Decide on your security needs—community-based or user-based
If you are satisfied with the security of your existing configuration, you can continue to use community-based security with no migration. If you want to take advantage of the User-based Security Model (USM) or the View-based Access Control Model (VACM), or if some of your SNMP managers use SNMPv3, you need to migrate your configuration. Note that USM can be used only when both the SNMP agent and the manager requesting the data support USM, as the z/OS® Communications Server SNMP agent and the snmp command do. VACM can be used even for community-based requests, but doing so requires migrating the existing community name and trap destination definitions in PW.SRC and SNMPTRAP.DEST to SNMPD.CONF.
Even if your managers continue to be community-based, there are important advantages to migrating your PW.SRC information to SNMPD.CONF format:
- Lets you apply the access control mechanism provided with SNMPv3 (VACM) to community-based security.
- Provides the ability to dynamically configure the z/OS SNMP agent using MIBs.
- Provides a way of easing into SNMPv3 user-based security.
- Does not require any changes to the manager configuration.

The following tables list the advantages and disadvantages of using each type of security.

SNMPv1/SNMPv2c advantages | SNMPv3 disadvantages |
---|---|
Widely implemented on many platforms. | Not yet implemented on many platforms. |
Easy to configure. | More robust configuration options. |

SNMPv1/SNMPv2c disadvantages | SNMPv3 advantages |
---|---|
Legacy standards-based administrative model. | New standards-based administrative model. |
SNMPv1 and SNMPv2c allow particular IP addresses to access all data or no data. | SNMPv3 allows a particular user to access particular data. |
Not very robust (password sent in PDU). | Robust (data integrity and data origin authentication). |
Any user that can read data can also change the data (for objects defined as read-write). | The ability to change data can be limited to specific users. |
No data confidentiality. | Encryption available. |
Configuration changes require restarting of SNMP agent. | Configuration changes for USM and VACM can be made dynamically, either locally or remotely. |

For more information about security, see Creating user keys.