Credentials
NetObserv SNMP Trap makes it simple to securely add credentials for the trap listener to use.
The directory of the listener credential files is specified by EF_INPUT_TRAP_LISTENER_CREDENTIALS_DIRECTORY_PATH in the trapcoll configuration options. The default location is /etc/elastiflow/snmp/traps/credentials. See credentials.yml for a template.
Currently, credentials only work for SNMP v3 Traps. Community strings are not enforced.
Trap SNMP v3 Credential File Example
Example File Structure:
credentials:
  users:
    - username: myuser1
      authentication_protocol: md5
      authentication_passphrase: mypassword1
      privacy_protocol: aes
      privacy_passphrase: myprivacy1
      authoritative_engine_id: authoritative_engine_id
    - username: myuser2
      authentication_protocol: md5
      authentication_passphrase: mypassword2
      privacy_protocol: aes
      privacy_passphrase: myprivacy2
      authoritative_engine_id: authoritative_engine_id
Configuration Attributes
Currently, there are no default values for these fields and all fields are required.
username
The username of the listener credential.
EXAMPLE: myuser1
authentication_protocol
The authentication protocol used to authenticate the username with the incoming device Trap using SNMPv3.
Valid Values:
- noauth
- md5
- sha
- sha224
- sha256
- sha384
- sha512
authentication_passphrase
The authentication passphrase used to authenticate the username with the device using SNMPv3.
Currently only device-level polling intervals are supported. A future enhancement will include support for object-level interval override of the device-level value.
privacy_protocol
The privacy protocol used to encrypt SNMPv3 traffic between the SNMP device and the Trap listener.
Valid Values:
- nopriv
- des
- aes
- aes192
- aes256
- aes192c
- aes256c
privacy_passphrase
The privacy passphrase used to encrypt SNMPv3 traffic between the SNMP input and the device.
authoritative_engine_id
The authoritative engine ID used to make an SNMP request with SNMPv3.
The authoritative_engine_id used in each credential must exactly match the authoritative_engine_id set for the Trap listener via the EF_INPUT_TRAP_LISTENER_AUTHORITATIVE_ENGINE_ID setting.
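The rules above (every field required, protocol values from the valid lists, engine ID equal to the listener's) can be checked before a credential file is deployed. The following is an added example, not NetObserv code: it audits a credentials document that a YAML loader has already parsed into a dict. The function name, the finding format, the warnings on noauth, md5, nopriv and des, and the sample engine IDs are assumptions made for illustration.

```python
# Added example (not NetObserv code): audit a parsed credentials document.
REQUIRED = ("username", "authentication_protocol", "authentication_passphrase",
            "privacy_protocol", "privacy_passphrase", "authoritative_engine_id")
AUTH = {"noauth", "md5", "sha", "sha224", "sha256", "sha384", "sha512"}
PRIV = {"nopriv", "des", "aes", "aes192", "aes256", "aes192c", "aes256c"}
WEAK = {"noauth": "traps are not authenticated", "md5": "MD5 is a legacy hash",
        "nopriv": "traps are not encrypted", "des": "DES is a legacy cipher"}


def audit_credentials(doc, listener_engine_id):
    """Return (username, severity, message) findings for every user entry."""
    out = []
    users = (doc.get("credentials") or {}).get("users") or []
    for i, user in enumerate(users):
        name = user.get("username") or f"users[{i}]"
        for key in REQUIRED:  # per the page: all fields required, no defaults
            if not user.get(key):
                out.append((name, "error", f"missing {key}"))
        auth = user.get("authentication_protocol")
        priv = user.get("privacy_protocol")
        for field, value, valid in (("authentication_protocol", auth, AUTH),
                                    ("privacy_protocol", priv, PRIV)):
            if value and value not in valid:
                out.append((name, "error", f"invalid {field}: {value}"))
            elif value in WEAK:
                out.append((name, "warn", f"{value}: {WEAK[value]}"))
        if auth == "noauth" and priv in PRIV - {"nopriv"}:
            out.append((name, "warn", "privacy without authentication is "
                        "not an SNMPv3 USM security level"))
        engine_id = user.get("authoritative_engine_id")
        if engine_id and engine_id != listener_engine_id:
            out.append((name, "error", "authoritative_engine_id does not "
                        "match the listener's engine ID"))
    return out


# Constructed sample: placeholder engine IDs and passphrases.
SAMPLE = {"credentials": {"users": [
    {"username": "myuser1", "authentication_protocol": "md5",
     "authentication_passphrase": "mypassword1", "privacy_protocol": "aes",
     "privacy_passphrase": "myprivacy1",
     "authoritative_engine_id": "ENGINE-ID-PLACEHOLDER"},
    {"username": "myuser2", "authentication_protocol": "noauth",
     "authentication_passphrase": "mypassword2", "privacy_protocol": "aes",
     "authoritative_engine_id": "OTHER-ENGINE-ID"},
]}}

if __name__ == "__main__":
    print(*audit_credentials(SAMPLE, "ENGINE-ID-PLACEHOLDER"), sep="\n")
```

Pass the value of EF_INPUT_TRAP_LISTENER_AUTHORITATIVE_ENGINE_ID as the second argument so the comparison uses the listener's actual engine ID.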
Credential File Encryption
Credential files located in the directory specified by EF_INPUT_TRAP_LISTENER_CREDENTIALS_DIRECTORY_PATH can be encrypted using industry-standard AGE encryption by setting EF_INPUT_TRAP_LISTENER_CREDENTIALS_SECURE_STORE_ENABLE to true.
Please visit Trap Listener Credentials Encryption to learn more.