SNMP Driver Configuration

Before you can use the SNMP feature you have to configure the SNMP manager and the SNMP agents (and thereby create a manager DP, and an agent DP that belongs to the manager DP), via the SNMP configuration panels.

This chapter describes the SNMP configuration panels for manager and agent configuration.

Open the SNMP configuration panel via System Management > Driver > SNMP.

The panel shows the agents for each SNMP manager. Furthermore, you can create new SNMP managers and agents.

Figure 1. SNMP configuration panel

SNMP Manager

The agents "SNMPAgent1", and "SNMPAgent2" (see figure above) belong to the manager with the number 1.

A SNMP manager can be chosen from the combo box and the agents belonging to the chosen manager are shown in the table. New managers can be created via the New button. You can create managers with a number from 1 until 255. The manager number 1 exists by default.

The chosen manager can be deleted via Delete button.

Note that when you delete a manager the agents that were configured for this manager, are not deleted!

SNMP Agents

The SNMP agents are queried by the SNMP managers. New SNMP agents can be created via the New button. The new agents are created by using the following panel.

Figure 2. Create SNMP agent
SNMP Manager

Shows the manager for which the agent is created.

Agent DP Type

Specifies the name for the SNMP agent DP. The entry is read from the config file. You have to set the config entry "agentDPName" or in case of SNMPv3, the entry "v3entityDPName". See [snmpdrv]

Version

Defines the SNMP version for the Agent. Possible versions are V1/V2 or V3.

SNMP Agent ID

ID of the SNMP Agent.

To delete an agent select the agent from the table and right click the table. The manager can be deleted via the context menu.

The configuration panel of the SNMP agent is opened via the context menu (right click on the table) or via double click on an agent in the table.

IP Address shows the IP address of the agent , e.g. 192.168.1.13, or a computer name, e.g. eiwrk068. If no IP address was set here or it has been deleted (empty string) the agent is disabled and the internal DPE Status.Timeout (see internal data points) is set to FALSE independent of the state it was before.

Figure 3. SNMP agent configuration

Agent/Entity

Name of the agent which is shown in the table on the SNMP agents tab.

Create
Creates a new SNMP agent.
Delete
Deletes the selected SNMP agent.

Common Settings

SNMP Version
Shows the selected SNMP protocol.
Driver number
The driver number to which the agent is assigned.
AgentId
The ID of the agent.
Configuration:

The checkbox activates a redundant agent (refer to redundant SNMP agent and SNMP in redundant WinCC OA System for further information). If a redundant agent is enabled, a second tab "2. Agent/Entity" is displayed. Switch on defines the condition for the redundancy switch:

  • connection timeout (keep alive check fails)

  • bad read/write request (TIMEOUT status is returned on a read or write request)

  • conn Timeout, bad read/write request (timeout or keep alive failure)

Timeout
Specifies the time in 1/100s until which the manager has to receive a reply to a SNMP message. The default value is 100. It might ,however, be necessary to increase the timeout in case of longer distances or low networks/agents. Valid values are 100 - 1000 (= 1 - 10sec).
Retries
Specifies the number of retries that are executed before an error is shown. If a timeout is reached the message is sent newly. You can configure 10 sending retries at most. (default = 1)

1. Agent/Entity / 2. Agent/Entity

IP Address

The IP address of the agent, e.g. 192.168.1.13, or a computer name, e.g. eiwrk068. If no IP address was set here or it has been deleted (empty string) the agent is disabled and the internal DPE Status.Timeout (see internal data points) is set to FALSE independent of the state it was before.

Port number

Defines the port number via which the SNMP manager tries to connect to the agent, which is configured here. The default WinCC OA Pmon SNMP agent port is 4700. The port numbers for the SNMP pmon agent and for the live agent can be specified via config entries.

Read / Write community

Allows the read and write access to the agent. The read and write community strings are like a password. The community strings are sent with the SNMP request. If the string is correct, the SNMP agent sends an answer (the requested information) to the manager. This entries are only used for the agents to which the WinCC OA system is connecting.

To encrypt or decrypt the access parameter of the SNMP driver the function snmpcrypt_setAccessPassPhrase() can be used. If the access parameter are encrypted the values displayed inside the panel are also encrypted.

SNMP live agents

The live agent provides data point specific data from the DP table of the ETM MIB. The SNMP Pmon agent serves as a proxy for the SNMP live agent. Thus, the data can be provided for external SNMP managers. The Live Agents tab shows the live agents configured for the WinCC OA project.

Further information about the OIDs of the WinCC OA MIB can be found under: MIB - WinCC OA MIB

Figure 4. SNMP configuration

Click on the push button "New" in the SNMP configuration panel (refer to the figure above) and the following dialog pops up, in which SNMP Live agents can be created.

You can create live agents with the number from 1 to 10. The number can be chosen from the combo box.

The SNMP live agent configuration panel can be used for configuring the dp elements that are queried via SNMP (the DPEs are provided by the SNMP live agent). The SNMP live agent configuration panel is opened via a double click on the agent in the table or via the context menu that is opened via right click on the table (refer to Figure "SNMP configuration" above). Click on the push button "select data point element" in the SNMP Live Agent configuration panel to select a data point element which is available to the Live_Agent SNMP manager.

Technically it would be possible to write (write access) on these DPEs. Since it is not possible to check the user rights, this was, however, omitted.

Figure 5. SNMP Live agent configuration

The unique number of the live agent (Agent No.) as well as the Name are shown at the top of the panel.

The DP Table shows the data points that are queried via SNMP. The data points are chosen via the familiar WinCC OA buttons and are added to the table via the Apply button. The data points contain an index, which is used to communicate with the data points via MIB (e.g. (1.3.6.1.4.1.13828.2.1.20.1.2.idx).The queried data point information is presented on other data points to which a peripheral address was added.

A trap text can be specified in the lower part of the panel. The trap text is represented on the _LiveAgentNr_SNMPLiveAgent.specificTrap data point element. The trap is sent to all configured managers when is clicked. The config entry
enableUserTraps =
                    "Yes"
has to be set so that the traps are sent.

The traps are sent via the Pmon agent since the Pmon agent serves as a proxy for the live agent. The default SNMP live agent port is 4701.

SNMPv3

In order to use SNMPv3 there are some additional optional config entries. Furthermore, the SNMP configuration panel as well as the address config for the SNMP driver were modified. You can now also configure SNMPv3 entities and set the entity type in the address panel. The config entries and the configuration and address panels are described in the following.

Restriction: Currently there is no SNMPv3 support in the WinCC OA SNMP Live Agent (WCCOAsnmpa) and in the Pmon.
Figure 6. create a v3 entity (agent)
CAUTION: If the data point (see figure above) name is changed when creating the agent/entity (default: SNMPAgent or SNMPV3Entity for V3), also the corresponding config file entry (see the SNMP config entries of this document) for the middle part of the data point name (agentDPName or v3entityDPName) has to be set. The middle part of the data point name has to be same for all created data points!
Figure 7. SNMP v3 entity configuration

An entity is configured in the panel shown above.

1. Agent/Entity / 2. Agent/Entity

IP address

The IP address of the entity, e.g. 192.168.1.13, or a computer name, e.g. eiwrk068. If no IP address was set here or it has been deleted (empty string) the entity is disabled and the internal DPE Status.Timeout (see internal data points) is set to FALSE independent of the state it was before.

Port

Defines the port number via which the SNMP manager tries to connect to the entity, which is configured here.

SecurityName

The SecurityName describes the user/the program that requires access to the data. The SecurityName has to be unique per SNMP manager.

ContextName

The context name on the target computer. The context includes specific MIB objects.

You can specify a context name per entity. If several context areas should be queried on one entity, several data points should be created.

The Management Information Base is the tree which leaves contain the actual data. You can restrict the user access in the SNMP V3 to an area of MIB e.g. everything under the node 1.3.6.2.1.1. Thus, the user can not access anything else.

SecurityLevel

The security level describes which security measures should be used for the data exchange.

  • noAuthNoPriv (1) No authentication and no encryption

  • authNoPriv (2) Authentication but no encryption

  • authPriv (3) Authentication and data encoding

Default value is (1).

ContextEngineID

The EngineID of the target computer. If this is not specified, it is defined during the query of data.

AuthProtocol

There are two protocols available for the authentication of the SNMP users:

  • none (1) no authentication protocol

  • HMAC_MD5 (2) MD5 authentication

  • HMAC_SHA (3) SHA authentication

  • HMAC_SHA2_224 (4) SHA2 authentication

  • HMAC_SHA2_256 (5) SHA2 authentication

  • HMAC_SHA2_384 (6) SHA2 authentication

  • HMAC_SHA2_512 (7) SHA2 authentication

Default value is (1).

An authentication protocol can only be selected, if the setting in the security level is "authNoPriv" or "authPriv".

AuthPasswd

The password used for the authentication. This password can only be set, if the setting in the security level is "authNoPriv" or "authPriv".

PrivProtocol

The sent data can also be encrypted in order to increase the security. For the encryption a protocol has to be selected.

  • none (1) no encryption

  • DES (2) Data Encryption Standard encryption (not recommended, use AES encryption instead)

  • IDEA (9): IDEA encryption (International Data Encryption Algorithm)
  • AES128 (4) Advanced Encryption Standard encryption with 128 bit key

  • AES192 (20) Advanced Encryption Standard encryption with 192 bit key

  • AES256 (21) Advanced Encryption Standard encryption with 256 bit key.

Default is (1).

An encryption protocol can only be selected, if the setting in the security level is "authPriv".

PrivPasswd

The password used for the encryption. This password can only be set, if the setting in the security level is "authPriv".

Note: The snmpcrypt_setAccessPassPhrase() function can be used to encrypt or decrypt the access parameters of the SNMP driver. This also encrypts the display of the values ​​within the configuration panel.