Question & Answer
How do I configure SNMPv3 on the IBM i?
Starting at IBM i R710, SNMPv3 support was added to the existing SNMP capability, which supported SNMPv1 and SNMPv2. (Note: IBM i supports SNMPv2; however, it does not support SNMPv2c, the variant that became the de facto SNMPv2 standard.)
SNMPv3 is the current standard version of SNMP defined by the Internet Engineering Task Force (IETF). It primarily addresses the security shortcomings that led SNMPv1 and SNMPv2 to be considered deprecated: security was added in the form of user-based authentication and data privacy (encryption of message contents).
The user-based authentication and data privacy enhancements added by SNMPv3 are stored in a configuration file in the IFS directory and file: /QIBM/UserData/OS/SNMP/snmpd.conf
A sample version of this file is stored in the ProdData path. There is no need to edit the file directly as CL commands to add, change, and delete SNMP users are available.
SNMPv3 has some additional concepts and terminology to be considered and which you see referenced as you configure support for SNMPv3 on your system.
snmpEngine - Provides services for sending and receiving messages, authenticating and encrypting messages, and controlling access to managed objects.
snmpEngineID - Uniquely identifies the agent within an administrative domain. By default, the engine identifier is created by using a vendor-specific formula and incorporates the IP address of the agent. However, any engine identifier that is consistent with the snmpEngineID definition in RFC 3411 and that is also unique within the administrative domain can be specified.
snmpEngineBoots - Specifies the number of times the agent has restarted since the SNMP engine identifier was last changed.
User Based Security Model (USM) - The USM is responsible for authenticating, encrypting, and decrypting SNMP requests and responses.
Configuring SNMPv3 on the IBM i
Before you configure SNMPv3, we highly recommend ensuring the latest SNMP PTFs have been applied to the system to ensure you do not encounter issues or bugs already corrected by IBM.
Latest PTFs as of February 2020 are as follows:
- R710 - SI66626 (end of service)
- R720 - SI68842
- R730 - SI69158
- R740 - SI69366
SNMPv3 is not enabled by default on an R710 or later system. To enable it, change the SNMP attributes to allow SNMPv3 support and to generate an snmpEngineID:
CHGSNMPA ALWSNMPV3(*YES) SNMPENGID(*SYSGEN)
Note: SNMP will need to be restarted before this change becomes active. (ENDTCPSVR *SNMP, and then STRTCPSVR *SNMP).
After enabling SNMPv3, an extra option will be available from the CFGTCPSNMP menu to "Work with users for SNMP" (Option 3). Use this option, or the ADDUSRSNMP command, to add an SNMPv3 user. The user name may be dictated by your SNMP Manager administrator; if not, you need to inform the SNMP Manager administrator of the user name along with the authentication and privacy protocols configured and their respective passwords.
Note: There is absolutely no correlation between the SNMPv3 user that you create here and OS/400 user profiles. Although they might share a username, there is no link between them, and management of them is separate.
- The user name is case-sensitive and must contain between 1 and 32 characters. It cannot contain leading or embedded blanks.
- The authentication protocol can be SHA (*HMACSHA) or MD5 (*HMACMD5). It can also be set to *NONE so that no authentication is done for this user (sometimes useful for debugging). Authentication protects the identity of the user and the integrity of each message.
- The authentication password is used to generate the key that authenticates messages on behalf of this user and must be specified if the protocol is not *NONE. It is case-sensitive and must be 8 to 255 characters long.
- The privacy protocol can only be specified if an authentication protocol is being used, and it is optional: DES (*CBCDES) or *NONE if not required. Privacy encrypts SNMPv3 messages to ensure confidentiality of the data.
  NOTE: The AES protocol (*CFBAES) is also supported at V7R3M0. You will need to apply SI63091 or its superseding PTF for this protocol to work correctly at V7R3M0.
  Additional note: Some SNMP managers offer more specific privacy protocol choices. The IBM i AES protocol (*CFBAES) is equivalent to AES128 (some managers also offer AES192 and AES256). The IBM i DES protocol (*CBCDES) is equivalent to DES (some managers also offer 3DES).
- The privacy password is used to generate the key that encrypts messages to and from this user and must be specified if the privacy protocol is not *NONE. It is case-sensitive and must be 8 to 255 characters long.
- The key type should be left as the default of *LOCALIZED unless you are creating the SNMP user for use with the SNMP Manager APIs (where the IBM i sends requests to other SNMP agents). Support for SNMPv3 with the SNMP Manager APIs is available at R720 or later only.
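To show what the *LOCALIZED key type means in practice, here is an added Python example (not IBM code and not part of the original article) that implements the RFC 3414 appendix A.2 password-to-key and key-localization steps. The mapping of the IBM i protocol names (*HMACMD5, *HMACSHA, *CBCDES, *CFBAES) to RFC algorithms is this example's own; the "maplesyrup" values checked against it are the published RFC 3414 appendix A.3 test vectors, and the engine ID is the one used there.

```python
# Added example, not IBM i code: RFC 3414 appendix A.2 key derivation, which is what
# the ADDUSRSNMP "Key Type *LOCALIZED" parameter refers to. The IBM i protocol names
# are mapped to RFC algorithms by this example; that mapping is not an IBM API.
import hashlib

HASH_FOR_AUTH = {"*HMACMD5": "md5", "*HMACSHA": "sha1"}
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")  # appendix A.3 test engine ID


def password_to_key(password: str, hash_name: str) -> bytes:
    """Ku (RFC 3414 A.2): hash the password repeated cyclically until 1,048,576 bytes are consumed."""
    pw = password.encode()
    if len(pw) < 8:  # same lower bound ADDUSRSNMP enforces on both passwords
        raise ValueError("SNMPv3 passwords must be at least 8 characters")
    total = 1_048_576
    return hashlib.new(hash_name, (pw * (total // len(pw) + 1))[:total]).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the key the agent stores, valid only for that engine ID."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_user_keys(auth_protocol: str, auth_password: str, priv_protocol: str,
                  priv_password: str, engine_id: bytes) -> dict:
    """Derive what an agent keeps for one USM user whose Key Type is *LOCALIZED."""
    hash_name = HASH_FOR_AUTH[auth_protocol]
    auth_ku = password_to_key(auth_password, hash_name)
    keys = {"auth_ku": auth_ku, "auth_kul": localize_key(auth_ku, engine_id, hash_name)}
    if priv_protocol != "*NONE":
        # the privacy key is derived from the privacy password with the *authentication* hash
        priv_kul = localize_key(password_to_key(priv_password, hash_name), engine_id, hash_name)
        if priv_protocol == "*CBCDES":    # RFC 3414 8.1.1.1: 8-byte DES key, next 8 bytes pre-IV
            keys["priv_key"], keys["pre_iv"] = priv_kul[:8], priv_kul[8:16]
        elif priv_protocol == "*CFBAES":  # RFC 3826 3.1.2.1: first 128 bits are the AES key
            keys["priv_key"] = priv_kul[:16]
        else:
            raise ValueError("unknown privacy protocol " + priv_protocol)
    return keys


if __name__ == "__main__":
    # the snmpuser example from this page, derived against the RFC test engine ID
    for name, value in usm_user_keys("*HMACMD5", "3250bway", "*CBCDES", "savannah",
                                     RFC3414_ENGINE_ID).items():
        print(f"{name:8} {value.hex()}")
    # The same passwords against a different (constructed) engine ID give different localized
    # keys: this is why the engine ID must exist before users are added and must not change later.
    other_engine = RFC3414_ENGINE_ID[:-1] + b"\x03"
    print("different engine ID, different Kul:",
          usm_user_keys("*HMACMD5", "3250bway", "*NONE", "", other_engine)["auth_kul"].hex())
```

Because the stored key is bound to the snmpEngineID, the user must be added after SNMPv3 has been enabled and the agent restarted (when the engine ID is generated), and regenerating or changing the engine ID afterwards invalidates every user's keys; the manager, which holds the passwords, recomputes its copy during discovery.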
Example of Adding a SNMPv3 User
In this example, we create a user named snmpuser with the MD5 authentication protocol (*HMACMD5) and the authentication password '3250bway'. The DES privacy protocol (*CBCDES) is specified with the privacy password 'savannah'. MD5 and DES are the weakest of the supported choices; where your SNMP manager supports them, prefer *HMACSHA and, at R730 with the PTF noted above, *CFBAES. The passwords shown are sample values only.

===> ADDUSRSNMP

                          Add User for SNMP (ADDUSRSNMP)

Type choices, press Enter.

User Name . . . . . . . . . . . > snmpuser
Authentication protocol . . . . > *HMACMD5       *HMACSHA, *HMACMD5, *NONE
Authentication password . . . . > 3250bway
Privacy protocol  . . . . . . . > *CBCDES        *CBCDES, *NONE
Privacy password  . . . . . . . > savannah
Key Type  . . . . . . . . . . . > *LOCALIZED
Storage Type  . . . . . . . . . > *NONVOLATILE   *NONVOLATILE, *PERMANENT
Things to consider / Common issues
- Configuration changes to the SNMP agent will not take effect until SNMP has been restarted.
- Enabling SNMPv3 will not prevent the agent from processing requests from older versions of the protocol, so existing SNMPv1/SNMPv2 community access remains in force and still needs to be reviewed and restricted separately.
- The SNMP Engine ID gets generated after SNMPv3 has been enabled AND the agent restarted.
- Using an invalid Engine ID can prevent an SNMPv3 manager from communicating with the SNMPv3 agent. It can also prevent you from creating an SNMPv3 user. At R720, an invalid Engine ID will prevent the SNMP agent from starting. The recommendation is to use *SYSGEN to generate the Engine ID.
- Changing the SNMP engine boots parameter in CHGSNMPA while the agent is active may cause authentication failures.
- The user name and passwords in ADDUSRSNMP and CHGUSRSNMP are case-sensitive. Adding or changing SNMPv3 users is reflected in the snmpd.conf configuration file.
- The current implementation of SNMPv3 on releases V7R2M0 or earlier does not include support for AES ciphers to encrypt and decrypt SNMP messages (privacy protocol); AES is available at R730 (see the earlier note).
- Ensure the latest R720 or R730 SNMP PTFs are applied to allow support of SNMPv3 with the SNMP Manager APIs. There is no support for SNMPv3 with the SNMP Manager APIs at R710.
- Ensure the latest R710 or R720 PTFs are applied to support SNMP GETBULK requests to the IBM i. Support for the SNMPv3 GETBULK function in the R720 SNMPv3 manager APIs is provided via PTF SI55538.
- There is no correlation between an SNMPv3 user ID and an OS/400 user profile of the same name. They are completely separate entities.
- A discovery process occurs the first time an SNMPv3 manager tries to communicate with an SNMPv3 agent. During this process the SNMP manager discovers the agent's engineID and engineBoots values, and time synchronization between the two entities also occurs. This phase must complete successfully before any snmpGet, snmpGetNext, snmpWalk, or snmpGetBulk operation can be submitted to the agent.
  In certain cases where the SNMP manager does not follow the protocol defined in RFC 3414 section 4, the engineID discovery process will not complete and the IBM i SNMP agent will not respond. In other cases, where time synchronization is what prevents getting past the discovery phase, perform the steps below:
1. End the SNMP agent (ENDTCPSVR *SNMP) and SNMP manager.
2. Add the following system wide environment variable:
ADDENVVAR ENVVAR('QIBM_SNMPV3_AUTH') VALUE('1') LEVEL(*SYS)
3. Restart the SNMP agent (STRTCPSVR *SNMP) and SNMP manager.
- An issue has been discovered during SNMPv3 Engine ID discovery that prevents some SNMP managers from accepting the report PDU because the IBM i was returning the incorrect datatype for the usmStatsUnknownEngineIDs OID (see R730 APAR SE70033 or R720 APAR SE70360). Apply the latest PTF to correct this issue.
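The discovery exchange described above, as an added Python example (not IBM code and not part of the original article): both messages of the RFC 3414 section 4 exchange are hand-encoded in BER so they can be inspected byte by byte, and the manager-side parser applies the check that the datatype problem just mentioned trips, namely that the usmStatsUnknownEngineIDs varbind must carry a Counter32 value. The engine ID (the RFC 3414 appendix A.3 test value), boots, time and counter values are constructed sample data; nothing is sent on the network.

```python
# Added example, not IBM i code: the SNMPv3 engine-ID discovery exchange of RFC 3414
# section 4 in hand-encoded BER (message layout per RFC 3412, USM parameters per RFC 3414).
INTEGER, OCTET_STRING, OID, SEQUENCE = 0x02, 0x04, 0x06, 0x30
COUNTER32 = 0x41                      # APPLICATION 1: the type the usmStats counters must carry
GET_REQUEST, REPORT_PDU = 0xA0, 0xA8  # context tags [0] and [8] from the SNMPv2 PDU definitions
USM_STATS_UNKNOWN_ENGINE_IDS = "1.3.6.1.6.3.15.1.1.4.0"


def _length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _length(len(body)) + body


def enc_uint(tag: int, v: int) -> bytes:  # minimal encoding; all integers here are non-negative
    return tlv(tag, v.to_bytes(v.bit_length() // 8 + 1, "big"))


def enc_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out.extend(chunk)
    return tlv(OID, bytes(out))


def dec_oid(body: bytes) -> str:
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))


def read_tlv(buf: bytes, pos: int = 0):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def read_seq(body: bytes) -> list:
    items, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        items.append((tag, val))
    return items


def usm_params(engine_id: bytes, boots: int, time: int, user: bytes = b"") -> bytes:
    return tlv(OCTET_STRING, tlv(SEQUENCE, tlv(OCTET_STRING, engine_id) + enc_uint(INTEGER, boots)
               + enc_uint(INTEGER, time) + tlv(OCTET_STRING, user)
               + tlv(OCTET_STRING, b"") + tlv(OCTET_STRING, b"")))  # no auth/priv parameters


def snmpv3_message(msg_id: int, flags: bytes, sec_params: bytes, scoped_pdu: bytes) -> bytes:
    global_data = tlv(SEQUENCE, enc_uint(INTEGER, msg_id) + enc_uint(INTEGER, 65507)
                      + tlv(OCTET_STRING, flags) + enc_uint(INTEGER, 3))  # msgSecurityModel 3 = USM
    return tlv(SEQUENCE, enc_uint(INTEGER, 3) + global_data + sec_params + scoped_pdu)


def discovery_request(msg_id: int, request_id: int) -> bytes:
    """Manager side: noAuthNoPriv with the reportable flag set, empty engine ID and user, no varbinds."""
    pdu = tlv(GET_REQUEST, enc_uint(INTEGER, request_id) + enc_uint(INTEGER, 0)
              + enc_uint(INTEGER, 0) + tlv(SEQUENCE, b""))
    scoped = tlv(SEQUENCE, tlv(OCTET_STRING, b"") + tlv(OCTET_STRING, b"") + pdu)
    return snmpv3_message(msg_id, b"\x04", usm_params(b"", 0, 0), scoped)


def discovery_report(request: bytes, engine_id: bytes, boots: int, time: int,
                     counter: int, value_tag: int = COUNTER32) -> bytes:
    """Agent side: Report-PDU echoing msgID/request-id and revealing engineID, boots and time.
    value_tag defaults to Counter32; pass INTEGER to reproduce a wrongly typed report."""
    _, body, _ = read_tlv(request)
    _, global_data, _, scoped = read_seq(body)
    msg_id = int.from_bytes(read_seq(global_data[1])[0][1], "big")
    request_pdu = read_seq(scoped[1])[2]
    request_id = int.from_bytes(read_seq(request_pdu[1])[0][1], "big")
    varbind = tlv(SEQUENCE, enc_oid(USM_STATS_UNKNOWN_ENGINE_IDS) + enc_uint(value_tag, counter))
    pdu = tlv(REPORT_PDU, enc_uint(INTEGER, request_id) + enc_uint(INTEGER, 0)
              + enc_uint(INTEGER, 0) + tlv(SEQUENCE, varbind))
    scoped = tlv(SEQUENCE, tlv(OCTET_STRING, engine_id) + tlv(OCTET_STRING, b"") + pdu)
    return snmpv3_message(msg_id, b"\x00", usm_params(engine_id, boots, time), scoped)


def parse_report(report: bytes) -> dict:
    """Manager side: learn engineID/boots/time and apply the checks a strict manager insists on."""
    _, body, _ = read_tlv(report)
    _, _, sec_params, scoped = read_seq(body)
    usm = read_seq(read_tlv(sec_params[1])[1])
    ctx_engine_id, _, pdu = read_seq(scoped[1])
    varbinds = read_seq(read_seq(pdu[1])[3][1])
    oid_tlv, val_tlv = read_seq(varbinds[0][1])
    oid, engine_id = dec_oid(oid_tlv[1]), usm[0][1]
    return {"engine_id": engine_id, "boots": int.from_bytes(usm[1][1], "big"),
            "time": int.from_bytes(usm[2][1], "big"), "oid": oid, "value_tag": val_tlv[0],
            # RFC 3414 declares usmStatsUnknownEngineIDs as Counter32; any other tag is rejected
            "discovery_ok": (pdu[0] == REPORT_PDU and len(engine_id) > 0
                             and engine_id == ctx_engine_id[1]
                             and oid == USM_STATS_UNKNOWN_ENGINE_IDS and val_tlv[0] == COUNTER32)}


if __name__ == "__main__":  # constructed values: RFC 3414 A.3 engine ID, boots 3, time 120, counter 1
    req = discovery_request(msg_id=0x1234, request_id=0x4321)
    rep = discovery_report(req, bytes.fromhex("000000000000000000000002"), 3, 120, 1)
    print(req.hex(), rep.hex(), parse_report(rep), sep="\n")
```

When a manager and the IBM i agent stall at this phase, capturing the two datagrams and running the agent's reply through a parser like parse_report shows immediately whether the report carries a usable engine ID, whether the counter is typed as Counter32 (the APAR case above), or whether the manager never sent a conforming request in the first place (the RFC 3414 section 4 case above).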
At R730 only, it is now possible for the IBM i to support a single message exchange for SNMPv3 EngineID discovery and Time Synchronization. PTF SI68425 must be applied and the following steps acted upon:
Start the SNMP server with the command: STRTCPSVR *SNMP
Note: If this PTF is removed, the environment variable MUST be changed back to its previous value '1' or removed. This step is done by using the WRKENVVAR LEVEL(*SYS) command.
03 March 2020