Академический Документы
Профессиональный Документы
Культура Документы
Description of SNMPv3 1
Communication Solutions
PowerLink 50/100 & Tele-
protection Signalling SWT
3000
>P3.5.120
C53000-X6076-C241-1
Note
Please observe safety notes and warnings for your own safety.
1 Description of SNMPv3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5
1.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6
1.2 SNMPv3 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7
1.3 USM User Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9
1.3.1 Using the USM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9
1.3.2 Example: Create New User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10
1.4 VACM Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12
1.4.1 Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12
1.4.2 Example: Assign Access Right . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13
1.5 Key Reset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16
1.6 Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
1.6.1 Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
1.6.2 Example: Create Notification Entry through SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
Smart Communication PowerLink 50/100 & Teleprotection Signalling SWT 3000, Application Notes for SNMPv3 3
C53000-X6076-C241-1, Edition 09.2012
Table of Contents
4 Smart Communication PowerLink 50/100 & Teleprotection Signalling SWT 3000, Application Notes for SNMPv3
C53000-X6076-C241-1, Edition 09.2012
1 Description of SNMPv3
1.1 Introduction 6
1.6 Notification 17
Smart Communication PowerLink 50/100 & Teleprotection Signalling SWT 3000, Application Notes for SNMPv3 5
C53000-X6076-C241-1, Edition 09.2012
Description of SNMPv3
1.1 Introduction
1.1 Introduction
.
Authentication in SNMP version 1 and version 2 is nothing more than a password (community string) which is
sent in plaintext between the network manager and the SNMP agent. It is easy for someone to intercept the
community string. Once the intercepter has the community string, he can read and modify the device configu-
ration or even shutdown the device.
The Simple Network Management Protocol Version 3 (SNMPv3) addresses the cryptographic security weak-
ness of SNMPv1 and SNMPv2 using following methods:
User-based Security Model (USM):
Each user has a name, authentication key and privacy key. MD5 or SHA-1 authentication protocol is used
to authentication SNMPv3 message. SNMPv3 agent authenticates the incoming request message with
authentication key, and rejects the access if the authentication has failed.
The SNMPv3 message data is encrypted and decrypted with privacy key using DES protocol.
View-based Access Control Model:
It is used to control the access of USM user to the managed object of MIB.
SNMPv3 is supported in both PowerLink and SWT 3000 (release P3.5.120). Additionally, the notification can
be sent out through both SNMP Trap and Inform.
The standard MIB modules are used for SNMPv3 and notification operation.
The private MIB modules are used to access PowerLink and SWT 3000 device configurations.
Table 1-2 Private MIB Modules of PowerLink and SWT 3000
MIB Comments
SIEMENS-POWERLINK-CSPI-MIB This MIB module provides mechanisms to access PowerLink
CSPi settings.
SIEMENS-POWERLINK-CSPI-IPCON- This MIB module provides mechanisms to access PowerLink
MIB CSPi IP related settings.
SIEMENS-POWERLINK-CSPI-VMUX-MIB This MIB module provides mechanisms to access PowerLink
vMux settings.
SIEMENS-POWERLINK-CSPI- This MIB module provides mechanisms to access integrated
ISWT3000R3_5-MIB SWT 3000 settings.
SIEMENS-SWT3000R35-MIB This MIB module provides mechanisms to access standalone
SWT 3000 settings.
It is possible to configure PowerLink and SWT 3000 via PowerSys application whether with SNMPv2 or
SNMPv3 (for more details, see chapter 1.2 SNMPv3 Configuration). If SNMPv3 is configured, the USM users,
VACM, and notification parameters are managed through SNMP GET/SET command instead of PowerSys or
Web server.
6 Smart Communication PowerLink 50/100 & Teleprotection Signalling SWT 3000, Application Notes for SNMPv3
C53000-X6076-C241-1, Edition 09.2012
Description of SNMPv3
1.2 SNMPv3 Configuration
The SNMP version is configured in the form of PowerSys > SWT 3000 > Configuration - Net Configuration.
Smart Communication PowerLink 50/100 & Teleprotection Signalling SWT 3000, Application Notes for SNMPv3 7
C53000-X6076-C241-1, Edition 09.2012
Description of SNMPv3
1.2 SNMPv3 Configuration
MIB Comments
SNMP version Configure SNMP version.
Disabled: Disable SNMP function
8 Smart Communication PowerLink 50/100 & Teleprotection Signalling SWT 3000, Application Notes for SNMPv3
C53000-X6076-C241-1, Edition 09.2012
Description of SNMPv3
1.3 USM User Management
Network Management System (NMS) usually has a user management tool, which is used to easily manage
SNMPv3 USM user configuration on remote SNMPv3 agents, e.g. clone a new user, change the password etc.
USM needs to be configured in a SNMPv3 NMS client and configuration is sent and stored in the SNMPv3
agent (PowerLink or SWT 3000) afterwords.
3 initial users are provided in PowerLink and SWT 3000 devices for connection to SNMPv3 agent.
User Name Auth Protocol Auth Password Priv Protocol Priv Password
initial MD5 cssnmpv3auth DES cssnmpv3priv
templateMD5 MD5 cssnmpv3auth DES cssnmpv3priv
templateSHA SHA cssnmpv3auth DES cssnmpv3priv
After having been successfully connected to the SNMPv3 agent, the initial users are listed as follows:
By right-clicking the user in the user table, you can select following operations:
Smart Communication PowerLink 50/100 & Teleprotection Signalling SWT 3000, Application Notes for SNMPv3 9
C53000-X6076-C241-1, Edition 09.2012
Description of SNMPv3
1.3 USM User Management
Operation Comments
Clone User Create new SNMPv3 users from existing one.
Enable User Enable a disabled SNMPv3 user.
Change Authentication Password Change the authentication password to a new one.
Change Privacy Password Change the privacy password to a new one.
Disable User Disable the active SNMPv3 user and change the row status from
active(1)" to notInService(2)".
Delete User Delete the existing SNMPv3 user.
Note
Because the initial user name and password are printed on paper and are well known for other people, you
must create at least one working user from the initial user template, change the default authentication, and the
privacy password as soon as possible. After all needed working users are created, the initial and template users
should be deleted.
This example shows the workflow of creating a new user testuser" using iReasoning MIB Browser.
1 - Open the SNMPv3 user management tool from MIB Browser.
2 - All users of the remote agent are listed in the user management tool.
3 - Select the user template you want to clone from:
templateMD5: user template with MD5 authentication protocol and DES privacy protocol
templateSHA: user template with SHA authentication protocol and DES privacy protocol.
4 - Click on clone user operation and enter a new user name in the text box.
10 Smart Communication PowerLink 50/100 & Teleprotection Signalling SWT 3000, Application Notes for SNMPv3
C53000-X6076-C241-1, Edition 09.2012
Description of SNMPv3
1.3 USM User Management
5 - The new user testuser" is cloned from templateMD5, whose authentication and privacy passwords are
same as templateMD5.
6 - Change the authentication password and the privacy password. For example:
Auth password: testuser_auth"
Priv password: testuser_priv"
Note
7 - Assign access right for the new cloned user (see Chapter 1.4.2 Example: Assign Access Right)
Note
This step is not needed for the SWT 3000 standalone device. The new cloned user has full access right to com-
plete MIB modules and it cannot be changed by the user via VACM.
8 - Check if new working user can connect to SNMP agent. Remove initial and template users as soon as
all desired working users have been created.
9 - Store all the configurations to flash and restart system through SNMP by setting following MIB object:
For SWT 3000: SIEMENS-SWT3000R35-MIB::swtIpActivationReq.0 = storeToFlashAndRestart(1)
For PowerLink: SIEMENS-POWERLINK-CSPI-IPCON-MIB::ipSettingsActivationReq.0 = storeToFlas-
hAndRestart(1)
Note
For all detail operation steps, check the user manual of your MIB Browser.
Smart Communication PowerLink 50/100 & Teleprotection Signalling SWT 3000, Application Notes for SNMPv3 11
C53000-X6076-C241-1, Edition 09.2012
Description of SNMPv3
1.4 VACM Management
1.4.1 Definition
.
VACM controls the access right of the user to the MIB object, which is accomplished through SNMP by setting
MIB module SNMP-VIEW-BASED-ACM-MIB.
Configure the VACM in a SNMPv3 NMS client. The configuration is sent and stored in the SNMPv3 agent (Pow-
erLink or SWT 3000) afterwards.
The initial user has the full access right to complete MIB modules by default.
Note
VACM is not supported in the SWT 3000 device. All SNMPv3 users in SWT 3000 have the full access right to
complete MIB modules by default. For PowerLink, a new cloned user has no access right until you assign it
via VACM.
12 Smart Communication PowerLink 50/100 & Teleprotection Signalling SWT 3000, Application Notes for SNMPv3
C53000-X6076-C241-1, Edition 09.2012
Description of SNMPv3
1.4 VACM Management
This example shows the workflow of assigning full access rights for a new user testuser" using iReasoning
MIB Browser.
1 - Open SNMP-VIEW-BASED-ACM-MIB::vacmSecurityToGroupTable in MIB Browser table view
2 - Create a new row with the cloned user name testuser".
Smart Communication PowerLink 50/100 & Teleprotection Signalling SWT 3000, Application Notes for SNMPv3 13
C53000-X6076-C241-1, Edition 09.2012
Description of SNMPv3
1.4 VACM Management
14 Smart Communication PowerLink 50/100 & Teleprotection Signalling SWT 3000, Application Notes for SNMPv3
C53000-X6076-C241-1, Edition 09.2012
Description of SNMPv3
1.4 VACM Management
5 - Store all the configurations to flash and restart system through SNMP by setting following MIB object:
SIEMENS-POWERLINK-CSPI-IPCON-MIB::ipSettingsActivationReq.0 = storeToFlashAndRestart(1)
6 - Connect SNMPv3 agent with new user "testuser", and check if the user has full access right for private
and standard MIB modules.
Smart Communication PowerLink 50/100 & Teleprotection Signalling SWT 3000, Application Notes for SNMPv3 15
C53000-X6076-C241-1, Edition 09.2012
Description of SNMPv3
1.5 Key Reset
In case of any security incident which has affected the SNMPv3 communication, a key reset should be execut-
ed. With the key reset operation the initial users can be retrieved in PowerSys application.
Note
After key reset operation, all created SNMPv3 users will be deleted from SNMP-USER-BASED-SM-MIB::us-
mUserTable MIB object.
The new working users have to be cloned again from the initial user template after key reset operation (see
chapter 1.3.2 Example: Create New User).
The key reset operation is as follow:
1 - Open SWT 3000 > Commands or PowerLink > Commands form
2 - Click the Reset SNMPv3 key button.
16 Smart Communication PowerLink 50/100 & Teleprotection Signalling SWT 3000, Application Notes for SNMPv3
C53000-X6076-C241-1, Edition 09.2012
Description of SNMPv3
1.6 Notification
1.6 Notification
1.6.1 Definition
.
A notification is a way for an agent to inform the SNMP Master Agent, e.g. Network Manager System (NMS)
that some alarms occurred in the system.
Configure the notification in a SNMPv3 NMS client. The configuration is sent and stored in the SNMPv3 agent
(PowerLink or SWT 3000) afterwards.
There are 2 types of notification:
SNMP Trap
Agent sends traps to NMS if an alarm event occurs. No acknowledgement is sent from NMS to the agent.
So the agent has no possibility to know if the trap is received.
SNMP Inform
It is nothing more than an acknowledged trap. If the trap is not received and acknowledged by the NMS,
the agent will retransmit it until timeout.
Depending on the configured SNMP version by PowerSys (see Chapter 1.2 SNMPv3 Configuration), the noti-
fication is handled in different methods:
SNMPv1/2
Only SNMP Trap is supported, the function is the same as the former released version.
Trap destination is configured through web pages or SNMP by setting private MIB object SIEMENS-
SWT3000R35-MIB::swtIpSnmpTrapDestTable for SWT 3000 or SIEMENS-POWERLINK-CSPI-IPCON-
MIB::trapDestTable for PowerLink.
SNMPv3
Both SNMP Trap and Inform are supported. The notification parameters including trap addresses are
moved to standard MIB module SNMP-NOTIFICATION-MIB and SNMP-TARGET-MIB.
All configurations must be done through SNMP set operation.
Smart Communication PowerLink 50/100 & Teleprotection Signalling SWT 3000, Application Notes for SNMPv3 17
C53000-X6076-C241-1, Edition 09.2012
Description of SNMPv3
1.6 Notification
This example shows the workflow of sending an SNMP Trap to 2 destinations through both SNMPv2c and
SNMPv3 protocols using iReasoning MIB Browser.
1 - Create a new row in the table SNMP-NOTIFICATION-MIB::snmpNotifyTable.
18 Smart Communication PowerLink 50/100 & Teleprotection Signalling SWT 3000, Application Notes for SNMPv3
C53000-X6076-C241-1, Edition 09.2012
Description of SNMPv3
1.6 Notification
Smart Communication PowerLink 50/100 & Teleprotection Signalling SWT 3000, Application Notes for SNMPv3 19
C53000-X6076-C241-1, Edition 09.2012
Description of SNMPv3
1.6 Notification
20 Smart Communication PowerLink 50/100 & Teleprotection Signalling SWT 3000, Application Notes for SNMPv3
C53000-X6076-C241-1, Edition 09.2012
Description of SNMPv3
1.6 Notification
User Name Auth Protocol Auth Password Priv Protocol Priv Password
testuser MD5 testuser_auth DES testuser_priv
Smart Communication PowerLink 50/100 & Teleprotection Signalling SWT 3000, Application Notes for SNMPv3 21
C53000-X6076-C241-1, Edition 09.2012
Description of SNMPv3
1.6 Notification
22 Smart Communication PowerLink 50/100 & Teleprotection Signalling SWT 3000, Application Notes for SNMPv3
C53000-X6076-C241-1, Edition 09.2012