SNMPv3 authentication keys

SNMPv3 requests are normally authenticated before the agent processes them. The exception is a request sent at the noAuth (noAuthNoPriv) security level, which carries no authentication at all.

When authenticating a request, the SNMP agent does not receive the authentication key itself; the key is never transmitted. The manager uses its copy of the key to compute a keyed message digest (an HMAC) over the request and places the digest in the message. The agent recomputes the digest with the authentication key it holds for that user and processes the request only if the two digests match.

When a request is issued from the SNMP manager, the clsnmp command uses the authentication key found on an entry in the /etc/clsnmp.conf file on the SNMP manager. That key must be derived from the same password as the authentication key specified on the USM_USER entry for that user in the SNMP agent's /etc/snmpdv3.conf file; otherwise the two sides compute different digests and the request is rejected. Authentication keys are generated using the pwtokey command.

The authentication key is generated from two pieces of information:
  • The specified password
  • The identification of the SNMP agent at which the key will be used. If the agent is an IBM® agent, and its engineID was generated using the vendor-specific engineID formula, the agent may be identified by IP address or host name. Otherwise, the engineID must be provided as the agent identification.

A key that incorporates the identification of the agent at which it will be used is called a localized key. Because the agent's engineID is mixed into the key, a localized key can be used only at that agent, even if the same user and password are configured on other agents. A key that does not incorporate the engineID of the agent at which it will be used is called non-localized; it is the same for every agent and is effectively equivalent to the password.

Keys stored in the clsnmp command's configuration file, /etc/clsnmp.conf, are expected to be non-localized keys; clsnmp localizes them for the target agent when it sends a request. Keys stored in the SNMP agent's configuration file, /etc/snmpdv3.conf, can be either localized or non-localized. Localized keys are considered more secure: if an agent's configuration file is compromised, a localized key exposes only that agent, whereas a non-localized key can be used to authenticate to every agent on which that user has the same password.
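The following Python is an added example, not code from this page or from the AIX clsnmp, snmpd or pwtokey implementations. It reproduces the USM key handling described above: deriving a non-localized key from a password (the RFC 3414 password-to-key algorithm), localizing it with the agent's engineID, and the HMAC-96 digest check the agent performs. The password and engineID are the RFC 3414 Appendix A test vectors, the message bytes are a constructed placeholder rather than a real BER-encoded SNMPv3 packet, and the function names are this example's own.

```python
"""RFC 3414 USM key derivation and HMAC-96 authentication (added example)."""
import hashlib
import hmac

AUTH_PARAMS_LEN = 12  # HMAC-MD5-96 and HMAC-SHA-96 both truncate to 12 bytes


def password_to_key(password: bytes, hash_name: str = "md5") -> bytes:
    """Non-localized key Ku (RFC 3414 A.2): hash 1 MiB of the password
    repeated back-to-back. Independent of any agent, so it is the same
    everywhere the password is used."""
    if not password:
        raise ValueError("empty password")
    reps, rem = divmod(1 << 20, len(password))
    return hashlib.new(hash_name, password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Localized key Kul = H(Ku || snmpEngineID || Ku). Valid only at the
    agent whose engineID was mixed in."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def auth_params(kul: bytes, message: bytes, offset: int, hash_name: str = "md5") -> bytes:
    """msgAuthenticationParameters: HMAC over the whole message with the
    12-byte parameters field zeroed, truncated to 12 bytes."""
    zeroed = message[:offset] + b"\x00" * AUTH_PARAMS_LEN + message[offset + AUTH_PARAMS_LEN:]
    return hmac.new(kul, zeroed, hash_name).digest()[:AUTH_PARAMS_LEN]


def manager_sign(ku: bytes, agent_engine_id: bytes, template: bytes, offset: int,
                 hash_name: str = "md5") -> bytes:
    """Manager side (what clsnmp does with a non-localized key): localize Ku
    for the target agent and fill in the parameters field of the message."""
    kul = localize_key(ku, agent_engine_id, hash_name)
    tag = auth_params(kul, template, offset, hash_name)
    return template[:offset] + tag + template[offset + AUTH_PARAMS_LEN:]


def agent_verify(kul: bytes, message: bytes, offset: int, hash_name: str = "md5") -> bool:
    """Agent side: recompute the digest with the agent's own copy of the
    user's localized key and compare in constant time. The key is never
    present in the message; only the digest is."""
    received = message[offset:offset + AUTH_PARAMS_LEN]
    return hmac.compare_digest(received, auth_params(kul, message, offset, hash_name))


# Constructed placeholder for an SNMPv3 message: header, zeroed parameters
# field, scoped PDU. Not BER; only the field layout matters here.
MSG_HEADER = b"SNMPv3-header|"
PARAMS_OFFSET = len(MSG_HEADER)
MSG_TEMPLATE = MSG_HEADER + b"\x00" * AUTH_PARAMS_LEN + b"|scopedPDU:get sysDescr.0"

# RFC 3414 Appendix A test vector inputs (assumed engineIDs for two agents).
PASSWORD = b"maplesyrup"
ENGINE_A = bytes.fromhex("000000000000000000000002")
ENGINE_B = bytes.fromhex("000000000000000000000003")  # a second, different agent


def demo(hash_name: str = "md5") -> dict:
    """Walk through both sides of the exchange and report the outcomes."""
    ku = password_to_key(PASSWORD, hash_name)           # /etc/clsnmp.conf key
    kul_a = localize_key(ku, ENGINE_A, hash_name)        # agent A's USM_USER key
    kul_b = localize_key(ku, ENGINE_B, hash_name)        # agent B's USM_USER key
    signed = manager_sign(ku, ENGINE_A, MSG_TEMPLATE, PARAMS_OFFSET, hash_name)
    tampered = signed.replace(b"sysDescr", b"sysName!")
    return {
        "ku": ku.hex(),
        "kul_a": kul_a.hex(),
        "keys_differ_per_agent": kul_a != kul_b,
        "accepted_at_a": agent_verify(kul_a, signed, PARAMS_OFFSET, hash_name),
        "accepted_at_b": agent_verify(kul_b, signed, PARAMS_OFFSET, hash_name),
        "tampered_accepted": agent_verify(kul_a, tampered, PARAMS_OFFSET, hash_name),
    }


if __name__ == "__main__":
    for name in ("md5", "sha1"):
        print(name, demo(name))
```

The same localized key derived here for agent A is what you would place on the USM_USER entry in agent A's /etc/snmpdv3.conf; the non-localized Ku is what /etc/clsnmp.conf holds. The demo shows why the localized form limits exposure: a request signed for agent A fails verification at agent B even though both agents were configured from the same password, and any change to the message body invalidates the digest.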

As an alternative to storing authentication keys in the client configuration file, the clsnmp command allows user passwords to be stored. If the clsnmp command is configured with a password, it generates the authentication key (and a privacy key if requested, and if the encrypted version is installed) for the user at run time. The keys it generates must produce the same authentication values as the keys configured for the USM_USER in the agent's /etc/snmpdv3.conf file or configured dynamically with SNMP SET commands. However, storing passwords in the client configuration file is considered less secure than storing keys: a password can be turned into a key for any agent, whereas a stored key cannot be turned back into the password.