confirm that the trap packet is received and a message is logged to /var/log/messages.

c.Stop the daemon and start it again, this time as a service:

>service snmptrapd start

or, on a systemd platform:

>systemctl start snmptrapd

d.Generate a trap on the appliance again; a message written to /var/log/messages indicates a successful trap notification.

NOTE   Runs of spaces in trap values may be collapsed to a single space by the time they reach the log. At least part of this comes from the handler script itself: if it expands its variables unquoted (for example, echo ... vars=$vars), the shell word-splits the values, collapsing whitespace and expanding glob characters such as *. Quote every expansion ("$vars") when the exact text matters, and keep this point in mind if you attempt exact pattern matching in a script. By way of example, the following appliance message:

2014 Apr  3 15:47:30 myLUT  daemon notice  ipmievd: ***TEST : SEQNO_10000 : Fan sensor Fan1A          . Lower Critical going low  (Reading 2000 .lt Threshold 2000 RPM)

results in a traplog message:

a Fan trap from host=<UNKNOWN> at IP UDP: [xxx.xxx.xxx.xxx]:47478->[xxx.xxx.xxx.xxx]:162 vars=system.sysUpTime.sysUpTimeInstance = 0:0:28:12.33, .iso.org.dod.internet.snmpV2.snmpModules.snmpMIB.snmpMIBObjects.snmpTrap.snmpTrapOID.0 = enterprises.safenet-inc.safenetRoot.luna.appliance.ssTraps.fanAttentionNotify, enterprises.safenet-inc.safenetRoot.luna.appliance.ssTraps.ssLogReference = [myLUT:xxx.xxx.xxx.xxx / messages / 2014 Apr 3 15:47:30 / ipmievd / 1]

Only a single space separates "Apr" and "3" in the latter message, while two spaces do so in the former message. (host=<UNKNOWN> means that snmptrapd could not resolve the sender's address to a name.)
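The handler from step 2 and the whitespace behaviour described in the NOTE above can be combined into a hardened version of the trap handler. The script below is an added example written for this page; it is not Thales' or net-snmp's code. It assumes the three labels used on the traphandle lines (Fan, PSU, Motherboard), that logger(1) is available for writing to syslog, and the trap input shown in its comments is constructed, not captured from an appliance. Every expansion is quoted, so runs of spaces in trap values survive and glob characters in a value are never expanded; the handler also ignores labels it was not configured for and extracts the sender address from the transport line that snmptrapd supplies.

```shell
#!/bin/sh
# Hardened traphandle script for snmptrapd (added example, not Thales' code).
# snmptrapd writes to the handler's stdin:
#   line 1: sender hostname (or <UNKNOWN>)
#   line 2: transport address, e.g. "UDP: [192.0.2.10]:47478->[192.0.2.20]:162"
#   then one "OID VALUE" line per varbind.
# (The addresses above are constructed sample input, not real appliances.)

# sender_ip TRANSPORT_LINE: print the source address between the first [ and ].
sender_ip() {
    addr=${1#*\[}                 # drop everything up to the first '['
    printf '%s\n' "${addr%%\]*}"  # keep what precedes the first ']'
}

# format_trap LABEL: read one trap from stdin, print a single log line.
# IFS= read -r keeps each line byte-for-byte; splitting on the first space
# only means the value keeps its internal spacing intact.
format_trap() {
    label=$1
    IFS= read -r host
    IFS= read -r transport
    vars=
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        oid=${line%% *}           # text before the first space
        val=${line#* }            # everything after it, spacing preserved
        if [ "$oid" = "$line" ]; then
            val=                  # varbind line carried no value
        fi
        if [ -z "$vars" ]; then
            vars="$oid = $val"
        else
            vars="$vars, $oid = $val"
        fi
    done
    # Every argument is quoted: no word splitting, no glob expansion of
    # characters such as '*' that arrived in a trap value.
    printf 'a %s trap from host=%s at IP %s vars=%s\n' \
        "$label" "$host" "$(sender_ip "$transport")" "$vars"
}

# When snmptrapd invokes the script, $1 is the label from the traphandle
# line. Only the labels we configured are logged, and they go through
# syslog rather than being appended to /var/log/messages directly.
case "$1" in
    Fan|PSU|Motherboard)
        format_trap "$1" | logger -t snmptrapd -p daemon.notice
        ;;
esac
```

Install it as /etc/snmp/traps, make it executable, and keep the traphandle lines from step 3 unchanged; a test trap then appears in syslog tagged snmptrapd, with the spacing of the appliance message preserved.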