Privacy enable on SNMPv3 (AIX)
# 1  
Old 06-26-2015

I have SNMPv3 working on our server but when viewed from the security software, it shows no privacy enabled

Code:
AIX 7.1, TL1, snmp.crypto 6.1.2.0 installed, ran snmpv3_ssw -e

Unsure what I have configured wrong.

What is needed to show Privacy in AIX. I looked at a config on a Solaris box that does have it working and it seems like I have things set correctly.

See snips of snmpdv3.conf below:

Code:
USM_USER spkadmin - HMAC-MD5 caXXXXXXXXXXXXXXXXXXXXXXX35 DES e7XXXXXXXXXXXXXXXXX51 N -
 
# VACM_GROUP entries
# Format is:
# groupName securityModel securityName storageType
VACM_GROUP group1 USM spekadmin -
# VACM_VIEW entries
# Defines a particular set of MIB data, called a view, for the
# View-based Access Control Model.
# Format is:
# viewName viewSubtree viewMask viewType storageType
VACM_VIEW group1View interfaces - included -
VACM_VIEW group1View tcp - included -
VACM_VIEW group1View icmp - included -
VACM_VIEW group1View system - included -
VACM_VIEW group1View sysObjectID - excluded -
# VACM_ACCESS entries
VACM_ACCESS group1 - - DES USM group1View - - -
 
#VACM_GROUP group1 SNMPv1 public -
VACM_VIEW defaultView internet - included -
VACM_VIEW defaultView 1.3.6.1.4.1.2.2.1.1.1.0 - included -
VACM_VIEW defaultView 1.3.6.1.4.1.2.6.191.1.6 - included -
# exclude snmpv3 related MIBs from the default view
VACM_VIEW defaultView snmpModules - excluded -
VACM_VIEW defaultView 1.3.6.1.6.3.1.1.4 - included -
VACM_VIEW defaultView 1.3.6.1.6.3.1.1.5 - included -
# exclude aixmibd managed MIBs from the default view
VACM_VIEW defaultView 1.3.6.1.4.1.2.6.191 - included -
#VACM_ACCESS group1 - - noAuthNoPriv SNMPv1 defaultView - defaultView -
#NOTIFY notify1 traptag trap -
#TARGET_ADDRESS Target1 UDP 127.0.0.1 traptag trapparms1 - - -
#TARGET_PARAMETERS trapparms1 SNMPv1 SNMPv1 public noAuthNoPriv -
#COMMUNITY public public noAuthNoPriv 0.0.0.0 0.0.0.0 -
DEFAULT_SECURITY no-access - -
logging file=/tmp/snmpdv3.log enabled
logging size=100000 level=0
smux 1.3.6.1.4.1.2.3.1.2.1.2 gated_password # gated

Thanks.

Last edited by Don Cragun; 06-26-2015 at 05:46 PM. Reason: Add CODE and ICODE tags.
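A static consistency check for the SNMPv3 part of an snmpdv3.conf, as an added example (it is not code from this thread and not an IBM tool). It assumes the field order that the comment headers in AIX's stock snmpdv3.conf document: USM_USER is userName engineID authProto authKey privProto privKey keyType storageType, VACM_GROUP is groupName securityModel securityName storageType, and VACM_ACCESS is groupName contextPrefix contextMatch securityLevel securityModel readView writeView notifyView storageType (the commented-out SNMPv1 line in the snippet above shows noAuthNoPriv in that fourth position). The script reports a USM user with no privacy key, a USM group whose securityName matches no USM_USER, and an access entry whose securityLevel is not one of the three SNMPv3 levels or is weaker than AuthPriv. The sample configuration is constructed to mirror the shape of the posted snippet, with placeholder keys.

```python
# Added example (not from the thread): static checks that the SNMPv3 parts of an
# AIX snmpdv3.conf fit together for encrypted (AuthPriv) access. Field positions
# follow the comment headers in AIX's stock snmpdv3.conf (an assumption):
#   USM_USER    userName engineID authProto authKey privProto privKey keyType storageType
#   VACM_GROUP  groupName securityModel securityName storageType
#   VACM_ACCESS groupName contextPrefix contextMatch securityLevel securityModel
#               readView writeView notifyView storageType
SECURITY_LEVELS = ("noAuthNoPriv", "AuthNoPriv", "AuthPriv")

# Constructed sample mirroring the shape of the snippet in the thread; the keys
# are placeholders, not real localized keys.
SAMPLE_CONF = """\
USM_USER spkadmin - HMAC-MD5 AUTHKEY_PLACEHOLDER DES PRIVKEY_PLACEHOLDER N -
# VACM_GROUP entries
VACM_GROUP group1 USM spekadmin -
VACM_VIEW group1View interfaces - included -
VACM_ACCESS group1 - - DES USM group1View - - -
#VACM_ACCESS group1 - - noAuthNoPriv SNMPv1 defaultView - defaultView -
DEFAULT_SECURITY no-access - -
"""


def parse_conf(text):
    """Collect the whitespace-separated fields of every USM_USER, VACM_GROUP
    and VACM_ACCESS line; '#' starts a comment, as in the stock file."""
    entries = {"USM_USER": [], "VACM_GROUP": [], "VACM_ACCESS": []}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields and fields[0] in entries:
            entries[fields[0]].append(fields[1:])
    return entries


def check_privacy(text):
    """Return a list of findings; an empty list means every USM user has a
    privacy key, every USM group names a defined user, and every access entry
    for a USM group requires AuthPriv."""
    conf = parse_conf(text)
    findings = []

    users = {}
    for f in conf["USM_USER"]:
        if len(f) < 6:
            findings.append("USM_USER line has fewer than 6 fields: %r" % (f,))
            continue
        name, priv_proto, priv_key = f[0], f[4], f[5]
        users[name] = priv_proto
        if priv_proto == "-" or priv_key == "-":
            findings.append("USM_USER %s: no privacy protocol/key, so the agent "
                            "cannot encrypt for this user" % name)

    groups = set()
    for f in conf["VACM_GROUP"]:
        if len(f) < 3:
            findings.append("VACM_GROUP line has fewer than 3 fields: %r" % (f,))
            continue
        group, model, sec_name = f[0], f[1], f[2]
        groups.add(group)
        if model == "USM" and sec_name not in users:
            findings.append("VACM_GROUP %s: securityName %r matches no USM_USER "
                            "(defined: %s)" % (group, sec_name, sorted(users)))

    for f in conf["VACM_ACCESS"]:
        if len(f) < 5:
            findings.append("VACM_ACCESS line has fewer than 5 fields: %r" % (f,))
            continue
        group, level, model = f[0], f[3], f[4]
        if group not in groups:
            findings.append("VACM_ACCESS %s: no VACM_GROUP defines this group" % group)
        if level not in SECURITY_LEVELS:
            findings.append("VACM_ACCESS %s: securityLevel %r is not one of %s "
                            "(the privacy protocol belongs on the USM_USER line)"
                            % (group, level, list(SECURITY_LEVELS)))
        elif model == "USM" and level != "AuthPriv":
            findings.append("VACM_ACCESS %s: securityLevel %s lets USM requests "
                            "through without encryption" % (group, level))
    return findings


if __name__ == "__main__":
    for line in check_privacy(SAMPLE_CONF) or ["no findings"]:
        print(line)
```

Run it against a copy of the real file with `check_privacy(open("/etc/snmpdv3.conf").read())`; the checker only reads the three entry types it knows about, so VACM_VIEW, NOTIFY and the other keywords pass through untouched.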
# 2  
Old 06-26-2015
It's not clear what you mean by "show privacy in your security software". What kind of manager are you using? When configuring snmp I recommend that you first do a query from the agent itself using the clsnmp command. This lets you simulate a manager function and ensure security is working correctly without worrying about another machine and another manager running on another machine.

Once you verify it works with this minimum configuration then worry about configuring the manager machines.

See the man pages for clsnmp and its configuration file.

Once you can query, then do this capture to ensure privacy is working, something like:

Code:
tcpdump -i lo0 -c 10000 -a -T snmp "(host 127.0.0.1) and (port 161 or 162)"

snmpv3 configuration for auth and priv (max security) has a lot of parts... so configure the agent and query from the agent before moving to a large task like configuring it into your manager system.

So get clsnmp working from agent first.
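What the capture suggested above should show, as an added example that is not from this thread: in an SNMPv3 message the privacy claim lives in the msgFlags octet of the header (privFlag 0x02, authFlag 0x01, reportableFlag 0x04, per RFC 3412), and an encrypted scopedPDU travels as an OCTET STRING where a cleartext one is a SEQUENCE. The script below decodes that much of a raw SNMPv3 message with a minimal BER reader and reports whether the flags and the PDU encoding agree. It works on the UDP payload bytes of a packet (for example saved with tcpdump -w and extracted with a pcap library of your choice, which is left out here); the messages it analyzes are constructed inline, with placeholder bytes in place of real USM security parameters and real ciphertext.

```python
# Added example (not from the thread): inspect raw SNMPv3 message bytes and
# report whether the msgFlags privacy bit is set and whether the scopedPDU is an
# encrypted OCTET STRING rather than a cleartext SEQUENCE. Message layout follows
# RFC 3412 (SNMPv3Message / HeaderData); a minimal BER codec is inlined.
AUTH_FLAG, PRIV_FLAG, REPORTABLE_FLAG = 0x01, 0x02, 0x04


def ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(v):  # non-negative integers only, enough for the sample messages
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def ber_octets(b):
    return tlv(0x04, b)


def ber_seq(*parts):
    return tlv(0x30, b"".join(parts))


def ber_read(buf, pos=0):
    """Decode one TLV at pos; returns (tag, value_bytes, position_after)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def analyze_snmpv3(msg):
    """Return the security level the msgFlags claim and whether the scopedPDU
    on the wire is encrypted; 'consistent' is False when a message claims
    privacy but still carries a cleartext PDU (or the reverse)."""
    tag, body, _ = ber_read(msg)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE, so not an SNMP message")
    tag, version, pos = ber_read(body)
    if tag != 0x02 or int.from_bytes(version, "big") != 3:
        raise ValueError("msgVersion is not 3 (SNMPv1/v2c never encrypt)")
    _, header, pos = ber_read(body, pos)        # msgGlobalData
    _, _, hp = ber_read(header)                 # msgID
    _, _, hp = ber_read(header, hp)             # msgMaxSize
    _, flags, hp = ber_read(header, hp)         # msgFlags
    _, sec_model, _ = ber_read(header, hp)      # msgSecurityModel (3 = USM)
    _, _, pos = ber_read(body, pos)             # msgSecurityParameters (opaque here)
    pdu_tag, _, _ = ber_read(body, pos)         # scopedPduData: 0x04 = encryptedPDU
    auth, priv = bool(flags[0] & AUTH_FLAG), bool(flags[0] & PRIV_FLAG)
    if priv and not auth:
        level = "invalid (privFlag without authFlag)"
    else:
        level = "authPriv" if priv else ("authNoPriv" if auth else "noAuthNoPriv")
    encrypted = pdu_tag == 0x04
    return {"level": level, "securityModel": int.from_bytes(sec_model, "big"),
            "scopedPduEncrypted": encrypted, "consistent": priv == encrypted}


def build_sample(flags_byte, encrypt_pdu):
    """Constructed SNMPv3 GetRequest for the sample: the 'ciphertext' is opaque
    placeholder bytes and msgSecurityParameters is an empty string instead of
    real USM parameters."""
    header = ber_seq(ber_int(1), ber_int(65507),
                     ber_octets(bytes([flags_byte])), ber_int(3))
    get_request = tlv(0xA0, ber_int(1) + ber_int(0) + ber_int(0) + ber_seq())
    scoped_pdu = ber_seq(ber_octets(b""), ber_octets(b""), get_request)
    if encrypt_pdu:
        scoped_pdu = ber_octets(b"\xAA" * len(scoped_pdu))  # stand-in ciphertext
    return ber_seq(ber_int(3), header, ber_octets(b""), scoped_pdu)


if __name__ == "__main__":
    for name, flags, enc in (("authPriv", 0x07, True), ("authNoPriv", 0x05, False),
                             ("priv flag but cleartext PDU", 0x07, False)):
        print(name, analyze_snmpv3(build_sample(flags, enc)))
```

On a real agent the interesting case is the one the last sample line models: the manager or agent advertises authPriv in the flags but the PDU is still a readable SEQUENCE, which is exactly what a non-encrypting daemon would produce and what the capture is meant to catch.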
# 3  
Old 06-27-2015
Also notice that HACMP (in case you have a cluster) depends on SNMP communication between the nodes. Otherwise the cluster information daemon (clinfoES) and perhaps a few others will not work any more.

Many monitoring tools (HP OpenView, for example) base their operation also on SNMP, so test thoroughly before commissioning "security enhancements".

Usually these are issued by people who never had to administer a system, and it shows. About twice a year we get some "security advisory" which would immediately stop all our servers from properly working if we put it into practice. Best practice is to ignore such idiotic suggestions.

I hope this helps.

bakunin
# 4  
Old 07-08-2015
I am still using snmpv1 because so many programs have not liked snmpv3. Which means I still need to make the switch someday.

To see which daemon you are using by default (snmpd (v1) or snmpdv3), look at the following:

Code:
michael@x071:[/usr/sbin]ls -l snmpd*
lrwxrwxrwx 1 root system      7 May  7 13:13 snmpd -> snmpdv1
lrwxrwxrwx 1 root system      9 Dec 20  2014 snmpd.orig -> snmpdv3ne
-rwxr-x--- 1 root system 364136 Jul 31  2014 snmpd64v1
-rwxr-x--- 1 root system 335416 Jul 31  2014 snmpdv1
-rwxr-x--- 1 root system 336611 Mar 19  2014 snmpdv3ne

By default AIX now uses snmpdv3ne (for snmpdv3 Non-Encrypted). The start/stop command (startsrc/stopsrc) for snmpd looks at /usr/sbin/snmpd, so changing what it points at changes your daemon.

To get the encrypted snmpv3 daemon (snmpdv3e) you need to load the daemon from the AIX Expansion Pack.

Reference: https://www-01.ibm.com/support/knowl..._troublesh.htm
# 5  
Old 07-08-2015
Quote:
Originally Posted by MichaelFelt
The start/stop command (startsrc/stopsrc) for snmpd looks at /usr/sbin/snmpd -= so changing what it points at changes your daemon.
There is a special command for that - snmpv3_ssw (IBM Knowledge Center).
# 6  
Old 07-08-2015
FYI: The snmpdv3e/snmpdv3 supports communication to snmpdv1 and lower version agents.