Creating users in SNMPv3
This scenario shows how to create a user in SNMPv3 by manually editing the /etc/snmpdv3.conf and /etc/clsnmp.conf files.
User u1 will be created in this scenario. User u1 will be given authentication keys, but will not be given privacy keys (which are available only if you have the snmp.crypto fileset installed). The HMAC-MD5 protocol will be used to create u1's authentication keys. After u1 is configured, it will be put into a group, after which that group will have its view and access permissions defined. Finally, trap entries for u1 will be created.
Each individual value used in the /etc/snmpdv3.conf and /etc/clsnmp.conf files must not exceed 32 bytes.
- The information in this how-to scenario was tested using specific versions of AIX®. The results you obtain might vary significantly depending on your version and level of AIX.
Step 1. Create the user
- Decide which authentication protocol you want to use, either HMAC-MD5 or HMAC-SHA. In this scenario, HMAC-MD5 will be used.
- Generate the authentication keys by using the pwtokey command. Your output may look different based on the authentication protocol you are using and on whether you are using privacy keys. These keys will be used in the /etc/snmpdv3.conf and /etc/clsnmp.conf files. The command used for user u1 follows:
pwtokey -p HMAC-MD5 -u auth anypassword 9.3.230.119
The IP address specified is the IP address where the agent is running. The password can be any password, but be sure to save it in a secure place for future use. The output should look similar to the following:
Display of 16 byte HMAC-MD5 authKey:
63960c12520dc8829d27f7fbaf5a0470
Display of 16 byte HMAC-MD5 localized authKey:
b3b6c6306d67e9c6f8e7e664a47ef9a0
- With root authority, open the /etc/snmpdv3.conf file with your favorite text editor.
- Create a user by adding a USM_USER entry following the format given in the file. The authKey value will be the localized authentication key that was generated using the pwtokey command. The entry for user u1 follows:
#---------------------------------------------------------------------------
# USM_USER entries
# Defines a user for the User-based Security Model (USM).
# Format is:
# userName engineID authProto authKey privProto privKey keyType storageType
#
USM_USER u1 - HMAC-MD5 b3b6c6306d67e9c6f8e7e664a47ef9a0 - - L -
#----------------------------------------------------------------------------
userName is the name of the user. In this case, it is u1.
authProto must be the protocol that you used when you created the keys. In this case, it is HMAC-MD5.
authKey is the localized authentication key that was created using the pwtokey command.
privProto and privKey are not specified because we are not using the privacy keys in this scenario.
keyType is L because we are using the localized authentication key.
- Save and close the /etc/snmpdv3.conf file.
- Open the /etc/clsnmp.conf file on the SNMP manager with your favorite text editor.
- Add the new user according to the format given in the file. The entry for u1 follows:
#----------------------------------------------------------------------------------------------------
#
# Format of entries:
# winSnmpName targetAgent admin secName password context secLevel authProto authKey privProto privKey
#
user1 9.3.230.119 SNMPv3 u1 - - AuthNoPriv HMAC-MD5 63960c12520dc8829d27f7fbaf5a0470 - -
#----------------------------------------------------------------------------------------------------
winSnmpName can be any value. This value will be used when making SNMP requests using the clsnmp command.
targetAgent is the IP address where the agent is running, which was also used in creating the authentication keys.
admin is set to SNMPv3 because we will be sending SNMPv3 requests.
secName is the name of the user that you are creating. In this case, it is u1.
secLevel is set to AuthNoPriv because it is being configured to use authentication but not privacy (as a result, there are no values for privProto and privKey).
authProto is set to the authentication protocol that was used in creating the authentication keys.
authKey is the non-localized key that was generated by the pwtokey command.
- Save and close the /etc/clsnmp.conf file.
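The two keys that pwtokey printed in Step 1 are the RFC 3414 password-to-key result (the authKey, which goes into clsnmp.conf on the manager) and its localization to the agent's engine ID (the localized authKey, which goes into snmpdv3.conf on the agent). The following Python script is an added example, not part of the AIX documentation or of the pwtokey command; it derives both keys for HMAC-MD5 and HMAC-SHA. How AIX builds the engine ID from the IP address given to pwtokey is not shown on this page, so the engine ID is an explicit parameter, and the sample input is the test vector from RFC 3414 appendix A.3 rather than the scenario's own password and keys.

```python
import hashlib

# RFC 3414 A.2: the password is repeated until exactly 1 MiB has been hashed.
ONE_MIB = 1048576
HASH_FOR_PROTO = {"HMAC-MD5": "md5", "HMAC-SHA": "sha1"}


def password_to_key(password: bytes, hash_name: str = "md5") -> bytes:
    """Non-localized key Ku: the 'authKey' that pwtokey prints first."""
    if not password:
        raise ValueError("password must not be empty")
    stream = (password * (ONE_MIB // len(password) + 1))[:ONE_MIB]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Localized key Kul = H(Ku || engineID || Ku): the 'localized authKey'."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def derive_keys(password: str, engine_id: bytes, proto: str = "HMAC-MD5") -> dict:
    """Return both keys as lowercase hex, the way pwtokey displays them."""
    hash_name = HASH_FOR_PROTO[proto]
    ku = password_to_key(password.encode(), hash_name)
    return {
        "authKey": ku.hex(),
        "localizedAuthKey": localize_key(ku, engine_id, hash_name).hex(),
    }


# Constructed input: the RFC 3414 appendix A.3 test vector (password
# "maplesyrup", engineID 00 00 00 00 00 00 00 00 00 00 00 02). This is
# not the scenario's password or the engine ID of the agent at 9.3.230.119.
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")

if __name__ == "__main__":
    for proto in ("HMAC-MD5", "HMAC-SHA"):
        keys = derive_keys("maplesyrup", RFC_ENGINE_ID, proto)
        print(proto, "authKey:          ", keys["authKey"])
        print(proto, "localized authKey:", keys["localizedAuthKey"])
```

Localization is what makes the agent-side key safe to keep on the agent: a localized key copied out of one snmpdv3.conf only works against that engine ID, whereas the non-localized authKey in clsnmp.conf is equivalent to the password for every agent it was derived for and must be protected like the password itself.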
Step 2. Configure the group
The user must now be placed in a group. If you already have a group that is configured with all of the view and access permissions that you want to give this user, you can put this user in that group. If you want to give this user view and access permissions that no other groups have, or if you do not have any groups configured, create a group and add this user to it.
- Add a VACM_GROUP entry in the /etc/snmpdv3.conf file. The group entry for u1 follows:
#--------------------------------------------------------------
# VACM_GROUP entries
# Defines a security group (made up of users or communities)
# for the View-based Access Control Model (VACM).
# Format is:
# groupName securityModel securityName storageType
VACM_GROUP group1 USM u1 -
#--------------------------------------------------------------
groupName can be any name. It becomes the name of your group. In this case, it is group1.
securityModel is set to USM, which takes advantage of the SNMPv3 security features.
securityName is the name of the user. In this case, it is u1.
Step 3. Configure view and access permissions
The view and access permissions must be set for the new group that was just created. These permissions are set by adding VACM_VIEW and VACM_ACCESS entries to the /etc/snmpdv3.conf file.
- Decide what view and access permissions you want the new group to have.
- Add VACM_VIEW entries to the /etc/snmpdv3.conf file to define what MIB objects the group can access. In this scenario, group1 will have access to the interfaces, tcp, icmp, and system MIB subtrees. However, we will restrict group1's access to the sysObjectID MIB variable within the system MIB subtree.
#----------------------------------------------------------------
# VACM_VIEW entries
# Defines a particular set of MIB data, called a view, for the
# View-based Access Control Model.
# Format is:
# viewName viewSubtree viewMask viewType storageType
VACM_VIEW group1View interfaces - included -
VACM_VIEW group1View tcp - included -
VACM_VIEW group1View icmp - included -
VACM_VIEW group1View system - included -
VACM_VIEW group1View sysObjectID - excluded -
#----------------------------------------------------------------
viewName is the name of the view. In this scenario, it is group1View.
viewSubtree is the MIB subtree that you want to give access to.
viewType determines whether the MIB subtrees defined are included in the view. In this case, all subtrees are included, but the MIB variable sysObjectID, which is part of the system subtree, is excluded.
- Add a VACM_ACCESS entry to the /etc/snmpdv3.conf file to define the permissions that the group has to the MIB objects specified above. For group1, read-only access is given.
#-----------------------------------------------------------------------------------------------------------
# VACM_ACCESS entries
# Identifies the access permitted to different security groups
# for the View-based Access Control Model.
# Format is:
# groupName contextPrefix contextMatch securityLevel securityModel readView writeView notifyView storageType
VACM_ACCESS group1 - - AuthNoPriv USM group1View - group1View -
#-----------------------------------------------------------------------------------------------------------
groupName is the name of the group. In this case, it is group1.
securityLevel is the level of security that is being used. In this scenario, authentication keys are used but not privacy keys. The value is therefore set to AuthNoPriv.
securityModel is the security model that you are using (SNMPv1, SNMPv2c, or USM). In this scenario, it is set to USM to allow the SNMPv3 security features to be used.
readView determines which VACM_VIEWs the group has read access to. In this scenario, group1View is given, which gives group1 read access to the group1View VACM_VIEW entries.
writeView determines which VACM_VIEWs the group has write access to. In this scenario, no write access is given to group1.
notifyView specifies the name of the view to be applied when a trap is performed under control of the entry in the access table.
Note: In some cases, multiple VACM_ACCESS entries for one group may be necessary. If users in the group have different authentication and privacy settings (noAuthNoPriv, AuthNoPriv, or AuthPriv), multiple VACM_ACCESS entries are required with the securityLevel parameter set accordingly.
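To see how the included and excluded VACM_VIEW entries above combine into one view, here is a small Python evaluator. It is an added example, not part of the AIX documentation or of snmpd; it applies the RFC 3415 rule that the most specific (longest) matching subtree decides whether an object is in the view. The page refers to subtrees by name only, so the mapping of those names to their standard MIB-2 object identifiers is an assumption made here, and the viewMask column is taken as '-' (full match), as in the scenario.

```python
# Standard MIB-2 object identifiers for the symbolic subtree names used in
# this scenario (assumed mapping; the AIX file refers to them by name).
MIB_NAMES = {
    "system": "1.3.6.1.2.1.1",
    "sysObjectID": "1.3.6.1.2.1.1.2",
    "interfaces": "1.3.6.1.2.1.2",
    "icmp": "1.3.6.1.2.1.5",
    "tcp": "1.3.6.1.2.1.6",
}

# Constructed copy of the scenario's VACM_VIEW lines.
VIEW_LINES = """\
VACM_VIEW group1View interfaces - included -
VACM_VIEW group1View tcp - included -
VACM_VIEW group1View icmp - included -
VACM_VIEW group1View system - included -
VACM_VIEW group1View sysObjectID - excluded -
"""


def to_oid(name_or_oid):
    """Resolve a symbolic name or dotted string to a tuple of sub-identifiers."""
    dotted = MIB_NAMES.get(name_or_oid, name_or_oid)
    try:
        return tuple(int(part) for part in dotted.split("."))
    except ValueError:
        raise ValueError(f"unknown MIB name {name_or_oid!r}") from None


def parse_views(text):
    """Map viewName -> list of (subtree, viewType) from VACM_VIEW lines."""
    views = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 6 and fields[0] == "VACM_VIEW":
            _, view_name, subtree, _mask, view_type, _storage = fields
            views.setdefault(view_name, []).append((to_oid(subtree), view_type))
    return views


def oid_in_view(views, view_name, oid):
    """RFC 3415: among the subtrees that are prefixes of the OID, the longest
    one wins; if none matches, the object is outside the view."""
    target = to_oid(oid)
    best = None
    for subtree, view_type in views.get(view_name, []):
        if target[: len(subtree)] == subtree and (
            best is None or len(subtree) > len(best[0])
        ):
            best = (subtree, view_type)
    return best is not None and best[1] == "included"


if __name__ == "__main__":
    views = parse_views(VIEW_LINES)
    for name, oid in [
        ("sysDescr.0", "1.3.6.1.2.1.1.1.0"),
        ("sysObjectID.0", "1.3.6.1.2.1.1.2.0"),
        ("ifNumber.0", "1.3.6.1.2.1.2.1.0"),
        ("ipForwarding.0", "1.3.6.1.2.1.4.1.0"),
    ]:
        verdict = "in" if oid_in_view(views, "group1View", oid) else "NOT in"
        print(f"{name:15} {verdict} group1View")
```

Running it shows sysDescr.0 inside the view through the system entry, sysObjectID.0 excluded because the longer sysObjectID subtree overrides system, ifNumber.0 included through interfaces, and ipForwarding.0 outside the view because no entry covers the ip subtree at all.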
Step 4. Configure trap entries for the user
Trap entries in SNMPv3 are created by adding NOTIFY, TARGET_ADDRESS and TARGET_PARAMETERS entries to the /etc/snmpdv3.conf file. The TARGET_ADDRESS entry will specify where you want the traps to be sent, and the TARGET_PARAMETERS entry will map the TARGET_ADDRESS information to group1.
A NOTIFY entry has been configured by default. Following is the default NOTIFY entry:
NOTIFY notify1 traptag trap -
In this scenario, we use the value that is specified in the default entry, traptag.
- Add a TARGET_ADDRESS entry to specify where you want traps to be sent.
#-------------------------------------------------------------------------------------
# TARGET_ADDRESS
# Defines a management application's address and parameters
# to be used in sending notifications.
# Format is:
# targetAddrName tDomain tAddress tagList targetParams timeout retryCount storageType
#-------------------------------------------------------------------------------------
TARGET_ADDRESS Target1 UDP 9.3.207.107 traptag trapparms1 - - -
targetAddrName can be any name. In this scenario, we used Target1.
tAddress is the IP address where the traps for the group should be sent.
tagList is the name configured in the NOTIFY entry. In this scenario, it is traptag.
targetParams can be any value. We used trapparms1, which will be used in the TARGET_PARAMETERS entry.
- Add a TARGET_PARAMETERS entry.
#-------------------------------------------------------------------------
# TARGET_PARAMETERS
# Defines the message processing and security parameters
# to be used in sending notifications to a particular management target.
# Format is:
# paramsName mpModel securityModel securityName securityLevel storageType
#-------------------------------------------------------------------------
TARGET_PARAMETERS trapparms1 SNMPv3 USM u1 AuthNoPriv -
paramsName is the same as the targetParams value in the TARGET_ADDRESS entry, which, in this case, is trapparms1.
mpModel is the version of SNMP being used.
securityModel is the security model that you are using (SNMPv1, SNMPv3, or USM). In this scenario, it is set to USM to allow the SNMPv3 security features to be used.
securityName is the user name specified in the USM_USER entry, which, in this case, is u1.
securityLevel is set to AuthNoPriv because we are using authentication keys but not privacy keys.
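Because snmpd must be stopped and restarted for every change, and a mis-referenced name only shows up later as a failed clsnmp walk or a trap that silently never arrives, it is worth cross-checking the entries before restarting. The Python checker below is an added example, not an AIX tool. It parses the entry types used in this scenario from a constructed copy of the scenario's own lines (field positions follow the Format comments shown above), and verifies that every user, group, view, tag and params name referenced by another entry exists; that each group's VACM_ACCESS securityLevel is reachable by its members, which is the situation the note in Step 3 describes; that a TARGET_PARAMETERS securityLevel does not ask more of the user than its keys allow; and that no value exceeds the 32-byte limit stated at the top of the page.

```python
LEVELS = {"noAuthNoPriv": 0, "AuthNoPriv": 1, "AuthPriv": 2}
MAX_FIELD_BYTES = 32  # per-value limit stated on the page

# Constructed copy of this scenario's snmpdv3.conf entries plus the default
# NOTIFY entry; the key is the page's localized authKey.
SCENARIO_CONF = """\
USM_USER u1 - HMAC-MD5 b3b6c6306d67e9c6f8e7e664a47ef9a0 - - L -
VACM_GROUP group1 USM u1 -
VACM_VIEW group1View interfaces - included -
VACM_VIEW group1View tcp - included -
VACM_VIEW group1View icmp - included -
VACM_VIEW group1View system - included -
VACM_VIEW group1View sysObjectID - excluded -
VACM_ACCESS group1 - - AuthNoPriv USM group1View - group1View -
NOTIFY notify1 traptag trap -
TARGET_ADDRESS Target1 UDP 9.3.207.107 traptag trapparms1 - - -
TARGET_PARAMETERS trapparms1 SNMPv3 USM u1 AuthNoPriv -
"""


def parse_conf(text):
    """Map entry type -> list of field lists, ignoring comments and blanks."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            fields = line.split()
            entries.setdefault(fields[0], []).append(fields[1:])
    return entries


def user_max_level(user):
    # userName engineID authProto authKey privProto privKey keyType storageType
    if user[2] == "-":
        return "noAuthNoPriv"
    return "AuthNoPriv" if user[4] == "-" else "AuthPriv"


def check_conf(text):
    """Return a list of human-readable problems; an empty list means consistent."""
    e = parse_conf(text)
    problems = []
    users = {f[0]: f for f in e.get("USM_USER", [])}
    views = {f[0] for f in e.get("VACM_VIEW", [])}
    groups, access = {}, {}
    for f in e.get("VACM_GROUP", []):          # groupName securityModel securityName
        groups.setdefault(f[0], []).append((f[1], f[2]))
    for f in e.get("VACM_ACCESS", []):
        access.setdefault(f[0], []).append(f)
    params = {f[0]: f for f in e.get("TARGET_PARAMETERS", [])}
    notify_tags = {f[1] for f in e.get("NOTIFY", [])}  # notifyName tag type storage

    for kind, rows in e.items():
        for row in rows:
            for value in row:
                if len(value.encode()) > MAX_FIELD_BYTES:
                    problems.append(f"{kind}: value {value!r} exceeds 32 bytes")
    for gname, members in groups.items():
        for model, sname in members:
            if model == "USM" and sname not in users:
                problems.append(f"VACM_GROUP {gname}: no USM_USER {sname}")
        if gname not in access:
            problems.append(f"VACM_GROUP {gname}: no VACM_ACCESS entry")
    for gname, rows in access.items():
        if gname not in groups:
            problems.append(f"VACM_ACCESS {gname}: no such VACM_GROUP")
        for f in rows:
            # groupName ctxPrefix ctxMatch securityLevel securityModel readView writeView notifyView
            for label, vname in (("readView", f[5]), ("writeView", f[6]), ("notifyView", f[7])):
                if vname != "-" and vname not in views:
                    problems.append(f"VACM_ACCESS {gname}: {label} {vname} is not a VACM_VIEW")
        # An entry applies to a request at or above its securityLevel, so a
        # member can use the group only if some entry sits at or below its level.
        entry_levels = [LEVELS[f[3]] for f in rows if f[3] in LEVELS]
        for model, sname in groups.get(gname, []):
            if model == "USM" and sname in users:
                lvl = user_max_level(users[sname])
                if not any(l <= LEVELS[lvl] for l in entry_levels):
                    problems.append(f"VACM_ACCESS {gname}: no entry usable by {sname} at {lvl}")
    for f in e.get("TARGET_ADDRESS", []):
        # targetAddrName tDomain tAddress tagList targetParams timeout retryCount storage
        if f[3] not in notify_tags:
            problems.append(f"TARGET_ADDRESS {f[0]}: tagList {f[3]} matches no NOTIFY entry")
        if f[4] not in params:
            problems.append(f"TARGET_ADDRESS {f[0]}: targetParams {f[4]} has no TARGET_PARAMETERS entry")
    for pname, f in params.items():
        # paramsName mpModel securityModel securityName securityLevel storageType
        if f[2] == "USM":
            if f[3] not in users:
                problems.append(f"TARGET_PARAMETERS {pname}: no USM_USER {f[3]}")
            elif LEVELS.get(f[4], 9) > LEVELS[user_max_level(users[f[3]])]:
                problems.append(f"TARGET_PARAMETERS {pname}: securityLevel {f[4]} exceeds what {f[3]} can provide")
    return problems


if __name__ == "__main__":
    for problem in check_conf(SCENARIO_CONF) or ["no problems found"]:
        print(problem)
```

On the scenario as written the checker reports nothing. Changing the VACM_ACCESS securityLevel to AuthPriv while u1 has no privacy keys, or pointing TARGET_PARAMETERS at a user that has no USM_USER entry, produces a one-line report naming the entry at fault, which is quicker to act on than a failed walk after the restart.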
Step 5. Stop and start the snmpd daemon
After making changes to the /etc/snmpdv3.conf file, stop and then start the snmpd daemon.
- Type the following command to stop the snmpd daemon:
stopsrc -s snmpd
- Type the following command to start the snmpd daemon:
startsrc -s snmpd
The new settings will now take effect.
refresh -s snmpd will not work as it did in SNMPv1. If you make changes to the /etc/snmpdv3.conf file, you must stop and start the daemon as instructed above. The dynamic configuration function supported in SNMPv3 will not allow you to refresh.
Step 6. Test your configuration
To test the configuration, run the clsnmp command on the manager using the winSnmpName that was defined in /etc/clsnmp.conf in Step 1:
clsnmp -h user1 walk mib
where mib is a MIB subtree to which the user has access. In this scenario, it could be interfaces, tcp, icmp, or system. If the configuration is correct, you will see the information from the specified subtree.
If you did not get the correct output, review the steps in this document and verify that you have entered all information correctly.