Configuring SNMP

The watcher service monitors all watchable services on the local host. Optionally, you can configure the watcher to send traps to an SNMP manager when the watchable services generate alarms.

In a multi-host environment, you configure the watcher service on each host to communicate with your SNMP manager. (Nuance recommends that all watchers connect to one SNMP manager.) For example:

Follow these steps:

  1. Recommended. Configure security on incoming requests from SNMP trap managers. This step is not required but is strongly recommended. The procedure depends on your version of SNMP:
  2. Configure how the watcher service sends traps. See one of these:
  3. Start your SNMP trap manager and configure it to receive traps from the watcher. See Configuring traps with your SNMP manager.
  4. Optional. Configure additional watcher parameters for initialization during startup. The instructions are different for each operating system:

Configuring SNMP community strings

This section applies to SNMPv1 and v2c. For SNMPv3, see Configuring SNMP user authentication.

There are two different and independent meanings of the term, community string: one controls read/write access to the MIB on incoming requests, and the other controls which SNMP managers receive outgoing traps (with possible limitations to one or more particular severity levels).

The Nuance MIB (Management Information Base) file describes all available data objects (variables). To access these variables, SNMP managers use object identifiers (OIDs):

Request

Action

Snmpget

Retrieves the values of specified OIDs.

Snmpset

Modifies the values for the specified OIDs.

Snmpwalk

Walks through the MIB tree.

Optionally, you can restrict access to the MIB. By default, the watcher service allows unrestricted access by SNMP managers, and this poses a potentially security risk. You can control access via the MIB access state, which determines whether SNMP managers can only read it ("public") or also modify it ("private"). To control access, define "community string" properties on every host that is running the watcher service and apply them to specific SNMP hosts:

  1. On all hosts running the watcher service, open $NUANCE/config/SwmAgent.conf in any text editor. The environment variable, NUANCE, is set to:
    • On Linux: /usr/local/Nuance/Common/config
    • On Windows:C:\Program Files (x86)\Common Files\Nuance\Common\config
  2. Set the rocommunity (read only) and rwcommunity (read/write) parameters to public and private strings. The syntax is:

    Parameter community_string [source]

    Where source can be the hostname, IP address, or IP address with a bit map of SNMP managers making requests to the Nuance MIB. For example:

    rocommunity  ReadOnlyNuance bluebird.nuance.com
    rwcommunity  ReadWriteNuance 10.3.0.0/16

    This example gives read only access to requests that specify the community string "ReadOnlyNuance" coming from host bluebird. It gives read/write access to requests that specify the string "ReadWriteNuance" coming from any IP address starting with 10.3. Specifying the source of the request is optional.

  3. Save the changes, and restart the watcher service. See Starting and stopping the watcher service manually.

Note: You must configure the same private and public community strings on your SNMP manager (see Configuring traps with your SNMP manager). Otherwise, the watcher service rejects all requests that don’t match its configured community strings.

Configuring SNMP user authentication

This section applies to SNMPv3. For SNMP v1 or v2c see Configuring SNMP community strings.

For SNMP v3, you must configure a user and (if specified on the SNMP trap manager) an engine ID. Optionally, you can specify the level of authentication desired.

  1. On all hosts running the watcher service, open $NUANCE/config/SwmAgent.conf in any text editor.
  2. Add this line:

    createUser -e engineIDusername [hashing_algorithm] [authentication_pswd] [encryption_algorithm] [encryption_pswd]

    Where:

    • engineID is the value of the SNMP engine ID. Required if the SNMP trap manager uses one.
    • username is the username. Required.
    • hashing_algorithm specifies a level of authentication. Value is MD5 or SHA.
    • authentication_pswd is the authentication password. Required if a hashing algorithm (MD5 or SHA) is specified.
    • encryption_algorithm specifies encryption. Value is AES or DES. Encryption is optional but if specified then authentication must be specified.
    • encryption_password is the encryption password. If unspecified, the authentication password is used.

Note: You must configure the same values on your SNMP manager (see Configuring traps with your SNMP manager). Otherwise, the watcher service rejects all requests with unmatched values.

These examples create a user, a user with a higher level of authentication, a user with authentication that includes encryption. If the SNMP manager specifies an engine ID, then you must specify it when creating the user.

  • User:

    createUser -e 0x800002b804616263 MyUser

  • User with MD5 authentication:

    createUser -e 0x800002b804616263 MyUser MD5 MyMD5Password

  • User with MD5 authentication and AES encryption, no encryption password (authentication password used instead):

    createUser -e 0x800002b804616263 MyUser MD5 MyMD5Password AES

  • User with SHA authentication and DES encryption:

    createUser -e 0x800002b804616263 MyUser SHA MySHAPassword DES MyEESPassword

Configuring traps with Management Station

To configure the watcher service to send SNMP traps, you specify the host and port where the traps are sent. The values must match the values in the SNMP trap manager configuration. For v2c and v3 SNMP trap managers, you can also set the level or severity of sent traps. For example, your SNMP trap manager could receive critical and major traps, but not minor traps.

Use Management Station to configure the watcher service to send traps to an SNMP trap manager:

  1. Click the Monitoring & Control tab→System View→Network Design.
  2. Select a scope from the network tree: Nuance Network, a particular cluster, or host:
    • Nuance Network (recommended)—Values apply globally to all clusters and hosts in the network. The best practice is to configure the entire network to point to a single SNMP manager.
    • Cluster—Values apply to all hosts and clusters in the selected cluster.
    • Host—Values apply to services running on the selected host.
  3. Click the Properties link for that scope. The SNMP Configuration page appears.
  4. To specify the SNMP manager:
    1. Enter the hostname (or IP address) and port number where your SNMP manager is configured.

      Optionally (v1 and v2c only), you can specify a community string as part of the hostname, for example, community_string_for_v1_v2c@host. When the watcher service sends traps, they are labeled with the community string and can be read only by SNMP managers who are members of a logical group identified by that string. If not set, the default is "public."

    2. Optional for v2c and v3 SNMP trap managers, set the trap level of sent traps. For example, selecting Critical configures the watcher service to send only critical traps to this host. The default is All. You can set more than one of these parameters for a given SNMP server, for example, to have it receive critical and major, but not minor traps.

      For example, if you configured your SNMP manager to run on host bluebird and to receive all traps on port 2092, your screen would look like this:

  5. Click OK.

    Management Station stops and starts the SNMP watcher module on the relevant hosts to apply the configuration. (This module is the internal component that provides the communication interface between the SNMP manager and watcher service.) Depending on the number of hosts to configure, this process might take some time.

    The window disappears when the process is complete. You have now enabled the watcher service to send traps to the SNMP trap manager. This means that whenever an alarm is generated on a configured host, the alarm is sent to Management Stationand the SNMP manager.

Please note:

  • If all hosts at the network or cluster scope have the same SNMP configuration, Management Station populates the fields with the values whenever you display this page at those scopes. If any scope configures a different SNMP manager, the fields are blank and Management Station informs you that the values are different for some hosts.
  • To stop sending SNMP traps, select the host scope and set the status to DISABLED on the selected host. This function is available only at the host scope.

Configuring traps without Management Station

To configure the watcher service to send SNMP traps, you specify the host and port where the traps are sent. The values must match the values in the SNMP trap manager configuration. For v2c and v3 SNMP trap managers, you can also set the level or severity of sent traps. For example, your SNMP trap manager could receive critical and major traps, but not minor traps.

Note: Before configuring the watcher service, you must restart any Speech Suite services that were started with watcher.SendAlarmsToWatcher=FALSE (and set the value to TRUE). When doing these restarts, you must pass the entire command-line with all parameters. See Starting services without Management Station.

Use these parameters to configure where the watcher sends traps. (There are parameters for different SNMP versions.)

Trap handler parameters Description
wm.snmp.V1TrapHandlers

Host and port of an SNMPv1 trap manager.

Set at initialization only.
wm.snmp.V2TrapHandlers

Host and port of an SNMP V2c manager.

Set at initialization only.
wm.snmp.V2CriticalTrapHandlers

Host and port of an SNMP V2c manager that receives only critical traps.

Set at initialization only.
wm.snmp.V2MajorTrapHandlers

Host and port of an SNMP V2c manager that receives only major traps.

Set at initialization only.
wm.snmp.V2MinorTrapHandlers

Host and port of an SNMP V2c manager that receives only minor traps.

Set at initialization only.
wm.snmp.V3CriticalTrapHandlers

Host and port of an SNMP V2c manager that receives only critical traps.

Set at initialization only.
wm.snmp.V3MajorTrapHandlers

Host and port of an SNMP V2c manager that receives only major traps.

Set at initialization only.
wm.snmp.V3MinorTrapHandlers

Host and port of an SNMP V2c manager that receives only minor traps.

Set at initialization only.

Optionally, you can use combinations of parameters to send different trap levels to different handlers. (By default, watcher sends all traps.) For example, you could send critical and major traps to one SNMP server, and minor traps to another: 

wm.snmp.V#CriticalTrapHandlers

wm.snmp.V#MajorTrapHandlers

wm.snmp.V#MinorTrapHandlers

To configure the watcher service to send traps to the SNMP trap manager, add one or more trap handler parameters to the watcher configuration. The parameter syntax is: 

wm.snmp.V#trap_levelTrapHandlers=[community_string_for_v1_v2c]@host:port

where host:port specifies the hostname (or IP address) and port number where your SNMP manager. The trap_level can be Critical, Major, or Minor (v2c and v3). If you do not supply a value for trap_level, the watcher sends all traps to the configured SNMP manager.

Optional for v1 and v2c. Specify a community string as part of the hostname. When the watcher service sends traps, it labels them with the community string and can be read only by SNMP managers who are members of a logical group identified by that string. The default is "public."

To configure the watcher service to send traps to the SNMP trap manager, add one or more trap handler parameters to the watcher configuration. The parameter syntax is: 

wm.snmp.V#trap_levelTrapHandlers=[community_string_for_v1_v2c]@host:port

where host:port specifies the hostname (or IP address) and port number where your SNMP manager. The trap_level can be Critical, Major, or Minor (v2c and v3). If you do not supply a value for trap_level, the watcher sends all traps to the configured SNMP manager.

Optionally (v1 and v2c only), you can specify a community string as part of the hostname. When the watcher service sends traps, they are labeled with the community string and can be read only by SNMP managers who are members of a logical group identified by that string. If not set, the default is "public."

If you configured your SNMP manager to run on host bluebird and to receive traps on port 2092, the parameter would be set like this:

wm.snmp.V2TrapHandlers=bluebird:2092

Configuring traps with your SNMP manager

You must configure your SNMP manager to receive the traps sent by watcher.

There are many third-party SNMP managers available, and the configuration for receiving traps from the watcher service is different for each. Here are the basic steps:

  1. Load the Nuance MIB file, NUANCE-MIB.mi2, into the SNMP manager’s MIB database. This file is located in $NUANCE/data/mibs on hosts running speech software.
  2. Set the port for receiving traps. The SNMP manager port must match the wm.snmp.Port configuration.
  3. For SNMPv3, you must configure a user and (if specified on the trap manager) an engine ID. Optionally, you can specify authentication and encryption levels. These values must match the watcher service configuration (see Configuring SNMP user authentication
  4. Test that the SNMP manager can receive traps.
  5. Customize the traps by specifying a description, severity, format, and actions to take when the trap is triggered.