Sun Management Center 3.6.1 User's Guide

SNMP Encryption (Privacy)

Sun Management Center supports encryption of SNMP communications between server and agent components of Sun Management Center. SNMP encryption support uses the CBC-DES symmetric encryption algorithm.

You can enable SNMP encryption on Sun Management Center servers using the es-config script. By using this script, you can turn on or off the auto-negotiate feature. For details, see Enabling SNMP Encryption.

Encryption on Solaris 9 or Earlier

For systems running Solaris 9 or earlier, encryption is based on the package SUNWcry.

Note the following conditions for systems that run Solaris 9:

Encryption on Solaris 10

For systems running Solaris 10, encryption is based on Public Key Cryptographic Standard (PKCS#11).

PKCS#11 specifies an API, called Cryptoki, for devices that hold cryptographic information and perform cryptographic functions. For more information on the RSA-defined PKCS#11 standard, see http://www.rsasecurity.com/rsalabs.

Note the following conditions for systems that run Solaris 10:

Encryption on Linux

For systems running Linux, encryption is based on Public Key Cryptographic Standard (PKCS#11).

SNMP encryption depends on the PKCS11_API.so encryption library. This library is not installed by default. To use encryption, you must provide this library in /usr/lib/pkcs11 and enable the pkcs_slot daemon.

Auto-Negotiate Feature

Sun Management Center 3.6.1 servers that support encryption can be set up to support agents dynamically regardless of whether those agents support encryption. This feature is called auto-negotiate and can be set to on or off.

When you set the auto-negotiate feature to off, you ensure that the server always uses encryption when initiating communication with agents. Environments with strict security policies might prefer this setup. If you set auto-negotiate to off:

When you set the auto-negotiate feature to on, the server encrypts its SNMP communication with an agent only if the agent supports encryption. As a result, one of the following events occurs:

Enabling SNMP Encryption

To find the current state of SNMP encryption, run the es-config command with no arguments.

Procedure: To Enable SNMP Encryption for Server Installations

  1. Check whether the package is installed.

    • (For systems running Solaris 9 or earlier) Make sure the SUNWcry package, which contains the /usr/lib/libcrypt_d.so encryption library, is installed on the system by typing:

      % pkginfo | grep SUNWcry

      If the package is installed, the system shows:

      application SUNWcry

      Note – The SUNWcry package is part of the Solaris Encryption Kit. To obtain the Solaris Encryption Kit, see your Sun sales representative. For important information about administering secure systems, see your Solaris system administration documentation.

    • (For systems running Solaris 10) Make sure the SUNWcsl package, which contains the /usr/lib/libpkcs11.so encryption library, is installed on the system by typing:

      % pkginfo | grep SUNWcsl

      If the package is installed, the system shows:

      application SUNWcsl

    • (For systems running Linux) Make sure you provide the PKCS11_API.so encryption library in /usr/lib/pkcs11 and enable the pkcs_slot daemon.

  2. Type the following command as superuser from the server host:

    # es-config -r

    The system detects the presence of the appropriate package and automatically stops all Sun Management Center components. The script then asks for the security seed.

  3. Type the security seed.

    The script asks for the SNMPv1 community string.

  4. When asked whether you want to initiate encrypted communication, type y to initiate encrypted communication or n to decline.

  5. When asked whether you want to enable the auto-negotiate feature, type y to enable or n to decline.

    For details on the auto-negotiate feature, see Auto-Negotiate Feature.
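The following pre-flight script is an added example, not part of the Sun Management Center guide or its es-config tooling. It automates step 1 of the procedure above: it maps the host's platform (from uname -s / uname -r) to the package and library the guide names for that platform, then checks whether the package is registered with pkginfo and whether the library file is readable. The function names, the SunOS release test (5.10 and later treated as Solaris 10), and the "check" argument are assumptions of this example; the guide's additional Linux requirement to enable the pkcs_slot daemon is not verified here.

```shell
#!/bin/sh
# Added example: pre-flight check for the SNMP encryption prerequisites the
# Sun Management Center 3.6.1 guide lists before running `es-config -r`.

# Map the platform to "<package>:<library>" as stated in the guide.
#   SunOS 5.9 or earlier -> SUNWcry  : /usr/lib/libcrypt_d.so
#   SunOS 5.10           -> SUNWcsl  : /usr/lib/libpkcs11.so
#   Linux                -> no package named; /usr/lib/pkcs11/PKCS11_API.so
# Prints "-" for the package where the guide names none. Returns 1 and
# prints "unsupported:-" for any other platform.
smc_crypto_requirement() {
    os="$1"    # output of `uname -s`, e.g. SunOS or Linux
    rel="$2"   # output of `uname -r`, e.g. 5.9 or 5.10
    case "$os" in
        SunOS)
            minor=${rel#5.}              # SunOS 5.9 -> 9, 5.10 -> 10 (assumed format)
            if [ "$minor" -ge 10 ] 2>/dev/null; then
                echo "SUNWcsl:/usr/lib/libpkcs11.so"
            else
                echo "SUNWcry:/usr/lib/libcrypt_d.so"
            fi
            ;;
        Linux)
            echo "-:/usr/lib/pkcs11/PKCS11_API.so"
            ;;
        *)
            echo "unsupported:-"
            return 1
            ;;
    esac
}

# Check the current host. Returns 0 only if the package (where the guide
# names one) is installed and the library file is readable; 1 otherwise.
smc_crypto_check() {
    req=$(smc_crypto_requirement "$(uname -s)" "$(uname -r)") || {
        echo "platform not covered by the guide: $(uname -s) $(uname -r)"
        return 1
    }
    pkg=${req%%:*}
    lib=${req#*:}
    rc=0
    if [ "$pkg" != "-" ]; then
        # Same check as the guide's `pkginfo | grep <pkg>`, but whole-word and quiet.
        if pkginfo 2>/dev/null | grep -qw "$pkg"; then
            echo "package $pkg: installed"
        else
            echo "package $pkg: NOT installed"
            rc=1
        fi
    fi
    if [ -r "$lib" ]; then
        echo "library $lib: present"
    else
        echo "library $lib: MISSING"
        rc=1
    fi
    return $rc
}

# Run the host check only when invoked directly with "check" as the first
# argument, e.g.  sh smc_snmp_crypto_preflight.sh check
if [ "${1:-}" = "check" ]; then
    smc_crypto_check
fi
```

Run it as a non-root user before step 2; a non-zero exit means es-config -r will not find the encryption library on this host, so fix the package or library first. On Linux, also confirm the pkcs_slot daemon is enabled as the guide requires, since the script only tests for the library file.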