Adding new users to the configuration file

To create a new user, add a line to the non-persistent configuration file.

Using the automatic detection facility

The probe can detect changes to the non-persistent configuration file and automatically load them without any interruption to the processing of traps and informs. The non-persistent configuration file is named mttrapd.conf and is in the directory specified by the value of the ConfPath property.

To add users to mttrapd.conf, use the following procedure:

  1. If you have not already done so, edit the probe's property file and set the value of the SnmpConfigChangeDetectionInterval property to the interval (in minutes) at which the probe checks for changes to the configuration file.
  2. Edit mttrapd.conf in the directory specified by the ConfPath property and add the following line for each new user:
    createUser -e engineId username authtype password privtype privpassword

    Replace the arguments and option values as follows:

    Table 1. Arguments and options for the createUser command

    engineId

    Provide the engine ID of the trap source associated with the user. The engine ID is required for traps but optional for informs.

    username

    Provide the security name of the user.

    authtype

    Provide an authentication type (MD5, SHA, or SHA256). When running in FIPS 140-2 mode, use the value SHA for this option.

    password

    Provide the password (must be at least eight characters).

    privtype

    Optional: Provide the type of privacy (either DES, AES, AES192 or AES256). When running the probe in FIPS 140-2 mode, use the value AES for this option.

    Note: DES uses a 16 byte key. The probe truncates the encrypted 20 byte key to 16 bytes to use it as the DES key.

    privpassword

    Optional: Provide the privacy password (if different from password).

Two properties determine the locations of the mttrapd.conf file and the automatically generated non-persistent configuration file:

  • ConfPath defines the location of the mttrapd.conf file.
  • PersistentDir defines the location of the hashed file.

It is best practice to use separate directories to hold these files. For an example of this, see Example configuration.

Implementation notes:

  • You cannot change the value of SnmpConfigChangeDetectionInterval while the probe is running. To change the interval, stop the probe, change the value and restart the probe.
  • The probe refreshes the entire list of users each time it detects a change in the non-persistent configuration file.
  • The probe uses the non-persistent configuration file's last modified date to detect changes. So if the only change has been the addition or removal of whitespace, the probe still loads the entire list of users.
  • If the non-persistent configuration file is missing from either directory or has incorrect syntax, updates to the list of users held by the probe do not occur.
  • If the non-persistent configuration file is present, but has no content, the probe deletes all user/engine credentials that it holds.
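
A pre-load check for the createUser lines described above, given here as an added example (it is not IBM's or the probe's own code). It applies only the rules stated in Table 1 and the implementation notes, assumes whitespace-separated tokens without quoting, leaves any line that is not a createUser directive unchecked, and runs on a constructed sample file.

```python
AUTH_TYPES = {"MD5", "SHA", "SHA256"}            # values listed in Table 1
PRIV_TYPES = {"DES", "AES", "AES192", "AES256"}

def check_create_user(line, fips=False, for_traps=True):
    """Return the problems found in one createUser line (empty list = OK)."""
    args = line.split()[1:]      # assumption: whitespace-separated, no quoting
    problems = []
    if args[:1] == ["-e"]:
        if len(args) < 2:
            return ["-e given without an engine ID"]
        args = args[2:]
    elif for_traps:
        problems.append("engine ID is required for traps")
    if not 3 <= len(args) <= 5:
        return problems + ["expected username authtype password [privtype [privpassword]]"]
    auth, password = args[1], args[2]
    priv = args[3] if len(args) > 3 else None
    if auth not in AUTH_TYPES:
        problems.append(f"authtype {auth!r} is not MD5, SHA or SHA256")
    elif fips and auth != "SHA":
        problems.append("FIPS 140-2 mode requires authtype SHA")
    if len(password) < 8:        # the message never echoes the secret itself
        problems.append("password is shorter than eight characters")
    if priv is not None and priv not in PRIV_TYPES:
        problems.append(f"privtype {priv!r} is not DES, AES, AES192 or AES256")
    elif fips and priv not in (None, "AES"):
        problems.append("FIPS 140-2 mode requires privtype AES")
    return problems

def check_conf(text, fips=False, for_traps=True):
    """Map line number -> problems; key 0 flags a file that defines no users."""
    report, users = {}, 0
    for number, raw in enumerate(text.splitlines(), 1):
        if raw.split()[:1] != ["createUser"]:    # other lines are not checked
            continue
        users += 1
        problems = check_create_user(raw, fips, for_traps)
        if problems:
            report[number] = problems
    if users == 0:
        report[0] = ["no users defined; an empty file makes the probe delete all credentials"]
    return report

# Constructed sample file (engine IDs, names and passwords are made up).
SAMPLE = """# constructed sample
createUser -e 0x8000000001020304 alice SHA256 authpass123 AES256 privpass123
createUser bob MD5 short DES
createUser -e 0x8000000001020305 carol SHA authpass123 3DES
"""

if __name__ == "__main__":
    for number, problems in sorted(check_conf(SAMPLE, fips=True).items()):
        print(f"line {number}: " + "; ".join(problems))
```

Running the check before saving mttrapd.conf matters because the probe reloads on a change of the file's last modified date, and a file with incorrect syntax leaves the user list unchanged.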

Manually updating the non-persistent configuration file

You can manually load a new mttrapd.conf file into the probe, in either a stand-alone or failover pair configuration.

Note: To be able to manually load the configuration file, ensure that the UsmUserBase property has the value 0 or 2.

Stand-alone probe

To add users to mttrapd.conf, use the following procedure:

  1. Stop the probe.
  2. Add the new users to the configuration file as shown in step 2 of Using the automatic detection facility.
  3. Start the probe again.

Failover pair

A failover pair consists of a master and a slave probe. The master probe is the one that is set up to process traps and informs from the SNMP endpoint while the slave lies idle. If the master probe fails for any reason, the slave probe takes over processing of traps and informs. When the master probe becomes available once again, it resumes processing of traps and informs, taking control back from the slave probe. This configuration ensures continuity of processing.

Unlike a stand-alone probe, you can update the list of users for a failover pair without interrupting the processing of traps and informs from the SNMP endpoint. You update each probe in turn, leaving the other probe in the pair running to process traps and informs. The procedure has two parts:

  1. Set up the failover pair to use separate configuration file directories that contain identical copies of the mttrapd.conf file.
  2. Add users to the configuration by updating the slave probe and then the master probe.

Set up the failover pair

Set up the failover pair as follows:

  1. Create separate properties files for the master and slave probes. Set up each file with the same values for all properties except for the following:
    • ConfPath
    • PersistentDir

    Ensure that for each probe these properties reference separate directories. For example:

    Master probe:
    ConfPath: $NCHOME/omnibus/var/mttrapd/master/snmpv3
    PersistentDir: $NCHOME/omnibus/var/mttrapd/master

    Slave probe:
    ConfPath: $NCHOME/omnibus/var/mttrapd/slave/snmpv3
    PersistentDir: $NCHOME/omnibus/var/mttrapd/slave

    Note: In the remainder of this procedure, the directories that these properties map to are referred to as ConfPath and PersistentDir.
  2. Create the four directories specified in the two pairs of ConfPath and PersistentDir properties.
  3. Create a copy of the mttrapd.conf file in each of the ConfPath directories.
  4. Start the master and slave probes.

Add users to the configuration

Add users to the configuration as follows:

Table 2. Adding users to the configuration file and updating the failover pair of probes

Step 1. Update the slave probe.

  1. Ensure that the master probe is running and then stop the slave probe.
  2. Delete mttrapd.conf from the slave probe's PersistentDir directory.
  3. Add the new users to the slave probe's configuration file in the ConfPath directory as shown in step 2 of Using the automatic detection facility.
  4. Start the slave probe.

Step 2. Update the master probe.

  1. Ensure that the slave probe is running and then stop the master probe.
  2. Delete mttrapd.conf from the master probe's ConfPath and PersistentDir directories.
  3. Copy mttrapd.conf from the slave probe's ConfPath directory to the master probe's ConfPath directory.
  4. Copy mttrapd.conf from the slave probe's PersistentDir directory to the master probe's PersistentDir directory.
  5. Start the master probe.