IBM Support

SNMP Probe: Procedure to update SNMP v3 User Credentials in Peer-to-peer failover mode

Technical Blog Post



 

Objective

Update the SNMP v3 user credentials in the mttrapd probe without disrupting its production data streams, i.e. SNMP traps and ObjectServer events.

To achieve this, the mttrapd probe runs as two runtime instances, a master and a slave. While the probes are running, the user credential update, which requires restarting the probe, is performed on the two probes in turn, first the slave probe and then the master probe. This relies on the peer-to-peer failover mechanism, which keeps data flowing between the probe and the systems it communicates with.

 

 

 

Setup

(1) In the properties file of the master probe and of the slave probe, the ConfPath and PersistentDir properties can be set as shown below.

The master probe and the slave probe each have their own ConfPath and PersistentDir.

e.g.

ConfPath      :     '$OMNIHOME/var/mttrapd/<master> or <slave>/snmpv3'

PersistentDir :     '$OMNIHOME/var/mttrapd/<master> or <slave>/'

 

(2) Create directories as specified in these properties.

 

(3)* Generate encrypted mttrapd.conf:

(a)

Update/create mttrapd.conf in slave's ConfPath.

(b)

If there is a mttrapd.conf in slave probe's PersistentDir, edit the file:

(i)       Preserve the engineBoot and oldEngineID entries,

(ii)     Remove all usmUser entries.

(c)

Start slave probe.

(d)

Stop slave probe (after the encrypted mttrapd.conf in slave probe's PersistentDir is filled with new usmUser entries).

(e)

Copy slave probe's ConfPath mttrapd.conf to master probe’s ConfPath.

(f)    

Back up master probe's PersistentDir mttrapd.conf, if any.

(g)

Copy slave probe's PersistentDir mttrapd.conf to master probe’s PersistentDir.

(h)

Edit the new encrypted mttrapd.conf in master probe’s PersistentDir:

(i)      Preserve all usmUser entries,

(ii)     Remove the engineBoot and oldEngineID entries.

(iii)    If there is a backup mttrapd.conf from (f), copy its engineBoot and oldEngineID entries, and paste them into the file.

* Note:

   As long as the master and slave probes are not yet in production mode (i.e. running), if any changes are made to the SNMP v3 user credentials in ConfPath’s mttrapd.conf, please repeat Step (3) in Setup.

 
 

Production Phase

Pre-requisite:

Master probe’s encrypted mttrapd.conf and slave probe’s encrypted mttrapd.conf have the same usmUser credentials.

 

Start master probe and slave probe.

 

 

Updating SNMPv3 user credentials in Production Phase

Pre-requisite:

Master probe and slave probe are running.

 

(1)   Update user credentials for slave probe:

(a)

Stop slave probe.

(Before doing this, please ensure master probe is still running, otherwise incoming traps will be lost.)

(b)

Edit slave probe’s encrypted mttrapd.conf in PersistentDir:

(i)   Remove all usmUser entries,

(ii)  Preserve the engineBoot and oldEngineID in the file.

(c)

Update the credentials in slave probe's ConfPath mttrapd.conf.

(d)

Start slave probe.

(e)

Stop slave probe (after the encrypted mttrapd.conf is filled with new usmUser entries).

^(f)

Start slave probe again.

^ Note:

    Restarting the mttrapd probe after the encrypted mttrapd.conf has come into existence is necessary for the updated credentials to take effect (essentially for the engineID in the usmUser entry), because the probe registers all engine IDs into its runtime engineID list only after parsing an available encrypted mttrapd.conf. Skipping this step will result in the probe rejecting v3 traps because of an unrecognized engineID.

 

 

 

(2)   Synchronize updated user credentials to master probe:

(a)

Stop master probe.

(Before doing this, please ensure slave probe is still running, otherwise incoming traps will be lost.)

(b)

Edit master probe’s encrypted mttrapd.conf in PersistentDir:

(i)       Preserve the engineBoot and oldEngineID in the file,

(ii)     Remove all usmUser entries,

(iii)    Copy the usmUser entries from slave probe’s PersistentDir mttrapd.conf, and paste them into the file.

(c)

Copy slave probe's ConfPath mttrapd.conf to master probe’s ConfPath.

(d)

Start master probe.
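
The file edits in steps (1)(b) and (2)(b) above can be scripted so that no usmUser or engine entry is dropped by hand. This is an added example, not part of the original IBM post; it assumes every entry in the persistent mttrapd.conf is a single line starting with its keyword, and the function names and sample values are hypothetical. Run it only while the affected probe is stopped.

```shell
#!/bin/sh
# Added example, not IBM code. Assumption: every entry in the persistent
# mttrapd.conf is one line that starts with its keyword (usmUser,
# engineBoot, oldEngineID).
umask 077   # the file holds SNMPv3 key material; keep copies owner-only

USM_RE='^[[:space:]]*usmUser'
ENGINE_RE='^[[:space:]]*(engineBoot|oldEngineID)'

# Steps (1)(b) and (2)(b)(i)-(ii): print file $1 without its usmUser
# entries; engineBoot, oldEngineID and any other lines pass through.
strip_usm_users() {
    grep -Ev "$USM_RE" "$1" || true   # grep exits 1 when nothing is left
}

# Step (2)(b): print the master's file ($2) minus its usmUser entries,
# followed by the usmUser entries of the slave's file ($1).
merge_for_master() {
    strip_usm_users "$2"
    grep -E "$USM_RE" "$1" || true
}

# Replace file $1 with the content of $2 after saving $1 as $1.bak.
# Refuses when the new content has no engineBoot/oldEngineID entry.
install_edit() {
    grep -Eq "$ENGINE_RE" "$2" || { echo "no engine entries in $2" >&2; return 1; }
    cp -p "$1" "$1.bak" && mv "$2" "$1"
}

# Constructed sample run in a scratch directory (all values are made up).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'engineBoot 7' 'oldEngineID 0xAAAA' \
        'usmUser OLD-MASTER-ENTRY' > "$d/master.conf"
    printf '%s\n' 'engineBoot 3' 'oldEngineID 0xBBBB' \
        'usmUser NEW-ENTRY-1' 'usmUser NEW-ENTRY-2' > "$d/slave.conf"
    merge_for_master "$d/slave.conf" "$d/master.conf" > "$d/master.new"
    install_edit "$d/master.conf" "$d/master.new" && cat "$d/master.conf"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

For the slave in step (1)(b), redirect `strip_usm_users` to a temporary file and pass it to `install_edit` in the same way.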

 

 


UID

ibm11082091