integrationguide - utimaco · integrationguide:snmptrapsmonitoringwithopennms imprint copyright2014...
TRANSCRIPT
.
Integration Guide
.
SNMP Traps monitoring withOpenNMSUbuntu 10.4.3
.Integration Guide: SNMP Traps monitoring with OpenNMS
Imprint
copyright 2014 Utimaco IS GmbHGermanusstrasse 4D-52080 AachenGermany
phone +49 (0)241 / 1696-200fax +49 (0)241 / 1696-199web http://hsm.utimaco.comemail [email protected] version 1.2.0date June 2014author System Engineering HSMdocument no. SGCS_IG_SNMP_OpenNMS
all rights reserved No part of this documentation may be reproduced in any form (printing, photocopyor according to any other process) without the written approval of Utimaco IS GmbHor be processed, reproduced or distributed using electronic systems.Utimaco IS GmbH reserves the right to modify or amend the documentation at anytime without prior notice. Utimaco IS GmbH assumes no liability for typographicalerrors and damages incurred due to them.All trademarks and registered trademarks are the property of their respective owners.
.
Contents1 Introduction 4
1.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2 Requirements 5
3 Installation 6
3.1 Configure APT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
3.2 Install and prepare a database for OpenNMS . . . . . . . . . . . . . . . . . . . . . . . . 6
3.3 Install JDK . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
3.4 Install OpenNMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
3.5 Install mib2opennms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
4 Configuration 8
4.1 Configure JAVA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
4.2 Create the events database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
4.3 Run mib2opennms and parse SafeGuard CryptoServer LAN MIB . . . . . . . . . . . . . 9
4.4 Enable SNMP/SNMP Traps on SafeGuard CryptoServer LAN . . . . . . . . . . . . . . . 10
5 Run OpenNMS 10
6 Scan SafeGuard CryptoServer LAN for services 11
7 Further Information 13
.Integration Guide: SNMP Traps monitoring with OpenNMS
1 IntroductionThe present document provides an integration guide for monitoring SNMP and SNMP Traps on Safe-
Guard CryptoServer LAN with OpenNMS, a JAVA based network management application platform.
1.1 OverviewOpenNMS is a management and monitoring tool which unlike other tools is focusing on the services
that network resources provide and not so on the resources themselves. The collection of data can
be performed in either an active or a passivemode. When in activemode, OpenNMS is collecting data
by polling the monitored nodes for the services they provide. On the contrary when in passive mode
the monitoring station running OpenNMS is receiving notifications from the nodes, in case of SNMP
these notifications are SNMP Traps which are forwarded tothe monitoring station. In both cases
unexpected behavior leads to the creation of "events". Events are used by OpenNMS to generate
both statistics (on the long term) about the behavior of the services offered by a resource but also
to generate customized notifications in real time for notifying the system administrator about the
behavior of the monitored devices. The steps that we are going to describe in detail in the following
sections for setting up anOpenNMSmonitoring station andmonitoring SafeGuard CryptoServer LAN,
include in short the following:
• Enabling SNMP and SNMP Traps on SafeGuard CryptoServer LAN (On CryptoServer's side).
• Specifying the IP address of the OpenNMS monitoring station for the Traps to be sent to (On
CryptoServer's side).
• Parsing the SafeGuard CryptoServer LANMIB file into an XML type of file which will allow Open-
NMS to translate the received Traps into meaningful events (On monitoring station's side).
• Adding the created events definition file to the events directory of the OpenNMS installation (On
monitoring station's side).
• Adding the events file name to the "eventconf.xml" file of OpenNMS (On monitoring station's
side).
• Scanning the target SafeGuard CryptoServer LAN for available services (Onmonitoring station's
side).
Page 4
.
2 RequirementsEnsure that SNMP and SNMP Traps are activated and configured on the SafeGuard CryptoServer
LAN. The configuration involves deciding which SNMP Traps to be send and the destination IP ad-
dress of theSNMPmanager. More information about SNMPconfiguration onSafeGuardCryptoServer
LAN can be found in the document SGCryptoServerLAN_Manual_Systemadministrators.
Software- and Hardware Requirements
HSMModel SafeGuard CryptoServer CS-Series/S-Series/Se-Series LAN
HSM Firmware SafeGuard SecurityServer 2.60.0
Software OpenNMS 1.10.0-2
mib2opennms
PostgreSQL
Page 5
.Integration Guide: SNMP Traps monitoring with OpenNMS
3 InstallationThe steps that have to be taken for setting an OpenNMS monitoring stations are described in this
chapter.
3.1 Configure APTIn order for the APT (Advanced Packaging Tool) to be able to find and download the OpenNMS pack-
age, one first has to create a .list file called opennms.list with the content of List 1 and store it
under /etc/apt/sources.list.d.
# contents of /etc/apt/sources.list.d/opennms.list
deb http://debian.opennms.org stable main
deb-src http://debian.opennms.org stable main
Listing 1: opennms.list
To ensure the integrity of the package that is going to be downloaded it is recommended to also down-
load the PGP key for verifying the signature over the OpenNMS package. To do so open a terminal
window and execute the command:
wget -O - http://debian.opennms.org/OPENNM-GPG-KEY | '
sudo apt-key add -
Listing 2: Download PGP key
When done, the OpenNMS package is ready to be downloaded but before proceeding we will install
the rest of the software components which are independent of OpenNMS but necessary for running
it.
3.2 Install and prepare a database for OpenNMSOpenNMS requires a database for storing all the events collected from the monitored devices. The
default database for OpenNMS and the one we also use in the present intergration guide is Post-
greSQL. Downloading and installing PostgreSQL is done by executing the two commands depicted
in List 3 in a terminal window.
sudo apt-get update
sudo apt-get install postgresql
Listing 3: opennms.list
Page 6
.
Due to the fact that PostgreSQL allows connections only to the user account linked to the PostgreSQL
user and OpenNMS runs under the root user account, one has to apply a few changes to the postgres
configuration file for OpenNMS to be allowed to connect to the database. This is done by editing
(List 4) the file pg_hba.conf which can be found under /etc/postgresql/$PGVERSION/main. For
applying these changes root privileges are required.
Change lines:
local all all ident sameuser
host all all 127.0.0.1/32 ident sameuser
host all all ::1/128 ident sameuser
to:
local all all trust
host all all 127.0.0.1/32 trust
host all all ::1/128 trust
Listing 4: PostgreSQL configuration
The database needs then to be restarted for the changes to become effective.
3.3 Install JDKThe JDK used in the present integration guide was open JDK. To download and install it one needs
to execute as root user in a terminal window the commands listed in List 5.
# sudo apt-get update
# sudo apt-get install openjdk-6-jdk
Listing 5: Install Java JDK
3.4 Install OpenNMSNow that all the components are in place, one can move on and download/install OpenNMS. This is
done by typing the command listed in List 6 in a terminal window.
sudo apt-get install opennms
Listing 6: Install OpenNMS
Page 7
.Integration Guide: SNMP Traps monitoring with OpenNMS
3.5 Install mib2opennmsAs alreadymentioned OpenNMS is able of receiving SNMP Traps and translating them intomeaning-
ful events. In order for the interpretation of the OIDs of the Traps received to be meaningful for the
system administrator and device specific and not some general acknowledgements, one has first to
process the MIB files of the monitored devices withthe aim of defining a list of device specific events
which will be generated when a respective SNMP Trap's received. The tool that is used to parse the
device specific MIB files and create and XML type of file which can then be referred to by OpenNMS
is mib2opennms. To download mib2opennms one needs to execute the commands given in List 7 in a
terminal window.
# git clone git://opennms.git.sourceforge.net/gitroot/opennms/ '
mib2opennms
# cd mib2opennms
# git submodule init
# git submodule update
Listing 7: Download mib2opennms file
When the download is complete one need to move to the home directory of mib2opennms and run
the configuration file (List 8).
# ./configure
When done, execute a make install command like:
# make install
This finishes the installation of mib2opennms and all other components necessary to runOpenNMS.In
the next section we are going to see how to configure all the components and parse the SafeGuard
CryptoServer LAN MIB to create a list of meaningfulevents linked to the CryptoServer's SNMP Traps.
4 ConfigurationThe configuration steps for running OpenNMS and monitoring SNMP Traps received from the Cryp-
toServer LAN are described in this chapter.
Page 8
.
4.1 Configure JAVAThe Java environment for OpenNMS is configured by executing the command given in List 8 in a
terminal window.
# sudo /usr/share/opennms/bin/runjava -S /usr/lib/jvm/ '
java-6-openjdk/bin/java
Listing 8: Configuring Java JDK
4.2 Create the events databaseThe next step is to create the database that OpenNMS is going to use for storing the collected data
from themonitored devices. To do so one need to open a terminal window and execute the command
given in List 9.
# sudo /usr/share/opennms/bin/ install -dis
Listing 9: Creating OpenNMS database
4.3 Runmib2opennmsandparse SafeGuardCryptoServerLAN MIB
Parsing the MIB file of the CryptoServer with mib2opennms is done by executing the command de-
picted in List 10 in a terminal window.
mib2opennms -6 UTIMACO-CSLAN3-Mib.mib > UTIMACO-CSLAN3-MIB.events.xml
Listing 10: Parsing UTIMACO-CSLAN3-Mib.mib
The file UTIMACO-CSLAN3-Mib.mib can be retrieved from the directory /etc/snmp/mibs of the Cryp-
toServer LANappliance. In the present guidewehave created the fileUTIMACO-CSLAN3-MIB.events.xml
which we then added to the events directory of the OpenNMS installation. Before adding the file to
this directory one must edit it by adding tags <events> and </events> at the beginning and the end
of the file respectively. When the changes have been applied, one needs to save them close the file
and open the file eventconf.xml which can be found under /opennms/etc. To the end of this file
the line (List 13) is added.
...
<event-file>events/UTIMACO-CSLAN3-MIB.events.xml</event-file>
Page 9
.Integration Guide: SNMP Traps monitoring with OpenNMS
4.4 Enable SNMP/SNMPTraps onSafeGuardCryptoServerLAN
After having the monitoring tool and all its components up and running, SNMP and SNMP Traps can
be enabled on the side of the SafeGuard CryptoServer LAN appliance and the server can start sending
SNMPTraps towards themonitoring station. SNMPand SNMPTraps are enabled in two stages in the
SafeGuard CryptoServer LAN appliance. In order to direct SNMP Traps to the monitoring station one
must first and foremost specify the IP address towards the generated Trapswill be send. This is done
by editing the configuration file snmpd.conf which can be found in the /etc/snmp directory of the
LAN appliance. There, under the field Notification Handling is an entry of the form: trap2sink
IP where IP stands for the destination IP under which the monitor exits on the network (Figure 1).
For a detail description of how to enable SNMP and SNMP Traps on the CryptoServer side and how
to fine-grain which Traps one want to monitor please read section 4.4 of the SafeGuard CryptoServer
LAN System Administration manual.
Figure 1: snmpd.conf
5 Run OpenNMSTo start OpenNMS and connect to the web interface one executes the service command like in next
listing in a terminal window.
sudo /usr/sbin/service opennms start
Listing 11: Start OpenNMS
This will start OpenNMS and make the web login interface available with http://IP ADDRESS:
8980/opennms/ where IP ADDRESS is the IP address of the OpenNMS host (Figure 2). The default
credentials are admin, admin for username and password respectivly.
Page 10
.
Figure 2: OpenNMS Logon
6 ScanSafeGuardCryptoServer LAN for ser-vices
After we are done with the installation of OpenNMS and all its components the first thing to do when
OpenNMS has started, is to verify that the discovery and capability scanning is working as expected
on the monitoring station. To detect available services on devices OpenNMS is using the Capsd dae-
mon. Once the presence of a new node is detected by Capsd (discovery), it is used by other daemons
tomonitor availability and collect data (capability). Capsd is listening for so called new suspect events
Figure 3: OpenNMS Operations
which operate as triggers for executing a series of pluggins and scanning a specific IP address for the
Page 11
.Integration Guide: SNMP Traps monitoring with OpenNMS
services it is offering. Every new suspect event that is received is triggering the creation of a node and
interface which is associated to the scanned IP address. Each service discovered on this IP is written
to the database together with the node and interface it was discovered on. This allows OpenNMS to
keep track of every single node and the services it is offering. With respect to SNMP OpenNMS will
Figure 4: Configure SNMP by IP
scan using the default public SNMP community string. This community string is operating as a form
of authentication providing access to SNMP on the scanned device. To allow OpenNMS to detect
SNMP as an offered service on SafeGuard CryptoServer LAN, one needs to replace the public string
by the string CryptoServer before scanning the SafeGuard CryptoServer LAN for supported services.
This is done by clicking the CONFIGURE SNMP COMMUNITY NAMES BY IP, under the section OPERATIONS
Figure 3.
After submitting this information OpenNMS is ready to scan SafeGuard CryptoServer LAN for the
SNMPservice. WhenSNMPhas been detected on the server as an offered service, every future SNMP
Trap generated will trigger the generation of an event with detailed information about the respective
Trap and register it in the OpenNMS events database.
Page 12
.
7 Further InformationThis document forms a part of the information and support which is provided by the Utimaco Safe-
ware. Additional documentation can be found on the product CD in the documentation directory.
All SafeGuard CryptoServer product documentation is also available at the Utimaco Safeware web-
site: http://hsm.utimaco.com
Page 13
.Integration Guide: SNMP Traps monitoring with OpenNMS
Page 14
.
Page 15
.
Contact
Utimaco IS GmbHGermanusstraße 4D - 52080 AachenGermany
phone +49 241 1696 - 200fax +49 241 1696 - 199
web http://hsm.utimaco.comemail [email protected]
.