Privacy enable on SNMPv3 (AIX)

I have SNMPv3 working on our server, but when viewed from the security software, it shows no privacy enabled.

AIX 7.1, TL1, snmp.crypto 6.1.2.0 installed, ran snmpv3_ssw -e

Unsure what I have configured wrong.

What is needed to show Privacy in AIX? I looked at a config on a Solaris box that does have it working and it seems like I have things set correctly.

See snips of snmpdv3.conf below:

USM_USER spkadmin - HMAC-MD5 caXXXXXXXXXXXXXXXXXXXXXXX35 DES e7XXXXXXXXXXXXXXXXX51 N -
 
# VACM_GROUP entries
# Format is:
# groupName securityModel securityName storageType
VACM_GROUP group1 USM spekadmin -
# VACM_VIEW entries
# Defines a particular set of MIB data, called a view, for the
# View-based Access Control Model.
# Format is:
# viewName viewSubtree viewMask viewType storageType
VACM_VIEW group1View interfaces - included -
VACM_VIEW group1View tcp - included -
VACM_VIEW group1View icmp - included -
VACM_VIEW group1View system - included -
VACM_VIEW group1View sysObjectID - excluded -
# VACM_ACCESS entries
VACM_ACCESS group1 - - DES USM group1View - - -
 
#VACM_GROUP group1 SNMPv1 public -
VACM_VIEW defaultView internet - included -
VACM_VIEW defaultView 1.3.6.1.4.1.2.2.1.1.1.0 - included -
VACM_VIEW defaultView 1.3.6.1.4.1.2.6.191.1.6 - included -
# exclude snmpv3 related MIBs from the default view
VACM_VIEW defaultView snmpModules - excluded -
VACM_VIEW defaultView 1.3.6.1.6.3.1.1.4 - included -
VACM_VIEW defaultView 1.3.6.1.6.3.1.1.5 - included -
# exclude aixmibd managed MIBs from the default view
VACM_VIEW defaultView 1.3.6.1.4.1.2.6.191 - included -
#VACM_ACCESS group1 - - noAuthNoPriv SNMPv1 defaultView - defaultView -
#NOTIFY notify1 traptag trap -
#TARGET_ADDRESS Target1 UDP 127.0.0.1 traptag trapparms1 - - -
#TARGET_PARAMETERS trapparms1 SNMPv1 SNMPv1 public noAuthNoPriv -
#COMMUNITY public public noAuthNoPriv 0.0.0.0 0.0.0.0 -
DEFAULT_SECURITY no-access - -
logging file=/tmp/snmpdv3.log enabled
logging size=100000 level=0
smux 1.3.6.1.4.1.2.3.1.2.1.2 gated_password # gated

Thanks.

It's not clear what you mean by "show privacy in your security software". What kind of manager are you using? When configuring SNMP I recommend that you first do a query from the agent itself using the clsnmp command. This lets you simulate a manager function and ensure security is working correctly without worrying about another machine and another manager running on another machine.

Once you verify it works with this minimum configuration then worry about configuring the manager machines.

See the man pages for clsnmp and its configuration file.

Once you can query, do a capture to ensure privacy is working, something like:

tcpdump -i lo0 -c 10000 -a -T snmp "(host 127.0.0.1) and (port 161 or 162)"

SNMPv3 configuration for auth and priv (max security) has a lot of parts, so configure the agent and query from the agent before moving to a large task like configuring it into your manager system.

So get clsnmp working from agent first.

Also notice that HACMP (in case you have a cluster) is depending on SNMP communication between the nodes. Otherwise the cluster.information daemon (clinfoES) and perhaps a few others will not work any more.

Many monitoring tools (HP OpenView, for example) base their operation also on SNMP, so test thoroughly before commissioning "security enhancements".

Usually these are issued by people who never had to administrate a system and this shows. We have about two times a year some "security advisory" which would immediately stop all our servers from properly working would we put it into practice. Best practice is to ignore such idiotic suggestions.

I hope this helps.

bakunin

I am still using snmpv1 because so many programs have not liked snmpv3. Which means I still need to make the switch someday.

To see which daemon you are using by default (snmpd (v1) or snmpdv3), look at the following:

michael@x071:[/usr/sbin]ls -l snmpd*
lrwxrwxrwx 1 root system      7 May  7 13:13 snmpd -> snmpdv1
lrwxrwxrwx 1 root system      9 Dec 20  2014 snmpd.orig -> snmpdv3ne
-rwxr-x--- 1 root system 364136 Jul 31  2014 snmpd64v1
-rwxr-x--- 1 root system 335416 Jul 31  2014 snmpdv1
-rwxr-x--- 1 root system 336611 Mar 19  2014 snmpdv3ne

By default AIX now uses snmpdv3ne (for snmpdv3 Non-Encrypted). The start/stop command (startsrc/stopsrc) for snmpd looks at /usr/sbin/snmpd, so changing what it points at changes your daemon.

To get the encrypted snmpv3 daemon (snmpdv3e) you need to load the daemon from the AIX Expansion Pack.

Reference: https://www-01.ibm.com/support/knowledgecenter/ssw_aix_61/com.ibm.aix.networkcomm/snmpv3_troublesh.htm

There is a special command for that: snmpv3_ssw (IBM Knowledge Center)

FYI: The snmpdv3e/snmpdv3 supports communication to snmpdv1 and lower version agents.
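
An added example, not part of any post above and not IBM code: a small Python lint that cross-checks USM_USER, VACM_GROUP and VACM_ACCESS entries using the field orders shown in the quoted snmpdv3.conf. The accepted securityLevel tokens and the treatment of "-" as noAuthNoPriv are assumptions; check them against the snmpdv3.conf documentation for your AIX level.

```python
# Added example: lint for AIX snmpdv3.conf USM/VACM entries (not IBM code).
# Field orders follow the format comments and entries quoted in the thread.
# Assumption: valid securityLevel tokens are the ones listed in LEVELS,
# and "-" defaults to noAuthNoPriv.
LEVELS = {"noauthnopriv": 0, "none": 0, "authnopriv": 1, "auth": 1,
          "authpriv": 2, "priv": 2, "-": 0}

# Constructed sample modelled on the entries posted in the question (keys masked).
SAMPLE = """\
USM_USER spkadmin - HMAC-MD5 caXX35 DES e7XX51 N -
VACM_GROUP group1 USM spekadmin -
VACM_ACCESS group1 - - DES USM group1View - - -
#VACM_ACCESS group1 - - noAuthNoPriv SNMPv1 defaultView - defaultView -
"""

def parse(text):
    """Return non-comment entries as lists of whitespace-separated fields."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows

def lint(text):
    """Return inconsistencies between USM_USER, VACM_GROUP and VACM_ACCESS."""
    rows = parse(text)
    # USM_USER userName engineID authProto authKey privProto privKey keyType storageType
    users = {r[1]: r for r in rows if r[0] == "USM_USER" and len(r) >= 7}
    findings = []
    for name, r in users.items():
        if r[5] == "-":
            findings.append(f"USM_USER {name}: no privacy protocol configured")
    # VACM_GROUP groupName securityModel securityName storageType
    for g in (r for r in rows if r[0] == "VACM_GROUP" and len(r) >= 4):
        if g[2] == "USM" and g[3] not in users:
            findings.append(f"VACM_GROUP {g[1]}: securityName {g[3]!r} has no USM_USER")
    # VACM_ACCESS groupName contextPrefix contextMatch securityLevel securityModel ...
    for r in (r for r in rows if r[0] == "VACM_ACCESS" and len(r) >= 6):
        level = LEVELS.get(r[4].lower())
        if level is None:
            findings.append(f"VACM_ACCESS {r[1]}: {r[4]!r} is not a securityLevel")
        elif r[5] == "USM" and level < 2:
            findings.append(f"VACM_ACCESS {r[1]}: level {r[4]} does not require privacy")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```
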