Integration Guide: SNMP Traps monitoring with OpenNMS, Ubuntu 10.4.3


Post on 02-Apr-2020


Page 1: IntegrationGuide - Utimaco · IntegrationGuide:SNMPTrapsmonitoringwithOpenNMS Imprint copyright2014 UtimacoISGmbH Germanusstrasse4 D-52080Aachen Germany phone +49(0)241/1696-200


Imprint

copyright 2014
Utimaco IS GmbH
Germanusstrasse 4
D-52080 Aachen
Germany

phone +49 (0)241 / 1696-200
fax +49 (0)241 / 1696-199
web http://hsm.utimaco.com
email [email protected]
version 1.2.0
date June 2014
author System Engineering HSM
document no. SGCS_IG_SNMP_OpenNMS

all rights reserved

No part of this documentation may be reproduced in any form (printing, photocopy or according to any other process) without the written approval of Utimaco IS GmbH or be processed, reproduced or distributed using electronic systems. Utimaco IS GmbH reserves the right to modify or amend the documentation at any time without prior notice. Utimaco IS GmbH assumes no liability for typographical errors and damages incurred due to them. All trademarks and registered trademarks are the property of their respective owners.

Contents

1 Introduction
1.1 Overview
2 Requirements
3 Installation
3.1 Configure APT
3.2 Install and prepare a database for OpenNMS
3.3 Install JDK
3.4 Install OpenNMS
3.5 Install mib2opennms
4 Configuration
4.1 Configure JAVA
4.2 Create the events database
4.3 Run mib2opennms and parse SafeGuard CryptoServer LAN MIB
4.4 Enable SNMP/SNMP Traps on SafeGuard CryptoServer LAN
5 Run OpenNMS
6 Scan SafeGuard CryptoServer LAN for services
7 Further Information


1 Introduction

The present document provides an integration guide for monitoring SNMP and SNMP Traps on SafeGuard CryptoServer LAN with OpenNMS, a Java-based network management application platform.

1.1 Overview

OpenNMS is a management and monitoring tool which, unlike other tools, focuses on the services that network resources provide rather than on the resources themselves. Data can be collected in either an active or a passive mode. In active mode, OpenNMS collects data by polling the monitored nodes for the services they provide. In passive mode, the monitoring station running OpenNMS receives notifications from the nodes; in the case of SNMP, these notifications are SNMP Traps which are forwarded to the monitoring station. In both cases unexpected behavior leads to the creation of "events". OpenNMS uses events both to generate long-term statistics about the behavior of the services offered by a resource and to generate customized real-time notifications that inform the system administrator about the behavior of the monitored devices. The steps described in detail in the following sections for setting up an OpenNMS monitoring station and monitoring SafeGuard CryptoServer LAN are, in short, the following:

• Enabling SNMP and SNMP Traps on SafeGuard CryptoServer LAN (on CryptoServer's side).
• Specifying the IP address of the OpenNMS monitoring station for the Traps to be sent to (on CryptoServer's side).
• Parsing the SafeGuard CryptoServer LAN MIB file into an XML type of file which will allow OpenNMS to translate the received Traps into meaningful events (on monitoring station's side).
• Adding the created events definition file to the events directory of the OpenNMS installation (on monitoring station's side).
• Adding the events file name to the "eventconf.xml" file of OpenNMS (on monitoring station's side).
• Scanning the target SafeGuard CryptoServer LAN for available services (on monitoring station's side).


2 Requirements

Ensure that SNMP and SNMP Traps are activated and configured on the SafeGuard CryptoServer LAN. The configuration involves deciding which SNMP Traps are to be sent and the destination IP address of the SNMP manager. More information about SNMP configuration on SafeGuard CryptoServer LAN can be found in the document SGCryptoServerLAN_Manual_Systemadministrators.

Software and Hardware Requirements

HSM Model      SafeGuard CryptoServer CS-Series/S-Series/Se-Series LAN
HSM Firmware   SafeGuard SecurityServer 2.60.0
Software       OpenNMS 1.10.0-2
               mib2opennms
               PostgreSQL


3 Installation

The steps required for setting up an OpenNMS monitoring station are described in this chapter.

3.1 Configure APT

In order for APT (Advanced Packaging Tool) to be able to find and download the OpenNMS package, one first has to create a .list file called opennms.list with the content of Listing 1 and store it under /etc/apt/sources.list.d.

# contents of /etc/apt/sources.list.d/opennms.list
deb http://debian.opennms.org stable main
deb-src http://debian.opennms.org stable main

Listing 1: opennms.list

To ensure the integrity of the package that is going to be downloaded, it is recommended to also download the PGP key for verifying the signature over the OpenNMS package. To do so, open a terminal window and execute the command:

wget -O - http://debian.opennms.org/OPENNMS-GPG-KEY | sudo apt-key add -

Listing 2: Download PGP key

When done, the OpenNMS package is ready to be downloaded, but before proceeding we will install the rest of the software components which are independent of OpenNMS but necessary for running it.

3.2 Install and prepare a database for OpenNMS

OpenNMS requires a database for storing all the events collected from the monitored devices. The default database for OpenNMS, and the one we also use in the present integration guide, is PostgreSQL. Downloading and installing PostgreSQL is done by executing the two commands depicted in Listing 3 in a terminal window.

sudo apt-get update
sudo apt-get install postgresql

Listing 3: opennms.list


Because PostgreSQL only allows connections from the user account linked to the PostgreSQL user, while OpenNMS runs under the root user account, a few changes have to be applied to the PostgreSQL configuration file so that OpenNMS is allowed to connect to the database. This is done by editing the file pg_hba.conf (Listing 4), which can be found under /etc/postgresql/$PGVERSION/main. Root privileges are required for applying these changes.

Change lines:

local   all   all                  ident sameuser
host    all   all   127.0.0.1/32   ident sameuser
host    all   all   ::1/128        ident sameuser

to:

local   all   all                  trust
host    all   all   127.0.0.1/32   trust
host    all   all   ::1/128        trust

Listing 4: PostgreSQL configuration

The database then needs to be restarted for the changes to become effective.
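With the trust method, PostgreSQL accepts a matching connection as any database user without a password, so it is worth confirming that no trust rule reaches beyond the local socket and loopback. The following check is an added example, not part of the original guide; the function name audit_pg_hba and the sample rules are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the guide): report every "trust" rule in a
# pg_hba.conf. Returns 1 if a trust rule accepts non-loopback clients.
audit_pg_hba() {
    awk '
        BEGIN { bad = 0 }
        NF == 0 || $1 ~ /^#/ { next }      # skip blank lines and comments
        {
            type = $1; addr = "-"; mask = ""; method = $4
            if (type != "local") {
                addr = $4; method = $5
                # "ADDRESS NETMASK method" form puts the method in field 6
                if ($5 ~ /^[0-9]+\.[0-9.]+$/) { mask = $5; method = $6 }
            }
            if (method != "trust") next
            scope = "REMOTE"
            if (type == "local" || addr == "samehost" || addr == "::1/128") scope = "loopback"
            if (addr ~ /^127\.[0-9.]+\/(8|9|[12][0-9]|3[0-2])$/) scope = "loopback"
            if (addr ~ /^127\.[0-9.]+$/ && mask ~ /^255\./) scope = "loopback"
            if (scope == "REMOTE") bad = 1
            printf "%s line %d: %s db=%s user=%s addr=%s\n", scope, NR, type, $2, $3, addr
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample: the three rules from Listing 4 plus one wider rule.
sample=$(mktemp)
cat > "$sample" <<'EOF'
local   all   all                   trust
host    all   all   127.0.0.1/32    trust
host    all   all   ::1/128         trust
host    all   all   192.0.2.0/24    trust
EOF
audit_pg_hba "$sample" || echo "a trust rule is reachable from the network"
rm -f "$sample"
```

On the monitoring station the function would be pointed at /etc/postgresql/$PGVERSION/main/pg_hba.conf after the edit.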

3.3 Install JDK

The JDK used in the present integration guide was OpenJDK. To download and install it, one needs to execute the commands listed in Listing 5 as root user in a terminal window.

# sudo apt-get update
# sudo apt-get install openjdk-6-jdk

Listing 5: Install Java JDK

3.4 Install OpenNMS

Now that all the components are in place, one can move on and download and install OpenNMS. This is done by typing the command listed in Listing 6 in a terminal window.

sudo apt-get install opennms

Listing 6: Install OpenNMS


3.5 Install mib2opennms

As already mentioned, OpenNMS is capable of receiving SNMP Traps and translating them into meaningful events. For the interpretation of the OIDs of the received Traps to be device specific and meaningful to the system administrator, rather than a set of general acknowledgements, one first has to process the MIB files of the monitored devices in order to define a list of device-specific events which will be generated when the respective SNMP Trap is received. The tool used to parse the device-specific MIB files and create an XML type of file which OpenNMS can then refer to is mib2opennms. To download mib2opennms, one needs to execute the commands given in Listing 7 in a terminal window.

# git clone git://opennms.git.sourceforge.net/gitroot/opennms/mib2opennms
# cd mib2opennms
# git submodule init
# git submodule update

Listing 7: Download mib2opennms file

When the download is complete, one needs to move to the home directory of mib2opennms and run the configuration file (Listing 8).

# ./configure

When done, execute a make install command like:

# make install

This finishes the installation of mib2opennms and all other components necessary to run OpenNMS. In the next section we are going to see how to configure all the components and parse the SafeGuard CryptoServer LAN MIB to create a list of meaningful events linked to the CryptoServer's SNMP Traps.

4 Configuration

The configuration steps for running OpenNMS and monitoring SNMP Traps received from the CryptoServer LAN are described in this chapter.


4.1 Configure JAVA

The Java environment for OpenNMS is configured by executing the command given in Listing 8 in a terminal window.

# sudo /usr/share/opennms/bin/runjava -S /usr/lib/jvm/java-6-openjdk/bin/java

Listing 8: Configuring Java JDK

4.2 Create the events database

The next step is to create the database that OpenNMS is going to use for storing the data collected from the monitored devices. To do so, one needs to open a terminal window and execute the command given in Listing 9.

# sudo /usr/share/opennms/bin/install -dis

Listing 9: Creating OpenNMS database

4.3 Run mib2opennms and parse SafeGuard CryptoServer LAN MIB

Parsing the MIB file of the CryptoServer with mib2opennms is done by executing the command depicted in Listing 10 in a terminal window.

mib2opennms -6 UTIMACO-CSLAN3-Mib.mib > UTIMACO-CSLAN3-MIB.events.xml

Listing 10: Parsing UTIMACO-CSLAN3-Mib.mib

The file UTIMACO-CSLAN3-Mib.mib can be retrieved from the directory /etc/snmp/mibs of the CryptoServer LAN appliance. In the present guide we have created the file UTIMACO-CSLAN3-MIB.events.xml, which we then added to the events directory of the OpenNMS installation. Before adding the file to this directory, one must edit it by adding the tags <events> and </events> at the beginning and the end of the file respectively. When the changes have been applied, one needs to save them, close the file and open the file eventconf.xml, which can be found under /opennms/etc. To the end of this file the line (Listing 13) is added.

...

<event-file>events/UTIMACO-CSLAN3-MIB.events.xml</event-file>
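The two manual edits above can be scripted so that a repeated run does not add a second entry. This is an added example, not part of the original guide: the function names wrap_events and register_events are hypothetical, the demo files are constructed, and the entry is placed just before the closing </events> tag of eventconf.xml so that the file stays well-formed.

```sh
#!/bin/sh
# Added example (not from the guide). File names follow section 4.3.

# wrap_events IN OUT: enclose raw mib2opennms output in <events>...</events>.
wrap_events() {
    if grep -q '<events[ >]' "$1"; then
        cp "$1" "$2"                       # already wrapped, keep as is
    else
        { echo '<events>'; cat "$1"; echo '</events>'; } > "$2"
    fi
}

# register_events EVENTCONF RELPATH: add one <event-file> entry just before
# the closing </events> tag of eventconf.xml; a second run changes nothing.
register_events() {
    conf=$1; rel=$2
    grep -qF "<event-file>$rel</event-file>" "$conf" && return 0
    grep -q '^[[:space:]]*</events>[[:space:]]*$' "$conf" || {
        echo "register_events: no closing </events> line in $conf" >&2
        return 1
    }
    cp -p "$conf" "$conf.bak"              # keep the previous version
    awk -v rel="$rel" '
        /^[ \t]*<\/events>[ \t]*$/ { print "  <event-file>" rel "</event-file>" }
        { print }
    ' "$conf.bak" > "$conf"
}

# Constructed demo in a scratch directory; on the monitoring station the
# targets are the events directory and eventconf.xml of the installation.
d=$(mktemp -d)
printf '<event>\n  <uei>uei.example/constructedTrap</uei>\n</event>\n' > "$d/raw.xml"
printf '<events>\n  <event-file>events/constructed-sample.events.xml</event-file>\n</events>\n' > "$d/eventconf.xml"
wrap_events "$d/raw.xml" "$d/UTIMACO-CSLAN3-MIB.events.xml"
register_events "$d/eventconf.xml" events/UTIMACO-CSLAN3-MIB.events.xml
register_events "$d/eventconf.xml" events/UTIMACO-CSLAN3-MIB.events.xml   # no-op
cat "$d/eventconf.xml"
rm -rf "$d"
```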


4.4 Enable SNMP/SNMP Traps on SafeGuard CryptoServer LAN

After having the monitoring tool and all its components up and running, SNMP and SNMP Traps can be enabled on the side of the SafeGuard CryptoServer LAN appliance, and the server can start sending SNMP Traps towards the monitoring station. SNMP and SNMP Traps are enabled in two stages in the SafeGuard CryptoServer LAN appliance. In order to direct SNMP Traps to the monitoring station, one must first and foremost specify the IP address to which the generated Traps will be sent. This is done by editing the configuration file snmpd.conf, which can be found in the /etc/snmp directory of the LAN appliance. There, under the field Notification Handling, is an entry of the form trap2sink IP, where IP stands for the destination IP under which the monitor exists on the network (Figure 1). For a detailed description of how to enable SNMP and SNMP Traps on the CryptoServer side and how to fine-tune which Traps one wants to monitor, please read section 4.4 of the SafeGuard CryptoServer LAN System Administration manual.

Figure 1: snmpd.conf

5 Run OpenNMS

To start OpenNMS and connect to the web interface, execute the service command shown in the next listing in a terminal window.

sudo /usr/sbin/service opennms start

Listing 11: Start OpenNMS

This will start OpenNMS and make the web login interface available at http://IP ADDRESS:8980/opennms/, where IP ADDRESS is the IP address of the OpenNMS host (Figure 2). The default credentials are admin and admin for username and password respectively.


Figure 2: OpenNMS Logon

6 Scan SafeGuard CryptoServer LAN for services

After the installation of OpenNMS and all its components is done, the first thing to do once OpenNMS has started is to verify that discovery and capability scanning are working as expected on the monitoring station. To detect available services on devices, OpenNMS uses the Capsd daemon. Once the presence of a new node is detected by Capsd (discovery), it is used by other daemons to monitor availability and collect data (capability). Capsd listens for so-called new suspect events, which operate as triggers for executing a series of plugins and scanning a specific IP address for the services it is offering. Every new suspect event that is received triggers the creation of a node and interface associated with the scanned IP address. Each service discovered on this IP is written to the database together with the node and interface it was discovered on. This allows OpenNMS to keep track of every single node and the services it is offering.

Figure 3: OpenNMS Operations

With respect to SNMP, OpenNMS will scan using the default public SNMP community string. This community string operates as a form of authentication providing access to SNMP on the scanned device. To allow OpenNMS to detect SNMP as an offered service on SafeGuard CryptoServer LAN, one needs to replace the public string by the string CryptoServer before scanning the SafeGuard CryptoServer LAN for supported services. This is done by clicking CONFIGURE SNMP COMMUNITY NAMES BY IP under the section OPERATIONS (Figure 3).

Figure 4: Configure SNMP by IP

After submitting this information, OpenNMS is ready to scan SafeGuard CryptoServer LAN for the SNMP service. When SNMP has been detected on the server as an offered service, every future SNMP Trap generated will trigger the generation of an event with detailed information about the respective Trap and register it in the OpenNMS events database.


7 Further Information

This document forms a part of the information and support which is provided by Utimaco Safeware. Additional documentation can be found on the product CD in the documentation directory.

All SafeGuard CryptoServer product documentation is also available at the Utimaco Safeware website: http://hsm.utimaco.com


Contact

Utimaco IS GmbH
Germanusstraße 4
D - 52080 Aachen
Germany

phone +49 241 1696 - 200
fax +49 241 1696 - 199
web http://hsm.utimaco.com
email [email protected]