IBM Support

IBM AIX: How to configure SNMPv3 encrypted

How To


Summary

This document covers the steps needed to configure encrypted SNMPv3 (the snmpdv3e agent) on an AIX system.

Objective

Why choose encrypted SNMPv3 over versions 1 and 2c, which are easier to configure and troubleshoot?
The main reason is that SNMPv3 adds authentication and encryption of the SNMP messages themselves. Its User-based Security Model (USM) offers three security levels: noAuthNoPriv, authNoPriv and authPriv. Encryption (privacy) always requires authentication, so you can use authentication alone or both together, but not encryption alone.
SNMPv1 and SNMPv2c rely on community strings that are transmitted in plaintext, so anyone who can capture the traffic can read the agent's data or, with a write community, change it; SNMPv1 is further limited to 32-bit counters. SNMPv3 is the first version designed with security as its focus.

Steps

1. Install the "snmp.crypto" fileset from the AIX Expansion Pack media. The encrypted agent (snmpdv3e) and the encrypted client are not available until this fileset is installed.
 a) The AIX Expansion Pack media can be downloaded from our ESS website:

 b) For a complete step-by-step guide on downloading media from ESS, please refer to the following tech note:
2. Switch to the encrypted agent (snmpdv3e) with the 'snmpv3_ssw' command:

# snmpv3_ssw -e
3. Edit /etc/snmpdv3.conf and configure your views and communities. Below is the file's default content, followed by a short explanation of the keywords it uses:
#VACM_GROUP group1 SNMPv1  public  -
VACM_VIEW defaultView       internet            - included -
#VACM_VIEW defaultView        1.3.6.1.4.1.2.2.1.1.1.0    - included -
#VACM_VIEW defaultView        1.3.6.1.4.1.2.6.191.1.6    - included -
# exclude snmpv3 related MIBs from the default view
#VACM_VIEW defaultView        snmpModules                - excluded -
#VACM_VIEW defaultView        1.3.6.1.6.3.1.1.4          - included -
#VACM_VIEW defaultView        1.3.6.1.6.3.1.1.5          - included -
# exclude aixmibd managed MIBs from the default view
#VACM_VIEW defaultView        1.3.6.1.4.1.2.6.191        - included -
#VACM_ACCESS  group1 - - noAuthNoPriv SNMPv1  defaultView - defaultView -
#NOTIFY notify1 traptag trap -
#TARGET_ADDRESS Target1 UDP 127.0.0.1       traptag trapparms1 - - -
#TARGET_PARAMETERS trapparms1 SNMPv1  SNMPv1  public  noAuthNoPriv -
COMMUNITY public    public     noAuthNoPriv 0.0.0.0     0.0.0.0         -
#DEFAULT_SECURITY no-access - -
logging         file=/usr/tmp/snmpdv3.log       enabled
logging         size=1000000                     level=3
smux            1.3.6.1.4.1.2.3.1.2.1.2         gated_password  # gated

END OF FILE
VACM_GROUP - defines a group and associates it with a security model (SNMP version or USM) and a security name (community name or USM user)
VACM_VIEW - specifies a view name and the MIB subtree (with an optional mask) that is included in or excluded from the view
VACM_ACCESS - associates a group with a minimum security level and with the views it may read, write and send notifications from
NOTIFY, TARGET_ADDRESS, TARGET_PARAMETERS - where and how to send SNMP traps
COMMUNITY - specifies a community name, its security name and the source addresses allowed to use it
DEFAULT_SECURITY - defines the default security posture of the SNMP agent
The following default lines can be un-commented if SNMPv1 managers still need to query the agent (the COMMUNITY line is already active in the default file). Be aware that together they grant unauthenticated SNMPv1 read access to the whole defaultView with the well-known community name 'public' from any source address (0.0.0.0 0.0.0.0), which is exactly the plaintext exposure SNMPv3 is meant to remove. For an SNMPv3-only agent, leave them commented out and comment out the COMMUNITY public line as well:
VACM_GROUP group1 SNMPv1  public  -
VACM_ACCESS  group1 - - noAuthNoPriv SNMPv1  defaultView - defaultView -
COMMUNITY public    public     noAuthNoPriv 0.0.0.0     0.0.0.0         -
4. Optional step - to send SNMP traps to specific IP addresses, configure NOTIFY, TARGET_ADDRESS and TARGET_PARAMETERS entries in /etc/snmpdv3.conf. In the example below the traps are sent as SNMPv1 with the community 'public', that is, unauthenticated and in plaintext:
NOTIFY notify1 traptag1 trap -
NOTIFY notify2 traptag2 trap -
NOTIFY notify3 traptag3 trap -
TARGET_ADDRESS Target1 UDP 10.170.4.26       traptag1 trapparms1 - - -
TARGET_ADDRESS Target2 UDP 9.3.58.66       traptag2 trapparms2 - - -
TARGET_ADDRESS Target3 UDP 127.0.0.1       traptag3 trapparms3 - - -
TARGET_PARAMETERS trapparms1 SNMPv1  SNMPv1  public  noAuthNoPriv -
TARGET_PARAMETERS trapparms2 SNMPv1  SNMPv1  public  noAuthNoPriv -
TARGET_PARAMETERS trapparms3 SNMPv1  SNMPv1  public  noAuthNoPriv -
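The fragment below is an added example and is not part of the original technote. It shows the same trap destination served with SNMPv3 authentication and encryption instead of the plaintext SNMPv1 parameters above, together with the lines that leave the agent SNMPv3-only. It assumes the USM user u1, group groupu1 and view defaultView that the later steps define, with the key values abbreviated as placeholders. The SNMPv3 TARGET_PARAMETERS line follows the field order of the SNMPv1 lines above (parameters name, message processing model, security model, security name, security level, storage type) with SNMPv3, USM and u1 in place of SNMPv1, SNMPv1 and public; that form is an assumption to verify against the snmpdv3.conf documentation for your AIX level.

```text
# SNMPv3-only posture: no plaintext community, no default access.
# (Keep COMMUNITY public commented out; un-comment DEFAULT_SECURITY.)
#COMMUNITY public    public     noAuthNoPriv 0.0.0.0     0.0.0.0         -
DEFAULT_SECURITY no-access - -

# USM user and access, as in steps 7 and 8 (keys abbreviated as placeholders)
USM_USER u1 - HMAC-MD5 <localized authKey> DES <localized privKey> L -
VACM_GROUP groupu1 USM  u1 -
VACM_ACCESS groupu1 - - AuthPriv USM defaultView - defaultView -

# Traps to the same destination as above, but authenticated and encrypted
NOTIFY notify1 traptag1 trap -
TARGET_ADDRESS Target1 UDP 10.170.4.26       traptag1 trapparms1 - - -
# Assumed SNMPv3 form; compare field by field with the SNMPv1 lines above:
# <name> <mpModel> <securityModel> <securityName> <securityLevel> <storageType>
TARGET_PARAMETERS trapparms1 SNMPv3  USM  u1  AuthPriv -
```

SNMPv3 traps are secured with the sender's engine ID, so the trap receiver must also be configured with the user u1, its keys and this agent's engine ID (the first field of /etc/snmpd.boots) before it can authenticate and decrypt them.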
5. Check that the IP address encoded in /etc/snmpd.boots corresponds to the IP address of the SNMP agent, for example:

# cat /etc/snmpd.boots
 000000020000000009033A79 0000000046
a) The first field is the agent's engine ID and is derived as follows: the first 8 hexadecimal digits are the vendor enterprise ID assigned by the Internet Assigned Numbers Authority (IANA), which for IBM is 00000002; the next 2 digits are 00; the following 6 hexadecimal digits are zeros; and the last 8 hexadecimal digits are the IP address of the agent. The second field is the engine boots counter, which the agent increments each time it starts.
b) The goal is to make the last 8 hexadecimal digits match the IP address of the SNMP agent.
c) Make sure it matches the IP address of the hostname; in the example above, 09 03 3A 79 is 9.3.58.121 written in hexadecimal. This matters for the next step: the localized keys that pwtokey generates are bound to this engine ID, so if the IP address in snmpd.boots changes, the keys must be regenerated.
6. Generate the key pairs for the SNMP agent's IP address:

# pwtokey -u all u1password 9.3.58.121
Replace 9.3.58.121 with the IP address encoded in your /etc/snmpd.boots (it must be the same address, otherwise the localized keys will not match the agent's engine ID) and u1password with your own password. Note: this password is not related to the community name; it is only used to derive the keys for user-based security (USM). Choose a strong password, because anyone who learns it can derive the same keys.
One authentication key (authKey) pair and one privacy key (privKey) pair are generated, each consisting of:
a "localized" key, bound to the agent's engine ID, used by the AIX SNMP agent in /etc/snmpdv3.conf
a "non-localized" key, used by the SNMP management station (in /etc/clsnmp.conf when clsnmp is the manager)
Because a single password is used for both keys here, the authKey and privKey come out identical; to use distinct keys, run pwtokey twice with -u auth and -u priv and two different passwords. pwtokey uses HMAC-MD5 and DES by default, both of which are weak by current standards; if your AIX level supports HMAC-SHA (see the -p option of pwtokey) and a stronger privacy protocol, prefer them.
7. Add a "USM_USER" line to /etc/snmpdv3.conf. Here is what the USM_USER line looks like (wrapped for display):

USM_USER u1 - HMAC-MD5
6b5bddcf9702102641a9ab8b1d5f791f    DES
6b5bddcf9702102641a9ab8b1d5f791f    L -
The first hexadecimal string is the localized authKey generated in step 6.
The second hexadecimal string is the localized privKey generated in step 6; the L that follows marks both keys as localized.
Note that it is ONE line only, ending with a dash, as seen below:
USM_USER u1 - HMAC-MD5 6b5bddcf9702102641a9ab8b1d5f791f    DES 6b5bddcf9702102641a9ab8b1d5f791f    L -
8. Add VACM_GROUP and VACM_ACCESS lines to /etc/snmpdv3.conf, for example:
VACM_GROUP groupu1 USM  u1 -
VACM_ACCESS groupu1 - - AuthPriv USM defaultView - defaultView -
Note that in this example groupu1 is the group name and u1 is the user. AuthPriv is the minimum security level for the group, so requests from u1 that are unauthenticated or unencrypted are rejected.
9. Stop and restart snmpd and the SNMP subagents (aixmibd, hostmibd, snmpmibd) so the new configuration is read:
Stop the subagents first, then snmpd

# stopsrc -s aixmibd
# stopsrc -s hostmibd
# stopsrc -s snmpmibd
# stopsrc -s snmpd
Start snmpd first, then the subagents

# startsrc -s snmpd
# startsrc -s aixmibd
# startsrc -s hostmibd
# startsrc -s snmpmibd
10. Edit /etc/clsnmp.conf and add the following entry as ONE line, replacing the values with your own (it is wrapped here for display):
user1 9.3.58.121 snmpv3 u1 - - AuthPriv HMAC-MD5
7a3e34265e0e029f27d8b4235ecfa987 DES
7a3e34265e0e029f27d8b4235ecfa987
Note that clsnmp.conf holds the non-localized authKey and privKey generated in step 6, while the agent side (snmpdv3.conf) holds the localized ones. Both /etc/snmpdv3.conf and /etc/clsnmp.conf now contain key material, so make sure they are readable only by root.
11. Try an encrypted SNMPv3 query with the 'clsnmp' command, where user1 is the name of the entry you added to /etc/clsnmp.conf:
# clsnmp -h user1 -v walk system
If the walk fails, first re-check that the IP address you passed to pwtokey is the one encoded in /etc/snmpd.boots, since a different engine ID produces different localized keys.
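The script below is an added example, not IBM code and not part of the original technote. It reproduces in pure Python the two calculations this procedure depends on: the snmpd.boots engine ID layout from step 5, and the RFC 3414 password-to-key derivation plus key localization that pwtokey performs in step 6. It then prints the USM_USER and clsnmp.conf entries in the layouts shown in steps 7 and 10. The user name, password, IP address and snmpd.boots content are constructed sample values, and the function names are my own.

```python
"""Cross-check the engine ID and USM keys used in the AIX SNMPv3 procedure.

Added example (not IBM code). Engine ID layout follows /etc/snmpd.boots as
described in step 5; key derivation follows RFC 3414 Appendix A.2, which is
the algorithm pwtokey implements. All sample values below are constructed.
"""
import hashlib

IBM_ENTERPRISE = "00000002"  # IANA enterprise number 2 (IBM), from snmpd.boots
HASHES = {"HMAC-MD5": hashlib.md5, "HMAC-SHA": hashlib.sha1}  # pwtokey -p names


def engine_id_from_ip(ip: str) -> str:
    """Build the 24-hex-digit engine ID AIX writes to /etc/snmpd.boots:
    enterprise ID, then 00, then six zeros, then the IPv4 address in hex."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return IBM_ENTERPRISE + "00" + "000000" + "".join(f"{int(o):02X}" for o in octets)


def ip_from_engine_id(engine_id: str) -> str:
    """Inverse of engine_id_from_ip: decode the last 8 hex digits as IPv4."""
    if len(engine_id) != 24 or not engine_id.upper().startswith(IBM_ENTERPRISE + "00000000"):
        raise ValueError(f"unexpected engine ID layout: {engine_id!r}")
    tail = engine_id[-8:]
    return ".".join(str(int(tail[i:i + 2], 16)) for i in range(0, 8, 2))


def check_boots(boots_text: str, expected_ip: str) -> dict:
    """Parse the two fields of snmpd.boots (engine ID, engine boots counter)
    and report whether the embedded IP address matches the agent's IP."""
    fields = boots_text.split()
    if len(fields) != 2:
        raise ValueError("snmpd.boots should contain exactly two fields")
    engine_id, boots = fields[0].upper(), int(fields[1])
    embedded_ip = ip_from_engine_id(engine_id)
    return {"engine_id": engine_id, "boots": boots,
            "embedded_ip": embedded_ip, "matches": embedded_ip == expected_ip}


def password_to_key(password: str, proto: str = "HMAC-MD5") -> bytes:
    """RFC 3414 A.2: hash the password repeated cyclically to 1,048,576 bytes.
    HMAC-MD5 yields a 16-byte key, HMAC-SHA a 20-byte key (non-localized Ku)."""
    data = password.encode()
    if not data:
        raise ValueError("empty password")
    expanded = (data * (1048576 // len(data) + 1))[:1048576]
    return HASHES[proto](expanded).digest()


def localize_key(ku: bytes, engine_id: str, proto: str = "HMAC-MD5") -> bytes:
    """RFC 3414 A.2: Kul = H(Ku || snmpEngineID || Ku). This is the 'localized'
    key for the agent side; it changes whenever the engine ID changes."""
    return HASHES[proto](ku + bytes.fromhex(engine_id) + ku).digest()


def usm_keys(password: str, ip: str, proto: str = "HMAC-MD5") -> dict:
    """Non-localized (manager side) and localized (agent side) key for a
    password and agent IP, as lowercase hex like pwtokey -u all prints them."""
    ku = password_to_key(password, proto)
    kul = localize_key(ku, engine_id_from_ip(ip), proto)
    return {"non_localized": ku.hex(), "localized": kul.hex()}


def rfc3414_selfcheck() -> bool:
    """Reproduce the RFC 3414 A.3.1 test vector (password 'maplesyrup',
    engine ID 00...02) to confirm the derivation above is implemented correctly."""
    ku = password_to_key("maplesyrup")
    kul = localize_key(ku, "000000000000000000000002")
    return (ku.hex() == "9faf3283884e92834ebc9847d8edd963"
            and kul.hex() == "526f5eed9fcce26f8964c2930787d82b")


def usm_user_line(user: str, auth_local: str, priv_local: str) -> str:
    """Agent-side USM_USER entry for /etc/snmpdv3.conf (step 7 layout)."""
    return f"USM_USER {user} - HMAC-MD5 {auth_local} DES {priv_local} L -"


def clsnmp_line(entry: str, ip: str, user: str, auth: str, priv: str) -> str:
    """Manager-side entry for /etc/clsnmp.conf (step 10 layout)."""
    return f"{entry} {ip} snmpv3 {user} - - AuthPriv HMAC-MD5 {auth} DES {priv}"


if __name__ == "__main__":
    # Constructed sample: agent IP from the technote, made-up password and boots file.
    agent_ip, user, password = "9.3.58.121", "u1", "u1password"
    sample_boots = "000000020000000009033A79 0000000046\n"

    print("RFC 3414 self-check:", rfc3414_selfcheck())
    print(check_boots(sample_boots, agent_ip))
    keys = usm_keys(password, agent_ip)  # one password => authKey and privKey identical
    print(usm_user_line(user, keys["localized"], keys["localized"]))
    print(clsnmp_line("user1", agent_ip, user, keys["non_localized"], keys["non_localized"]))
    # Same password, wrong IP: manager-side key unchanged, agent-side key different.
    print("localized key differs for 9.3.58.12:",
          usm_keys(password, "9.3.58.12")["localized"] != keys["localized"])
```

Run it on the agent with your own password and IP, and compare the printed localized key with the one pwtokey produced; if they differ, the engine ID in /etc/snmpd.boots almost certainly does not encode the address you passed to pwtokey. The last line of the demonstration is the reason the IP in step 6 has to match step 5: the manager-side key depends only on the password, but the agent-side key is bound to the engine ID.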

Additional Information

SUPPORT

If additional assistance is required after completing all of the instructions provided in this document, please follow the step-by-step instructions below to contact IBM to open a case for software under warranty or with an active and valid support contract.  The technical support specialist assigned to your case will confirm that you have completed these steps.

1.  Document and/or take screen shots of all symptoms, errors, and/or messages that might have occurred. 

2.  Capture any logs or data relevant to the situation.

3.  Contact IBM to open a case:

   -For electronic support, please visit the IBM Support Community:
     https://www.ibm.com/mysupport
   -If you require telephone support, please visit the web page:
      https://www.ibm.com/planetwide/

4.  Provide a good description of your issue, and reference this Technote, and any issues you had with the instructions.

5.  Collect the system snap and upload all of the details and data for your case.

To collect a complete snap of your system information:

5.1) Remove previously gathered data

   # snap -r 

5.2) Copy related files from #1 and #2 to the snap data directory

   # mkdir -p /tmp/ibmsupt/testcase
   # cp <logs, screenshots, etc> /tmp/ibmsupt/testcase

5.3) Run the snap command with one of the following options to collect all info.

     * If you have already engaged with a support engineer, use the flags specified by your support team.

   # snap -aZc (Omits system dump data)   
     OR 
   # snap -ac (Use if system dump data is needed)

5.4) Rename the testcase to include your case number to ensure it is properly attached to your case

  # mv /tmp/ibmsupt/snap.pax.Z /tmp/ibmsupt/yourcase#[.optional_description].snap.pax.Z

5.5) Upload the file by one of the following options (a, b, or c)

     a) Attach to your case
     https://www.ibm.com/mysupport/s/my-cases

     b) Upload to the Enhanced Customer Data Repository(ECuRep) 
     https://www.secure.ecurep.ibm.com/app/upload_sf

     c) Upload to the Blue Diamond FTP server (Blue Diamond Customers Only)
     https://msciportal.im-ies.ibm.com

* Note: For information about Blue Diamond upload see:

     http://www.ibm.com/support/docview.wss?uid=nas8N1020947


Document Information

Modified date:
31 May 2019

UID

ibm10886219