Apstra SNMP Hash Key Retrieval: Solving a Common Network Management Challenge

The Problem

Network automation is meant to make our lives easier, but occasionally we encounter limitations that require creative solutions. One such challenge emerged when a customer needed to retrieve SNMP keys that had already been hashed on Junos devices—a capability that wasn't available within Apstra's standard toolset.

The issue was straightforward but significant: The customer needed these hashed keys to incorporate them within a configurator to push additional SNMP configuration. Without access to these keys, their network automation workflow would break down, requiring manual intervention—precisely what automation aims to eliminate.

A Solution: SNMP Authentication Manager

To address this gap, we developed the SNMP Authentication Manager, a lightweight tool that extends Apstra's capabilities. The tool connects to devices, retrieves the hashed SNMP authentication and privacy keys, and makes them available for use in automation workflows.

How It Works

The tool offers a simple, intuitive workflow:

1. Connect to your devices through the interface
2. Select "Retrieve Authentication Keys"
3. Choose scope—either a single blueprint or all blueprints
4. Select the systems you wish to query
5. Execute the operation
6. View results showing successful retrievals and any failures
7. Either copy the property set to clipboard or upload directly to Apstra

The Property Set data includes:

• System ID
• Authentication keys (hashed)
• Privacy keys (hashed)
• Device hostname

{
  "snmp_auth": [
    {
      "authentication_key": "$9$EEZcSl8X-sgJlKv87dY2ZUjH5Fn/CpO13nlKM87N.Pf",
      "hostname": "GPU-Leaf2",
      "id": "52540BD0A3",
      "privacy_key": "$9$f53/ApBIEy0B1Eye8Ldbs2Gik.PTFnHk0BIEyroJZ"
    },
    {
      "authentication_key": "$9$EEZcSl8X-sgJlKv87dY2ZUjH5Fn/CpO13nlKM87N.Pf",
      "hostname": "rack1-001-leaf1",
      "id": "52540BD0A3",
      "privacy_key": "$9$f53/ApBIEy0B1Eye8Ldbs2Gik.PTFnHk0BIEyroJZ"
    }
  ]
}

Technical Implementation

The application is built using Python with a Streamlit frontend, packaged within a Docker container for easy deployment. Some key technical aspects include:

Authentication and API Integration

• The tool uses the Apstra REST API to authenticate and retrieve blueprint and system information
• We implemented a robust API client with proper error handling and session management
• Secure credential handling with support for environment variables and session-only storage

Device Command Execution

• The application executes commands on network devices through Apstra's telemetry API
• Implements polling with proper timeouts to ensure command completion
• Supports robust error detection and reporting for failed operations

Key Extraction Logic

• Utilizes a recursive search algorithm to find authentication and privacy keys in nested JSON responses
• Handles various SNMP configuration formats across different device types and software versions
• Implements detailed error reporting for missing or malformed configurations

Data Management

• Creates structured property sets formatted for direct use in Apstra
• Supports both creating new property sets and updating existing ones
• Implements proper validation for all user-supplied inputs

User Interface

• A clean, intuitive Streamlit interface with responsive design
• Clear visual indicators for task status and operation results
• Multi-tab layout separating different workflow components
• Support for both single-blueprint and batch processing modes

Practical Benefits

Once the keys are retrieved, they can be incorporated into configurators, allowing for advanced automation patterns. For example, you can create logic that matches system IDs with their corresponding authentication keys, enabling device-specific SNMP configuration without manual intervention.

This seemingly small enhancement opens significant possibilities for automation, particularly in environments with strict security requirements where SNMP v3 authentication is mandatory.

Deployment

The application can be deployed via Docker container or run locally:

# Docker deployment
docker run -d -p 8501:8501 iamjarvs/apstra_snmp_auth:latest

# Local installation
git clone https://github.com/iamjarvs/apstra-snmp-auth.git
cd apstra-snmp-auth
pip install -r requirements.txt
streamlit run app/ui/streamlit_app.py

Conclusion

The SNMP Authentication Manager demonstrates how targeted tools can bridge functionality gaps in network automation platforms. By addressing the specific need to retrieve hashed SNMP keys, we've enabled more complete automation workflows that would otherwise require manual steps.

This solution maintains security best practices by working with the hashed keys rather than requiring plaintext alternatives, ensuring that sensitive authentication data remains protected even as it's incorporated into automation processes.