IBM Tivoli Network Manager stores all snmp passwords in ncim. snmp version 1 and 2 passwords are moved to snmpV1Sec. snmp version 3 passwords are moved to snmpV3Sec. But how do you find which password was used successfully in the discovery?
The starting place for consistency is to use OQL. Whether your ncim database is DB2, Oracle, Informix or Mysql the OQL connection from the ITNM server is the best.
Documentation on NCIM OQL query
Armed with the IP address you are attempting to learn the snmp password for, take a look at this query.
[netcool@itnm:/opt/IBM/tivoli/netcool/precision/bin] $ pwd
/opt/IBM/tivoli/netcool/precision/bin
[netcool@itnm:/opt/IBM/tivoli/netcool/precision/bin] $ ./ncp_oql -username ncim -password pass4ncim -service ncim -domain NCOMS -dbId NCMONITOR
ncp_oql ( IBM Tivoli Network Manager OQL Interface )
Copyright (C) 1997 - 2010 By IBM Corporation. All Rights Reserved. See product license for details.
IBM Tivoli Network Manager Version 3.9 (Build 97) created by ncpbuild at 14:30:50 Wed Aug 29 BST 2012
Connected to Oracle DB schema NCMONITOR
|itnm:1.> select s.netaddr, v1.community, v1.accessid from snmpTarget s left join snmpV1Sec v1 on v1.accessid = s.readaccessid where s.netaddr = '9.48.205.210';
|itnm:2.> go
{
NETADDR='9.48.205.210';
COMMUNITY='@44:LJz5cEHRmJY3/YMCvBA+YAk6BaKiyvKuOEesiyPJFb4=@';
ACCESSID=1;
}
1 rows(s)
|itnm:1.>
[netcool@itnm:/opt/IBM/tivoli/netcool/precision/bin] $ ./ncp_crypt -decrypt -password @44:LJz5cEHRmJY3/YMCvBA+YAk6BaKiyvKuOEesiyPJFb4=@
ncp_crypt ( IBM Tivoli Network Manager Password Encryption/Decryption Tool )
Copyright (C) 1997 - 2010 By IBM Corporation. All Rights Reserved. See product license for details.
IBM Tivoli Network Manager Version 3.9 (Build 97) created by ncpbuild at 14:30:50 Wed Aug 29 BST 2012
@44:LJz5cEHRmJY3/YMCvBA+YAk6BaKiyvKuOEesiyPJFb4=@ 'public'
[netcool@itnm:/opt/IBM/tivoli/netcool/precision/bin] $
The successful password stored in ncim for this IP address is highlighted above, public
The above query was used against an Oracle ncim, but could have been used against any ncim, which is what makes this type of query the most desirable.
It is possible to direct query the information from ncim. Here is an example of a direct query into Informix, where the database structure is different and no reference to NCMONITOR database is necessary.
-bash-3.00# dbaccess - -
> connect to 'itnm' user 'ncim';
ENTER PASSWORD:
Connected.
> select s.netaddr, s.domain, v1.community from snmpTarget s left join snmpV1Sec v1 on v1.accessid = s.readaccessid where s.netaddr = '9.48.132.172';
netaddr 9.48.132.172
domain ZCOM39
community @44:xcMhI0F1F1+YYBMvAEDfpcQJkw8TpgsCOpE1MBHn8E8=@
-bash-3.00# ./ncp_crypt -decrypt -password @44:xcMhI0F1F1+YYBMvAEDfpcQJkw8TpgsCOpE1MBHn8E8=@
ncp_crypt ( IBM Tivoli Network Manager Password Encryption/Decryption Tool )
Copyright (C) 1997 - 2010 By IBM Corporation. All Rights Reserved. See product license for details.
IBM Tivoli Network Manager Version 3.9 (Build 97) created by ncpbuild at 22:06:25 Wed Feb 15 GMT 2012
@44:xcMhI0F1F1+YYBMvAEDfpcQJkw8TpgsCOpE1MBHn8E8=@ 'public'
-bash-3.00#
Although the direct query is also valid, remember
Different access tools might be needed for the direct query, like SqlPlus, or dbaccess.
Database structure is different, even though the password is saved within the ncmonitor database.
ncp_crypt -decrypt must be run on the server where ITNM is running. If your database is remote to the ITNM server, decrypt the encrypted password back on the ITNM server.
Tags: 
snmptarget
itnm
ncp_crypt