IBM Support

IBM AIX: How to configure SNMPv3 Authenticated & Non-Encrypted (AuthNoPriv)

How To


Summary

This document covers the steps required to configure SNMPv3 Authenticated & Non-Encrypted (AuthNoPriv).

Important Note: SNMPv3 Non-Authenticated & Encrypted (noAuthPriv) is not supported.

Steps

Steps for SNMPv3 (AuthNoPriv):
 
1) Make sure that the snmpd daemon is linked to snmpdv3ne, as shown below:
# ls -l /usr/sbin/snmpd
lrwxrwxrwx    1 root     system           19 Nov 18 06:08 /usr/sbin/snmpd -> /usr/sbin/snmpdv3ne
If it is not, switch to it using the command below:
# snmpv3_ssw -n
2) Review your current /etc/snmpdv3.conf file and configure your VIEWS and COMMUNITIES. Make sure that the lines below are uncommented:
VACM_ACCESS  group1 - - noAuthNoPriv SNMPv1  defaultView - defaultView -
VACM_VIEW defaultView       internet            - included -
COMMUNITY public    public     noAuthNoPriv 0.0.0.0     0.0.0.0         -
You could also start with a fresh, clean snmpdv3.conf file from the path below:
/usr/lpp/bos.net.tcp.snmpd/inst_root/etc/snmpdv3.conf
You can make a backup/copy of the currently configured /etc/snmpdv3.conf file and use this new clean file instead:
# cp -p /etc/snmpdv3.conf /etc/snmpdv3.conf.org
# mv /usr/lpp/bos.net.tcp.snmpd/inst_root/etc/snmpdv3.conf /etc/snmpdv3.conf
After moving that new clean file to /etc/snmpdv3.conf, make sure that the lines mentioned above are uncommented as well.

3) Make sure that the IP address in the /etc/snmpd.boots file corresponds to the IP address of the AIX SNMP agent. For example:
# cat /etc/snmpd.boots
 00000002000000000A630D53 0000000015
a) The number shown above is derived as follows:
The first 8 hexadecimal digits represent a vendor enterprise ID obtained from the Internet Assigned Numbers Authority (IANA). For IBM, this ID is 00000002. The string 00 indicates that the next 6 hexadecimal digits are zeros, followed by the IP address of the agent in the last 8 hexadecimal digits.
b) The goal here is to replace the last 8 hexadecimal digits with the IP address of the SNMP agent.
c) Make sure it matches the IP address of the hostname. In the above example, 0A630D53 corresponds to 10.99.13.83.
d) If it does not match the IP address of the hostname, remove the current /etc/snmpd.boots file:
# rm /etc/snmpd.boots
When the snmpd daemon is restarted in a step below, the /etc/snmpd.boots file is automatically regenerated with the correct hexadecimal IP address.
4) Generate authKey pairs for the SNMP agent IP
# pwtokey u1password 10.99.13.83
Replace the IP address in the example above with your own.
Note: This password is not related to the community name; it is only used to generate keys for user-based security.
One authentication (authKey) key pair is generated:
The “localized” key, used by the AIX SNMP agent in the /etc/snmpdv3.conf file
The “non-localized” key, to be used by the SNMP management station
5) Add a “USM_USER” line to the /etc/snmpdv3.conf file. Here is what the USM_USER line looks like:
USM_USER u1 - HMAC-MD5 cfce852445ae1728e9a884813100e11b  - - L -
The hexadecimal string is the localized authKey that was generated in step 4.
Note that it is ONE line only, ending with a dash, as shown in the line above.
6) Also add VACM_GROUP and VACM_ACCESS lines to /etc/snmpdv3.conf, for example:
VACM_GROUP groupu1 USM  u1 -
VACM_ACCESS groupu1 - - AuthNoPriv USM defaultView - defaultView -
Note that in this example groupu1 is the group name and u1 is the user.
7) Edit the /etc/clsnmp.conf file and add this line, replacing the example values with the correct ones:
user1 10.99.13.83 snmpv3 u1 - - AuthNoPriv HMAC-MD5 7a3e34265e0e029f27d8b4235ecfa987  -  -
Note that the clsnmp.conf file holds the non-localized authKey that was generated in step 4.
8) Stop and start snmpd and the dpid2 subagents:
Stop the dpid2 subagents and snmpd:
# stopsrc -s aixmibd
# stopsrc -s hostmibd
# stopsrc -s snmpmibd
# stopsrc -s snmpd
Start snmpd and then the dpid2 subagents:
# startsrc -s snmpd
# startsrc -s aixmibd
# startsrc -s hostmibd
# startsrc -s snmpmibd
9) Try an SNMPv3ne query using the ‘clsnmp’ command:
# clsnmp -h user1 -v walk system
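
Steps 3 and 4 depend on each other: the localized key is bound to the agent's engine ID, so the IP address in /etc/snmpd.boots and the one given to pwtokey must agree. The Python below is an added example, not IBM code; it assumes that pwtokey follows the RFC 3414 password-to-key and key-localization algorithm and that the engine ID has the layout described in step 3a. The sample passphrase and the second IP address are constructed.

```python
import hashlib
import ipaddress

IBM_ENTERPRISE_ID = "00000002"  # enterprise ID quoted in step 3a


def engine_id_from_ip(ip: str) -> bytes:
    """Engine ID as step 3a lays it out: enterprise ID, 8 zero digits, IPv4 in hex."""
    return bytes.fromhex(IBM_ENTERPRISE_ID) + bytes(4) + ipaddress.IPv4Address(ip).packed


def ip_from_boots_line(line: str) -> str:
    """Recover the agent IP from the first field of an /etc/snmpd.boots line."""
    engine_hex = line.split()[0]
    if len(engine_hex) != 24 or not engine_hex.startswith(IBM_ENTERPRISE_ID):
        raise ValueError(f"unexpected engine ID layout: {engine_hex}")
    return str(ipaddress.IPv4Address(bytes.fromhex(engine_hex[-8:])))


def password_to_key(password: str, hash_name: str = "md5") -> bytes:
    """RFC 3414 A.2: hash the password repeated out to 1,048,576 bytes (non-localized key)."""
    pw = password.encode()
    if not pw:
        raise ValueError("password must not be empty")
    stream = (pw * (1048576 // len(pw) + 1))[:1048576]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """RFC 3414 2.6: localized key = H(Ku || engineID || Ku), valid for one engine only."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


if __name__ == "__main__":
    boots_line = " 00000002000000000A630D53 0000000015"  # line shown in step 3
    agent_ip = ip_from_boots_line(boots_line)
    print("agent IP in snmpd.boots:", agent_ip)

    ku = password_to_key("example-passphrase")  # constructed sample password
    good = localize_key(ku, engine_id_from_ip(agent_ip))
    stale = localize_key(ku, engine_id_from_ip("10.99.13.84"))  # constructed wrong IP
    print("non-localized key (management station):", ku.hex())
    print("localized key (agent, correct engine ID):", good.hex())
    print("localized key (mismatched engine ID):   ", stale.hex())
```

The two localized keys differ, which is why a stale IP address in /etc/snmpd.boots makes authentication fail even when the password is correct.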

Additional Information

In case you'd like to configure SNMPv3 AuthPriv (Authenticated & Encrypted), you can follow the technote below:
Also, further customization might be required based on your security requirements, such as disabling the default 'public' Community Name:

Document Location

Worldwide


Document Information

Modified date:
02 December 2024

UID

ibm17176480