TUT:Using_TLS - fenner/net-snmp-wiki-experiment GitHub Wiki
"SNMP over DTLS over UDP" and "SNMP over TLS over TCP" (RFC5953) are supported in Net-SNMP 5.6 and beyond. This page describes how to use DTLS or TLS for the end user. For information on the administering and configuring the agent with DTLS/TLS support, see Using_DTLS.
TLS and DTLS make use of the Transport Security Model (TSM) security model, defined in RFC5591 which was created as an alternative to the USM security model (which is discussed in the SNMPv3 Options tutorial.
DTLS vs TLS
TLS and DTLS both protect SNMP messages in transit. TLS runs over TCP port 10161 and DTLS over UDP port 10161; each has its own advantages, and a discussion of them is beyond the scope of this tutorial.
The examples below use the tls: and tlstcp: prefixes (TLS over TCP); the dtlsudp: prefix selects DTLS over UDP instead. Our test.net-snmp.org server responds on both transports, so you can try either.
Required Build Options
Net-SNMP must have been built with the following configure options for this tutorial to work:
--with-security-modules=tsm --with-transports="DTLSUDP TLSTCP"
Zero-config Example
Importing the tutorial certificates
You must download and install three certificates: the one you will use to identify yourself to the agent (tutorial-joecool, with its private key), the one the agent will present for verification (tutorial-agent), and the certificate authority that signed the agent's certificate (tutorial-CA). The net-snmp-cert utility can import the certificates and put them in the proper locations for you. Note that tutorial-joecool's private key is fetched from a public URL: it demonstrates the mechanism but proves nothing about identity, so never reuse it outside this tutorial.
$ net-snmp-cert -t tutorial-joecool import \
    http://www.net-snmp.org/tutorial/tutorial-5/certificates/tutorial-joecool.crt \
    http://www.net-snmp.org/tutorial/tutorial-5/certificates/tutorial-joecool.key
$ net-snmp-cert -t tutorial-agent import \
    http://www.net-snmp.org/tutorial/tutorial-5/certificates/tutorial-agent.crt
$ net-snmp-cert -t tutorial-CA import \
    http://www.net-snmp.org/tutorial/tutorial-5/certificates/tutorial-CA.crt
Querying the Net-SNMP test server
In these examples, test.net-snmp.org is the host name of the agent to query. The requests use SNMP version 3 with the Transport Security Model, and each message is authPriv: its authentication and privacy are provided by the TLS (or DTLS) session, which is set up using the certificates identified by the given certificate tags. The OID requested is sysUpTime.0 from the MIB module SNMPv2-MIB.
First we directly specify both our identity and the identity we expect the agent to present:
$ snmpget -T our_identity=tutorial-joecool \
    -T their_identity=tutorial-agent \
    -t 10 tls:test.net-snmp.org sysUpTime.0
You can also specify a trusted certificate authority (CA) for the agent, instead of a specific certificate:
$ snmpget -T our_identity=tutorial-joecool \
    -T trust_cert=tutorial-CA \
    -t 10 tls:test.net-snmp.org sysUpTime.0
Once you add the certificate options to your configuration file, you no longer need to name the certificates on the command line:
$ echo trustCert tutorial-CA >> $HOME/.snmp/snmp.conf
$ echo clientCert tutorial-joecool >> $HOME/.snmp/snmp.conf
$ snmpget -t 10 tls:test.net-snmp.org sysUpTime.0
Obtaining and using test.net-snmp.org certificates
You will need the certificates for the Net-SNMP test server and the test user for this tutorial. A compressed tarball is available from the tutorial site, along with its GPG signature; the individual files can also be downloaded separately. The net-snmp-cert command can pull them directly from a URL, as shown in the previous example.
Extracting the tarball
If you retrieved the whole tarball (tutorial-.snmp.tar.gz), uncompress it in your home directory:
$ tar xvfz tutorial-.snmp.tar.gz
.snmp/
.snmp/snmp.conf.tutorial
.snmp/tls/
.snmp/tls/newcerts/
.snmp/tls/private/
.snmp/tls/private/tutorial-joecool.key
.snmp/tls/ca-certs/
.snmp/tls/ca-certs/tutorial-CA.crt
.snmp/tls/certs/
.snmp/tls/certs/tutorial-joecool.crt
.snmp/tls/certs/tutorial-agent.crt
You can use net-snmp-cert to show you the certificates (and their fingerprints):
$ net-snmp-cert showcert
/home/dummy/.snmp/tls:
certs/tutorial-agent.crt:
subject= /C=US/ST=California/O=Net-SNMP Developers/OU=SNMP-TLS/CN=tutorial-agent/[email protected]
certs/tutorial-joecool.crt:
subject= /C=US/ST=California/O=Net-SNMP Developers/OU=SNMP-TLS/CN=Joe Cool/[email protected]
$ net-snmp-cert showcert --fingerprint
/home/dummy/.snmp/tls:
certs/tutorial-agent.crt:
SHA1 Fingerprint=CA:B8:0A:B3:6B:4C:21:2A:F2:92:CD:0B:6B:DF:6A:9F:23:D6:30:4B
certs/tutorial-joecool.crt:
SHA1 Fingerprint=CD:74:45:C9:A3:A3:55:0A:6C:37:03:B2:49:38:B1:01:99:95:8E:43
Querying the demo agent
Querying using filenames for keys
Now that you have the certificates, you can query the test agent by referring to them by name (the certificate file name without its extension, which is also the tag you gave to net-snmp-cert):
snmpget -T our_identity=tutorial-joecool \
-T their_identity=tutorial-agent \
tlstcp:test.net-snmp.org sysContact.0
Querying using fingerprints for keys
or the fingerprints:
snmpget -T our_identity=CD:74:45:C9:A3:A3:55:0A:6C:37:03:B2:49:38:B1:01:99:95:8E:43 \
-T their_identity=CA:B8:0A:B3:6B:4C:21:2A:F2:92:CD:0B:6B:DF:6A:9F:23:D6:30:4B \
tls:test.net-snmp.org sysContact.0
Querying using a trusted CA certificate and the agent's host name
You can also specify that you trust the CA that signed the agent's certificate, rather than naming that certificate directly. Net-SNMP then verifies the presented certificate against the CA and checks that it carries the host name you gave on the command line:
snmpget -T our_identity=tutorial-joecool \
 -T trust_cert=tutorial-CA \
 tlstcp:test.net-snmp.org sysContact.0
(This fails if the presented certificate does not contain "test.net-snmp.org". Note that the -T option is trust_cert, as in the earlier example; trustCert is the spelling used in snmp.conf.)
Setting up configuration
Those are long, ugly command lines, so you may want to put defaults in your configuration file, snmp.conf. The tarball includes a ready-made snmp.conf.tutorial; to be sure you don't overwrite an existing snmp.conf, append it to your configuration file rather than copying it into place:
$ cat $HOME/.snmp/snmp.conf.tutorial >> $HOME/.snmp/snmp.conf
Now try this much simpler query:
$ snmpget tls:test.net-snmp.org sysContact.0
SNMPv2-MIB::sysContact.0 = STRING: Net-SNMP Coders <[email protected]>
Getting tutorial certificates into a Java Keystore
If you need to use a Java client for testing, you have to jump through a few hoops to get Java to use the tutorial certificates.
Public Certificates
Importing certificates is pretty easy.
keytool -import -keystore net-snmp.jks -alias tutorial-ca -file ca-certs/tutorial-CA.crt
keytool rejects the human-readable text that precedes the PEM block in the agent certificate file, so copy the file and delete everything before '-----BEGIN CERTIFICATE-----':
cp certs/tutorial-agent.crt /tmp/tutorial-agent.crt
vi /tmp/tutorial-agent.crt
keytool -import -keystore net-snmp.jks -alias tutorial-agent -file /tmp/tutorial-agent.crt
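Two steps on this page involve handling the certificate files by hand: reading the SHA1 fingerprint off `net-snmp-cert showcert --fingerprint` to use as `their_identity` (see "Querying using fingerprints for keys"), and deleting the text dump in front of `-----BEGIN CERTIFICATE-----` so keytool will accept the file. The following Python helper, added here as an example and not part of Net-SNMP or of this tutorial's files, does both with the standard library only: it extracts clean PEM blocks, decodes them to DER, prints the fingerprint in the colon-separated form Net-SNMP uses, and can check a presented certificate against a pinned fingerprint. The built-in sample input is constructed (its base64 body is just the bytes `abc`, not a real certificate), so the fingerprints it prints are the standard SHA-1 and SHA-256 test vectors; run it on `certs/tutorial-agent.crt` to compare against the value shown above.

```python
"""Certificate helpers for Net-SNMP TLS identities (added example, stdlib only)."""
import base64
import hashlib
import hmac
import re
import sys

# One PEM certificate block. Anything outside the BEGIN/END markers (such as
# the human-readable dump in front of the tutorial's agent certificate, which
# keytool rejects) is ignored.
_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def pem_blocks(text):
    """Return every certificate in `text` as a clean PEM block (64-char lines).

    This is the form keytool -import accepts, so it replaces the manual
    edit in vi described above.
    """
    blocks = []
    for m in _PEM_RE.finditer(text):
        body = "".join(m.group(1).split())  # drop embedded whitespace/newlines
        lines = [body[i:i + 64] for i in range(0, len(body), 64)]
        blocks.append(
            "-----BEGIN CERTIFICATE-----\n"
            + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n"
        )
    return blocks


def pem_to_der(pem):
    """Decode the first PEM certificate block in `pem` to DER bytes."""
    m = _PEM_RE.search(pem)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def fingerprint(der, algo="sha1"):
    """Digest of the DER certificate as upper-case, colon-separated hex.

    With the default algo this is the "SHA1 Fingerprint=" value that
    `net-snmp-cert showcert --fingerprint` prints and that snmpget accepts
    for -T their_identity=... / -T our_identity=... . SHA-256 is offered for
    your own pinning records.
    """
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_pin(der, pinned, algo="sha1"):
    """Compare a presented certificate against a pinned fingerprint.

    Case-insensitive; constant-time so the comparison itself leaks nothing.
    """
    return hmac.compare_digest(fingerprint(der, algo), pinned.strip().upper())


# Constructed sample input: the layout mimics a certificate file with a text
# dump before the PEM block, but the base64 body is only the bytes b"abc",
# not a real X.509 certificate.
SAMPLE_FILE = """\
Certificate:
    Data:
        Subject: CN=tutorial-agent
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""


def report(text):
    """(clean PEM, SHA1 fingerprint, SHA256 fingerprint) for each certificate in `text`."""
    out = []
    for pem in pem_blocks(text):
        der = pem_to_der(pem)
        out.append((pem, fingerprint(der, "sha1"), fingerprint(der, "sha256")))
    return out


if __name__ == "__main__":
    # Usage: python3 snmp_cert_fp.py [certificate.crt]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FILE
    for pem, sha1, sha256 in report(text):
        sys.stdout.write(pem)
        print("SHA1 Fingerprint=" + sha1)
        print("SHA256 Fingerprint=" + sha256)
        print("snmpget -T their_identity=" + sha1 + " tlstcp:<agent> sysUpTime.0")
```

Redirect the PEM output to a file and feed that to keytool instead of editing by hand; the printed snmpget line uses the same fingerprint form as the example earlier on this page.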
Private Keys
Private keys, not so easy.
First convert them to DER:
openssl x509 -in certs/tutorial-joecool.crt -inform PEM -out joecool-cert.der -outform DER
openssl pkcs8 -topk8 -nocrypt -in private/tutorial-joecool.key -inform PEM -out joecool-key.der -outform DER
Java's keytool can't import private keys, so we have to rely on the kindness of strangers. In this case, Neal Groothuis. Head over to http://www.nealgroothuis.name/import-a-private-key-into-a-java-keystore/ and cut-and-paste his KeyStoreImport.java code to a local file. WARNING: KeyStoreImport will echo your password!
javac KeyStoreImport.java
java KeyStoreImport net-snmp.jks joecool-cert.der joecool-key.der joecool
Check your work:
keytool -list -keystore net-snmp.jks